Last night, while being interviewed by Charlie Rose with Janine Gibson and former NSAer Stewart Baker in New York, Guardian Editor-in-Chief Alan Rusbridger pulled out of his jacket pocket a symbol of press freedom and attempts to muzzle it: a piece of the Mac that the UK’s spies from GCHQ destroyed in the paper’s basement. The rest is destined for a museum in London and the Newseum in Washington.
Here is a post I wrote for the Guardian:
It has been said that privacy is dead. Not so. It’s secrecy that is dying. Openness will kill it.
American and British spies undermined the secrecy and security of everyone using the internet with their efforts to foil encryption. Then Edward Snowden foiled them by revealing what is perhaps (though we’ll never know) their greatest secret.
When I worried on Twitter that we could not trust encryption now, technologist Lauren Weinstein responded with assurances that it would be difficult to hide back doors in commonly used PGP encryption — because it is open source.
Openness is the more powerful weapon. Openness is the principle that guides Guardian journalism. Openness is all that can restore trust in government and technology companies. And openness — in standards, governance, and ethics — must be the basis of technologists’ efforts to take back the the net.
Secrecy is under dire threat but don’t confuse that with privacy. “All human beings have three lives: public, private, and secret,” Gabriel García Márquez tells his biographer. “Secrecy is what is known, but not to everyone. Privacy is what allows us to keep what we know to ourselves,” Jill Lepore explains in The New Yorker. “Privacy is consensual where secrecy is not,” write Carol Warren and Barbara Laslett in the Journal of Social Issues. Think of it this way: Privacy is what we keep to ourselves. Secrecy is what is kept from us. Privacy is a right claimed by citizens. Secrecy is a privilege claimed by government.
It’s often said that the internet is a threat to privacy, but on the whole I argue it is not much more of a threat than a gossipy friend or a nosy neighbor, a slip of the tongue or of the email “send” button. Privacy is certainly put at risk when we can no longer trust that our communication, even encrypted, are safe from government’s spying eyes. But privacy has many protectors. And we all have one sure vault for privacy: our own thoughts. Even if the government were capable of mind-reading, ProPublica argues in an essay explaining its reason to join the Snowden story, the fact of it “would have to be known.”
The agglomeration of data that makes us fear for our privacy is also what makes it possible for one doubting soul, one weak link — one Manning or Snowden — to learn secrets. The speed of data that makes us fret over the the devaluation of facts is also what makes it possible for journalists’ facts to spread before government can stop them. The essence of the Snowden story, then, isn’t government’s threat to privacy so much as government’s loss of secrecy.
Oh, it will take a great deal for government to learn that lesson. Its first response is to try to match a loss of secrecy with greater secrecy, with a war on the agents of openness: whistleblowers and journalists and news organizations. President Obama had the opportunity to meet Snowden’s revelations — redacted responsibly by the Guardian — with embarrassment, apology, and a vow to make good on his promise of transparency. He failed.
But the agents of openness will continue to wage their war on secrecy.
In a powerful charge to fellow engineers, security expert Bruce Schneier urged them to fix the net that “some of us have helped to subvert.” Individuals must make a moral choice, whether they will side with secrecy or openness.
So must their companies. Google and Microsoft are suing government to be released from their secret restrictions but there is still more they can say. I would like Google to explain what British agents could mean when they talk of “new access opportunities being developed” at the company. Google’s response — “we have no evidence of any such thing ever occurring” — would be more reassuring if it were more specific.
This latest story demonstrates that the Guardian — now in league with The New York Times and ProPublica as well as publications in Germany and Brazil — will continue to report openly in spite of government acts of intimidation.
I am disappointed that more news organizations, especially in London, are not helping support the work of openness by adding reporting of their own and editorializing against government overreach. I am also saddened that my American colleagues in news industry organizations as well as journalism education groups are not protesting loudly.
But even without them, what this story teaches is that it takes only one technologist, one reporter, one news organization to defeat secrecy. At the length openness will out.
I wrote this for the Guardian, where the discussion is quite lively, approaching 1,500 comments. I’m posting it here a few days later for the purposes of my own archive.
What are you thinking, Mr. President?
Is this really the legacy you want for yourself: the chief executive who trampled rights, destroyed privacy, heightened secrecy, ruined trust, and worst of all did not defend but instead detoured around so many of the fundamental principles on which this country is founded?
And I voted for you. I’ll confess you were a second choice. I supported Hillary Clinton first. I said at the time that your rhetoric about change was empty and that I feared you would be another Jimmy Carter: aggressively ineffectual.
Never did I imagine that you would instead become another Richard Nixon: imperial, secretive, vindictive, untrustworthy, inexplicable.
I do care about security. I survived the attack on the World Trade Center and I believe 9/11 was allowed to occur through a failure of intelligence. I thank TSA agents for searching me: applause for security theater. I defend government’s necessary secrets. By the way, I also defend Obamacare. I should be an easy ally. But your exercise of power appalls me. When I wrote about your credibility deficit in the Guardian, I was shocked that among the commenters at that great international voice of liberalism, next to no one defended you. Even on our side of the political divide, I am far from alone in urgently wondering what you are doing.
As a journalist, I am frightened by your vengeful attacks on whistleblowers — Manning, Assange, Snowden, and the rest — and the impact in turn on journalism and its tasks of keeping a watchful eye on you and helping to assure an informed citizenry.
As a citizen, I am disgusted by the systematic evasion of oversight you have supported through the FISA courts; by the use of ports as lawless zones where your agents can harass anyone; by your failure on your promise to close Guantanamo, and this list could go on.
As an American often abroad, I am embarrassed by the damage you have caused to our reputation and to others’ trust in us. I find myself apologizing for what you are doing to citizens of other nations, dismissing the idea that they have rights to privacy because they are “foreign.”
As an internet user, I am most fearful of the impact of your wanton destruction of privacy and the resulting collapse of trust in the net and what that will do to the freedom we have enjoyed in it as well as the business and jobs that are being built atop it.
And as a Democrat, I worry that you are losing us the next election, handing an issue to the Republicans that should have been ours: protecting the rights of citizens against the overreach of the security state.
Surely you can see this. But you keep doubling down, becoming only more dogged in your defense of secrecy and your guardians of it. I don’t understand.
The only way I could possibly grant you the benefit of doubt is to think that there is some ominous fact about our security that only you and your circle know and can’t breath or the jig will be up. But I don’t believe that anymore than I believe a James Bond movie or an Oliver Stone conspiracy theory. You can’t argue that Armageddon is on the way and that al Qaeda is on the run at the same time.
No, I think it is this: Secrecy corrupts. Absolute secrecy corrupts absolutely. You have been seduced by the idea that your authority rests in your secrets and your power to hold them. Every attack on that power, every questioning of it only makes you draw in tighter, receding into your vault with the key you think your office grants you. You are descending into a dark hole of your own digging.
But you know better, don’t you? In a democracy, secrecy is not the foundation of authority; that is the basis of dictatorships. Principles and their defense is what underpins your office.
First among those principles is the defense of our freedom. Security is only a subset of that, for if we are not secure we are not free. Freedom demands the confidence that we are not under attack, yes, but also that we are not being surveilled without our knowledge and consent. The balance, which we are supposedly debating, must go to freedom.
Transparency is another principle you promised to uphold but have trammeled instead. The only way to assure trust in your actions is if they are overseen by open courts, by informed legislators, by an uninhibited press, and most importantly by an informed citizenry.
As political and media attention turn away from you, you have an opportunity to rise again to the level of principles, to prove that your rhetoric about change was not empty after all, to rebuild your already ill-fated legacy, to do what is expected of you and your office.
You could decide to operate on the principle that our privacy is protected in any medium — not just in our first-class letters but in our emails and chats and calls — unless under specific and due warrant.
You could decide to end what will be known as the Obama Collect it All doctrine and make the art of intelligence focus rather than reach.
You could decide to respect the efforts of whistleblowers as courageous practitioners of civil disobedience who are sacrificing much in their efforts to protect lives and democracy. If they are the Martin Luther Kings of our age, then call off Bull Connor‘s digital dogs and fire hoses, will you?
You could decide to impress us with the transparency you still can bring to government, so that the institution you run becomes open by default rather than by force, as it is now, under you.
You could decide to support a free press and stop efforts — here and, using your influence, with our friends in the UK — to restrain their work.
You could decide that whether they are visiting our land or talking with our citizens by email or phone, foreigners are not to be distrusted by default.
You could try to reverse the damage you have done to the internet and its potential by upholding its principles of openness and freedom.
You could. Will you?
Fear not, says the NSA, we “touch” only 1.6% of daily internet traffic. If, as they say, the net carries 1,826 petabytes of information per day, then the NSA “touches” about 29 petabytes a day. They don’t say what “touch” means. Ingest? Store? Analyze? Inquiring minds want to know.
For context, Google in 2010 said it had indexed only 0.004% of the data on the net. So by inference from the percentages, does that mean that the NSA is equal to 400 Googles? Better math minds than mine will correct me if I’m wrong.
Seven petabytes of photos are added to Facebook each month. That’s .23 petabytes per day. So that means the NSA is 126 Facebooks.
Keep in mind that most of the data passing on the net is not email or web pages. It’s media. According to Sandvine data for the U.S. fixed net from 2013, real-time entertainment accounted for 62% of net traffic, P2P file-sharing for 10.5%. The NSA needn’t watch all those episodes of Homeland (or maybe they should) or listen to all that Cold Play — though I’m sure the RIAA and MPAA are dying to know what the NSA knows about who’s “stealing” what since that “stealing” allegedly accounts for 23.8% of net traffic.
HTTP — the web — accounts for only 11.8% of aggregated up- and download traffic in the U.S., Sandvine says. Communications — the part of the net the NSA really cares about — accounts for 2.9% in the U.S.
So by very rough, beer-soaked-napkin numbers, the NSA’s 1.6% of net traffic would be half of the communication on the net. That’s a fuckuvalota “touching.”
And keep in mind that by one estimate 68.8% of email is spam.
And, of course, metadata doesn’t add up to much data at all; it’s just a few bits per file — who sent what to whom — and that’s where the NSA finds much of its incriminating information. So these numbers are meaningless when it comes to looking at how much the NSA knows about who’s talking to whom. A few weeks ago on Twitter, I showed that with the NSA’s clearance to go three hops out from a suspect, it doesn’t take very long at all before this law of large numbers encompasses us all and our cats.
If you have better data (and better math) than I have, please do share it.
* “Reach out and touch someone” art inspired by Josh Stearns
I wrote this for the Guardian. I’m crossposting it here for my archive. The post is all the more relevant a day later as Google, Apple, AT&T, and Public Knowledge attend a secret White House meeting about secrecy. I’d have a lot more respect for them if they refused, given the condition.
Technology companies: Now is the moment when you must answer for us, your users, whether you are collaborators in the U.S. government’s efforts to collect it all — our every move on the internet — or whether you, too, are victims of its overreach.
Every company named in Edward Snowden’s revelations has said that it must comply with government demands, including requirements to keep secret court orders secret. True enough. But there’s only so long they can hide behind that cloak before making it clear whether they are resisting government’s demands or aiding in them. And now the time has come to go farther: to use both technology and political capital to actively protect the public’s privacy. Who will do that?
We now know, thanks to Snowden, of at least three tiers of technology companies enmeshed in the NSA’s hoovering of our net activity (we don’t yet know whether the NSA has co-opted companies from the financial, retail, data services, and other industries):
(1) Internet platforms that provide services directly to consumers, allowing government to demand access to signals about us: Google with search, mail, calendars, maps; Facebook with connections; Skype with conversations, and so on.
In its first Prism reporting, the Washington Post apparently unfairly fingered nine of these companies, accusing the NSA and FBI of “tapping directly into the central servers” that hold our “chats, photographs, e-mails, documents, and connection logs.” Quickly, the companies repudiated that claim and sought the right to report at least how many secret demands are made. But there’s more they can and should do.
(2) Communications brands with consumer relationships that hand over metadata and/or open taps on internet traffic for collection by the NSA and Britain’s GCHQ, creating vast databases that can then be searched via XKeyscore. Verizon leads that list, and we now know from the Süddeutsche Zeitung that it also includes BT and Vodafone.
(3) Bandwidth providers that enable the NSA and its international partners to snoop on the net, wholesale. The Süddeutsche lists the three telco brands above in addition to Level 3, Global Crossing, Viatel, and Interroute. Eric King, head of research for Privacy International, asked in the Guardian, “Were the companies strong-armed, or are they voluntary intercept partners?”
The bulk data carriers have no consumer brands or relationships and thus are probably the least likely to feel commercial pressure to protect the rights of the users at the edge. The telephone companies should care more but they operate as oligopolies with monopoly attitudes and rarely exhibit consumer empathy (which is a nice way of saying their business models are built on customer imprisonment).
A hodgepodge alliance of U.S. legislators is finally waking up to the need and opportunity to stand up for citizens’ rights, but they will be slow and, don’t we know, ineffective and often uninformed. The courts will be slower and jealous of their power. Diplomacy’s the slowest route to reform yet, dealing in meaningless symbolism.
So our strongest expectations must turn to the first tier above, the consumer internet platforms. They have the most to lose — in trust and thus value — in taking government’s side against us.
At the Guardian Activate conference in London last month, I asked Vint Cerf, an architect of the net and evangelist for Google, about encrypting our communication as a defense against NSA spying. He suggested that communication should be encrypted into and out of internet companies’ servers (thwarting, or so we’d hope, the eavesdropping on the net’s every bit over telcos’ fibre) but should be decrypted inside the companies’ servers so they could bring us added value based on the content: a boarding pass on our phone, a reminder from our calendar, an alert about a story we’re following (not to mention a targeted ad).
Now there are reports that Google is looking at encrypting at least documents stored in Google Drive. That is wise in any case, as often these can contain users’ sensitive company and personal information. I now think Google et al need to go farther and make encryption an option on any information. I don’t want encryption to be the default because, in truth, most of my digital life is banal and I’d like to keep getting those handy calendar reminders. But technology companies need to put the option and power of data security directly into users’ hands.
That also means that the technology companies have to reach out and work with each other to enable encryption and other protections across their services. I learned the hard way how difficult it is to get simple answers to questions about how to encrypt email. The industry should work hard to make that an option on every popular service.
But let’s be clear that encryption is not the solution, probably only a speed bump to the NSA’s omnivorous ingesting. At the Activate conference, Cerf was asked whether the solution in the end will be technical or institutional. No doubt, institutional, he answered. That means that companies and government agencies must operate under stated principles and clear laws with open oversight.
Before Snowden’s leaks, technology CEOs would have had to balance cooperation and resistance just as the nation supposedly balances security and privacy. But now the tide of public opinion has clearly shifted — at least for now — and so this is the moment to grab control of issue.
If they do not assert that clear control, these technology companies risk losing business not only from skittish consumers but also from corporate and foreign-government clients. The Cloud Security Alliance polled companies and found that 10% had canceled U.S. cloud business and 56% were less likely to do business with U.S. providers. “If businesses or governments think they might be spied on,” said European Commission Vice President Neelie Kroes, “they will have less reason to trust the cloud, and it will be cloud providers who ultimately miss out.”
Besides taking action to secure technology and oversight within their companies and the industry, right-thinking technology companies also need to band together to use their political capital to lobby governments across the world to protect the rights of users and the freedom and sanctity of privacy and speech on the net. They must take bold and open stands.
To do that, they must first decide on the principles they should protect. In my book Public Parts, I proposed some principles to discuss, among them:
* the idea that if any bit on the net is stopped or detoured — or spied upon — then no bit and the net itself cannot be presumed to be free;
* that the net must remain open and distributed, commandeered and corrupted by no government;
* that citizens have a right to speak, assemble, and act online and thus have a right to connect without fear;
* that privacy is an ethic of knowing someone else’s information and coming by it openly;
* and that government must become transparent by default and secret by necessity (there are necessary secrets). Edward Snowden has shown us all too clearly that the opposite is now true.
I also believe that we must see a discussion of principles and ethics from the technologists inside these companies. One reason I have given Google the benefit of the doubt — besides being an admirer — is that I believe the engineers I know inside Google would not stay if they saw it violating their ethics even if under government order.
Yonathan Zunger, the chief architect of Google+, said this after the Guardian’s and Glenn Greenwald’s first revelations were published:
I can tell you that it is a point of pride, both for the company and for many of us, personally, that we stand up to governments that demand people’s information…. I can categorically state that nothing resembling the mass surveillance of individuals by governments within our systems has ever crossed my plate. If it had, even if I couldn’t talk about it, in all likelihood I would no longer be working at Google.
In the end, it’s neither technologies nor institutions that will secure us from the inexorable overreach of government curiosity in the face of technical capability. Responsibility for oversight and correction begins with individuals, whether whistleblowers or renegade politicians or employees of conscience who finally remind those in power: “Don’t be evil.”
