A video interview with the cryptographer studying the Snowden documents
Since Edward Snowden's disclosures about widespread NSA surveillance, Americans and people everywhere have been presented with a digital variation on an old analog threat: the erosion of freedoms and privacy in exchange, presumably, for safety and security.
Bruce Schneier knows the debate well. He's an expert in cryptography and he wrote the book on computer security; Applied Cryptography is one of the field's basic resources, "the book the NSA never wanted to be published," raved Wired in 1994. He knows the evidence well too: lately he's been helping the Guardian and the journalist Glenn Greenwald review the documents they have gathered from Snowden, in order to help explain some of the agency's top secret and highly complex spying programs.
To do that, Schneier has taken his careful digital privacy regime to a new level, relying on a laptop with an encrypted hard drive that he never connects to the internet. That couldn't prevent the laptop from being pilfered during, say, a "black bag operation," of course. "I know that if some government really wanted to get my data, there'd be little I could do to stop them."
Video interview: Motherboard Meets Bruce Schneier
Still, Schneier manages to avoid paranoia. When we met at the Berkman Center at Harvard Law School, where he's now a research fellow, scribbling away on security, the Internet, and power, Schneier wore a Hawaiian shirt and a ponytail; he had the cool demeanor of a rebellious tenured professor. He insisted that the Snowden bombshells only confirmed things he and many others had known for years. "Nothing in the documents is really a surprise," he said.
I asked him about the NSA disclosure that bothered him most. He described how, in the name of defending the country, the hackers of the NSA are committing a cardinal digital sin: weakening the Internet by targeting cryptography and other security measures that make the Internet secure for the bad guys and for everyone else too.
Slides from top secret GCHQ and NSA presentations released by Edward Snowden. See more documents at the EFF.
The NSA used to target only foreign signals, and according to its own legal interpretations, that's what it still does. But communications are now global: the Internet is so interconnected that everything and everyone on the network becomes a potential target, even the network itself.
That's not to say that the NSA has "broken" all cryptography: "the math works," says Schneier, and while anonymizing tools like Tor are targeted by the NSA, they seem to remain secure. Instead, the NSA appears to have manipulated encryption tools and tapped into data center links and fiber backbones—in essence, silently removing the hinges from their doors.
"We do know they made a systematic effort to place back doors in the products we use to get our security, and that makes us all less safe," he said. Schneier, like others in the cryptography community, regularly trades hunches and suspicions about NSA encryption exploits, and the National Institute of Standards and Technology, the federal group that sets encryption standards, is reviewing its past work in light of the NSA scandal. But few know for sure just how widespread the NSA's targeting of encryption standards is. And, Schneier worries, those who do know might not necessarily be well-intentioned.
"It's folly to believe they are the only ones that are taking advantage of it," he said. "So [the NSA is] saying in effect, we want to listen in on the Chinese, so much that we're gonna let the Chinese listen in on you. I think we'll be safer in a world where neither can listen—if we spend more effort on security, on assurance, then we'll be safer, even though there are bad actors."
Surprise or no, Schneier admits that revelations like this are still hard for us to compute. He pulled out a little metaphorical key to that idea: "It's a lot like thinking about death. We know it's coming. It's not a surprise. And yet when it comes, it's always a surprise," he said. "That's what Snowden is doing—he's making us think about this."
Thinking about surveillance doesn't need to be overly philosophical or difficult or even creepy. "It's not about anonymity, it's not about secrecy—it's about control." That concern over how our data is treated, by whom and for what, applies to how government surveillance is conducted, but it's also crucial when thinking about the companies that act as stewards of our data, and which offer the government and who knows who else a ready font of valuable information about us.
And while we may have tacit and Constitutional agreements with the government (agreements that have been broken), Schneier worries that we lack similar protections from big tech companies and their "feudal"-like systems where we work and play. Why not have "a Magna Carta for the Internet," he wonders, to more clearly articulate the terms of our relationship with governments and corporations? (As the Web turned 25 years old on March 12, its inventor, Tim Berners-Lee, also called for a Web "Magna Carta".) That would help to establish some kind of trust—which is, he points out, crucial for society, for security, and when it's necessary, secrecy.
But under the shroud of too much secrecy, and not enough oversight and transparency, security measures can run roughshod over our standards and our sense of autonomy. Kept in the dark, we may have nothing to say about it. There are technological solutions, like continually improving cryptography and protecting yourself online, but there are political ones too: a number of measures are now afoot in Congress and in the courts meant to rein in the government and Internet companies.
Schneier is carefully optimistic about political change, especially as more young people enter the fray with a stronger sense of the relationship between our data and our lives as citizens. But given how little most people tend to think about their data or their privacy, he worries that serious political responses to the problem of digital security might take some time. Consider something as basic as the most common password. "It used to be 'password,' but we all got better, and now it's 'password1,'" he chuckled. "That fools all the hackers—don't tell them!"
Updated March 14 to include Tim Berners-Lee's "Magna Carta" for the Web.