(This is a guest post from AJ Bahnken, and was originally delivered at the inaugural edition of Santa Barbara’s Techno-Activism Third Mondays (TA3M) meetup.)
As many have stated, this past year has been the Year of Privacy. The year of realizations and revelations in privacy issues and in fighting back against forced exposure. A lot has come to light this past year on the vicious actions of those involved in global surveillance. With everything that has occurred, this much is clear: We have learned a lot this last year.We learned that the conspiracy theories of yesterday are in fact a reality. We learned about the willing and unwilling interception of data from consumer software. We learned about the recording of all of our phone calls, and that the same companies that are providing us with this technology are now profiting from this interception. We learned about forced tapping of the major telecom companies in the European Union. We learned that many public webmail providers are lacking up-to-date web security measures in their software.
We’ve learned that we can’t trust the technology behind our proprietary consumer products.
We learned that centralized power has failed us.
We learned about the attack on the creation process behind cryptographic algorithms, thereby making all of us less secure. We learned that the NSA and GCHQ have been directly targeting privacy software like Tor. We learned more about the extent of the privatization of anti-privacy software and solutions, and that it is scary and vast. We learned that the GCHQ has resorted to phishing social networks like Linkedin to get the information they want.
We learned that the NSA requested phone numbers from US Government officials, and then proceeded to wiretap them, specifically mentioning that they are monitoring conversations of at least 35 world leaders. We learned that the victims of this data analysis are worldwide, and that the data obtained is searchable, as easy as making a query with Google.We learned that we must encrypt everything.
We learned from Mediastan that the media outside and inside the US are afraid of speaking against the government, and for this reason choose to self-censor their publications. We watched the Congress dance around Do-Not-Track, an “agreed standard” band-aid for ad companies which has continued to go nowhere. We watched the targets of programs like PRISM conveniently ignore these issues until they realized they were victims as well, and even then, only some started to raise concerns. We watched the Five Eyes work hard to soften the language of surveillance resolutions at the UN.
We learned that others won’t always take the stand for us.
The above is an overview of some of the lessons learned this last year, especially ones that are close to home for myself. There is a lot to each one, and a lot to each point. If you are interested in any of them, please follow the citations and their sources.
Now that the overview is complete, I would like to dive into each of the lessons that have been pointed out.
1. We’ve learned that we can’t trust the technology behind our proprietary consumer products.
When Glenn Greenwald started leaking documents, one of the initial big leaks was that of the NSA program PRISM. Many in the security and privacy space had been saying something of this sort was in existence, but there was never this much explicit evidence. The discussion of a “Facebook API for the government” or similar tools was still yet to be brought into the open.PRISM showed the semi-voluntary retrieval of our private data from the products of companies Dropbox, Google, Yahoo, Microsoft (including their product Skype), Apple, Facebook, Twitter, and AOL. We now have explicit examples of voluntary contributions, such as Microsoft developing software to collect encrypted emails in Outlook.com’s chat, and the NSA having access to Outlook.com emails by collecting them prior to encryption.
In regards to cellular companies, one of the first Snowden articles from The Guardian talked about how the NSA was collecting millions of phone records from Verizon customers on a daily basis. Alongside that, in 2012 The Huffington Post had reported that Verizon and AT&T had set up shop to make money from the frequent data requests coming from the government.As part of a response to PRISM and similar programs, the EFF issued a security report on the state of web encryption. In this we saw that most public email providers lacking support for STARTTLS, among other things, and that the tech-giants are not doing so well generally in terms of web encryption.For alternatives, check out http://prism-break.org
2. We learned that centralized power has failed us.
MUSCULAR is a program from the NSA that secretly collects data from companies like Google and Yahoo when that data is leaving the country. This is the willing side, where PRISM was the more unwilling side. MUSCULAR showed us that, in the case where everyone fought back against this data collection, the NSA would still find a loophole in which it was “OK” for them to collect the information that they desire. This shines a bright light on the fallacies of centralized power on the web.If everyone is trusting Google with their emails, contacts, messages, and interests, then all anyone needs to do is to hack Google to acquire this data. For malicious hackers, this is challenging, for Google is an engineering-centric company that has spent a lot of time on combating this possibility. But if you are a branch of the United States Government, then it becomes much easier to simply tap into the connection between domestic and foreign data centers.
MUSCULAR also showed us the extent to which the NSA is willing to go to get the data and information it desires to collect. Stepping on the toes of US-based companies in the name of “national security”.
3. We learned that we must encrypt everything.
Just because there is mass surveillance going on does not mean that we need to stop communicating electronically. We just need to be smarter about it. When asked what remains as a tactic to combat mass surveillance, Snowden said that “good encryption still works”. Whether it be sharing files, instant messaging, or email, we must use encryption if we want to circumvent this global invasion of privacy. The NSA will store those messages if they can, with the hope that someday they will be able to crack them, but that is a lot better than the ability to instantly categorize and analyze all communications with ease.If this is a new subject for you, I recommend checking out OTR (https://otr.cypherpunks.ca/), Truecrypt (http://www.truecrypt.org/), and GnuPG (http://www.gnupg.org/). Also, The EFF’s Surveillance Self-Defense project (https://ssd.eff.org/) contains more in-depth information on this topic.
4. We learned that others won’t always take the stand for us.
Personally, this one was the most heartbreaking revelations of the year. A lot of so-called journalists in the major media and high profile policy pushers did nothing this year. Mediastan showed the reluctance of editors to publish controversial material, self-censoring their reports. The effort for pushing Do-Not-Track to Congress has been going nowhere, it almost seems like many have forgotten or started ignoring it.
Though we must recognize the journalists and policy pushers that have been working hard this year, because there are many. Organizations like the EFF, the ACLU, the Open Technology Institute and EPIC, individuals such as Glenn Greenwald, Jacob Appelbaum, and Laura Poitras, and publications such as Der Spiegel, The Guardian, and O Globo deserve all the admiration in the world.
The tech giants that were targeted in PRISM and MUSCULAR took far too long to take a stand. They have the ability to quickly carry weight in this conversation, and they stood by for far too long. It took the display of them being “victims” for them to start doing anything. This just goes to show how much they don’t care, unless there is money in it for them.
Having such a wave of distrust in a single year has been difficult. We’ve learned that we are all under near complete tech-surveillance due to the actions (or lack thereof) by so many in government and the tech sector. The biggest lesson from last year is that this all must change, that it has gotten way out of hand.
I am not sure what the solution is, but it will probably have to come in the form of societal, political, and technological shifts. Nevertheless, I know that we can all do our part by getting involved in even the simplest of ways. We don’t all have to become full-time activists to assist this movement. There are local groups springing up like TA3M (http://ta3m.net/) that are a great way to get involved. Joining the conversation on Twitter or other websites is another great way to get involved that doesn’t require too much time or effort. If you are a developer, open source projects like arkOS, LEAP Encryption Access Project, and the Tor Project could always use your help.
Whatever you do, I would suggest not sitting on your hands waiting for others to “make it better”.