Security experts Bruce Schneier and Mikko Hypponen on the NSA, PRISM and why we should be worried

As Edward Snowden is linked to one country after the next, the media has its eye fixed on where he will next request asylum. (Today, it’s Russia.) Meanwhile, back at US headquarters, as NSA officials speak in a House Judiciary Committee hearing, the agency is still doing what it’s doing. To get more information on exactly what that means, the TED Blog wrote to two security experts, Bruce Schneier (watch his talk) and Mikko Hypponen (see his talk), to ask them about what it is we should be worried about. Turns out, pretty much everything.

For people who work in security, is the existence of PRISM surprising? Which aspects of it are routine or expected or even necessary, and which are genuinely dangerous?

Bruce Schneier: The security mirage

Bruce Schneier: First, be careful with names. PRISM is a specific NSA database, just a part of the overall NSA surveillance effort. The agency has been playing all sorts of games with names, dividing their efforts up and using many different code names in an attempt to disguise what they’re doing. It allows them to deny that a specific program is doing something, while conveniently omitting the fact that another program is doing the thing and the two programs are talking to each other. So I am less interested in what is in the specific PRISM database, and more what the NSA is doing overall with domestic surveillance.

The Snowden documents reveal NSA’s broad surveillance against Americans. Those of us who watch the NSA know that their goal is to eavesdrop on everything, but the scope and extent of their domestic surveillance was surprising. Our laws are supposed to protect against this sort of abuse, but in the years after the 9/11 terrorist attacks they failed pretty severely. Also surprising was the tortured legal reasoning used to justify these surveillance programs, and the extent to which the FISA [Foreign Intelligence Surveillance Act] court failed to provide any meaningful oversight.

None of this is routine, none of this is necessary. All of it is dangerous. I live in a country where secret judges make secret rulings based on secret laws — where there is a body of secret law. That’s not how America is supposed to be, and that’s extremely dangerous.

What data, exactly, is being collected about American citizens? What isn’t?

Bruce Schneier: We don’t know what is being collected exactly, but a safe assumption is that approximately everything is being collected. Computers generate transaction data as a byproduct of their operation. And since pretty much everything we do is mediated by computers in some way, pretty much everything we do generates some form of personal data. The NSA is trying to collect all of it. So think of everything you do on the Internet: browsing, shopping, chatting, friending. Think of everything you do on your phone, including where you are. Think of everything you do financially that doesn’t involve cash, and so on and so on. We know that all of this is being collected by the NSA, and stored in databases such as PRISM.

Mikko Hypponen: That’s a good question, and it’s exactly the wrong question to ask. Much of the recent outrage about the surveillance programs has been about the monitoring of U.S. citizens, as it’s probably illegal. However, U.S. intelligence has the legal right to monitor foreign communications as they go through to U.S. service providers. However, even though something is legal doesn’t make it right. I’m not American; I don’t really care about what data is being collected about American citizens. I’m worried about us, the foreigners. After all, we foreigners make up 96 percent of the people on the planet.

The United States has an unfair advantage, as most of the popular cloud services, search engines, computer and mobile operating systems or web browsers are made by U.S. companies. When the rest of the world uses the net, they are effectively using U.S.-based services, making them a legal target for U.S. intelligence.

But foreigners are not automatically criminals or terrorists. And in a surveillance state, everybody is assumed guilty.

What, if anything, can citizens do to protect themselves from potentially unlawful uses of PRISM?

Bruce Schneier: A rogue NSA is a political problem, and the solutions are political. We need elected officials that will rein the agency in. We need judges and courts that will respect the Constitution and enforce the law. Seems far-fetched, I agree, but that’s our only solution.

Mikko Hypponen: Three types of online attack

Mikko Hypponen: Unfortunately, there’s nothing individual users can do to change what the U.S. is doing. The only things that can be effective are 1) political pressure and 2) alternative services. We’re seeing very weak political pressure coming from the EU parliament and from world leaders in general. They just don’t seem to be willing to take the U.S. on for this. Alternative services would mean that there would be services available to compete with Google, Facebook, Amazon, Dropbox, Skype, etc., and they would be run by companies not based in the U.S.A. The rest of the world has simply failed in being able to compete with them, and we really should be doing better here.

What aspects, if any, of the leak of PRISM pose a risk to national security?

Bruce Schneier: It’s not public knowledge of PRISM that poses a risk to national security, it’s the database itself — and the other databases with other names, and the NSA in general. Massive invasions of privacy without counterbalancing transparency and oversight are very dangerous to the security of our nation. It’s the reason our Constitution forbids it, and the reason we don’t look longingly at other governments that treat their citizens in this way.

The leak is the best thing that could happen to national security, because it gives us a chance at fixing these genuine threats.

Where did the government go wrong, and what can they do better?

Bruce Schneier: Basically, they went wrong by breaking the law. And they can do better by following the law. More specifically, the government went wrong right after the terrorist attacks of 9/11. They reacted out of fear, and in a mistaken attempt to be more secure, they gave the NSA free rein to engage in mass domestic surveillance. A recent op-ed in The New York Times called the NSA a criminal organization. That’s a good characterization of what’s going on right now, and we all need to demand better out of our government.