Long story short:
* If it’s a commercial product, the NSA/GCHQ have by hook, crook, or threat of export ban got an official backdoor/bug-door in it.
* If it’s an open-source product, there are several skilled programmers per project paid to contribute full-time (but make it look part-time) and ensure backdoors/bug-doors get added.
Don’t trust anything you don’t understand, indeed!
Schneier has an excellent, if somewhat ironic essay in the Guardian, in which he opines “the US government has betrayed the Internet. We need to take it back. […] the US has proved to be an unethical steward of the internet. The UK is no better. The NSA’s actions are legitimizing the internet abuses by China, Russia, Iran and others. We need to figure out new means of internet governance, ones that makes it harder for powerful tech countries to monitor everything”
Far be it for me to detract from his words. “We need to figure out how to re-engineer the internet to prevent this kind of wholesale spying” and “we need open protocols, open implementations, open systems” are quotes worth repeating.
But he also calls for whistleblowers to contact him directly (“I’ve heard from 5, I’d like to hear from 50”) and he has another essay advising people on how to avoid the NSA, recommending the usual suspects.
In light of this, I would point out that it’s well known Schneier is an “ex-DoD” (the polite way of saying ex-NSA) cryptographer. This presumably means he once had a clearance, which, as someone once explained to me, means “they control what you write.” John Young, in a posting to the public email@example.com list, points out that “as head of BT security it is hard to believe that Schneier did not know about BT’s covert cooperation with GCHQ and NSA.”
So perhaps that’s what Schneier means by finishing his essay with “we built the internet, and some of us have helped to subvert it.” In light of the above, this may be as much regret as he can express in public without getting arrested… but I would still advise people to keep the “former Chekist” rule in mind.
This does not mean that Schneier’s blog is worth un-following. In the comments, find a most interesting story about how all this works — a story from the 80s, about the CIA running a backdoored-hardware shop that planted cleverly designed chips in database systems destined for anyone whose supply chain they could compromise. Written by the president of the company whose software they pirated (didn’t even pay license fees!) as part of the effort. http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html
As for the rest of us, I suspect the answer to the solution is not just thinking outside the box, but thinking outside our understanding of the box.
(I’ve seen Schneier fail to do this, sticking to certain assumptions that seemed to compromise or smother the point he was making. So perhaps that’s the real root of the “former Chekist” rule — that besides whatever brainwashing those agencies do to ensure secrets stay seekrit and interests stay protected, the assumptions they etch into their employees’ minds live on long after the ink on the resignation letter’s dried.)
“By subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical internet stewards.
This is not the internet the world needs, or the internet its creators envisioned. We need to take it back.
And by we, I mean the engineering community.
Yes, this is primarily a political problem, a policy matter that requires political intervention.
But this is also an engineering problem, and there are several things engineers can – and should – do.
One, we should expose. If you do not have a security clearance, and if you have not received a National Security Letter, you are not bound by a federal confidentially requirements or a gag order. If you have been contacted by the NSA to subvert a product or protocol, you need to come forward with your story. Your employer obligations don’t cover illegal or unethical activity. If you work with classified data and are truly brave, expose what you know. We need whistleblowers.
We need to know how exactly how the NSA and other agencies are subverting routers, switches, the internet backbone, encryption technologies and cloud systems. I already have five stories from people like you, and I’ve just started collecting. I want 50. There’s safety in numbers, and this form of civil disobedience is the moral thing to do.
Two, we can design. We need to figure out how to re-engineer the internet to prevent this kind of wholesale spying. We need new techniques to prevent communications intermediaries from leaking private information.
We can make surveillance expensive again. In particular, we need open protocols, open implementations, open systems – these will be harder for the NSA to subvert.
The Internet Engineering Task Force, the group that defines the standards that make the internet run, has a meeting planned for early November in Vancouver. This group needs to dedicate its next meeting to this task. This is an emergency, and demands an emergency response.
Three, we can influence governance. I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better. The NSA’s actions are legitimizing the internet abuses by China, Russia, Iran and others. We need to figure out new means of internet governance, ones that makes it harder for powerful tech countries to monitor everything. For example, we need to demand transparency, oversight, and accountability from our governments and corporations.
Unfortunately, this is going play directly into the hands of totalitarian governments that want to control their country’s internet for even more extreme forms of surveillance. We need to figure out how to prevent that, too. We need to avoid the mistakes of the International Telecommunications Union, which has become a forum to legitimize bad government behavior, and create truly international governance that can’t be dominated or abused by any one country.
Generations from now, when people look back on these early decades of the internet, I hope they will not be disappointed in us. We can ensure that they don’t only if each of us makes this a priority, and engages in the debate. We have a moral duty to do this, and we have no time to lose.
Dismantling the surveillance state won’t be easy. Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian? Whatever happens, we’re going to be breaking new ground.
Again, the politics of this is a bigger task than the engineering, but the engineering is critical. We need to demand that real technologists be involved in any key government decision making on these issues. We’ve had enough of lawyers and politicians not fully understanding technology; we need technologists at the table when we build tech policy.
To the engineers, I say this: we built the internet, and some of us have helped to subvert it. Now, those of us who love liberty have to fix it.”