On the evening of Monday 23 February, Edward Snowden joined Glenn Greenwald and Oscar-winning Citizenfour director Laura Poitras to answer questions submitted by Reddit users. Edward Snowden’s answers covered NSA information management, his life in Russia, how whistleblowers can best be protected and making surveillance an important issue in the next US Presidential election, among other issues.
The discussion also touched on two recent news reports: the bulk seizure of SIM card encryption keys by the NSA and GCHQ; and the exposure by the Kaspersky Group of state-level Equation Group malware, which has widely been attributed to the NSA. A previous malware discovery, Regin, has been corroborated as having links to the NSA and its Five Eyes allies by documents disclosed by Snowden.
Reddit confirmed that the AMA was viewed over a million times on the evening it was published. A selection of Edward Snowden’s answers follows below.
Mr. Snowden, what do you think about the latest news Kaspersky broke? I understand they don’t talk about victims and aggressors because it’s their business model. But do you think they should name the NSA as an aggressor when they know about it?
The Kaspersky report on the “Equation Group” (they appear to have stopped short of naming them specifically as NSA, although authorship is clear) was significant, but I think more significant is the recent report on the joint UK-UK hacking of Gemalto, a Dutch company that produces critical infrastructure used around the world, including here at home.
Why? Well, although firmware exploitation is nasty, it’s at least theoretically reparable: tools could plausibly be created to detect the bad firmware hashes and re-flash good ones. This isn’t the same for SIMs, which are flashed at the factory and never touched again. When the NSA and GCHQ compromised the security of potentially billions of phones (3G/4G encryption relies on the shared secret resident on the SIM), they not only screwed the manufacturer, they screwed all of us, because the only way to address the security compromise is to recall and replace every SIM sold by Gemalto.
Our governments – particularly the security branches – should never be weighing the equities in an intelligence gathering operation such that a temporary benefit to surveillance regarding a few key targets is seen as more desirable than protecting the communications of a global system (and this goes double when we are more reliant on communications and technology for our economy productivity than our adversaries).
So far Gemalto is claiming SIMs are still secure.
Not believing them at this point. Theoretically I would believe them if they had found some traces of an intrusion and had figured out that it would not have allowed access to private keys. But based on just their claims of security, not buying it yet.
I wouldn’t believe them either. When we’re talking about how to weight reliability between specific government documents detailing specific Gemalto employees and systems (and tittering about how badly they’ve been owned) against a pretty breezy and insubstantial press release from a corporation whose stock lost 500,000,000 EUR in value in a single day, post-report, I know which side I come down on.
That’s not to say Gemalto’s claims are totally worthless, but they have to recognize that their business relies on trust, and if they try to wave away a serious compromise, it’ll cost them more than it saves them.
Edward, a friend of mine works for the NSA. He still actively denies that anything you have done or said is legitimate, completely looking past any documented proof that you uncovered and released.
Is this because at lower levels of the agency, they don’t see what’s going on in the intelligence gathering section? Or do you suspect he simply refuses to see any wrongdoing by his employer?
So when you work at NSA, you get sent what are called “Agency-All” emails. They’re what they sound like: messages that go to everybody in the workforce.
In addition to normal bureaucratic communications, they’re used frequently for opinion-shaping internally, and are often classified at least in part. They assert (frequently without evidence) what is true or false about cases and controversies in the public news that might influence the thinking about the Intelligence Community workforce, while at the same time reminding them how totally screwed they’ll be if they talk to a journalist (while helpfully reminding them to refer people to the public affairs office).
Think about what it does to a person to come into their special top-secret office every day and get a special secret email from “The Director of NSA” (actually drafted by totally different people, of course, because senior officials don’t have time to write PR emails) explaining to you why everything you heard in the news is wrong, and how only the brave, patriotic, and hard-working team of cleared professionals in the IC know the truth.
Think about how badly you want to believe that. Everybody wants to be valued and special, and nobody wants to think they’ve perhaps contributed to a huge mistake. It’s not evil, it’s human.
Tell your friend I was just like they are. But there’s a reason the government has — now almost two years out — never shown me to have told a lie. I don’t ask anybody to believe me. I don’t want anybody to believe me. I want you to look around and decide for yourself what you believe, independent of what people say, independent of what’s on TV, and independent of what your classified emails might claim.
How can we make sure that people still want to leak important information when everyone who does so puts the rest of their lives at stake?
Whistleblower protection laws, a strong defense of the right for someone charged with political crimes to make any defense they want (currently in the US, someone charged with revealing classified information is entirely prohibited from arguing before the jury that the programs were unlawful, immoral, or otherwise wrongful), and support for the development of technically and legally protected means of communications between sources and journalists.
The sad truth is that societies that demand whistleblowers be martyrs often find themselves without either, and always when it matters the most.
Mr. Snowden, if you had a chance to do things over again, would you do anything differently? If so, what?
I would have come forward sooner. I talked to Daniel Ellsberg about this at length, who has explained why more eloquently than I can.
Had I come forward a little sooner, these programs would have been a little less entrenched, and those abusing them would have felt a little less familiar with and accustomed to the exercise of those powers. This is something we see in almost every sector of government, not just in the national security space, but it’s very important:
Once you grant the government some new power or authority, it becomes exponentially more difficult to roll it back. Regardless of how little value a program or power has been shown to have (such as the Section 215 dragnet interception of call records in the United States, which the government’s own investigation found never stopped a single imminent terrorist attack despite a decade of operation), once it’s a sunk cost, once dollars and reputations have been invested in it, it’s hard to peel that back.
Don’t let it happen in your country.
What’s the best way to make NSA spying an issue in the 2016 Presidential Election? It seems like while it was a big deal in 2013, ISIS and other events have put it on the back burner for now in the media and general public. What are your ideas for how to bring it back to the forefront?
This is a good question, and there are some good traditional answers here. Organizing is important. Activism is important.
At the same time, we should remember that governments don’t often reform themselves. One of the arguments in a book I read recently (Bruce Schneier, “Data and Goliath”), is that perfect enforcement of the law sounds like a good thing, but that may not always be the case. The end of crime sounds pretty compelling, right, so how can that be?
Well, when we look back on history, the progress of Western civilization and human rights is actually founded on the violation of law. America was of course born out of a violent revolution that was an outrageous treason against the crown and established order of the day. History shows that the righting of historical wrongs is often born from acts of unrepentant criminality. Slavery. The protection of persecuted Jews.
But even on less extremist topics, we can find similar examples. How about the prohibition of alcohol? Gay marriage? Marijuana?
Where would we be today if the government, enjoying powers of perfect surveillance and enforcement, had — entirely within the law — rounded up, imprisoned, and shamed all of these lawbreakers?
Ultimately, if people lose their willingness to recognize that there are times in our history when legality becomes distinct from morality, we aren’t just ceding control of our rights to government, but our agency in determining our futures.
How does this relate to politics? Well, I suspect that governments today are more concerned with the loss of their ability to control and regulate the behavior of their citizens than they are with their citizens’ discontent.
How do we make that work for us? We can devise means, through the application and sophistication of science, to remind governments that if they will not be responsible stewards of our rights, we the people will implement systems that provide for a means of not just enforcing our rights, but removing from governments the ability to interfere with those rights.
You can see the beginnings of this dynamic today in the statements of government officials complaining about the adoption of encryption by major technology providers. The idea here isn’t to fling ourselves into anarchy and do away with government, but to remind the government that there must always be a balance of power between the governing and the governed, and that as the progress of science increasingly empowers communities and individuals, there will be more and more areas of our lives where — if government insists on behaving poorly and with a callous disregard for the citizen — we can find ways to reduce or remove their powers on a new — and permanent — basis.
Our rights are not granted by governments. They are inherent to our nature. But it’s entirely the opposite for governments: their privileges are precisely equal to only those which we suffer them to enjoy.
We haven’t had to think about that much in the last few decades because quality of life has been increasing across almost all measures in a significant way, and that has led to a comfortable complacency. But here and there throughout history, we’ll occasionally come across these periods where governments think more about what they “can” do rather than what they “should” do, and what is lawful will become increasingly distinct from what is moral.
In such times, we’d do well to remember that at the end of the day, the law doesn’t defend us; we defend the law. And when it becomes contrary to our morals, we have both the right and the responsibility to rebalance it toward just ends.
We’ve now known about the scary stuff happening at the NSA for quite some time. And yet from what I’ve seen, there’s been no real effort to stop it.
What are your thoughts on what we, as regular citizens, can do now?
One of the biggest problems in governance today is the difficulty faced by citizens looking to hold officials to account when they cross the line. We can develop new tools and traditions to protect our rights, and we can do our best to elect new and better representatives, but if we cannot enforce consequences on powerful officials for abusive behavior, we end up in a system where the incentives reward bad behavior post-election.
That’s how we end up with candidates who say one thing but, once in power, do something radically different. How do you fix that? Good question.
Mr Snowden, do you feel that your worst fear is being realized, that most people don’t care about their privacy?
To answer the question, I don’t. Poll after poll is confirming that, contrary to what we tend to think, people not only care, they care a lot. The problem is we feel disempowered. We feel like we can’t do anything about it, so we may as well not try.
It’s going to be a long process, but that’s starting to change. The technical community (and a special shoutout to every underpaid and overworked student out there working on this — you are the noble Atlas lifting up the globe in our wildly inequitable current system) is in a lot of ways left holding the bag on this one by virtue of the nature of the problems, but that’s not all bad. 2013, for a lot of engineers and researchers, was a kind of atomic moment for computer science. Much like physics post-Manhattan project, an entire field of research that was broadly apolitical realized that work intended to improve the human condition could also be subverted to degrade it.
Politicians and the powerful have indeed got a hell of a head start on us, but equality of awareness is a powerful equalizer. In almost every jurisdiction you see officials scrambling to grab for new surveillance powers now not because they think they’re necessary — even government reports say mass surveillance doesn’t work — but because they think it’s their last chance.
Maybe I’m an idealist, but I think they’re right. In twenty years’ time, the paradigm of digital communications will have changed entirely, and so too with the norms of mass surveillance.
Don’t you find it kind of depressing how little the world was actually moved by the revelations?
To dogpile on to this, many of the changes that are happening are invisible because they’re happening at the engineering level. Google encrypted the backhaul communications between their data centers to prevent passive monitoring. Apple was the first forward with an FDE-by-default smartphone (kudos!). Grad students around the world are trying to come up with ways to solve the metadata problem (the opportunity to monitor everyone’s associations — who you talk to, who you sleep with, who you vote for — even in encrypted communications).
The biggest change has been in awareness. Before 2013, if you said the NSA was making records of everybody’s phone calls and the GCHQ was monitoring lawyers and journalists, people raised eyebrows and called you a conspiracy theorist.
Those days are over. Facts allow us to stop speculating and start building, and that’s the foundation we need to fix the internet. We just happened to be the generation stuck with fighting these fires.
Russian journalist Andrei Soldatov has described your daily life as circumscribed by Russian state security services, which he said control the circumstances of your life there. Is this accurate? What are your interactions with Russian state security like? With Russian government representatives generally?
Good question, thanks for asking.
The answer is “of course not.” You’ll notice in all of these articles, the assertions ultimately come down to speculation and suspicion. None of them claim to have any actual proof, they’re just so damned sure I’m a Russian spy that it must be true.
And I get that. I really do. I mean come on – I used to teach “cyber counterintelligence” (their term) at DIA.
But when you look at it in aggregate, what sense does that make? If I were a Russian spy, why go to Hong Kong? It would have been an unacceptable risk. And further – why give any information to journalists at all, for that matter, much less so much and of such importance? Any intelligence value it would have to the Russians would be immediately compromised.
If I were a spy for the Russians, why the hell was I trapped in any airport for a month? I would have gotten a parade and a medal instead.
The reality is I spent so long in that damn airport because I wouldn’t play ball and nobody knew what to do with me. I refused to cooperate with Russian intelligence in any way (see my testimony to EU Parliament on this one if you’re interested), and that hasn’t changed.
At this point, I think the reason I get away with it is because of my public profile. What can they really do to me? If I show up with broken fingers, everybody will know what happened.
Don’t you fear that at some point you will be used as leverage in a negotiation? E.g., “if you drop the sanctions we give you Snowden”
It is very realistic that in the realpolitik of great powers, this kind of thing could happen. I don’t like to think that it would happen, but it certainly could.
At the same time, I’m so incredibly blessed to have had an opportunity to give so much back to the people and internet that I love. I acted in accordance with my conscience and in so doing have enjoyed far more luck than any one person can ask for. If that luck should run out sooner rather than later, on balance I will still – and always – be satisfied.
Can you explain what your life in Moscow is like?
Moscow is the biggest city in Europe. A lot of people forget that. Shy of Tokyo, it’s the biggest city I’ve ever lived in. I’d rather be home, but it’s a lot like any other major city.
What validation do we have that Putin is being honest about NOT spying in Russia?
To tag on to the Putin question: There’s not, and that’s part of the problem world-wide. We can’t just reform the laws in one country, wipe our hands, and call it a day. We have to ensure that our rights aren’t just being protected by letters on a sheet of paper somewhere, or those protections will evaporate the minute our communications get routed across a border. The only way to ensure the human rights of citizens around the world are being respected in the digital realm is to enforce them through systems and standards rather than policies and procedures.