USA Today has revealed that a huge DEA phone records programme – which tracked and stored data relating to international phone calls placed by US persons – was halted as a result of Edward Snowden’s revelations. The DEA database predated 9/11 by almost ten years and “provided a blueprint for the far broader National Security Agency surveillance that followed.”
On 1 April 2015, Barack Obama signed into law an Executive Order “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”.
Media reports speculated that the new powers granted by this Executive Order would enable executive authorities to confiscate cryptocurrency holdings and even prohibit donations to Edward Snowden’s defence fund.
On the evening of Monday 23 February, Edward Snowden joined Glenn Greenwald and Oscar-winning Citizenfour director Laura Poitras to answer questions submitted by reddit users. Edward Snowden’s answers covered NSA information management, his life in Russia, how whistleblowers can best be protected and making surveillance an important issue in the next US Presidential election, among other issues.
The discussion also touched on two recent news reports: the bulk seizure of SIM card encryption keys by the NSA and GCHQ; and the exposure of state-level Equation Group malware by the Kaspersky Group, which has widely been attributed to the NSA. A previous malware discovery, Regin, has been corroborated as having links to the NSA and its Five Eyes allies by documents disclosed by Snowden.
Reddit confirmed that the AMA was viewed over a million times on the evening it was published. A selection of Edward Snowden’s answers follows below.
Laura Poitras’ documentary about Edward Snowden, CITIZENFOUR, was awarded an Oscar at the Academy Awards ceremony in Los Angeles on 22 February 2014.
In her acceptance speech, standing alongside Glenn Greenwald and Edward Snowden’s girlfriend Lindsay Mills, Laura Poitras paid tribute to Edward Snowden:
The disclosures that Edward Snowden revealed don’t only expose the threat to our privacy but to our democracy itself. When the most important decisions being made that affect all of us are being made in secret, we lose our ability to control. Thank you to Edward Snowden for his courage and to the many other whistleblowers. I share this with Glenn Greenwald and the other journalists that are exposing truth.
Snowden himself released a statement via the ACLU:
When Laura Poitras asked me if she could film our encounters, I was extremely reluctant. I’m grateful that I allowed her to persuade me. The result is a brave and brilliant film that deserves the honor and recognition it has received. My hope is that this award will encourage more people to see the film and be inspired by its message that ordinary citizens, working together, can change the world.
Courage, the organisation that runs Edward Snowden’s defence fund and this website, also released a statement, which emphasises the “dangerous gap in protections for whistleblowers” demonstrated in the film.
The Courage Foundation is delighted that CITIZENFOUR has been awarded the Oscar for the Best Documentary Feature of 2014.
The film shows that after journalists left Edward Snowden in Hong Kong, awaiting the United States’ charges and extradition request, Snowden relied on WikiLeaks to secure him asylum. As Laura Poitras’ film depicts, Snowden is now safe, living comfortably with his girlfriend in Moscow, but the film demonstrates the dangerous gap in protections for whistleblowers. WikiLeaks’ rescue – and the need it demonstrated – was the inception of Courage, devoted to providing protections, defence and safety nets for whistleblowers in the highest-risk situations, when others can’t or won’t help.
Courage, which hosts Edward Snowden’s only official defence fund, is establishing international networks ready to provide future Snowdens with logistical and legal help, in addition to assisting journalistic sources at risk before the investigation stage. But we need your help. Fighting legal battles against the most powerful governments in the world is expensive, yet essential. Courage’s Acting Director Sarah Harrison said: “Governments are ramping up their efforts to persecute those who expose the truth, and we must do the same if we’re going to keep our truth-tellers safe. Donate to Courage to ensure we are there when we are needed most.”
On Saturday, 14 February, Edward Snowden participated in ACLU Hawaii’s First Amendment Conference by videolink from Moscow. Ben Wizner, Edward Snowden’s ACLU lawyer, also participated in the event.
Video of the event follows below; a full recap is available at civilbeat.com.
Edward Snowden participated by videolink in a discussion with Glenn Greenwald and Laura Poitras about CitizenFour and the issues it raises on the evening of 12 February 2015.
Video of the event follows below. David Carr, the New York Times media columnist who moderates the discussion, passed away shortly after this interview.
Since the first reporting on documents disclosed by Edward Snowden in June 2013, a number of legal challenges to GCHQ’s surveillance practices have been initiated in the UK. Today, in response to one of those applications, from Liberty and several other organisations, the court that oversees the GCHQ ruled against the UK intelligence services for the first time in its controversial 15-year history.
Edward Snowden’s conversation with Bruce Schneier formed the first session in Harvard’s annual Data Privacy Symposium. Bruce Schneier has written widely on the subject of encryption and has had access to the NSA and GCHQ documents held by the Guardian.
A recap of the main themes of the discussion follows after the video.
Bruce Schneier begins the discussion by remarking that “for me the biggest surprise in the NSA documents is the lack of big surprises.” Edward Snowden responds that, as he has said before, “encryption really is one of the main things, when the mathematics are properly implemented, that we can rely on”, but that still leaves the NSA and other agencies opportunities to subvert communications: “typically the software is not reliable but… the math is sound.”
The conversation then moves on to James Clapper’s remarks in his introduction to the 2013 Congressional Budget Justification for the US intelligence community (the “Black Budget”). Is the talk of “investing in groundbreaking cryptoanalytic capabilities to defeat adversarial cryptography and defeat internet traffic” just for PR purposes, or does the NSA have impressive cryptanalytic capabilities to deploy?
Edward Snowden cautions, “Black budget documents are typically the results of budget justification…”, but the agency does have “a lot of successes against homebrewed crypto, boutique crypto, commercial closed-source crypto and, critically, hardware implementations of crypto. But when we talk about the real academic open-source peer-reviewed standards – things like AES, Blowfish, Twofish – those are typically pretty robust and pretty reliable.”
As Bruce Schneier points out, documents recently published by Der Spiegel appear to indicate that certain cryptographic protocols are still, indeed, problematic for the NSA. He remarks that despite the estimated 440 million US dollars the Black Budget provides for mathematical research, the gap between the NSA’s knowledge and that of the academic and open source community seems to be much narrower than had been assumed:
Twenty years ago we in the academic world assumed we were a decade behind the NSA and other countries and it seems that that might not be true, that there’s more parity than we thought.
Edward Snowden starts by agreeing with Schneier but states that the NSA’s mathematical research “does have a pay-off in certain respects. Sometimes governments use their own algorithms. For instance the Russian government has their own encryption algorithm for protecting their own classified data.” Of course, capabilities against the main publicly used algorithms are “really dangerous… if NSA has such capabilities it should not be using them, it should be reporting them and closing them.” This caution need not necessarily apply against ‘boutique cryptography’ used only, or primarily, by actual adversaries.
Schneier moves on by stating that there’s a real problem of insecure cryptography still being used commercially. Several documents recently released by Der Spiegel describe exploiting VPNs that rely on PPTP – a weakness that Schneier himself wrote about as long ago as 1998.
Snowden agrees that such publicly known weaknesses are exploited by the NSA at scale – and that the detection, exploitation, and storage of such information is increasingly automated. He wonders if there is a particular issue with the adoption of new cryptographic algorithms:
When we get new crypto tools, it normally takes a number of years before we know they’re robust. They have to be reviewed by a number of people, they have to be broken a number of times and they have to be fixed. Eventually they reach a level where we think they’re defensible.
For algorithms, we don’t have that standard typically because there’s not that many people who can attack them in a credible way outside of the academic community, which is quite small – which is why, when we get new crypto, we don’t see it adopted for ten years. What I wonder is if there’s any way we can pull that curve forward by doing research into cascading cryptographic algorithms, where we don’t rely on a single implementation of a single algorithm at a single bitlength but actually rely on an arbitrary number of cryptographic algorithms.
Schneier responds that, ultimately, implementation is the bigger issue and, introducing the second main theme of the conversation, says that what the NSA is doing is now accessible to any number of actors. What differentiates the NSA and “the major countries… is the budget to do parallelisation – doing it automatically, 24 by 7 and based on privileges on the internet.”
Everyone can do it
Both Schneier and Snowden note that the kinds of capabilities exposed in the revelations are accessible to a much wider group of actors than before. Passive surveillance on a mass scale is relatively inexpensive and, as encryption becomes more ubiquitous, so will the efforts by state-level actors to acquire encryption keys.
Schneier notes that there’s not much in the revelations in terms of techniques that wasn’t already known widely, explaining:
When I was working with the Guardian in October and released the story about Tor, the big thing the Guardian and the NSA were negotiating, and they didn’t want released, was the Quantum programme, which is basically packet injection. What surprised me is how that’s not a big secret…
You see it everywhere, there are hacker tools that do packet injection, the Great Firewall of China works on packet injection, FinFisher and Hacking Team sell packet injection to pretty much any third world country that wants it. A lot of the techniques are very democratic. FoxAcid, the big NSA system that does exploiting individual computers, looks like Metasploit, it’s another hacking tool. Yes, it has a bigger budget, a better user interface, certainly better tech support, but these aren’t major differences.
I think we have to start looking at a world in which these capabilities are everywhere, it’s attack versus defence, but these defences affect everybody because these attack tools are very very common.
Snowden concurs, noting that the popular conception of the technical prowess of many state-level actors is inaccurate and that, while the NSA will sometimes try to make itself look less capable when performing offensive operations in order to disguise its authorship, the people who staff Tailored Access Operations’ (TAO) Remote Operations Centers (ROCs) are not “these mystical hackers on steroids guys … a great proportion of them are junior enlisted military guys, they’ve gone through a couple of weeks of training.”
This explains why the NSA’s (still-unpublished) FoxAcid manual includes so many stop conditions, says Snowden: “really it’s a paint-by-numbers operation.” In these circumstances, where operatives could rapidly find themselves outside their comfort zone, bureaucratising the decision-making process to minimise the political risk of detectability is “sensible in a lot of ways.”
Nevertheless, the agency’s caution should be understood in terms of attribution, not in terms of the targets that have been chosen. Indeed, since the beginning of the war on terror, Snowden says “they’ve been hacking everybody”, with the scope of targeting probably only slowing down after his revelations. In this sense, says Snowden, “I think it’s wrong to say they’re risk averse… a lot of the targets they’re picking are insane.” In particular, Snowden cites the recent revelation about GCHQ retaining journalists’ emails as an example of an action that was the opposite of risk averse.
Agreeing with this, Bruce Schneier notes, too, that mainstream representations of many Chinese attacks are also inaccurate – some of the attacks we’ve seen are “surprisingly sloppy” and there have been suggestions that many hackers are not actually employees of the Chinese government but free agents working in various degrees of conformity with government objectives.
Edward Snowden, in turn, agrees that as the number of people with the relevant knowledge base increases, the range of actors involved in this sort of activity is growing too, with “more exceptional actors who are never noticed because they are never caught and others who are caught regularly”, and that even those working under government employ may be moonlighting in order to boost their income:
I actually worked against the Chinese target when I was based in Hawaii… so I know quite a bit about this and can’t talk at full liberty here but in general the level of sophistication in Chinese cyber is not great. There are probably people in this room who were much more capable than a Chinese military cyber unit when they were teenagers.
Referring to commercial surveillance developers like Gamma or Hacking Team, Schneier notes that there are now the equivalent of state-level “script kiddies” in the mix, using these off-the-shelf tools. Many of these are now being regularly detected by the academic community.
Looking at these developments in the round, Schneier says it is surprising that publication of their techniques didn’t appear to be within the range of the “risk-averse” NSA’s scenarios. Surely now the NSA and other Five Eyes agencies are going to have to examine their tools in light of what the reaction might be when they become public.
Edward Snowden responds by noting that Obama has already indicated that the principles used in authorising operations have changed, “which is probably wise.” Nevertheless, the NSA has significant compliance issues, as reflected in the number of self-reported infractions revealed by the New York Times. NSA analysts may not be bad people but there is certainly a “culture of impunity” within the organisation.
Both Snowden and Schneier note that much of the growth in the NSA’s mass surveillance capabilities was preceded by the corporate exploitation of “big data” models. Government has piggybacked on corporate surveillance – sometimes directly, as we can see in the use of Google cookies by the intelligence agencies.
Schneier notes that “it’s always amusing to see them [Google] complain about government spying on their users, because it’s their job to spy on their users” and that, while organisations like Google and the IETF are trying to increase the resilience of the internet, there is a problem of business models in play here as well as engineering.
Snowden agrees that the public debate has not really begun to tackle corporate spying yet and that more decentralised business models will need to come into play. At a technical level, metadata is not easily encrypted – he uses the example of a counter-cyber investigation to show that, even where content is encrypted, there’s a lot you can do with packet analysis alone.
An incompatible mission
In conclusion, Bruce Schneier returns to an argument he has made before, that the NSA’s dual missions – to defend US computer systems and perform offensive operations – are incompatible. This was less true, he says, during the Cold War because, unlike today, adversaries tended not to be using a shared communications resource. Today’s environment “requires a different way of thinking.”
Edward Snowden concurs with this, returning to an argument of his own, that because of the increased size of the US online economy and the country’s prominence in commercial and academic research, it has on balance more to lose when the internet becomes a regular site of attack. The United States could better serve its interests by promoting network defence and increasing resilience.
On 10 December 2014 – Human Rights Day – Edward Snowden appeared by video link at an event organised by Amnesty International, Le Monde, Mediapart and Arte in Paris. The event, which was simultaneously translated, marks the first time Edward Snowden has spoken live to an audience in France.