TrustyCon 2014: NSA Surveillance “a benign enemy”, says Bruce Schneier

Joseph Menn interviews security expert Bruce Schneier in front of last week’s TrustyCon audience in San Francisco

Bruce Schneier has been a vocal critic of the mass surveillance being conducted by the NSA and GCHQ. The security expert recently left his post at BT and joined the board of digital rights firm Electronic Frontier Foundation (EFF), one of TrustyCon’s organizers. Although several of TrustyCon’s speakers were part of the group who withdrew from their speaking commitments at last week’s RSA Conference, Schneier was featured on the agenda at both events.

Schneier said that the NSA’s surveillance capabilities are far and away the most advanced in the world, but not necessarily the most skilled. What the Snowden documents have provided is a window into what’s going on at the NSA, he added, “but they are the same sorts of things that any well-funded government is doing – Israel, China, France, and anyone with a budget. It just so happens that the US has the largest budget.”

He then advised that the security industry study the NSA’s surveillance programs, “because it’s a preview of what they will be defending against” a few years from now.

“As enemies go, the NSA isn’t so bad…the US makes a pretty benign enemy. It makes me mad to say this, but that’s the way it goes”, Schneier commented. “A Chinese company might even prefer to be spied on by the NSA rather than the Chinese government”, he said, only half-jokingly. If your own government is spying on you, he observed, then, being part of the local authority, it may actually use the intelligence it gathers. “There is a weird, perverse benefit of having someone else spy on you other than your own country.”

The most fundamental issue the surveillance controversy brings to light, according to Schneier, is leveraging the value of bulk data collection versus the protection of personal privacy – and he sees these disclosures from Edward Snowden having little effect in the way of institutional change on the part of the US Congress.

“The surveillance state is very robust”, he remarked. “My guess is there will be very little change, and what change there is won’t really matter.”

The use of data can be observed, Schneier maintained, but monitoring the collection of data is far more challenging. He then advocated for new laws that limit the use of data, with the knock-on effect that it would limit data collection.

“We have to solve this, but I don’t see a solution anytime soon”, Schneier lamented. “It will take another generation, with people who don’t really remember 9/11, much the way we don’t remember the Maine today.”

Menn had originally kicked off the interview by looking back at Schneier’s talk at the RSA Conference, where he referenced the PRISM slides that Edward Snowden provided to the press. What was rare about the documents is that they included real company names, Schneier remarked, which prompted Menn to ask: How many other RSAs are out there?

What Menn was referring to, of course, was a December report by Reuters that RSA received $10 million from the US government so that an NSA formula would be the preferred, or default, method for number generation in the company’s BSafe software.

“The funny thing is that we don’t know”, Schneier replied. “We know about Project Bullrun, which was meant to subvert products and standards.”

Schneier continued: “It feels likely to me that this is not the only example of government subversion…anecdotally I hear from people at companies that they have been approached about back doors. I suspect that we will not get any more names like this, which means we don’t know what to trust.”

Menn then pivoted to the nature of internet-based businesses and the data they collect. He recounted that, during Schneier’s RSA Conference remarks, the security ‘guru’ said that surveillance is the business model of the internet.

In response, Schneier explained that businesses have created services that collect a tremendous amount of data about individuals, and we should reasonably expect that if this data is collected, at some point, governments will want access to it.

The problem, as he outlined, is how do businesses move away from a model where they sell personal/behavioral information to others, yet still maintain profitability? One way is regulation, such as the European approach, Schneier said in response to his own question. Another way is to begin charging reasonable fees for previously free services if the users of those services have any hope of keeping their information private.

One example he presented involved Facebook, which Schneier said could provide a surveillance-free service, where it doesn’t collect information and sell it on to advertisers, and charge members some reasonable fee. “Facebook and others are still waiting for that massive amount of money that is being spent on television”, he observed, contemplating why these companies default to providing free services in exchange for selling user information. “They believe this is the end game”, Schneier added, “but I’m not sure that will ever happen.”

Offering the audience some parting advice, Schneier asserted the value of encryption to stymie government-related efforts to access the information. “As your service gets more popular, you are now more vulnerable to coercion. The government will demand from you, cajole you, by any number of means.”

He observed that there has been a shift in where trust is valued by companies, and any compromise of this trust can have a significant effect on customer relationships. “In the US we are seeing a lot more resistance to anything lower than a court order, and we are seeing court orders being fought”, he said, with a hint of approval.

“Our goal is not to prevent targeted surveillance. The real problem here is the bulk collection of data. The simple use of encryption makes bulk collection extremely difficult for the NSA. We can make it more expensive, and force them to go after my computer alone, and not the entire country.”
