The Tech Community Can Put Out the Fire the NSA Started

This piece originally ran at the Guardian.

“You are the firefighters,” National Security Agency whistleblower Edward Snowden told a tech savvy audience here yesterday, during my conversation with him at the SXSW festival. “The people in Austin are the ones who can protect our rights through technical standards.”

Ed’s comments were a call to arms for the tech community to protect its users from indiscriminate mass surveillance by the NSA and the insecurity it creates. Despite the talk from Washington DC regarding cybersecurity threats – and you’ll hear more of it today during a confirmation hearing for the would-be next head of the NSA – it is now clear that the NSA’s mass surveillance efforts are not meant for good. Whether it’s systematically undermining global encryption standards, hacking communications companies’ servers and data links or exploiting so-called zero-day vulnerabilities, the nation’s cyberspies are focused on attacking online privacy and weakening the security of systems that we all trust.

Forget all the government rhetoric on cybersecurity: the NSA simply isn’t here to make the Internet more secure. But that doesn’t mean the agency has to win. The global tech community can fight back, if developers ramp up efforts to build privacy and security into their products. By zeroing in on practical steps Ed and I discussed in our conversation here, we can build a more open, free and secure Internet.

Unfortunately, for far too long, security has been an afterthought. Even for a lot of my fellow geeks here at SXSW.

Until recently, many of the free email and social networking services used by consumers failed to integrate the most basic of encryption technology. That made the NSA’s job far too easy, so the real challenge for the NSA often became processing all of the intercepted communications data, rather than grabbing it in the first place.

Right now, the most widely used communications tools and services – the ones we use to do business, have fun and connect with those we love – fail to deliver the reasonable and realizable trifecta of privacy, security and simplicity. As a result, people are forced to choose between technology that’s incredibly intuitive but fundamentally weak on privacy (such as Google’s Chrome browser and Android operating systems) and technology (like PGP email encryption and Tor) that remains far too difficult for the average person to use … even if those tools do a much better job of protecting private data.

Nine months after Snowden’s documents leaked in these pages, though, the standards and practices of everyday security are truly beginning to change. Over the past few years, and even more so after Ed’s revelations, Silicon Valley companies have begun to enable – by default – basic security features, such as the use of HTTPS encryption to protect data as it is transmitted from their customers’ to the companies’ servers. While HTTPS encryption by default is a great start, isn’t enough. The tech companies must offer apps and services that are safe and secure by default.

1. Disable data, all the way

Far too often, security is an opt-in feature that few regular people will even know about, much less seek out and enable.

In addition, big tech companies need to embrace end-to-end encryption technology. That is, they need to lock their products down, so they won’t be able to see their customers’ data. This kind of encryption technology, if deployed by several major service providers, will significantly thwart the ability of intelligence agencies, in the US and elsewhere, to engage in bulk surveillance. The more communications and data are encrypted, the less tenable mass surveillance becomes.

It comes down to simple economics, really: if the NSA has to spend more time finding a way to break or otherwise circumvent encrypted communications, it will be forced to do what it should have done all along – use its extraordinary powers on high-value targets, rather than the hundreds of millions of innocent people currently subject to NSA surveillance. If you question the power of encryption, consider this: the US government still doesn’t know what documents Ed took, because he encrypted everything.

2. Limit collection, move up storage deadlines

As Ed stressed, tech companies can also begin to limit the data they collect from their customers and only store it for as long as it’s needed for genuine business purposes – and not one second longer. The impact of the government’s ability to demand data from companies like Google and Facebook is amplified because these tech companies collect and store everything. If the companies don’t have the data that the US government and other governments are seeking, they cannot be legally compelled to hand over what no longer exists or never existed in the first place.

The problem, however, is a fundamental conflict of interest between the business model of so many tech giants – the collection, storage and monetization of your data – and your privacy and security.

This is where the average Internet user can make a difference. Right now, the digital services on which we all rely for swift communications and easy web browsing are largely reliant on advertising dollars. They sell the data you generate to third parties, or use it to deliver targeted advertisements for those third parties. Entire businesses are devoted to collecting, analyzing and then monetizing whatever data you produce. As a result, the apps, operating systems and services they provide us are optimized for one major thing: the collection of our private data.

3. Rethink our relationship with tech companies

We, the everyday consumers, must make privacy and security profitable. If we want these companies to put our interests first, we must pay for the services that they provide us. We must demand that those products preserve privacy – again, by default. Until this business model changes, the services that are made for the mass market will remain insecure, vulnerable and optimized for data collection.

By making it harder for the NSA to engage in mass surveillance, we force the agency to target the communications and devices of people genuinely suspected of wrongdoing without compromising the privacy rights of everyone else. I cannot stress enough what I said yesterday: the goal here isn’t to blind the NSA. The goal here is to make sure they cannot spy on innocent people, in bulk. Starting right now.

It’s been said that the geeks shall inherit the Earth. If that’s true, it’s also our responsibility to secure it. One of our own, Edward Snowden, started this revolution. Now it’s time we finished it by using our skills and knowledge to preserve our privacy and civil liberties, not just the bottom line.

Learn more about government surveillance and other civil liberty issuesSign up for breaking news alertsfollow us on Twitter, and like us on Facebook.

Add a comment (4)
Read the Terms of Use


How exactly are consumers supposed to know which products are securing their data sufficiently, which are advertising more data protection than they really provide, and which provide little to no protection at all?

Matt S.

I built a site for anonymous encrypted messaging optimized for the laptop/desktop/tablet community. Users can create an account without divulging any information (no email, no phone, no information, period). The site runs on a VPS which I administer and I have disabled all logging and configured SSL to favor forward secrecy cipher suites. Communication via the site is in the form of encrypted threads with files up to 100M each. Users control the pass keys used to encrypt their content and have security options such as two-factor authentication, automatic log off and account reset prevention. Messages and files are encrypted with AES-256 using OpenSSL. I've never received any requests for information on any of my very satisfied customers. I operate the site as a free public service. You can find it by searching "private secure encrypted". It will be the first organic search result.


The world just doesn’t seem safe anymore, does it?

Think about it: anyone who has your mobile number can call you or text you any time they want, as often as they want to. It is not just angry ex boyfriends or girlfriends or friends who don’t understand that you may not want to be contacted at odd hours or at work, but Hackers, Identity thieves, and for that matter even the NSA can track your movements and find out all they need to know about you once they get their hands on your number.
And to make it worse, most of us have been giving away our Mobile numbers on our business cards, social networks, and email footers for years.
Insurance agents, mobile companies and even ambulance chasers have taken to calling or texting you at any time of the day or night, desperately trying to make a few bucks off you. Surveys and unwanted charities can be even peskier.

“But, isn’t there a national do not call list?”
Of course. I bet you’re on it. But you are still constantly getting calls. On your mobile, over VOIP, from unlisted numbers and even from people belonging to other countries.

ŠtítMe offers the first real solution. You never need to give your mobile number out to anyone again. Give them your ŠtítMe ID example (#JoeBlack) instead. You decide who calls you, when they call you, and if you no longer want to be called. ŠtítMe gives you the ability to deny access to anyone by simply deleting him or her.

Even if a deleted contact tries calling you back, Stitme will ensure the call will not get through.
Try ŠtítMe. Believe me, you’ll wonder how you lived all these years without it!


What guarantees can the US tech Corporations give inventors and small businesses that their direct collaboration and secret mutual data sharing with the NSA are not also abused to steal innovative inventions, Copyrights and Patents? They can give none. And that's still the underreported story of the fire the NSA globally started lies buried deep for now.

Sign Up for Breaking News