It's Time to Break Up the NSA (2014) (schneier.com)
638 points by dyoder on Feb 25, 2015 | 133 comments


I think an even better argument for breaking up the NSA is that there's a fourth category of work they (should) do that's totally unrelated to surveillance and that I'd classify as "very good": actively working to secure the communications of US government and companies against the NSA-equivalents of other nation-states and rogue actors. Having this on the same list as encryption sabotage is a recipe for mismanagement and bad policy.


Yes. Imagine if the NSA were tasked with being a gatekeeper for data privacy and integrity that large companies like Facebook had to work with any time they pushed an update that sent data somewhere new, in the same way that the FDA verifies safety and efficacy of pharmaceuticals when they're applied to a new problem-domain. (I know that sounds almost satirically over-the-top, but it could work—if it were limited to companies [and branches of government] that were handling enough user data that, say, identity fraud attacks would be made possible just by having it. And any system where the government itself has specified the data-integrity requirements: voting terminals, library checkout systems, etc.)

Come to think of it, this NSA would probably also be responsible for chasing down companies who ask you for your SSN, wouldn't it?

They could also offer free pen-testing services (presumably through their defense subcontractors; they wouldn't have to employ any whitehats themselves) for small businesses who can't afford pen-testers, like a specialized form of industrial-development grant.

And, of course, they could also do the only legitimate/legal "active no-advance-notice" pen-testing for infrastructure they're concerned about (ISPs, hosts like AWS, etc.), converting taxpayer dollars directly into those "eyes that make bugs shallow."

Effectively, the NSA are to our sovereign data boundaries as the coast guard is to (most of) our physical ones. Since that's the case—where's our Lighthouse Service?


> ...any time they pushed an update that sent data somewhere new...

So you think making the NSA (or any govt agency) the gatekeeper for all data, public and private, would be a good idea? As if there's no way that could be abused? No thanks.


The data wouldn't go through them, nor would they be responsible for auditing the algorithms themselves. The comparison with the FDA was exact: they would simply require the company to execute a study proving (to peer review) the data-integrity of each change they were going to make.

The one interesting thing is that this would likely enforce an open-core-SOA software development model: companies would be incentivized to build a "trust kernel" of services that the government regs apply to, exposing an API with stringent access controls; and then a view layer that consumes that API, which can have whatever sloppy code they wish. The trust kernel would then have to be at least shared-source to enable the peer review necessary for study. (The company couldn't just pass the code around within a cabal of trusted peer companies, since those peers might be unfairly positively-biased.)


That's fairly analogous to the current NIST regulations.

Unfortunately, NIST has been dragging 140-3 in draft form on for years. 140-2 was written in the 1980's and reflects very badly on current hardware and software practices.

Another area you could look into is Common Criteria. I find these certifications to be much more modern.

I've taken products through both processes. If you're going for more than the basic levels they can be quite rigorous and thorough.


Sorry, I tried to write what I imagined was a clarifying comment, at least along the lines of what I thought you were trying to say. But while I was typing it you (who I imagine is the real authority on your own opinion) did exactly the same, but better.


The parent comment is not suggesting that they are the gatekeepers of the data, but rather that they act as a third party to authenticate data transmission. For example, company X says it wants to get your data, pass it through service Y and return Z, with the claim that the sensitive parts be secure. The role of the NSA would be to provide an audit of this process to determine whether or not security was in place. So if a service passed this hypothetical NSA's test they would actually never see any private information. The only danger is that the NSA withhold information about known insecurities, but that isn't any different from the current situation, and does not amount to "gatekeeping".


>"..in the same way the FDA verifies safety and efficacy of pharmaceuticals.."

There is some merit to what you say, but I'd not use the FDA as a model. To me that sounds like a recipe for disaster, imagine the NSA auditing our software with FDA-like cronyism and inefficiency? Green-light passes to be auctioned off to the highest bidder, and otherwise legitimate products will be hampered by woe-some delays. "Sorry, can't launch your new update until the NSA approves it."


The NSA could require that certain security properties of the system be held (e.g., all wire transmission and storage of data is encrypted with certain key management policies..) and a 3rd party (e.g., like an accounting firm) could be the one doing the audit.


In the EU this is the role of national data protection authorities.

http://ec.europa.eu/justice/data-protection/bodies/authoriti...

e; well, not actually pen testing, but knowing what personal information companies store, and mandating minimum safekeeping measures and limits on sharing.


having the government be the gatekeeper for private company data is a horrible idea


The NSA's Information Assurance wing considers itself responsible for the security of classified US Government systems only—specifically not unclassified US Government systems, or any civilian systems whatsoever, which they feel falls under NIST's domain.

But yes, it's much smaller than their SIGINT wing, and yes, I also feel that having both teams under the same roof (so to speak) is not just an 'equities problem' - it's a full-scale irreconcilable conflict of interest.

You might feel that surely the NSA wouldn't backdoor their own stuff? But no: there they are, actually using Dual_EC_DRBG even in their own most trusted crypto hardware - in, I presume, the firm belief that "nobody but us" has the private key to use the backdoor. Which seems somewhat reckless in light of a working distinguisher and how very fragile (EC)DSA is… and a stark reminder of how the recent return to talk of backdoors - sorry, "front doors" or "secure golden keys", because they want to control the language to frame the debate in the way they want - are so much bullshit, and the only reasonable discussion we can have about things which undermine all of our collective security is one where the people who are asking for such idiotic things to - they think - make their jobs easier should kindly shut the fuck up.

Ahem.

GCHQ over here have the exact same issue with CESG and the MoD CRYPTO group versus the COMINT/ELINT/SIGINT bulk of their mission. GCHQ have even selected their own suppliers and political and other infrastructure for targeted surveillance in some cases! So for those who choose to try to work with them - surprise! - that doesn't mean they're not also working against you too. It just gives them another angle.


From The Article:

"And third, the remainder of the NSA needs to be rebalanced so COMSEC (communications security) has priority over SIGINT (signals intelligence). Instead of working to deliberately weaken security for everyone, the NSA should work to improve security for everyone.

Computer and network security is hard, and we need the NSA's expertise to secure our social networks, business systems, computers, phones and critical infrastructure. Just recall the recent incidents of hacked accounts—from Target to Kickstarter. What once seemed occasional now seems routine. Any NSA work to secure our networks and infrastructure can be done openly—no secrecy required."


This is actually against the law.

Title 10 explicitly disallows the NSA to proactively interfere (good or bad) with private industry services unless specifically requested by a law enforcement agency and in cases like you propose would have had to be requested by the private organization to the LEA in the first place.


Indeed. Compromising cybersecurity as a means of defense is fighting with a gripless sword. It makes no sense that planting backdoors in all of your systems is somehow supposed to help security.

For one, there has been little appreciable gain from this practice, but it's also way too easy for an adversary to subvert a backdoor planted for purposes of peeping around, and use it to do very serious damage. The more entrenched surveillance via cyberespionage becomes, the more it expands the attack surface for a foreign actor to exploit it.

Second, there is no guarantee at all that the NSA is impervious to the same sort of infiltration methods. If they become compromised themselves by a foreign hacking entity, then that's it for everyone they're "surveying".


Schneier addresses that later in his essay:

And third, the remainder of the NSA needs to be rebalanced so COMSEC (communications security) has priority over SIGINT (signals intelligence). Instead of working to deliberately weaken security for everyone, the NSA should work to improve security for everyone.


Isn't the PCI standard a better, although certainly imperfect, model for addressing this without roping the Beltway into the process?


I don't understand why society thinks that certain things can be contained, while certain other things cannot be.

The liberals will always be telling you that the drug war is a failure, and that drug users will be able to get their hands on drugs anyway, and we should embrace that fact so we can retain some level of control, and so otherwise innocent people don't have to interact with criminals. But guns on the other hand...

The conservatives will always be telling you that guns can't be controlled-- that criminals will get their hands on guns anyway and will conceal carry all the time, and that we're better off keeping them legal so we can retain some level of control, and so that innocent people don't have to be at a disadvantage to criminals. But drugs on the other hand...

I take this a level further: There's no containing cryptography. The people that are on tor looking at child pornography are protected. The people that are on tor plotting terrorist activities are also protected. The only people not protected are people that don't care or don't know, and they're not the people that are worth spying on in the first place.

The NSA internet data collection is perhaps the most frivolous government program in the history of the United States. We've spent god knows how much money building their Utah data center, and it will be useless as soon as the tech community starts encrypting. [1]

[1]: letsencrypt.org


People being inconvenient in pushing for social change are insufficiently protected. The CIA spied on MLK Jr., discovered he was having affairs, and used that to try to blackmail him into committing suicide. If he had, that would have been a major loss to society.

And now we have reports of the NSA developing dossiers of minor crimes and non-crimes of inconvenient people's behaviors for future use in discrediting them.

Is your suggestion that anyone who is (or may in the future) choose to be politically inconvenient should use strong encryption for everything even slightly unpopular they may do?

We can't contain cryptography, but neither can we depend on it being universally and effectively applied.


>discovered he was having affairs

claimed he was having affairs. As you said he was politically inconvenient, why would I trust them?


You shouldn’t trust them, but it’s hardly an extraordinary claim. We can extrapolate from King’s heroic figure, charm, and constant traveling that he would have been positively drowning in opportunity, to say nothing of the temptation that comes of being away from home for extended periods.

If you care enough to explore the matter—although why you would consider it consequential I don’t know—you might start with Ralph David Abernathy, Sr., a close friend of King’s and a fellow civil rights leader, who confirms King’s alleged “weakness for women”.


Good point, but my understanding is that it was kind of an open secret in the civil rights community at the time. And they include a tape containing proof, as I recall.


>The CIA spied on MLK Jr., discovered he was having affairs, and used that to try to blackmail him into committing suicide.

Have you got any more on this? Would be interested to read.



Oops, yeah: FBI. Sorry about that.

To which one might be tempted to say "Well, sure, but J. Edgar Hoover was totally out of control", but that's the thing: we let a totally out-of-control guy abuse an extremely powerful agency and do these things.


Wow, great read. Very frightening, especially when one considers what they could be at today.


Even more so when you consider the kind of dossier they had on him, they now have on everyone, by default


and then they went ahead and assassinated him for real.


Minor point: conservatives and liberals love their guns. What they say publicly doesn't change the fact that the gun manufacturers hold huge political power in the form of the NRA over both parties, and that's not likely to change. If this was not so, we'd have an Australia-style buyout a long time ago. As is, we are stuck with monthly (or is it weekly now?) mass shootings, staggering numbers of handgun murders, and a crazy amount of police brutality simply because access to guns is easy and protected by the NRA.

To bring it back to crypto: there is a correlation between easy to obtain $TECH and use of $TECH. Currently, HTTPS is not as easy as HTTP, so its adoption is less. Let's Encrypt will change that. Currently, access to guns is easy, so their adoption and use is high. With the current political climate that will never change.


>As is, we are stuck with monthly (or is it weekly now?) mass shootings, staggering numbers of handgun murders, and a crazy amount of police brutality simply because

it's not simple, it's not all because of guns, and until you modify the 2nd amendment, there is no right of the government to remove guns from the public.

I could go on about how our homicide rate is not too far out of line with other developed countries, how many many gun deaths are self inflicted, how there are a million things that kill more people each year than guns, but this goes way off the NSA topic.

to crypto, that's been the whole discussion today with PGP, isn't it? That the reason it's not adopted is because it isn't easy.


Agreed. Discussion for a different thread. I have pretty strong views against mass availability of guns as you can tell, but one issue at a time.


don't have to modify the second amendment, just get non-conservative judges to interpret the constitution how it was meant to be.


Why is easy access to guns a cause of police brutality?


A police officer would be more likely to overreact to a situation if he/she believed a suspect carried a firearm (in fairness, for the sake of the officer's own defence). In a state where guns aren't common, the police officer would feel less threatened and be less likely to overreact.


Note that police brutality is the unjustified use of excessive force, not an appropriate response to an attack or a credible threat.

Our police in the US use this excuse far too often. They don't need to believe that someone has a weapon; many treat everyone as if it were the default when that simply isn't the case.

In fairness to the victims of police violence, this has got to stop.

>In a state where guns aren't common, the police officer would feel less threatened and be less likely to overreact.

We've allowed our police to develop a culture of brutality and cheating. Taking guns from the public (assuming that's possible) might make things worse.


>>> The NSA internet data collection is perhaps the most frivolous government program in the history of the United States.

This.

If you listen to the old NSA guys who worked during the heights of the Cold War, who keep tabs on Russians and all the chaos in the Middle East, and had some of these tools at their disposal, they all say the NSA was a great machine for intelligence. It was a great machine for developing assets and tracking bad people. As soon as those weapons and the machine were turned inward on the people they were supposed to protect, they all said it was the worst possible scenario.

Also, if you look at some of the higher profile hacker cases, and to some degree the Ross Ulbricht case, how were they all cracked? Not by the NSA and all its tools, they were all done with your standard, "feet on the street" agents developing leads, connecting dots, and capturing human surveillance.

It wasn't some Flame or Stuxnet bug that brought down these guys, it was just solid detective work.


Cold warriors said the NSA spying on domestic targets was the worst possible scenario? Not, say, global thermonuclear annihilation?


As long as there's a chance that the NSA could be able to break strong encryption and thus gain a huge leg up on other nations/potential lawbreakers, the governmental sentiment will remain in favor of retaining the NSA in the face of whatever pie-in-the-face leaks come out. Last I heard, they're working on a quantum computer to do exactly that.

http://www.cnet.com/news/nsa-working-on-quantum-computer-to-...


I agree with the point about crypto, but I'm not sure your general point about society being unable to contain anything is sound.

Guns are controlled in many countries quite effectively. Not completely of course, but compare for example gun crime in the UK with the US.

There are fewer (if any) examples of drugs being controlled effectively (in non repressive regimes) I'll agree though.


1- tor is broken. 2- they know and use ways to get around encrypting. We got to give them some credit they knew encryption was an issue that at some point they had to deal with. And they found ways to do just that from the beginning.


they don't even need to break encryption. Patriot Act.


If I encrypt something client-side, the Patriot Act has no influence over it whatsoever. The only person who can decrypt it is me.

So, yes, they do need to break encryption. Especially as more and more apps move towards the "smart/encrypted client, dumb server as a storage dump" model.


The parent comment could be interpreted as "They do not need to break encryption as they do not need to prove guilt due to the patriot act, and breaking encryption is a dog and pony show when they can just hide you in Guantanamo or a Romanian black site."


But Romania is so beautiful this time of year, comrade hobs.


Except if you don't control the software on your device, like all smartphones.


>1- tor is broken.

For what definition of "broken"?


Broken means it doesn't do what it claims, is assumed, or is known to do. I think the general consensus is that Tor is supposed to enable a person to browse the internet anonymously.


Are seatbelts and airbags broken because people still die in crashes? Most security mechanisms can be circumvented by a sufficient state actor. For most purposes, when not being targeted, Tor does its job.


Do you have a source?


Encryption is orthogonal to policy, which is the topic of the article.


I think that's untrue.

Encryption can't shape policy, but it can make policy nonsensical.


letsencrypt.org looks like an awesome project! Can't wait to try it out.


> Second, all surveillance of Americans should be moved to the FBI.

> The FBI is charged with counterterrorism in the United States, and it needs to play that role. Any operations focused against U.S. citizens need to be subject to U.S. law, and the FBI is the best place to apply that law.

No no no a thousand times no.

One of the only saving graces about the massive surveillance from the NSA is that, I'm willing to wager, very little of it at all has made it over to where it could be used to oppress the citizens directly.

Bruce's claim that "FBI is charged with counterterrorism" means that they are also charged (along with DEA, ATFE, etc.) with the application of undue force on citizens--something we've been only somewhat spared from because of the difficulty they have in collecting information.

Turning over to them that capability--or even just the current stockpile and archives of information!--would be a gigantic blow against freedom.


But.. what about parallel construction? We know that the NSA is feeding tips to, among others, the DEA and ATFE -- they're just pretending to find out about criminal activity in other-than-blanket-surveillance ways. The practice is so commonplace that the NSA has a special division for seeding the evidence to other agencies, and there are indications that even state and local law enforcement agencies are in on the fun.


Exactly. Right now the NSA can escape all legal oversight because it has historically operated physically outside the US and under military governance. Since 9-11 and the Patriot Acts, NSA operations have moved inside the US. And in concert with the sharing of intel across military and civilian, the NSA now operates freely across all spaces. This was never intended by statute, and virtually no oversight is in place to ensure 1) intel is gathered lawfully or 2) info is shared lawfully. Unlike the NSA, the FBI must operate wholly within the US and state civilian court system, so its gathering and disbursing of info is much more closely overseen and regulated.

It's also become very clear from their response to Snowden's revelations that NSA is not going to get any closer oversight any time soon. The FBI and its partners cannot hope to maintain a comparable cloak of invulnerability. To Bruce's suggestion, I vote yea.


Here's your oversight:

http://en.wikipedia.org/wiki/J._Edgar_Hoover

Giving NSA powers (or archives) to the NSA is a really, really, really bad idea.

The court system and legal system in the US these days is a joke and a farce--just look at the number of cases that make it to trial. We can't afford to give this sort of power over to any law enforcement agency.


The argument being made by the parent, is that it would be far worse than the abuse that is already occurring, were the FBI to have direct control of the equivalent spying systems and data trove that the NSA already has on US citizens.


Yes, but I disagree. It's a matter of avoidance of oversight. NSA is designed to avoid it and FBI is not, they simply cannot. FBI is tightly constrained by the process of law in ways that Guantanamo and NSA were created and operate in order to escape.

What's more, FBI is also a MUCH leakier boat when it comes to intel gathering, storage, analysis, and sharing. Law enforcement personnel and practice could not possibly hide the decade+ worth of mass surveillance practices from US senators, congress, and the office of the President as NSA has.

As it happens I know something about the mindset within both orgs. With FBI, eventually the truth will come out. Not so with NSA - unless another Snowden is willing to commit suicide, professionally and personally.


"Actively attacking enemy networks is an offensive military operation, and should be part of an offensive military unit."

Key word here is offensive military unit, like a bomber squad or tank division. You should not send out this kind of units to allies, neutral states or neighbors, no matter how "valuable" it would be in trade negotiations. It's to the benefit of all that on-line communication is restored to peace, rather than a free-for-all combat zone.

Of the 3 changes suggested by Schneier, this I feel is the most important change that internationally needs to happen. Since NSA is the biggest offender here, fixing that actor would encourage other nations to do the same.


But this sort of spying clearly isn't like ordering a bombing run on Berlin or sending a tank division to capture Athens.

Spying isn't even a military operation, it is mostly diplomatic.

Spying has always been common even amongst allies. It is a form of hacked transparency. Countries hide as much as they can.


Tell that to people who died needlessly during a civil war thanks to the sabotaged communication system that NSA caused. I'm sure their death felt like a diplomatic problem, something people discuss between drinking port wine and eating walnuts on the embassy.

Attacking civil infrastructure of a foreign nation is not spying, especially if that nation has an ongoing war. If one uses the term spying like that, then the term spying has been extended beyond what can possibly be reasonable. Just because someone's intent is information extraction does not make it any less of an offensive military operation if the methods used are offensive military in nature.


There's a distinction to be drawn between James Bond-style spying ("Humint" - which is the kind you're actually referring to) and the large-scale, indiscriminate, archived, mass-surveillance of otherwise ordinary people ("Sigint" - which is what we've learned about over the last couple of years).


Sigint has been around since signals were around.

The only reason I see a reason to distinguish is what the info collected is being used to so America can blackmail German citizens, that is shitty. But if we are just trying to collect information about Germany or people who just happen to be in Germany who are people of interest? That is the NSA mission.

The real issue is the potential for abuse. But the US government has plenty of stuff it could really abuse.


> "... who are people of interest?"

I think you've missed the part where everyone is now (effectively) a person of interest.


That is just not true. Sure, they are collecting some limited information on everyone, but mostly because it's harder to collect targeted information than to just get it all.

So maybe the US has a record of every call made in Germany, but nobody is tracking some random bus driver in Bavaria.

Right now there isn't the manpower to actually look at even a tiny fraction of what is collected.

I guess in the future, if an AI with human-like ability is created, the actual monitoring of every person could occur. But it just isn't a fear right now.

I'd call it pseudo-privacy.


[deleted]


honestly, would you rather be at war or be secretly spied on? No contest!!

You need to reject this as a false choice.

Unsolicited movie recommendation for you: http://www.imdb.com/title/tt0405094/


Other worth watching, to all those who live by the "I don't care, I have nothing to hide" mantra:

http://www.imdb.com/title/tt0088846/

Spoiler: it's not what you consider worth hiding, it's how the government will interpret it.


Do you really think the disagreement is because we've never heard that argument before? That all the people who think this way have just never been exposed to Brazil, or Minority Report, or any of the other thousand works of fiction in which this idea is shown?


the NSA's surveillance is an unprecedented power grab. add Moore's Law to the mix, let that policy sit for 20 years, and what kind of power do they have? they can predict everything, they can track everything, they have no oversight - what they're doing is setting themselves up to completely replace the government in 2035.

hopefully, that's not deliberate. hopefully, they're just that naively convinced of their own goodness. but that's what they're doing.

the NSA's unconstitutional surveillance is a total disgrace, a national shame, a total failure to uphold the Constitution. that's the GOOD news. that's what it is today. add Moore's Law and 20 years, it's going to be something much worse.

(shoutout to everyone who was on Hacker News back when mentioning how Moore's Law ties into this would be worth an upvote.)


Yeah, you hit the nail on the head.

Right now it's Orwellian and sophisticated-- if they have Amazon's level of data crunching and prediction ability, they might be able to predict certain things about you, and, on average, be more right than wrong.

Wait until they have 20 more years of data on you, and 20 more years of advancing the quality of their algorithms and machine intelligences. You will be owned, and your buttons will be pushed as necessary to maintain what has already been built.


And the same will be true of all the billions of people that you think are making bad decisions today.


This dragnet collection and _permanent storage_ of all movement and communications data is not justifiable, though.

Fundamental risk assessment fail!


As the cost of doing so diminishes, so does the requirement for justification. These days, the only noticeable cost is psychological. IMO, sufficiently justified by "we might need it one day".

Of course, 20 years ago, or even 5 years ago, that wouldn't have been true, and that's the mindset most critics are coming from. That you need a really strong reason to be doing some kind of mass data collection like this. I just don't agree with that claim. If you can do it, you'd be stupid not to.


This reminds me a little of the breakup of the Atomic Energy Commission. The AEC was supposed to regulate and promote nuclear energy. This conflict of interest was recognized in the 70s and it was split into the Nuclear Regulatory Commission and ERDA (which soon became the DOE).


This reminds me of the surreal world of the stock market, where organizations largely make their own rules and regulate and enforce them themselves.

In 1971, the National Association of Securities Dealers (NASD) gave birth to NASDAQ, which became publicly traded in 2000, and then a national securities exchange in 2006. NASDAQ wasn't really independent of NASD until 2000, so for a while the same people who owned the exchange also regulated it.

The NYSE is much older and became a Not-for-Profit in 1971. In 2006 it merged with ArcaEx and became a publicly owned for-profit, later merging with Euronext in 2007 and acquiring AMEX in 2008.

Here's the weird thing: exchanges are supposed to self-regulate, with the SEC basically just approving the rules they make for themselves. And the exchanges kind of 'outsource' their regulation - but not all of it - and that's not all that well defined anyway.

In 2007, NASD's and NYSE's regulatory and enforcement committees were merged into a new organization, FINRA, which basically makes the rules their members are supposed to abide by and enforces them in coordination with the SEC.

The SEC has been investigating exchanges since the "flash crash" of 2010, when it was shown how completely fragile the market had become by large players making very large trades, as well as new high-frequency automated trading.

In 2011, NYSE Euronext tried to merge with Deutsche Börse, which would have become the largest stock market in the world by far. It actually passed US antitrust investigation. But in 2012 the European Commission blocked the merger as it would have created a 93% monopoly on European derivatives trading. This doesn't have anything to do with the exchanges violating rules, but it does show how without regulation, monopolies would be a virtual certainty.

In 2012 NYSE was fined 5 million for giving data to its customers before the public. In 2014 NYSE was fined 4.5 million when it was found to have violated its own rules, or lacked rules it should have had.

Compare this to NASDAQ settling with the SEC for 10 million just for mishandling Facebook's IPO in 2013. This is apparently because the SEC stopped short of finding the NYSE's actions as felonies. And all of this is relatively new, as exchanges historically were never legally scrutinized or punished for their actions. (Their revenue is in the billions, so these fines are basically just for show)


Bruce makes a good point here. There is a balance between the COMSEC and SIGINT. Any advance you make in SIGINT is a failure of COMSEC and vice versa. The issue is then the 'viruses' of our internet ecosystem, the hackers and state level threats. How do you balance the two? Will the nature of the system self-balance as threats are discovered and then bandaged?

Still, good job not just demonizing the NSA, they serve a purpose in the game of international relations, one that the free world may not like, but that we all need.


It seems to be a sort of universal truth in that the people trying to break a system will always be ahead of people trying to secure/protect it. Why then, would prioritizing COMSEC over SIGINT change any of that? COMSEC will never catch up to SIGINT.

I'm curious to know what exactly the NSA currently does to protect the US. Do they already use their existing SIGINT knowledge to update systems ahead of attacks?


Well, maybe the lemma is flawed. Maybe they are not always ahead. I mean, to date, no one has even been able to decode Kryptos, right out front of the CIA in plain view: https://en.wikipedia.org/wiki/Kryptos

Again, what the NSA does to protect the US is an open question; if they did their job right, you'll likely not know it. Updating systems, at least large commercial ones that foreign governments use as well as the US citizenry, is not in the purview of their mandate, it's the opposite. They do try to tell the world what they do, so as to justify themselves in some degree to their ultimate bosses (the US voting public). The Iranian nuke viruses are a good example, though, as far as I know, they have not claimed that particular hack yet.


Regarding NSA and CIA, what do they have to do to get shut down completely? Do we wait until genocide? It doesn't seem like a re-org is the proper response to institutionalized torture, semi-automated assassination campaigns, and creation of a panopticon.


The fundamental issue isn't their culture or organizational structure, it's their unethical missions, which breed cultures of secrecy and opaque, unaccountable and defensive institutions. I don't see how you can set up a spy agency to prevent it from evolving in that direction. Would love to hear of counter-examples, though.


It's better to keep the good parts and reform the bad parts than to throw the entire baby out completely.

Let's draw a parallel to something more tangible than the cyberwar we don't see. Recently there was a number of high-profile cases where police got into a clash with unarmed civilians, with disastrous results. Should police be shut down completely? Would you be safe in a city with no police? Many cities in the world have places where the police don't go, and those are dangerous places.

NSA and CIA serve important functions. They just need to be properly balanced.


--Should police be shut down completely?

Sometimes, yes. When the corruption and brutality is so bad that there's no other option.

--Would you be safe in a city with no police?

In Acapulco, the answer was yes. The police went on strike and it was so much better without them that the people didn't want them back.


Should we have tried to reform the Gestapo or Stasi too?

Also, we cannot confirm or deny that the NSA and CIA do anything important.


Are you aware of the recent Guardian article about a Chicago police blacksite[0]? Your analogy is inappropriate in the face of systematic torture, killing, and corruption of law by American institutions. Simplistic analogies will not fix this problem nor do they help the discourse.

0:http://www.theguardian.com/us-news/2015/feb/25/chicago-homan...


So we should be left in the dark? I would not want the NSA/CIA shutdown unless the same is done with Russia's FSB or Pakistan's ISI.


Therein lies the rub.

There is a middle ground here, but people are (rightfully) foaming at the mouth with anti-NSA rage. In my eyes, this whole situation (NSA going off the map and doing whatever they want) stems from giving them free range with little to no oversight. They simply need better oversight and real consequences for leadership who don't act in the public interest (as determined by a neutral party, albeit a neutral party with top secret clearances).


'foaming at the mouth' is an Orwellian characterization of what is a profound and rational aversion to totalitarian state surveillance. Stop using the metaphor of a rabies infected dog to describe those who wish to live without the government spying on them.


To "stop" a behavior or other action, one would still need to be partaking in said action.

See, I can use a word or phrase in an internet comment as an excuse to be miserably pedantic too.



>Regarding NSA and CIA, what do they have to do to get shut down completely?

The US signs a complete unconditional surrender on the deck of the $SHIP of $NEW_WORLD_POWER - at least that would be my guess based on history.

We don't stop for genocide.


The US Army kills people. What does the US Army have to do to get shut down completely? Do we wait until genocide?


Imagine if the Centers for Disease Control, instead of researching cures for diseases, had a budget in the billions for buying weaponized viruses and bacteria, and was subverting disease prevention. Nobody would stand for that. It would be poisoning health care worldwide.

As another commenter pointed out here: "Can we just flip their budget over to making sure US companies are secure?" That is, of course, what should be done. We get the results we spend money on. If the NSA's budget were spent on making security easy and routine, we would have easy and routine security. But that's not how we express our intentions with the budget right now.


I think that is an excellent example of how information might get abused.


The NSA is probably the worst-case of the general public not trusting government institutions. However, it seems that government has lost trust across all functions, despite only marginal increase in corruption. Is new, faster communication just making us more acutely aware of the corruption that inevitably happens? I don't think it's bad to be aware, but we really need to learn to scale our response. A program can have a % of corruption and still achieve success. Also, I wonder whether mistrust of institutions stems from the record wealth disparity. In general, institutions seem much less trustworthy when a small percentage of people can disproportionately influence them.


While the level of corruption may not be that much bigger, the ability of the corrupt to cause harm has greatly increased through use of modern technology.


Is it possible to hold the position that the NSA should be conducting signals intelligence, data collection, and code-breaking (and yes, email snooping) -- yet at the same time hold the position that the blatantly malicious activities: 0day exploits, software and hardware backdooring, etc should not be allowed?

Why commit ourselves to a massive overhaul of the entire NSA when we can address the actual problem here with some granularity and minimal cost yielding an impact almost all of us would enjoy?


> Why commit ourselves to a massive overhaul of the entire NSA when we can address the actual problem here with some granularity and minimal cost yielding an impact almost all of us would enjoy?

Because they've been exposed as untrustworthy. Any attempt at reasonable reform will be met with obstruction, obfuscation, and lies.

> 0day exploits, software and hardware backdooring

Up until it was proven, they denied doing these kinds of things. What makes you think they'd tell the truth in the future?


True, I think the Snowden events have uncovered the unfortunate reality that there is a gigantic hole in the boat. In the end, the only way we get out of this is to redesign the system, from hardware on up, to be secure. The NSA, as per their mandate from Congress as an expression of the will of the people of the USA, is using the holes in the boat to advance the security of the nation. It is literally their job to do this. Again, the issue is that the boat is leaky. Maybe we humans decide that this leaky problem is not all that bad, and like biology, a certain percentage of 'sinking' is acceptable versus the cost to make a better boat. I don't think this is true though, because lawyers. Making a better and more secure net is the end of the game, it is only time that stands between us.


The NSA does not have a mandate from Congress: it was created by an executive order of President Truman in 1952 (https://www.nsa.gov/public_info/_files/truman/truman_memo.pd...). That order was classified for a very long time.

That's to say that you're starting from false premises. It is not the NSA's job to advance the security of the nation at all. Hence the need to split it up now. It's time to move the legal basis from executive order to something else, that something else publicly debated and mandated by the people.


Read "The Puzzle Palace" and find out why the NSA is structured like it is. The US gov has been re-orging the NSA and factions inside the gov have been fighting over its control since its inception. To use an annoyingly beat to death phrase: we haven't seen its final form yet.

Actually a pretty good article overall, but these two lines bother me greatly:

> "What was supposed to be a single agency with a dual mission—protecting the security of U.S. communications and eavesdropping on the communications of our enemies"

That was never the mission and is not the mission of any similar org in the past 100+ years. It is to eavesdrop on everyone, including one's allies. The Brits were eavesdropping on everyone's telegrams over 100 years ago. This isn't something new.

> "The result is an agency that prioritizes intelligence gathering over security"

Again, that is the #1 goal of the NSA and other similar organizations. Security never has and never will be its #1 goal.


Technically, you are wrong. NSA has a signals intelligence side and an information assurance side. It does have two dual missions. You may argue that they haven't done a good job with the information assurance side of their mission, but you cannot argue that it is not a stated mission of the NSA.


Security is their objective; using all encompassing communication spying is their strategy for accomplishing that objective.

This comment is not an endorsement of any NSA policies.


Security, in terms of the NSA, refers to their COMSEC work.


Never mind that "security" is literally their middle name--the second L of their TLA.

It wouldn't be the first time that a government enterprise had a misleading name.


Exactly. They have as much to do with "security" as the Democratic People's Republic of Korea has to do with "democracy."


"collecting data on innocent Americans either incidentally or deliberately, and data on foreign citizens indiscriminately. It doesn't make us any safer, and it is liable to be abused. "

If you are collecting data in order to analyze and identify threats to national security, how would you possibly exclude "the innocent" beforehand? These people are not innocent as much as they aren't guilty - however blinding oneself to observation seems like a knee-jerk alternative.

If these practices are "liable to be abused" isn't the solution proper oversight or accountability and not to shut down the entire program?


I would rather not agree with this "Break up the NSA" thing. I do follow the public opinion that its surveillance is wrong, but this is not the fix.

NSA is an organization, an empty shell without its people. If the people are not going to change their mindset in short-term (social change in mentality), it means that law has to be changed in short-term, so that very mentality gets more time to change.

But this is where I must contradict myself, do these people who are benefiting from such "Its abuse, not use of power" deserve such a delay? Given that for every second the situation remains the same, countless bottom-of-pyramid-people across the globe would keep suffering? Or have we become TOO used to looking away?

Also, a very important question is, that 'has NSA's Information Collection System become such a tool, where bulk of Americans are used to collect data on Bulk of Americans, and put that in the hands of Few, who then abuse it?' Or NSA has more to it than just the empty shell called: "Interest".

As Voltaire said: "You must ask, whether it is 'Just Interest' or 'National Interest'. "

A supporting question is, who is the Nation anyway? A few or all? Abraham Lincoln ought to be right here. But, fast forward 200 years, It is also important to question, whether "Nations" especially the idea of "America" stands as it is, given the fact that it is America itself that pushed for a "Globalized World" and still does.


It's easy to casually propose such things, on a blog, while lobbing the same tired criticisms about over-zealous intelligence gathering programs. But to actually implement such grand, sweeping measures would require resources that don't justify the benefits. Just scale back and increase oversight on troubling programs, and otherwise let the NSA do its critical job as an intelligence gathering agency.


Finally, a pragmatic voice amongst those calling for an anarchist solution. I will add my vote to those calling for increased oversight, and regulation over the all out "scrapping" of these programs.


If you take it as a given that the NSA is spying on all parties, that includes those supposedly providing oversight. Those providing oversight can then be coerced into rubber-stamping whatever the NSA wishes. Therefore, "increased oversight" is all but impossible.


What about the problem of distinguishing domestic vs foreign communications? NSA already minimizes American information, plus FBI doesn't have authority to track who called to or from the US to a foreign nation like Pakistan from what I understand, so no phone meta data. The NSA may be too big but I haven't seen anyone bring an actual technical solution for setting the boundaries and so forth.


> NSA already minimizes American information

While this is the PR, in practice it's categorically untrue.


As long as you believe in Santa Claus, how about the NSA also be put in charge of delivering Christmas presents to children who are nice by drone, and punishing children who are naughty (also by drone), since they are already monitoring everyone and everything, and they make it their business to know who's naughty and nice.


Oh oh, looks like they got to him. Link is now returning a 403:

Forbidden

You don't have permission to access /essays/archives/2014/02/its_time_to_break_up.html on this server. Apache Server at www.schneier.com Port 443


Can we just flip their budget over to making sure US companies are secure?


I'm not sure this addresses the problem vs. just moving it to another agency.

Would it be better for the FBI to be doing these things than the NSA? Or should we be instead fighting that they're done at all?


I think holding the position "the United States should not be spying on anyone, ever" is perhaps too far over on the spectrum of idealism. You do need some spying on countries that pose genuine threats such as North Korea, Iran, China, Russia and the like.


Note that this is from 2014, but it is more relevant than ever.


I'm thankful to live in a country where we have the freedom to publish this kind of thing. (That said, I think that freedom will not last too much longer.)


I've got an idea. In the faux name of net neutrality, let's give one of the most abusive governments when it comes to privacy, vast control over regulating the domestic Internet, and let's allow them to pass those new regulations without anyone external being allowed to review them ahead of time. What could possibly go wrong? It's not like the government will massively expand their direct control of the Internet, and use that to chill free speech. And it's not like we'll be sitting here in ten years, listening to pro net neutrality campaigners making excuses about how those weren't the laws they had in mind; after all, who knew the government would abuse their new powers, nobody could have guessed such a thing.

Whoops, too late:

https://www.eff.org/deeplinks/2015/02/dear-fcc-rethink-those...


I agree with the general thrust of what you're saying, and I think the FCC takeover of the internet is much more problematic than the NSA spying scandal.

That said, the EFF is getting what it has been advocating for: A government takeover of the internet.

That is what net neutrality has always been for and about.

Once we grant that the internet infrastructure is not private property and is open to government regulation, that means it's open to all government regulation, including speech regulation. There is no middle ground.

To think otherwise is to not understand principles and politics.


Sadly the voices of reason like Bruce will be yelled over by the voices of "terrorism everywhere".



It just seems that you can do anything on paper but covert agreements between the agencies after break up will still occur.


Not necessarily. It's just a matter of dis-empowering the people who are on a die-hard mission of "spy on everything, and to hell with civil rights."

That is not the whole NSA; it's just a few key people in leadership positions that have been steering the ship lately.

If you keep those same people in power but split up the agency, yes, you'll just get the same thing again.


Defund them, it's not perfect (as with the CIA and its, ah, interesting funding mechanisms) but it is one of the more effective of the least worst options.


Looks like the NSA penalty in article titles is still active? This one dropped fast.


To me, it's pretty obvious that the supposedly "dual" mission of NSA, that of both anti-terrorism and cybersecurity, are completely incompatible. They are at the extreme ends of the spectrum.

One seems to need the abolishing of (true) secure systems and privacy (although, so far there is no evidence that mass surveillance actually helps thwart terrorist plots - and it may never be able to do so [1] [2]), and the other is supposed to be about having super-secure systems and strong encryption.

However, since the NSA is in charge of both, it seems the anti-terrorism side has won, and it now causes the NSA to make terrible cyber-policy.

To Schneier's new post, I believe the EU is already getting ready to propose that a civil agency (not one that is run in secret) should be in charge of cybersecurity in EU nations. Although, I think the NSA is working hard to convince EU spy agencies to push legislation that makes them responsible for cybersecurity, at least in some EU countries that are more easily "persuaded".

EDIT: So I actually disagree with Schneier here. I see no reason why a secretive unaccountable agency should be in charge of cybersecurity. Why should it be a state secret that a hacker hacked into a US company? Just because the NSA has the "expertise" in cybersecurity? If you want to keep the experts, fine, but then turn the NSA into a civil agency.

I agree with his suggestion that surveillance (not mass surveillance, though - that should be banned for all agencies) should only be the domain of FBI.

To recap:

1) Cybersecurity = civil agency

2) Surveillance of local citizens = civil agency (FBI in US, I guess. Mind you, this is what already happens, when referring to targeted surveillance, so the real proposal here is that the NSA or anyone else shouldn't be spying on local citizens, too - only the FBI and with warrants. This is not, or should not be about giving the FBI "mass surveillance powers". If that's what Schneier is proposing, then I completely disagree with this, too)

3) Cyber-offense/cyber-war = military/Pentagon/whatever

4) I'm unsure whether we need another agency for spying on "world leaders", but right now I'm strongly inclined to give this one to the military too. Also, it would be best if this wasn't actually targeted at allies (like Merkel), but actual rival (Russia) or rival-like (China) countries. I think it's just good foreign policy not to do nasty stuff to your allies, just to be slightly "ahead" in negotiations.

[1] - https://www.schneier.com/blog/archives/2006/03/data_mining_f...

[2] - https://www.schneier.com/blog/archives/2006/07/terrorists_da...


The (dollar) cost of the NSA makes us less secure.


[deleted]


I'm happy to see it too. It's already doing much better than the first time https://qht.co/item?id=7277128


FYI: This is from 1 year ago.


What has changed in the past year?


Interesting, but I doubt it would go far in helping anything. You can't cut and disperse the cancer growing inside of the US Government and expect anything to be solved or fixed, it needs to be uprooted and burned. Would any of this address secret courts, police brutality, domestic propaganda, or corruption? It'll have to be all at once, otherwise it's just rearranging the furniture in our cell.



