Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

Are We Ready for the Post-Snowden Internet?

It has been nearly six months since government surveillance revelations from Edward Snowden began to be published in the Guardian, Washington Post, and other outlets. Snowden turned over as many as 200,000 classified documents to journalists, and they’ve revealed a myriad of intelligence-gathering tools and operations aimed squarely at our electronic lives, regardless of location, citizenship, activities, or legal status. And the hits keep coming: nearly every week sees new details published from Snowden’s cache, momentum that has stirred up many independent revelations. Some have been minor, but others — like PRISM, tapping internal network links at services like Google and Yahoo, and collecting location data on mobile phones worldwide — have been astonishing.

It’s easy to enjoy “Snowden schadenfreude.” (Or perhaps “Snowdenfreude?”) Who doesn’t like seeing the powers-that-be taken down a notch or two? It’s also easy to believe the ongoing scandals don’t matter to ordinary people. After all, who cares if the NSA knows about your online pizza order last Saturday?

The disclosures are clearly impacting government policy and diplomacy, but may also change the fundamental architecture of the Internet. A broad range of countries and companies are openly talking about forming isolated and compartmentalized networks to protect themselves (and their citizens) from surveillance regimes.

And that might break up the Internet.

It Just Works -- It seems obvious, but the Internet’s greatest strength is interoperability. If you can get an IP “dialtone” on any of the Internet’s 40,000+ networks, you can access any site, app, or service anywhere else in the world. Sure, there are practical concerns: you might not have much bandwidth, access might be expensive, your device or software may not be compatible, a site might be down or blocked, your connection might be unreliable, et cetera. But that fundamental interoperability is the heart and soul of why the Internet has become humanity’s dominant communications medium, and has made things ranging from smartphones to the Arab Spring possible.

This year’s mass surveillance revelations — and the legal frameworks behind them — may represent the biggest interoperability challenge the Internet has faced. Now, being part of the Internet community means being subject to monitoring by the Five Eyes — the intelligence agencies of the United States, the United Kingdom, Canada, Australia, and New Zealand — in addition to lawful intercept and domestic surveillance conducted by national and local governments. Countries can pass laws to monitor communications amongst their own people or within their own borders — most countries have — but those same countries almost certainly consider the activity of the Five Eyes an infringement on their sovereignty. And they’re not happy about it.

Slouching Towards Balkanization -- The human reaction to external threats is predictable: circle the wagons, bar the gates, hide the children, and raise the drawbridge. In the extreme, a country could block Internet access at its borders, creating a walled garden. Internet services would work domestically, but be disconnected from (or even incompatible with) the global Internet, keeping out the Internet’s broadest dangers and the Five Eyes.

Few nations would risk the economic damage that would come from disconnecting from the global Internet. A more realistic option is requiring Internet behemoths like Google, Facebook, Yahoo, Amazon, and Apple to locate services and store data within a country’s borders — where they would be subject to the country’s laws. The Five Eyes’ surveillance regime is effective because so much everyday Internet traffic is routed through data centers in North America and Europe — where major Internet companies are headquartered — and subject to those countries’ laws. As of January 2013, more than 100 countries had no domestic Internet exchanges, meaning they were entirely dependent on foreign services. Requiring major providers to locate data centers within a country’s borders means local traffic would stay local, theoretically beyond the reach of the NSA’s legal and clandestine tentacles into American companies.

It’s not a new idea. China mandates that Internet businesses comply with the censorship and data handover requirements of the so-called “Great Firewall.” It’s not just a pro-forma requirement: China has imprisoned a number of dissident bloggers, some on the basis of information turned over by Yahoo’s Chinese subsidiary, and in 2010 Google moved its Chinese search engine from Beijing to Hong Kong to sidestep Chinese censorship requirements. The same year, countries like India, Saudi Arabia, and Indonesia moved to shut down the BlackBerry service unless they were granted a way to intercept messages. BlackBerry kept running, most likely by parking servers in those jurisdictions where they can be monitored without involving international law. Of course, Internet users may not be comfortable with what their governments do and don’t allow within their online borders: according to the latest World Wide Web Foundation’s Web Index (founded by Web creator Sir Tim Berners-Lee), 30 percent of the world’s nations engage in moderate to extensive blocking of online content and services they deem objectionable or sensitive.

Some of these examples predate recent surveillance disclosures. Who might be next? Consider Brazil. Brazil had previously pondered its own national secure email service (through its post office), but is now getting serious, with President Dilma Rousseff laying out proposals to bolster Brazil’s domestic bandwidth (keeping Brazilian traffic in Brazil), require Internet companies to locate data centers within its borders, and encourage network operators to use networking equipment designed and produced in Brazil.

The notion of Brazilian-designed networking gear could be important. In the next two years Brazil is scheduled to light up five new undersea fiber links to Africa, Europe, and Asia, (and, yes, to the United States), potentially enabling Brazil (and its overseas partners like China and South Africa) to bypass the Five Eyes. If those links — or Brazil’s expanded networks — eventually work only with Brazilian gear, the country could become the Internet’s largest walled garden. But Rousseff sees the moves as a way to protect values that historically have been championed by the United States.

“In the absence of the right to privacy, there can be no true freedom of expression or opinion, and therefore no effective democracy,” she told the UN General Assembly. Then, driving her point home, Rousseff announced (ironically, via Twitter) that Brazil will be hosting an ICANN summit on Internet privacy and security in April 2014, and cancelled a state dinner with the Obamas.

Brazil is not alone in considering carving away from the Five Eyes. In the European Union, France and Germany have been highly critical of recent surveillance revelations. The EU’s internal market commissioner Michel Barnier has called for a “European data cloud”, and EU justice commissioner Viviane Reding characterized the European Parliament’s vote on data protection regulations as a declaration of independence, requiring non-EU companies to “deal responsibly” with user data or be fined up to 5 percent of their annual worldwide revenue. If EU member states adopt the policies, Internet users will see warnings when their personal data is about to leave servers covered by EU data protection laws.

Some “Email Made In Germany” services piggybacking on popular concern over NSA surveillance already do something similar. Raising the ante, Deutsche Telekom is currently proposing an “all-German” domestic Internet with an eye towards encompassing the whole Schengen Area, twenty-six European countries that have mutually set aside passport and immigration controls. (The UK and Ireland opted out.)

Think Global, Act Local -- If Internet balkanization can protect privacy, is it a bad thing? On some levels, keeping user information, data processing, and communication within a country or region is just common sense. Do we need to use a server halfway around the world to send a quick message across town? It certainly isn’t efficient, purely on the basis of resource consumption, electricity, network infrastructure, and complexity.

The flip side is that balkanization — even when well-intentioned — can impact the interoperability and communicative power of the Internet. Requiring companies to run separate facilities in each country in which they operate is both expensive and cumbersome. Those costs could impede innovation if companies have to choose between setting up a data center in (say) Austria or investing in R&D.

Sometimes Internet services pick up their most loyal followings in unexpected places — that would be far less likely to happen with a balkanized Internet. Remember Orkut, Google’s early experiment in social networking? Most people don’t, but it was huge in Brazil and India for years — and Google eventually moved it to Brazil entirely. Similarly, Canadian instant messaging service Plurk never managed to rival Twitter, but it became so popular in Taiwan it accepted millions to relocate there in early 2013. How about San Francisco’s social/gaming service Hi5? It’s now part of Tagged, but its biggest audience has always been in Latin America.

Can social networks and modern apps survive in a world with online border checkpoints? Imagine installing a new collaborative music app or game from the App Store, only to find you can’t use it with your friends because it hasn’t been approved in their jurisdiction. Want to share a tagged photo? Maybe you can’t because your preferred social network doesn’t support a “right to be forgotten.” Maybe you’re travelling and want to check back in with family via FaceTime, but it’s blocked because Apple has not granted the local government a back door to tap into video chats. Or maybe all these services will work great once you register your devices, verify your identity, and pay a fee to another country. A global patchwork of Internet regimes — each with its own quirks and requirements — quickly undermines the free exchange of data and information on which the modern Internet has thrived.

Perhaps most importantly, countries that decide to require Internet services host and process data locally will have the capability to monitor that data much more closely — and decide what can and cannot flow across their borders, what they will and won’t collect. This might not be a major issue in democratic countries like Brazil and Germany — although they operate their own sophisticated intelligence regimes. However, authoritarian states may decide to engage in (more) internal censorship and surveillance. Further, some firms will choose not to operate in particular countries — like Google in China — due to legal requirements, technical complexity, or the burden setting up subsidiaries. What if Facebook and Twitter had been required to run data centers in Tunisia, Egypt, or Yemen under the thumb of those countries’ former governments? Could the Arab Spring have taken place without the extra-territorial communications channels made possible by Facebook and Twitter?

What About International Law? -- Before we start carving the Internet into separate fiefdoms with unique rules, border guards, and access requirements, isn’t there some legal remedy to the Five Eyes’ increasingly exposed surveillance regime? Perhaps secret U.S. law can enable the NSA to collect metadata on hundreds of millions of Americans, but how can U.S. law legally empower the NSA to collect phone records on hundreds of millions of German, French, Dutch, Italian, and Spanish citizens, and others — not to mention dozens of world leaders? Couldn’t these people — or these nations — just take the United States to court?

The short answer is the mass surveillance regime is probably not legal in many nations where individuals’ data is being collected. The United States can authorize the NSA and other agencies to spy on other nations’ communications under U.S. law, but that does nothing to de-criminalize those acts under other nations’ laws. So the unofficial eleventh commandment of intelligence agencies — “Thou shalt not get caught” — holds true. Because if they’re caught they’ll go to prison.

The long answer is much more complicated. The United States and many other countries have data-sharing and safe-harbor agreements that permit international sharing of communications and business information — these facilitate communications, finance, and business all around the world. Once that information is in the United States (legally) and being processed by U.S. businesses and agencies, it’s subject to U.S. law and, essentially, fair game to intelligence agencies. Further, Internet traffic that transits the United States is subject to U.S. law — and possibly even if it’s handled entirely overseas by U.S. companies. Warrants from the Federal Intelligence Surveillance Court (FISA) are sealed, so we don’t currently know if the United States has extended its reach overseas this way. Maybe future disclosures will tell us.

In addition, the United States and the Five Eyes have a number of intelligence-sharing arrangements. The most significant is with Britain’s GCHQ but the Five Eyes do some sharing with at least a dozen allies ranging from Singapore to Sweden. Few details have been disclosed, but elements of other governments probably have had some knowledge of NSA activity within their borders. If mass surveillance is conducted with a government’s permission — perhaps as a quid pro quo arrangement — it may be legal.

Can mass surveillance be prosecuted under international law? Probably not. Most agreements dealing with surveillance only address government and diplomatic communication, not mass collection of commercial or private data. For instance, the Vienna Convention on Diplomatic Relations of 1961 bars espionage and is the basis for the modern concept of “diplomatic immunity.” It’s ratified by 189 countries but seems to be regularly ignored. Some early disclosures from Snowden include the NSA tapping communications at the United Nations, the Atomic Energy Agency, NATO, and EU offices — almost certainly in violation.

What about the United Nations? The 1966 International Covenant on Civil and Political Rights (ICCPR) lays out specific provisions that prohibit signatories from “unlawful or arbitrary interference” with any person’s privacy, whether by individuals, businesses, foreign countries, or a nation itself. Violations of the ICCPR are handled by the Human Rights Committee, a quasi-judicial group of 18 experts at the UN that meets three times a year.

The ICCPR sounds promising, but the devil is in the details. The ICCPR has been ratified by 74 countries, but the United States got around to it only in 1992 and, curiously, has not made legal changes to meet its requirements. (The U.S. has also refused optional portions that prohibit torture.) In 2006, a Human Rights Committee review all but declared the U.S. in violation — another review could start as early as March 2014. The United States and the UK also don’t accept the right of “individual complaint” under the Covenant, meaning a specific person cannot bring them up before the Human Rights Committee. However, entire nations (or coalitions like Latin America or the EU) could bring inter-state complaints under the ICCPR.

Even nations would find it tricky to bring ICCPR complaints against the Five Eyes. The privacy provision in the Covenant is quite short, and doesn’t include limitations or legal tests. In other words, it’s wide open to interpretation that could keep politicians, diplomats, and lawyers busy for years — and it’s not like the UN or the Human Rights Committee moves quickly even when members are in widespread agreement. The United States and its allies have consistently argued their mass surveillance regime is legal and all about going after international terrorists — and the ICCPR does not apply to espionage.

One option might be changing the ICCPR. Brazil and Germany have just put forward a proposal that would add a right to online privacy to the ICCPR, asserting the “same rights that people have offline must also be protected online, including the right to privacy,” and that “highly intrusive” online surveillance would violate rights to freedom of expression. If it’s ratified, digital privacy could become an international human right alongside things like freedom of movement, freedom of association, and non-discrimination. The United States has already delineated its objections, and the proposal has wiggle room allowing collection of sensitive information in the name of public safety.

What if the United States or the Five Eyes were found in violation of the ICCPR? Despite its worthy ideals, the Covenant is essentially toothless, relying on nations’ goodwill to correct their own behavior. If the Human Rights Committee were to find the United States or its allies violated the Covenant — highly unlikely considering the economic and diplomatic pressure the U.S. can bring to bear — the only requirement is that countries in violation submit updates every three months about how they’re trying to fix the problems. That’s it. The committee cannot invalidate or change U.S. law, assess financial punishments, enact trade sanctions, or anything else. Being in violation would certainly be an embarrassment to the United States and the Five Eyes — one that would be trumpeted loudly and frequently by critics — but that sort of international shaming hasn’t closed the U.S. prison camp at Guantanamo Bay.

The inefficacy of trying to go through the UN is one reason Brazil, Germany, and other nations are taking steps to cordon off their domestic Internet networks from the NSA. It’s a more practical solution under their control.

What About Encryption? -- If balkanization could wreak havoc with the Internet and there’s no realistic legal or international recourse to shut down mass surveillance, what can we little people do? Just accept the Five Eyes (and their friends)? Trust that our small, insignificant lives are beneath their notice, that agencies will never abuse their capabilities, and never make mistakes that matter to us?

One bright spot is data encryption. While documents disclosed by Snowden revealed that the NSA has worked to weaken encryption standards and devised methods to aggressively attack encrypted data, other documents also indicated that well-implemented, strong cryptography can still stymie the NSA — and the math seems to hold up. Sure, the NSA might be able to crack strong encryption, given enough time and resources, but they have to be motivated: it won’t happen for every email message or tweet generated by hundreds of millions of people every day. As a result, the NSA has preferred to conduct its surveillance before data gets encrypted or after it’s decrypted — like in the guts of data centers.

Internet companies are responding. Google was already beginning to encrypt its internal network before the Snowden revelations, and has since sped up the work; Yahoo says all connections in its data centers will be encrypted by April 2014. Disclosed documents indicate Microsoft assisted the NSA in accessing its services — ironic since the company’s new PR campaign claims Google can’t be trusted with private data. That said, although the company has taken flak recently for failing to encrypt data, Microsoft just announced ambitious plans to encrypt user data and its networks by the end of 2014, with many protections already in place. Dropbox, Facebook, Twitter and several others have taken major steps to encrypt communications internally and between each other: the EFF is maintaining a summary. However, most Internet companies must process unencrypted data from or about their users at some point: it’s impossible to run something like Google’s vast online advertising business (and extensive user profiling) and keep all user data encrypted all the time. Securing internal data links may take away one avenue the NSA has used to collect data from major Internet companies, but others almost certainly exist.

Strong encryption is available to everyday people, too: we can encrypt our email, use VPNs or Tor to shield our network connections, and use services that don’t store information about us. Joe Kissell’s “Take Control of Your Online Privacy” goes through the details and suggests real-world strategies for keeping our online lives private, but it focuses more on advertisers, local villains, and big media than on Big Brother.

Slouching Towards Transparency -- Encryption alone is no guarantee data will be safe from the NSA’s prying eyes, but, done well, broader use of strong encryption can at least reduce weak points being leveraged by the NSA or others.

So what about all those other bugs and exploitable problems that compromise encryption and security? There’s no easy answer other than fixing those problems and making better systems. Most companies handle this process behind closed doors (if they handle it at all), often considering the details proprietary. But the Internet industry as a whole might be able to move forward via transparency and certification authorities — if only companies would get on board.

In general terms, transparency would mean companies being open not only about problems and errors in their software and hardware products, but also about how they create their products so customers can understand their risks. For hardware makers, that might include information about design, parts, supply chain, firmware, and physical security at manufacturing facilities; for software makers, it might include what libraries and tools they use or license and details of how their software communicates. The idea is not just to let users (and customers) know whether products are vulnerable to a known problem (rather like the widely used CVE system that catalogs security vulnerabilities) but also to identify whether manufacturing or development processes are vulnerable to the end-runs the NSA seems to prefer.

When problems turn up — and they always do — solutions and case studies can be made available to the entire industry to be refined or perhaps adopted as a best practice. Such a process will inevitably look like the cat-and-mouse game software makers have played with hackers and virus writers for years, except it could be the global Internet and telecommunications industries going up against the NSA and its partners. And, like the fight against malware, it would probably be never-ending.

A big question is who would manage all this. No organization currently acts as a clearinghouse for digital security threats — aside, perhaps, from the NSA — and it’s a gargantuan task. Organizations and frameworks like the ISO, the ISA Security Compliance Institute, Common Criteria, and the National Institute of Standards and Technology (NIST) could play a role here — although NIST is working to regain trust in the computer security community following recent reports the NSA got a backdoor into a NIST encryption standard. (NIST immediately launched a review.) The Internet Engineering Task Force (IETF) appears ready to engage in a long-term effort to re-evaluate the security of many of the Internet’s core technologies. At least it’s a start.

Internet, mobile, and telecommunications industries could take a cue from standards bodies in other industries like aerospace, healthcare, and safety — consider government agencies like the National Transportation Safety Board and companies like Underwriters Laboratories. Standards bodies and certification agencies identify risks, establish best practices, and develop tests and compliance programs that confirm products meet security standards. NIST has issued a preliminary cybersecurity framework aimed at critical infrastructure, but it includes an appendix on privacy and civil liberties.

Telecommunications giant Huawei is also trying to get the ball rolling on international cybersecurity standards: it recently published a white paper detailing its own internal practices — so far as I can tell, that’s a first for the industry. Huawei is the world’s largest telecommunications gear maker but is essentially barred from the U.S. market over allegations that its equipment might contain secret backdoors for the Chinese government. Thus, Huawei’s call for standards may be self-serving, but the company’s semi-pariah status might enable it to take a leading role. After all, among companies in its industry, Huawei has the fewest connections to the U.S. government and Internet companies at the heart of this year’s mass surveillance revelations.

“We’re not saying that we have all the answers,” said Huawei USA Chief Security Officer Andy Purdy in a phone interview this October, “but we’ve got to come up with some areas of agreement and we have to have product assessment. That feedback loop is essential for the global industry generally. We know it’s hard — we have thousands of suppliers — but we’ve got to raise the bar.”

Cybersecurity standards and certification could become extremely important if countries like Brazil and Germany — and anyone who wants to partner with them — begin separating themselves from the global Internet and preferring infrastructure and gear designed and produced in their own countries.

What About Disclosure? -- One of the insidious things about the legal framework of the NSA’s surveillance regime is that it’s covered by gag orders. American companies can be required to turn over data en masse without saying a word. At that point, encryption, standards, and data center design just don’t matter: the NSA gets everything wrapped up with a nice bow. As other countries set up their own national networks, it’s reasonable to assume they’ll use similar legal frameworks to scoop up not just data about their own citizens, but also any other personal data that transits their networks.

It’s a given that the United States will always have national security concerns, and governments will always spy on each other. However, the ongoing outcry from this year’s mass surveillance disclosures may generate political momentum for legal change. President Obama’s response to the initial Snowden disclosure was to reassure the American public that no one was listening to their phone calls and everything was legal. That stance has since shifted substantially: Obama appointed a review panel to make recommendations (due 15 December 2013) on changes in the U.S. intelligence apparatus, and has been openly talking about “legitimate concerns” that technology has outpaced the legal framework governing the NSA’s activities. Few expect major changes overnight, but it might be the start of a broader reform process.

Several dozen Internet companies (including Apple, Facebook, Microsoft, Twitter, and Google) have petitioned the government to let them publish aggregate information about national security-related requests they receive. (Many companies, like Google, publish transparency reports for law enforcement requests.) Apple has taken things one step further in its own first transparency report, becoming the first major tech company to employ a so-called “warrant canary” for orders to turn over data under Section 215 of the PATRIOT Act. Apple says it has not received any such orders; if it does, that assertion should disappear when Apple’s next report comes out in six months. That’s a long delay, but the idea behind a warrant canary is that a gag order can legally keep a company quiet, but cannot compel it to lie. Warrant canaries haven’t been tested in court, but Apple has deep pockets to fund a legal challenge.

It’s Complicated -- If there were an easy solution to the conflict between individual privacy, personal and national security, and the mass surveillance being carried out by western powers, we would have figured it out by now. The reality is that these issues have been with us for years; solutions are going to be incomplete, long-term, and messy; and conflict will only become more pronounced with our dependency on the Internet and modern communications.

It’s a shame. From a humble beginning more than four decades ago, the Internet has developed into perhaps humanity’s most powerful tool for spanning cultural divides, expanding access to information and education, enabling freedom of expression, protecting human rights, and — despite the trolls — broadening the human experience. Let’s hope we don’t destroy it to spite ourselves.


Backblaze is unlimited, unthrottled backup for Macs at $5/month.
Web access to files means your data is always available. Restore
by Mail allows you to recover files via a hard drive or USB.
Start your 15-day trial today! <>

Comments about Are We Ready for the Post-Snowden Internet?
(Comments are closed.)

Thank you for this article. Highly highly appreciated and relevant.
Lindsey Thomas Martin  2013-12-08 21:41
Geoff Duncan  An apple icon for a Friend of TidBITS 2013-12-10 11:43
Discussion of "secure" email services is a separate topic, but (briefly) today's email will never be secure, and services like Hushmail already do what (it seems) StartMail is attempting.
Steven Oz  An apple icon for a TidBITS Contributor 2013-12-10 13:13
At least we now know that we're under surveillance for anything we do on the Internet.

Kinda like the traffic light cameras that catch you if you try to sneak through on red.

And here in NYC, there aren't many places where you don't have a camera lens focused on you when you're on the street or in a public place.

I think it's a crime deterrent for many.

But, being a normal human being, I want to have a private digital conversation when I want to as well.

It's a cat and mouse game... or chess... you move your surveillance here, I'll move there...

Geoff Duncan  An apple icon for a Friend of TidBITS 2013-12-10 15:29
In the United States (and many other countries) there are key legal distinctions between governments monitoring public activities in public places (like red light and ATM cameras), and monitoring activity (say) in a private residence, on private property, or behind closed doors. Do we consider using our computers, smartphones, and tablets akin to being in a public place, standing on a sidewalk?
robmorrison  2013-12-10 20:40
Between the governments and businesses, you can be sure that there will be no effective protection for the individual. Both entities have invaded our privacy, track everything we do on the internet and other electronic forms, and most likely will never stop doing so. Both have made themselves above the law and immune from it. Only honest government and business leaders will comply with any laws meant to protect us. I see very few honest people in either category. In short, without a full scale revolt by all the people, it will get worse, despite the best efforts of the many organizations named in this article. Gloomy outlook, but I see no compelling evidence that things will get better.
Steven Oz  An apple icon for a TidBITS Contributor 2013-12-11 09:11
I have to agree with you, Rob. For real change, it generally takes a million people, frothing at the mouth, protesting/rioting in the streets. Then the powerful people may take notice. Politicians and corporation heads love to have the power of covert and omniscient surveillance, either for profit, power-lust or rights-control.
Adam Engst  An apple icon for a TidBITS Staffer 2013-12-11 09:28
I've been pondering this, and it seems to me that the only way this sort of problem changes is if people who believe strongly in doing the right thing come to power in legitimate ways. So protest, and even revolt, aren't going to make people in power change their ways - if anything, they'd see such behavior as indication that they need all the more information to be safe.

What might be a good start is if an organization like the EFF starting tracking - and publicizing - the public activities of various politicians with regard to support for governmental transparency and support for privacy. That could shine a light on the people who are doing the right thing in Congress and elsewhere, and those who aren't.
Steven Oz  An apple icon for a TidBITS Contributor 2013-12-11 09:56
Adam, the EFF is a worthy organization, as is Amy Goodman's Democracy Now, but how bright are their lights? It might take both approaches: illumination of governmental and corporate privacy policies and then revolt and overthrow (ideally by peaceful means), by the people, of the offenders who don't want to change or go quietly.

Unfortunately, as the article suggests, even well-intentioned, legitimately-elected officials can slip over to the dark side if the price is right or the arm-twisting too painful.

The power of a mass of people in the streets can be sea-changing. In my experience of watching our world, most real change starts with the national or global awareness that the majority will not accept anything else without a fight.

Adam Engst  An apple icon for a TidBITS Staffer 2013-12-11 10:14
I just can't see enough people in the United States getting sufficiently worked up about this to gather in the streets, and anything beyond a peaceful protest is unthinkable to me. We're not talking Egypt here.

But maybe that's just me.
Steven Oz  An apple icon for a TidBITS Contributor 2013-12-11 10:26
Perhaps when the American people, now that we know we're being completely monitored all the time, start to connect the dots of surveillance and being controlled, by legal or illegal means, covert or not covert...

Some American allies of ours are now turning their backs on us to some extent, knowing that we were listening and taking notes during their confidential and important high-level conversations. How is that different from the ordinary citizen and his spying government?

Race riots in the 60s got our attention. Privacy riots may be next.

Geoff Duncan  An apple icon for a Friend of TidBITS 2013-12-11 12:42
Although I only touched on this in the article (there was a lot to cover), another venue for change is one of the most powerful motivators in human history: money. One reason Google, Facebook, Apple, Yahoo, and others are petitioning the government for transparency and surveillance reform is that, as American companies subject to NSA surveillance, their trustworthiness both inside the U.S. and (particularly) internationally has declined substantially. That's real money for these companies.

I can't speculate about privacy riots in the streets. But I'm more than willing to bet lobbyists and their checkbooks are at work.
Josh Centers  An apple icon for a TidBITS Staffer 2013-12-12 07:53
I don't even think street protests are necessary, or even effective. What it'll take is a large enough abuse that causes so much outrage that the government will have no choice but to stop. Two examples I can think of: 1) a massive security breach that leaks everyone's personal information or 2) an NSA analyst being outed as a pedophile.

That seems extreme, but otherwise, I don't think Americans care. Surveillance is easy to ignore, doesn't affect most people day to day (yet), and doesn't hit any of the right buttons.

In the meantime, I think the best course of action for the average concerned user is to take the advice of security expert Bruce Schneier and encrypt as much as possible.
artMonster  2013-12-11 19:27
I agree that street protests are not effective in this situation. Many people probably agree with all the surveillance. To keep us "safe". Of course this surveillance is not at all limited to keeping terrorists at bay, it is pure and simply, totalitarianism - pretending to be benign. That Snowden is not hailed as a hero is all we need to know.
Graham Samuel  2013-12-13 02:42
As a Tidbits subscriber, I forwarded this article to my friend Joel Brenner, a former Senior Counsel at NSA (and a lot more:see I think his response is interesting:

We are not slouching into transparency; we are there already. We are, however, slouching toward Balkanization, and it will be driven in part by the Snowden Affair, but with perverse results. The big diplomatic push led by Russian, China, Brazil, and others will be to move internet governance into the UN's ITU, whose next chairman will be Chinese. The goal of this group of countries is to exercise more, not less, government control over the Internet — to "re-sovereign" it and undermine the multi-stakeholder model favored by the Western democracies. Meanwhile there is likely to be convergence between the Five Eyes, France, and Germany over surveillance rules that are much in the news. If the ITU push is successful, the people who think of themselves as libertarians will find themselves in favor of a regime in which they prefer technical standards, connection rules, and surveillance protocols promulgated from China over those in the West. This is positively, absolutely insane. This is the biggest issue in network governance that most people have never heard of.
Geoff Duncan  An apple icon for a Friend of TidBITS 2013-12-13 11:37
Graham, thanks for passing along the article and posting the reply!

I agree with Mr. Brenner that efforts from Brazil, China, Russia, and potentially countries like Germany to more-strongly assert national sovereignty over domestic Internet activity could be a major step towards Balkanization, and ultimately represents a fundamental shift in the Internet as we've come to know it.

I'm not so sure we're "already there" on transparency, but Mr. Brenner and I are probably using different definitions. It is certainly true that public knowledge of data collection, government surveillance, and privacy limits is much broader than it was (say) a year ago, and that standards, ITC gear makers' processes, and supply chains are becoming less hidden. In broad terms, however, I don't think we've reached a level of "informed consent" of the general public, either in the United States or in other nations.
Steven Oz  An apple icon for a TidBITS Contributor 2013-12-15 15:35
Thanks for introducing us to Joel Brenner!

A couple elucidating snippets from his blog:

"It’s time to get closer to both the Germans and the French, but that will require substantial movement on all sides, not just ours. Some have suggested the way to do it is to bring these nations into the “Five Eyes” treaty under which the United States, Britain, Canada, Australia, and New Zealand share intelligence and do not collect against one another."


"The public appears to like privacy and transparency in equal measure and hasn’t yet figured out yet that it cannot have unlimited amounts of both. Privacy says: This you may not see, may not hear, may not know. Its fundamental principles are reticence, boundaries, and modesty. Transparency insists on seeing, hearing, and knowing everything. As the most exhibitionist culture in history we are struggling with this. In the meantime the transparency revolution means that your children are making decisions about sharing information that should make your hair curl; your own personal information is liable to be hijacked in bulk; and your employer’s trade secrets, which create corporate value and very possibly your job, are probably being stolen remotely and carried abroad. The government’s secrets are enjoying the same fate. Very little can be kept secret any longer, and that which can be kept secret will not stay secret for long. As massive leaks demonstrate, policy makers who cannot come to grips with this sea change will continue to make serious errors of judgment."
Geoff Duncan  An apple icon for a Friend of TidBITS 2013-12-18 15:37
FWIW, the report from the Review Group on Intelligence and Communications Technologies was released today:

Among the recommendations:

- Legislation to require phone metadata be kept by phone companies or private third party until a federal court order authorizes NSA to collect it;

- National security letters allowing access to financial and phone records would require a prior "judicial finding;"

- Barring NSA from attempting to undermine secure encryption standards;

- Public interest advocate to represent civil liberties interests before the FISA court.
Paul Findon  2013-12-29 07:55
Failure to supply encryption keys or decrypted copies of encrypted data is a criminal offence under Part 3 of RIPA here in the UK and two people have already been jailed for failure to supply keys, so encryption seems futile.