  • Ben Wizner: Not a lot of applause for us. Chris Soghoian: I know.

  • Ben Wizner: Are they ready? Chris Soghoian: I think so.

  • Ben Wizner: Ok, I think we'll get started. Thank you all so much for being here. There

  • wasn't a lot of applause when we came on stage so I guess you're here to see somebody else. (( Applause ))

  • My name is Ben Wizner; I'm joined by my colleague Chris Soghoian from the ACLU. Maybe we can

  • bring up on screen the main attraction.

  • Edward Snowden: Hello. Ben Wizner: With his very clever green screen. Please bear with us today, the technology

  • may have some kinks. The video may be a little bit choppy. Our friend is appearing through

  • 7 proxies so if the video is a little slow.

  • You're joining us for the event that one member of Congress from the great state of Kansas hoped would not occur. He wrote to the organizers

  • of SXSW urging them to rescind the invitation to Mr. Snowden. The letter included this very

  • curious line, "The ACLU would surely concede that freedom of expression for Mr. Snowden has

  • declined since he departed American soil". No one disputes that freedom of expression

  • is stronger here than there but if there's one person for whom that's not true, it's

  • Ed Snowden. If he were here in the United States he would be in a solitary cell, subject

  • probably to special administrative measures that would prevent him from being able to

  • communicate to the public and participate in the historic debate that he helped launch.

  • We're really delighted to be here. One more bit of housekeeping. As I'm sure

  • most of you know, you can ask questions for Mr. Snowden on Twitter using the hashtag

  • AskSnowden. Some group of people backstage will decide which of those questions we see

  • here. We'll try to leave at least 20 minutes or so for those questions. As I said, Ed Snowden's

  • revelations and the courageous journalism of people like Bart Gellman who you just heard,

  • Glenn Greenwald, Laura Poitras, and others has really launched an extraordinary global

  • debate. You might think of that debate as occurring over 2 tracks. There is a debate

  • in Washington in the halls of power about law and policy about what democratic controls

  • we need to rein in NSA spying that takes place in courts that are considering the legality,

  • the constitutionality of these programs in the legislature, considering legislation.

  • There's a very different conversation that you hear in conference rooms in technology

  • companies, particularly among people working on security issues. Those people are talking

  • less about the warrant requirement for metadata and more about why the hell the NSA is

  • systematically undermining common encryption standards that we all use. Why is the NSA

  • targeting telecommunication companies, internet companies, hacking them to try to steal their

  • customer data, basically manufacturing vulnerabilities to poke holes in the communication systems

  • that we all rely on? We're hoping to mostly focus on that latter conversation here.

  • With that in mind, Ed if you're with us, maybe you could say a few words about why you chose

  • for some of your first public remarks to speak to the technology community rather than say

  • the policy community in Washington. Edward Snowden: Well thank you for the introduction.

  • I will say SXSW and the technology community, the people who are in the room at Austin right

  • now, they're the folks who can really fix things, who can enforce our rights through

  • technical standards even when Congress hasn't yet gotten to the point of creating legislation

  • to protect our rights in the same manner. When we think about what's happened with the

  • NSA in the last decade, in the post 9/11 era... the result has been an adversarial internet,

  • a sort of global free fire zone for governments that's nothing that we ever asked for. It's

  • not what we wanted. It's something we need to protect against.

  • When we think about the policies that have been advanced... sort of erosion of Fourth

  • Amendment protections, the proactive seizure of communications, there's a policy of response

  • that needs to occur. There's also a technical response that needs to occur. It's the makers,

  • it's the thinkers, it's the development community that can really craft those solutions and

  • make sure we are safe. The NSA... the sort of global mass surveillance

  • that's prying at all of these countries not just the US, and it's important to remember

  • that this is a global issue, they're setting fire to the future of the internet. The people

  • who are in this room now, you guys are all the firefighters. We need you to help us fix

  • this. Ben Wizner: So Chris, you heard Ed say that

  • the NSA offensive mass surveillance programs, the sort of manufacturing of vulnerabilities,

  • is setting fire to the future of the internet. Do you want to comment on that?

  • Chris Soghoian: Sure. Many of the communications tools that we all rely on are not as secure

  • as they could be. Particularly for the apps and services that are made by small companies

  • and small groups of developers, security is often an afterthought if it's a thought at

  • all. What that's done is enable global passive surveillance by the US but other governments

  • too. What I think has been the most lasting impression

  • for me from the last 8 months is the fact that the real technical problems that the

  • NSA seems to have are not, "How do we get people's communications" but, "How do we deal

  • with the massive amounts of communication data that we're collecting?" The actual collection

  • problem doesn't seem to be a bottleneck for the NSA. That's because so many of the services

  • that we're all relying on are not secure by default.

  • I really think for this audience, one of the things that we should be thinking about and

  • hopefully taking home is the fact that we need to lock things down. We need to make

  • services secure out of the box. That's going to require a rethink by developers. It's going

  • to require the developers start to think about security early on rather than later on down

  • the road. Ben Wizner: Let me pick up on that. Ed, you

  • submitted written testimony last week to the European parliament. I want to quote a very

  • short part of that and have you elaborate on it. You said, "In connection with mass

  • surveillance, the good news is that there are solutions. The weakness of mass surveillance

  • is that it can very easily be made much more expensive through changes in technical standards".

  • What kind of changes were you talking about and how can we ensure that we make mass surveillance

  • more expensive and less practical? Edward Snowden: The primary challenge that

  • mass surveillance faces from any agency, any government of the world, is not just how do

  • you collect the communications as they cross the wires, as they sort of find their way

  • through the global network, but how do you interpret them? How do you understand them?

  • How do you direct them back out and analyze them? [inaudible 00:08:35] at least on the

  • easiest, the simplest, most cost effective basis by encryption.

  • There are 2 methods of encryption that are generally used, one which is deeply problematic.

  • One of those is what's called key escrow. It's sort of what we're using with Google

  • type services, Skype type services, right now where I encrypt a video chat and I send

  • it to Google. Google decrypts it and then re-encrypts it to you guys and we have it.

  • End-to-end encryption, where it's from my computer directly to your computer, makes

  • mass surveillance impossible at the network level without a crypto break. They are incredibly

  • rare and they normally don't work. They're very expensive. By doing end-to-end encryption,

  • you force what are called threat model global passive adversaries to go through the

  • endpoints, that is the individual computers. The result of that is a more constitutional,

  • more carefully overseen sort of intelligence gathering model, law enforcement model, where

  • if they want to gather somebody's communications, they'd have to target them specifically. They

  • can't just target everybody all the time and then when they want to read your stuff, they

  • go back in a time machine and they say, "What did they say in 2006?"

  • They can't pitch exploits in every computer in the world without getting caught. That's

  • the value of end-to-end encryption and that's what we need to be thinking about. We need

  • to go, "How can we enforce these protections in a simple, cheap, and effective way that's

  • invisible to [users 00:10:17]?" I think that's the way to do it.

  • Ben Wizner: So Chris, one of the obstacles to widespread end-to-end encryption is that

  • many of us get our e-mail service from advertising companies that need to be able to read the

  • e-mails in order to serve us targeted ads. What are steps that even a company like Google

  • that's an advertising company or companies like that can do to make mass surveillance

  • more difficult? Are there things or do we really need new business models to accomplish

  • what Ed is talking about? Chris Soghoian: In the last 8 months, the

  • big Silicon Valley technology companies have really improved their security in a way that

  • was surprising to many of us who have been urging them for years to do so. Yahoo was

  • kicking and screaming the whole way but they finally turned on SSL encryption in January

  • of this year after Bart Gellman and Ashkan Soltani shamed them on the front page of the

  • Washington Post. The companies have locked things down, but

  • only in a certain way. They've secured the connection between your computer and Google's

  • server or Yahoo's server or Facebook's server which means that governments have to now go

  • through Google or Facebook or Microsoft to get your data instead of getting it with AT&T's

  • help or Verizon's help or Comcast or any party that watches the data as it goes over the

  • network. I think it's going to be difficult for these

  • companies to offer truly end-to-end encrypted service simply because it conflicts with their

  • business model. Google wants to sit between you and everyone you interact with and provide

  • some kind of added value whether that added value is advertising or some kind of information

  • mining, improved experience, telling you when there are restaurants nearby, where you can

  • meet your friends. They want to be in that connection with you. That makes it difficult

  • to secure those connections. Ben Wizner: Is this the right time for a shout

  • out to Google that is in this conversation with us right now?

  • Chris Soghoian: The irony that we're using Google Hangouts to talk to Ed Snowden has

  • not been lost on me or our team here. I should be clear; we're not getting any advertising

  • support from Google here. The fact is that the tools that exist to enable secure end-to-end

  • encrypted video conferencing are not very polished. Particularly when you're having

  • a conversation with someone who's in Russia and who's bouncing his connection through

  • several proxies, the secure communications tools tend to break.

  • This I think reflects the state of play with many services. You have to choose between

  • a service that's easy to use and reliable and polished or a tool that is highly secure

  • and impossible for the average person to use. I think that reflects the fact that the services

  • that are developed by large companies with the resources to put 100 developers on the

  • user interface, those are the ones that are optimized for security. The tools that are

  • designed with security as the first goal are typically made by independent developers,

  • activists, and hobbyists. They're typically tools made by geeks for geeks.

  • What that means is the world... the regular users have to pick. They have to pick between

  • a service they cannot figure out how to use or a service that is bundled with their phone

  • or bundled with their laptop and works out of the box. Of course rational people choose

  • the insecure tools because they're the ones that come with the devices they buy and work

  • and are easy for people to figure out. Ben Wizner: Let's bring Ed back into this.

  • In a way, this whole affair began with Glenn Greenwald not being able to use PGP which

  • is somewhat of a joke in the tech community but really not outside the tech community.

  • PGP is not easy to install and it's not easy to use. Using Tor, using Tails... I feel like

  • I need new IT support in my office just to be able to do this work. You're addressing

  • an audience that includes a lot of young technologists. Is there a call to arms for people to make

  • this stuff more usable so that not only technologists can use it?

  • Edward Snowden: There is. I think we're actually seeing a lot of progress being made here.

  • Whisper Systems, the sort of Moxie Marlinspike of the world, are focusing on new user experiences,

  • new UIs. Basically ways for us to interact with cryptographic tools which is the way

  • it should be, where it happens invisible to the user, where it happens by default. We

  • want secure services that aren't [opt in 00:14:46]. It's got to pass the Glenn Greenwald test.

  • If any journalist in the world gets an e-mail from somebody saying, "Hey, I have something

  • that the public might want to know about" they need to be able to open it. They need

  • to be able to access that information. They need to be able to have those communications

  • whether they're a journalist, an activist, or it could be your grandma. This is something

  • that people have to be able to access. The way we interact with it right now is not

  • good. If you have to go to the command line, people aren't going to use it. If you have to go

  • 3 menus deep, people aren't going to use it. It has to be out there. It has to have it

  • automatically. It has to happen seamlessly. That's [inaudible 15:27].

  • Ben Wizner: So who are we talking to, Chris? Are we talking now to technology companies?

  • Are we talking to foundations to support the development of more usable security? Are we

  • talking just to developers? Who's the audience for this call to arms?

  • Chris Soghoian: I think the audience is everyone. We should understand that most regular people

  • are not going to go out and download an obscure encryption app. Most regular people are going

  • to use the tools that they already have. That means they're going to be using Facebook or

  • Google or Skype. A lot of our work goes into pressuring those companies to protect their

  • users. In January of 2010, Google turned on SSL,

  • the lock icon on your web browser. They turned it on by default for Gmail. It had previously

  • been available but it had been available through an obscure setting, the 13th of 13 configuration

  • options. Of course, no one turned it on. When Google turned that option on, suddenly they

  • made passive bulk surveillance of their users' communications far more difficult for intelligence

  • agencies. They did so without requiring that their users

  • take any steps. One day their users logged into their mail and it was secure. That's

  • what we need. We need services to be building security in by default and enabled without

  • any advanced configuration. That doesn't mean that small developers cannot play a role.

  • There are going to be hot new communications tools.

  • WhatsApp basically came out of nowhere a few years ago. What I want is for the next WhatsApp

  • or the next Twitter to be using encrypted end-to-end communication. This can be made

  • easy to use. This can be made useable. You need to put a team of user experience developers

  • on this. You need to optimize. You need to make it easy for the average person.

  • If you're a startup and you're working on something, bear in mind that it's going to

  • be more difficult for the incumbents to deliver secure communications to their users because

  • their business models are built around advertising supported services. You can more effectively

  • and more easily deploy these services than they can. If you're looking for an angle here,

  • we're slowly getting to the point where telling your customers, "Hey, 5 dollars a month for

  • encrypted communications. No one can watch you" I think that's something many consumers

  • might be willing to pay for. Edward Snowden: If I could actually take you

  • back on that real quick, one of the things that I want to say is for the larger company,

  • it's not that you can't collect any data. It's that you should only collect the data

  • and hold it for as long as necessary for the operation of the business. Recently EC-Council,

  • one of the security certification providers intact, they actually spilled my passport,

  • a copy of my passport and my registration, and posted them to the internet when they

  • defaced the site. I submitted those forms back in 2010. Why

  • was that still [inaudible 00:18:20]? Was it still necessary for the business? That's a

  • good example of why these things need to age [off 00:18:26]. Whether you're Google or Facebook,

  • you can do these things in a responsible way. You can still get the value out of these that

  • you need to run your business [inaudible 00:18:38] without [inaudible 00:18:40]

  • Ben Wizner: We didn't have great audio here that response but what Ed was saying is that

  • even companies whose business model relies on them to collect and aggregate data don't

  • need to store it indefinitely once its primary use has been accomplished. His example was

  • that some company was hacked and they found some of his data from 4 years ago that clearly

  • there was no business reason for them still to be holding on to.

  • Let's switch gears a little bit. Last week General Keith Alexander who heads the NSA

  • testified that the disclosures of the last 8 months have weakened the country's cyber

  • defenses. Some people might think there's a pot and the kettle problem coming from him

  • but what was your response to that testimony? Edward Snowden: It's very interesting to see

  • officials like Keith Alexander talking about damage that's been done to the defense of

  • our communications. More than anything, there have been 2 officials in America who have

  • harmed our internet security and actually our national security because so much of our

  • country's economic success is based on our intellectual property. It's based on our ability

  • to create, share, communicate, and compete. Those two officials are Michael Hayden and

  • Keith Alexander, two directors of the National Security Agency in the post 9/11 era who made

  • a very specific change. That is they elevated offensive operations, that is attacking, over

  • the defense of our communications. They began eroding the protections of our communications

  • in order to get an attacking advantage. This is a problem for 1 primary reason. America

  • has more to lose than anyone else when every attack succeeds. When you are the one country