Snowden Revelations Cause Internet Engineers to Look at Encryption
VANCOUVER -- Reactions to the revelations of former National Security Agency contractor Edward Snowden were a key feature of the Internet Engineering Task Force in Vancouver Wednesday. “We need to figure out a new Internet governance model; it has been run by the U.S. under the perception that the U.S. was acting in the best interest of all,” said encryption expert Bruce Schneier, author and fellow at the Berkman Center for Internet and Society at Harvard Law School: “That’s over. And it needs to be something good or it will be the ITU.”
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Schneier said Internet providers should integrate much more encryption into their protocols to force signal intelligence services to go after high value targets again. He had in June appealed to the engineering community “to take back the Internet.” Based on his review of material provided by Edward Snowden of a long list of surveillance programs, from “XKeyscore” and “Prism” to “Muscular,” Schneier said he concluded that the surveillance programs were politically, legally and technically scarily robust.
"The NSA has developed the Internet into a giant surveillance platform,” Schneier warned. Legislative reforms being discussed in the U.S. would still allow the NSA and other services to use legal loopholes, he said, and the potential changes in U.S. law would not be effective for non-U.S. citizens or protect against other secret services globally. Schneier said he’s also very worried about the Internet of things: “It is not just drones, drones plus cameras, plus facial recognition, plus everything else tagged in a data base file.” The problem, he said, was the combination of all these technologies.
The IETF participants generally indicated broad support for the idea for more encryption and consideration of the “new threat model” in their protocol work. Seeking technical answers to pervasive surveillance, a standard check on surveillance vulnerability before new specifications are accepted, and the possibility the IETF would work on secure specs for popular, but very insecure, services like Dropbox were approved by consensus by the approximately 1,500 participants.
Pervasive surveillance is “an attack and that is the way we should treat it,” said Stephen Farrell, security area director of the IETF. “Forget about the motives, forget the political things; if you look at the actions that the NSA and their partners are doing, whether coerced or not, it’s essentially a multifaceted form of attack."
More encryption, even sloppy encryption, would raise the cost of surveillance considerably, Schneier said. Google engineer Erik Kline said most providers charge more for SSL-encrypted traffic, so the economics are difficult and first-movers are subsidizing those who started to use new technology later. But IETF Chair Jari Arkko said, “I think we have a unique opportunity now and that’s because of all of this publicity. This is like a one-time opportunity that we have in this decade or in a long time to actually do a major change.”