NSA Leaks Could Spur Security Renaissance
The recent revelation that the National Security Agency not only scoops up much Internet traffic but also breaks encryption codes, installs easy-access “backdoors” in hardware and encryption systems and has weakened industry encryption standards was, for the tech world, the straw that broke the camel’s back.
Some major players in the tech industry have been implicated as collaborators, because they either willingly or under duress agreed to make their products less secure in ways that allowed the NSA easy access — and simultaneously exposed user data to criminal hackers and foreign intelligence. (When you open a backdoor, you can’t be sure who will come in.)
Unlike previous revelations, this latest round has driven a backlash from the industry.
Most tech players are now engaged in a race to distance themselves from the NSA by safeguarding user data.
Google revealed that it was speeding up its efforts to encrypt communications between its data centers. Those communications take place on an Internet backbone which a big player like the NSA could tap.
Box, which bills itself as the most secure cloud storage provider for mainstream users, recently told Ars Technica that it was trying to develop a system that would give users sole access to the encryption keys for their files, echoing the goal of the niche cloud provider SpiderOak to allow users to share files without exposing them to the company. (If a cloud company can’t read its users’ files, it can’t share plain-text versions with the government.)
Such efforts, if they reach fruition, will help users, who have ever-expanding parts of their lives in digital format stored with a handful of tech companies. But they shouldn’t be mistaken for altruism.
Silicon Valley’s fortunes are held in two currencies. Money from Internet commerce is one, and private user data — whether it’s paid for by user subscription fees or sold to advertisers — is the other. Both are at risk from compromised data security practices.
As soon as the NSA disclosures began, American tech firms started losing money. Even before the encryption-breaking program Bullrun was revealed, reports predicted the industry would lose between $35 and $180 billion, according to industry groups.
“Facebook, Google, Microsoft and Apple are all pushing back. We’re not going to trust Apple with our data if we think the NSA is going to get it. These companies are losing enormous business, especially overseas but also in the U.S. because of this. They are no longer the willing allies, because it hurts their credibility,” said digital security expert Bruce Schneier, who has seen many of the documents whistleblower Edward Snowden obtained, in a Democracy Now interview.
There are already products on the market that offer additional privacy protection for wary users. They include Off-the-Record instant messaging, the Tor web browser, email encryption applications and encrypted Internet phone services.
To date, mainly hacker types have used such applications, which are often laborious to install and operate. With mainstream users now looking for ways to avoid the NSA’s prying eyes, security products could be poised to go mainstream. But first they will have to simplify their user experiences.
Privacy technology has been developing in the last couple of years in response to users’ growing concerns about nosy ad networks, but the sector is getting an added boost as more users start thinking about steering clear of government spooks, said University of Maryland cybersecurity expert Richard Forno.
The potential market has gotten the attention of tech companies large and small.
“I think there’s a lot of renewed interest in user-oriented crypto tools,” Micah Lee, the chief technologist at the Electronic Frontier Foundation, told Singularity Hub.
Forno said the interest could bring more products to market, a hypothesis backed by a recent Reuters report of growing spending in the security sector.
“It would not surprise me that privacy-enhancing services are becoming more popular and/or being ‘kickstarted’ both as a necessary thing in 2013 generally but also as a form of protest against the various NSA revelations,” he told Singularity Hub.
SpiderOak, for instance, has seen all of its user metrics double since the NSA leaks began, according to CEO Ethan Oberman.
Most agree that if the NSA wants your data badly enough, it can get it. It could potentially demand that Google turn over the keys to the encryption it uses for its internal communications. But with encryption, both companies and users can make their communications less appealing by pushing up the labor costs of obtaining them.
“We do know the NSA is constrained by economics. If you look at their techniques, they tend to go for techniques that have bulk payoff … So the more you can do to raise the cost of being eavesdropped on, the safer you are,” Schneier said.
Economics have driven the expansion of government surveillance. The digital revolution put our lives in an easily obtainable format. It’s much cheaper for the government to scoop up the information passing through a single line or server than it is to collect suspicious documents and tap phone calls.
Just as dollar signs have propelled a change of course in Silicon Valley, changing economics could be the best signal to send to get the NSA out of your inbox.