Well-known cryptologist and IT security expert Bruce Schneier thinks so. In a recent post for The Guardian, Schneier suggested that the NSA’s digital surveillance program, and telecommunications providers’ willingness to help, have amounted to a large-scale betrayal of public confidence in the Internet. And he believes it's time for action.
“To the engineers, I say this: We built the Internet, and some of us have helped to subvert it. Now, those of us who love liberty have to fix it.”
It’s hard to argue with Schneier, especially given a recent Washington Post report on how the NSA has been paying telecommunications companies for access to their networks. It’s kind of hard to protect ourselves when the stewards of our information are literally selling our data to a government entity that’s built on snooping.
But Schneier’s also a realist, and in a subsequent post, he acknowledged, “If the NSA wants in to your computer, it’s in. Period.” Given that ominous assumption, he advises users to make themselves as anonymous as is possible with services such as Tor and to use public-domain encryption such as TLS as opposed to proprietary encryption products. He simply does not trust commercial vendors at this point.
Pete Lindstrom, principal analyst with research firm Spire Security, said in an email interview that he supports at least part of what Schneier proposes users do.
“I think obfuscation offers more long-term opportunity for success than encryption,” said Lindstrom.
The NSA is likely to get your data no matter what barriers you put up, but as Schneier suggested in his post, if you make it harder for it to pinpoint data as yours, it probably won't make the additional effort.
Lindstrom has long been a believer in not leaving too obvious of a digital trail. “I used to say I hired 20 people around the world to impersonate me just for plausible deniability," he joked.
[SEDs may be attractive in this time of heightened data security awareness but they're not necessarily a better option than software-based encryption for data protection. Find out why in "Self-Encrypting Drives Aren't Magic Security Dust."]
Lindstrom said Schneier’s call for action provides a valuable reminder for people to think about what they want to keep private, but he believes the NSA doesn’t pose the real threat.
“I wouldn't be wasting too much time trying to figure out how to protect my sensitive info from the NSA,” said Lindstrom. “I would be spending time trying to figure out how to protect it from the thought police--employers, neighbors, friends, even family. It is a much more difficult job.”
Perhaps the media also should be added to the list, given Facebook’s disturbing decision to give news outlets back-door access to its data. It’s a very strangely timed move from a company that shoulders a huge responsibility to protect consumer data and has a spotty record of doing so.
At the same time, another company that’s come under fire in the past for privacy violations--Google--has taken a step in the right direction. According to a Washington Post report, Google is working to ramp up its encryption efforts to better protect consumers from the NSA and other prying eyes.
It’s hard to know how much of that is a Google smoke screen to get critics to back off. On the surface, at least, it gives consumers a reason to believe that someone has their backs. Time will tell if it slows the steady stream of users switching to anonymous search engines like Start Page and DuckDuckGo.
In the meantime, consumers will have to operate on some level of faith that the companies they trust with their information will get better not only at protecting it, but also at resisting the piles of money they’re offered to look the other way. “The world will figure this stuff out,” said Lindstrom, “but we're in for a bumpy ride.”
[Get deep insight into the current state of information risk management and security and how its evolving to meet business requirements in the workshop "Securing the Business" at Interop New York, from Sept. 30-Oct. 4. Register today!]