Kathy Gibson reports from CeBit in Hannover – Don’t be lulled into a false sense of security because laws and behaviours in the US may be aimed at curtailing abuses pertaining to data collection about individuals.
Edward Snowden, the world’s best-known whistle-blower, says there are still many ways that intelligence agencies can gather data about individuals – and non-US citizens are not protected by the same laws and procedures that US citizens enjoy.
Described as the man who changed forever the way the world thinks about data and security, Snowden was interviewed via a video link at the CeBit conference in Hannover yesterday evening.
“The worst abuses have begun to be curtailed,” he says. This has combined with moves by technology companies to contain data sharing, and action by individuals themselves who are tending towards encrypted communications.
“But none of this affects metadata, which can be collected without a warrant in the US and in most other states around the world.”
While metadata collection means that actual content of mails and phone calls remains private, it is still possible to build up a comprehensive picture of a person’s communications and activities.
“Even if you shift to using https, there is still a perfect record of your private life, from every web site you’ve visited and every email you’ve sent – any communication going out via a common network,” Snowden says.
This is not the only collection technology that governments employ, though.
The interception of plain text emails is used by all governments, Snowden says. Suppliers trying to monetise their own data sets, or ordered to hand over information by a court, could be another source – and data about foreign citizens is freely provided without a court order.
There is another knock-on effect when the state or intelligence agencies actively seek individual data: they could be guilty of keeping security holes open on the Internet.
“In general, if they are discovering zero-day exploits and not closing them, they are making the whole infrastructure of the Internet vulnerable.
“Plus, if a government is creating a marketplace where they are buying zero-day exploits, and investing in companies that develop these exploits to use for intelligence collection purposes; and if a company develops one and a particular government declines to buy it – they will sell it to the next one.”
Thanks to the good work of Internet engineers and corporate policies, intelligence agencies are being forced to move away from bulk data collection, Snowden says. However, this means they are moving to more targeted attacks.
The whole issue of statewide hacking and data collection has to be challenged, he says. “We have to change the game.
“The paradigm of being able to hack anyone is ultimately harming the most developed and connected nations. We have the most to lose because we are the most dependent on our systems.”
Snowden pours cold water on the idea of cameras in microwaves being used to spy on people, if only because microwave manufacturers would baulk at the cost of adding cameras to their products.
“But there is no need to worry about the microwave when you have a camera in your pocket,” he points out. “This is a disaster if we don’t secure it.”
The world is rapidly starting to come to a consensus that we cannot secure the whole environment – largely because most states don’t want the problems to be solved, Snowden says.
“The UN affirms that it’s true, and governments recognise it. Surveillance has never been easier than it is today; they have more insight into our lives to a degree far beyond what is proportionate to the terrorism threat.
“We need intelligence. But we need to balance that with the need to keep the lights on in hospitals, to keep dams closed and to keep traffic lights functioning.”
Recent concerns about the privacy of data held in US clouds have raised a question about whether organisations in other countries can trust cloud providers to protect their data from intelligence gathering.
“It’s a bit more complicated than that,” Snowden says. “The reality is: who are you being targeted by? And where is the real risk?
“If your data is so sensitive that it shouldn’t be exposed to a government, then it shouldn’t be held in a US cloud. Or a German cloud, come to that.”
Questions to ask are whether the cloud provider has access to a company’s data; whether the data is encrypted end to end; and whether the service provider or the data owner has the key to use the data.
“As of today, you can hack one server room and get access to 500-million accounts,” says Snowden, referencing last year’s breach at Yahoo.
“These things have to change; and they will be changed by engineering decisions. We need to create better technology and apply it to all services to guarantee the rights of consumers everywhere.”