It’s been nearly a year since the first NSA leaks were published and a lot has happened in the meantime. While the American government hasn’t really addressed the main issues, the world’s Internet users have reacted strongly to the news that they were likely being spied on.
Bruce Schneier is a cryptographer, as well as a specialist in computer security and privacy. He has authored several books on these topics and has been working with The Guardian on figuring out the files that Edward Snowden has provided the journalists, making sure that the technical details are ironed out.
Now, the famed author has also agreed to talk to Softpedia about the NSA, mass surveillance and the importance of encryption.
Softpedia: It's been a year since the first reports on the Snowden documents. What are the most important changes you've noticed in the past year that have these reports at the root?
Bruce Schneier: The only major change is that the world is discussing the NSA and global surveillance. We haven't seen much change in actual policy, though. Hopefully that is coming.
Softpedia: One of the main goals of the NSA is to break most encryption on the Internet by cheating its way in through backdoors. What should be done so that we can all feel safe?
Bruce Schneier: We need to know that the NSA is not doing that anymore, and we need their help preventing others from doing that. Other than that, nothing else will fix the problem.
Softpedia: Internet companies have been tightening security left and right, changing SSL certificates, encrypting the data flow between data centers and so on. Will this help keep the NSA at bay or is it just a matter of time?
Bruce Schneier: Of course it helps. Encryption is the best tool we have to defend ourselves against bulk surveillance. The only reason the NSA collects everything is because it's easier than targeting. Encryption forces them to target. And while the NSA might have a larger budget than the rest of the world's intelligence services combined, they are still constrained by economics.
Softpedia: Can the average Internet user rely solely on the encryption layers applied by companies such as Yahoo, Google and so on?
Bruce Schneier: Are you asking me if the average Internet user can protect himself from a targeted investigation by the NSA with these tools? No. Are you asking me if the average Internet user can protect himself from his family by using these tools? Yes. All of these questions need a threat model to answer. What do you think the average Internet user is concerned about?
You are right, the average user may be more concerned about immediate family finding out about their online habits and questionable actions online, but there's a rising fear of mass surveillance, especially among the younger generation, the one that's most often than not connected to the Internet.
Softpedia: Let’s paint the next picture: the NSA targets, let's say, Germany and collects all online activity. Will the added layers of encryption from companies such as Google and Yahoo be enough to keep the citizens' private data safe – unless the NSA decides to take a closer look at certain individuals?
Bruce Schneier: I see. Yes, basic encryption protects from bulk surveillance.
Softpedia: The US government continues to claim that everything the NSA does is for national security. Does this trump user privacy? How can we reach a balance between safety and privacy?
Bruce Schneier: Privacy is not the opposite of security; privacy is a part of security. No one feels secure when they're exposed. What's really happening is that there are many threats, and they are sometimes in conflict. The US government hasn't made the case that these violations of privacy enhance our security in any way. They need to make that argument, with data, and then we get to decide.
Softpedia: How can Internet users outside the United States be safe from the NSA's all-seeing eye and who should assure this protection?
Bruce Schneier: This is a political problem, and the solutions are political. Governments need to protect their citizens.
Softpedia: How can they do this? Is creating national Internet networks, like those that Germany and Brazil have considered, a solution to this problem?
Bruce Schneier: Not really. It's a partial solution to some of the problems, but it's only a piece. In the end, this is a political problem. Governments like Germany and Brazil need to convince the US not to spy on them. Yes, I agree that this is unlikely. They also need to implement encryption broadly so that bulk surveillance just isn't possible.
Softpedia: OpenSSL vulnerability Heartbleed put in danger most of the world's Internet users. The NSA has denied knowing anything about it prior to the formal announcement, but then the US admitted that such bugs could be kept secret if that suited the country's security needs. What's your take on this story?
Bruce Schneier: In today's cyberwar arms race, unpatched vulnerabilities and stockpiled cyber-weapons are inherently destabilizing, especially because they are only effective for a limited time. The world's militaries are investing more money in finding vulnerabilities than the commercial world is investing in fixing them. The vulnerabilities they discover affect the security of us all. No matter what cybercriminals do, no matter what other countries do, we in the U.S. need to err on the side of security and fix almost all the vulnerabilities we find. But not all, yet.