What can ‘Snowden’ teach us about cybersecurity?
With the release of a new film about Edward Snowden, the man who revealed secret documents detailing a massive U.S. government spying program, the debate about his character continues. That includes a renewed effort to encourage President Obama to pardon him. But, as Snowden himself might point out, what should give us pause is government intelligence agencies’ power.
The extent and scope of their ability to intercept communications and collect information is mind-boggling. “Snowden” the movie lays bare National Security Agency surveillance programs that show little regard for citizen privacy, and the duplicitous statements the NSA makes about its activities.
Edward Snowden. WikiLeaksChannel, CC BY
The movie’s narrative tells the story of Snowden himself(fictionalized and dramatized somewhat), including his military training, his medical discharge and his work in the intelligence community. It provides a new vehicle for the layperson to learn about how the government uses modern communications technology.
The movie doesn’t take a nuanced view of why intelligence agencies do what they do. Nor does it provide sufficient context about the NSA’s practices in relation to those of agencies in other countries. Its portrayal of the technology involved (and of U.S. government efforts to apprehend and prosecute whistleblowers) is, however, mostly accurate.
Collection, but not inspection
The film discusses three distinct aspects of the NSA’s efforts: data collection, analysis and the legal basis for surveillance. The movie accurately shows the agency’s systems for collecting bulk data from across the country – through direct connections to the networks of major telephone and internet companies, including AT&T, Verizon, Google, Microsoft and Facebook. The suggestion, though, is that not only are data collected on all citizens, but – misleadingly – that all citizens are being investigated continuously.
Given the volume of communications, and the constantly changing threat landscape, intelligence agencies can’t respond to every lead they get in real time. Under its PRISM program, the NSA collects data on every citizen, including emails, web-browsing histories, social media activity records, voice and video chat records, phone calls, text documents, images and videos.
Rather than monitor that immense stream as information flows through it, the agency archives it so as to be able to search it later, as new leads arise and investigations begin. The movie does not make clear this important distinction between having the ability to spy on every citizen and actually doing so.
Simplifying data mining
The film also depicts the NSA’s XKeyScore system, which can tap into all the data being collected. The information revealed by Snowden includes details on how XKeyScore can analyze the massive data trove, finding connections between people and matching voice patterns, among other abilities.
In the movie, scenes where analysts use XKeyScore suggest that just by typing very basic data about individuals (such as a name or email address) into an on-screen form, analysts can easily find exactly what they are looking for. This is a bit misleading. Data mining is a very challenging problem, especially in a set so large as to contain every communication in the U.S. Lots of innocent data surround a very small amount of what might be called useful intelligence.
Data mining can help narrow down a large batch of information to a more manageable amount, but human analysts – not a computer search screen – are the key to discerning actionable intelligence. Rules and constraints govern who has access to the information. What analysts actually do is also closely supervised. A further limit on the abilities of technology and human analysts alike is that truly dangerous people are very careful to cover their tracks, using temporary email accounts and strong encryption on their transmissions.
What’s in the law?
The movie also strongly suggests that all of the NSA programs are illegal. While they are controversial, the legality of these programs is an unclear, and even moving, target. The 1978 Foreign Intelligence Surveillance Act provides legal procedures for physical and electronic surveillance and collection of communications between foreign powers and their agents in the U.S.
It also allows surveillance of American citizens and permanent residents suspected of espionage or terrorism. While the law was designed to collect data from specific individuals, the NSA has used its powers to justify mass data collection and analysis.
Some federal laws have been changed in the wake of Snowden’s revelations, in some cases retroactively legalizing practices that might have been illegal. The NSA itself has also made changes to some of its programs, due more to the public – and congressional – outcry against them than their legality.
As a result of Snowden’s disclosures, the NSA has stopped its bulk collection of phone records and limited surveillance of leaders of foreign allies. It has also offered more transparency to Congress on some of its efforts, and reduced the length of time it stores information on individuals.
The international context
“Snowden” reveals details of the NSA’s cooperation with other intelligence agencies, and shows its surveillance of international leaders – including Germany’s Angela Merkel and Brazil’s Dilma Rousseff. The reality is that every country is trying to gather intelligenceinformation to get leverage in international diplomacy, whether with friends or foes.
Snowden’s revelations will make it harder for U.S. intelligence agencies to conduct this sort of diplomatic surveillance, but does not similarly affect other countries’ practices. The world’s awareness of the level of spying conducted by the U.S. has also provided legitimacyto citizen-monitoring efforts in less democratic countries such as China and Russia.
Is there any real privacy?
The impact of all this information has been enormous, both for the U.S. government and Snowden’s own personal life. Since releasing the information to the world, he has been holed up in Russia, with only temporary permission to stay. His American passport has been revoked. He cannot move around freely or communicate easily, for fear of U.S. covert agents seeking to apprehend him – or worse.
The movie doesn’t depict much of his Russian life, a decision that tends to reinforce the film’s message that there is no privacy anymore. If it showed more about how Snowden communicates now, it might provide useful insights into how Americans – and others around the world – could potentially use encrypted software to communicate without being subject to government surveillance.
What it does show of secure communications is a good start, though. Not surprisingly, Snowden suggests using software that prevents tracking of user activities such as browsing, shopping and communicating. He also recommends using the Tor network, which anonymizes data by sending it through a series of encrypted computer links. He suggests whistle-blowers use tools like SecureDrop to communicate with journalists anonymously.
“Snowden” the movie shows the long reach of the government in collecting intelligence on its citizens, and the fight of one disillusioned citizen against that unrestricted and unacknowledged governmental power. It highlights some of the complexities of the intelligence world, and the challenges of collecting information in the internet-dominated world.
Finally, it portrays the challenges in the personal life of a highly driven individual who followed his convictions in pursuit of social justice. Whether he is a patriot or a pariah depends on the lens you use – but he has certainly brought to the fore important discussions of privacy and cybersecurity for ordinary citizens, as well as free speech and government surveillance power.
thank you