The NSA/GCHQ spying scandal is far reaching in both scope and the damage it has done to our liberal democracies. It is primarily a political problem, as well as being an IT security issue.
It is also, and this gives me some hope that we can beat this thing, an economic problem.
One important thing that the recently leaked black budget tells us, is what the government considers to be a reasonable price tag for the mass surveillance of every man, woman and child on the planet.
$250 million dollars per year (British figure not known at time of writing, but likely to be in a similar ballpark), is not a particularly large amount of money, and is a figure based on a number of storage and processing assumptions.
Much of the internet traffic is unencrypted and so can be processed live, the contents not stored. Encrypted traffic carries an extra processing and storage overhead; encrypted messages are kept until they can be broken, and processing resources spent trying to break them. Even if some of the algorithms used have been deliberately weakened, there is still a significant number of messages they can’t break.
The $250m/y budget is calculated based on estimates based on these assumptions.
Raising the cost of doing business
What does all this mean?
Well, what this means is that we, the citizens, have a very real way of changing the economics of mass surveillance programs like PRISM and TEMPORA, and significantly increase the price tag. Hopefully, to a level where it becomes politically and economically impractical to run them.
These programs are budgeted and resourced based on the assumption that relatively few people use hard encryption (HTTPS having been compromised), so if there was a marked increase the level of encrypted traffic going over the network, it follows that there would need to be a corresponding increase in resource expenditure in order to maintain the same level of capability. To a point, hopefully, where they are unable to keep up.
Every time you use encryption you help increase the cost of the program, and provide herd protection to your fellow citizen. Even if that encryption has been deliberately weakened, there is still a net gain for the good guys, since some processing resources will still be spent.
Additionally, since they feed data collected through various pattern analysis algorithms (in order to better profile us and to optimise resource allocation), if a significant portion of the dataset were to become unavailable, we can dramatically screw around with the baseline calculations, which may act like a force multiplier.
What I’d like to see
We need to dramatically increase the amount of encrypted traffic on the internet at large (remember, it seems that the security services have been compromising the implementations of algorithms, and sometimes the hardware and RNGs they depend on, not the algorithms themselves. Backdoors will be fixed – in free software implementations at least – and compromised hardware replaced or worked around).
I would like to see everybody making a pledge that everything they send over the internet will be encrypted. As technologist we need to take the lead on this; we have the moral duty to help protect our users, which means designing systems and networks so that they are resilient to subversion and surveillance, and to help people without technical knowledge protect themselves (friends don’t let friends use cleartext, as I’ve discussed before).
Remember, every time you send an encrypted message, you – in a small way – help protect everyone else on the planet.