When Spark interviewed Ron Deibert back in late May, about his book, Black Code we talked about espionage, and the growing role of governments in shaping the future of the internet. Little did we know, though, that about a week after we talked, the first of many sensational news stories would come out about spying, based on leaks by Edward Snowden. We are now told there are more stories to come, including more allegations about Canada.
It's a subject Ron is very well-versed in, and he's just come out with an expanded paperback version of the book, which includes commentary on the US National Security Agency revelations. We checked back in with him to get his take on the past six months of news.
We have copies of the new, expanded version of Ron's book to give away. For your chance to win, leave a comment answering the following question: Do you care about surveillance, and have the revelations changed the way you act online? The contest closes at 5:00 pm Eastern on Thursday, November 28th. CBC contest rules apply.
You can read a lightly edited transcription of our conversation or hear the full interview below.
Were you surprised by the Snowden revelations?
I wasn't surprised so much by the content as by the scope of the documents that he had taken, and insights that are now being published about the NSA and other programs like it.
I knew the general contours. Maybe not the code names of the programs or the exact details. The broad-brush of it is not a surprise but it's certainly interesting to see the level of public discussion generated by the leaks.
I have to say I was surprised by how bush-league some of it was. I mean, the sticky note with a smiley face describing how they tap into Google and Yahoo's servers. And the fact that Edward Snowden wasn't some kind of really high-level black ops guy, but this low-level person. Were you surprised by that?
That is certainly interesting. He's a a system administrator first of all, which is interesting that a person in that position would have access.
I mean, sysadmins usually know the insides and outsides of computer networks. But really, coming from the point of view of a contractor for a private company, working only three months at Booz Allen Hamilton and yet able to access all this data, certainly says something about the number of people who have access to classified documents in the US defense industrial complex. It's really something that's grown out of all proportion.
Here in Canada there have been questions about CSEC, the Communications Security Establishment Canada. For instance, the suggestion that CSEC monitored communication from Brazil's Mines and Energy Ministry. What's your primary concern about CSEC?
I have a number of concerns.
First of all, CSEC has been essentially joined at the hip with the National Security Agency going back to at least 1946. That's many decades of cooperation, and of course that raises questions about to what extent CSEC is doing similar things to the NSA. We've seen little bits and pieces of that, glimpses of it from allusions to CSEC in some of the slides. And of course, there was the Brazil episode which was much more of a spotlight directly on CSEC.
The big thing for me, I think -- and I raised this long ago -- is that we really do not have anywhere near meaningful oversight around CSEC in this country. If you look at comparable oversight mechanisms in the United States you may criticize them for not being effective. Or maybe, they have been subverted to some degree. But at least they exist. The programs were approved by three branches of government.
Here, we have CSEC which reports to the Minister of Defense, is not accountable to Parliament, and really the only oversight -- if you can call it that at all -- is an audit undertaken by a retired judge and his staff once a year.
I thought it was interesting that in all the time the CSEC commissioner had been doing these annual audits, not once had he reported a problem. That is, until the Snowden revelations came out and then he dropped a bombshell saying that he does not have enough information to verify whether the agency is operating within the rule of law.
So I think we have some very serious open-ended questions in this country that we need to address, at a time when we've gone through this profound change in communications, essentially turning our digital lives inside out. We need to ask ourselves, "What is the proper role of security agencies in relation to this new social media universe that we live in now?"
According to the Ottawa Citizen, Glenn Greenwald is actually preparing more leaks with that are dealing with CSEC spying and close ties with the NSA. What do you know about how tightly CSEC is connected to the NSA?
Well like most Canadians, I know very little. And that's a problem. We apportion a lot of tax dollars to this agency. As you may have heard, they're building an enormous complex in Ottawa, a billion dollar headquarters. They have a large and growing staff. Their budget has quadrupled over the last decade, maybe even more. But we know very little about what they do and that includes what they do in cooperation with the world's largest signals intelligence agency: the NSA.
We do know that they have worked together since the 1940s as part of the so-called "Five Eyes" arrangement that includes the United Kingdom, New Zealand and Australia. And that means that in some respects our national security priorities could be skewed in the interest of another country.
That may be a good thing. It may be a bad thing. But the point is we need to have better optics on what's going on, and independent oversight to be able to confidently answer those questions.
One of the other things that's come up is the idea of spy agencies wanting so-called "back doors" to Internet giants' systems. What do we mean by this idea of a back door?
A back door is a surreptitious mechanism -- usually built into the coding of a program, an application, or even hardware -- that allows law enforcement or security agencies of the state secret access in order to essentially bypass whatever security mechanisms that protect those systems, without the user being aware of it.
It came to light recently in Canada that part of the licensing requirements for mobile carriers in this country is to provide Ottawa with back doors to their equipment. It's kind of a new paradigm in the information age today. It's the reflex among security agencies to try to impose access through the back door because it's an easy and effective way to get access to that data. As opposed to going through the front door and handing the company a warrant from a judge, then asking for the data. Instead, you just tap in from the inside out through the back door.
I think the problem with it should be obvious to anyone. We're effectively creating an applied insecurity in the name of security.
Obviously when you create a backdoor, you're not just creating a back door for the good people -- for the law enforcement and intelligence agencies of our own country -- you're creating a vulnerability that could be potentially exploited by a lot of bad people as well. And this is in a context where automated tools exist that allow you to scan for those back doors and exploit them.
It's the wrong approach to security overall in my opinion.
But presumably the argument is that they need those kinds of back doors to facilitate rapid access or easy access to that kind of information.
Sure, and access is a fair question. We do need to provide law enforcement with access to customer data. The same argument could be made with respect to intelligence agencies.
We face very real security threats. And so it's a fair question that needs to be addressed. It's just that the answer that's being proposed is really a kind of lazy mechanism to get at something.
We live in a world of big data. There's so much data around us already. There are many new tools and methods that allow us to to interrogate and analyze and visualize the data that's already out there in the ether. So, in my opinion, drilling holes in the back of our equipment and infrastructure for law enforcement creates vulnerabilities. We should properly equip them with the capabilities to analyze the existing data that's out there.
One thing I've wondered is the extent to which we've seen the privatization of spying. In the sense that you don't necessarily need to have the Stasi in the next room over when, in fact, we're contributing all of this data to private companies. To Facebook or whoever.
I think this is where it's important step back and look at the historical context around the Snowden revelations. We've gone through this enormous change in how we communicate with social media, cloud computing and mobile. I think the one thing that unites all three of those is the amount of data that we entrust to third parties -- usually private companies.
If you think about how many applications a typical user has on their smartphone, it could be dozens. Each of those harvest off a bit of private data -- your contact book, your messages, maybe even your emails, the images you take with your camera -- and extracts them and stores them on a server somewhere operated by a private company, maybe even in another jurisdiction.
And this is happening simultaneously when security issues are becoming more and more of a concern. Governments are imposing themselves in cyberspace for security issues, and national security threats are focusing inward on all society. That combination of factors has really a opened up a new terrain that really requires us to have a conversation on the level of a new social contract.
Because we've not gone through something like this before, where we're on the one hand turning our lives inside out, and on the other hand entrusting authority to secure cyberspace to some of the world's most secretive agencies. It just doesn't make sense to me and I think as a society we need to step back and address that properly.
So for the average Canadian, what are the practical implications of all this? I mean, will they have -- or should they have -- an impact on how we live our daily lives online?
A lot of people have commented on public opinion polls where people are more or less reacting along the lines of, "Well, if I've got nothing to hide I don't have anything to worry about. I don't really care if people are spying on me."
This is precisely the problem with this type of overarching surveillance. Short of a Watergate-like scandal where you see that type of abuse being demonstrated in a front-and-centre way, it's hard to conjure up the kind of concern among the average person as to what might go wrong.
There's a connection between surveillance and self-censorship. People being intimidated over time. They don't want to freely express themselves because they feel like they're being watched. The analogy I think of is dropping a frog in boiling water. It'd jump out. But if you slowly turn up the heat it won't notice. That's kind of the fear I have, that we'll gradually head down a path that we can't escape from into a more totalitarian type of society. Obviously that's not a good thing for liberal democracy. I think it requires a discussion of some nuance and sophistication about the proper role of checks and balances around concentrated power in a liberal democratic society that we haven't had yet.
So what do you think it'll take to make us care? Do we need to have a Watergate-scale event? I mean, it seems like for the last six months, revelations make the news for a few days, then everything seems to go back to normal.
Yea, I suppose so. Most people go about their daily lives not really noticing something like surveillance. It's not like you're bumping up against a wall, or a Watergate-type scandal where you see somebody using this information for personal, partial reasons in a very clear case of abuse.
As you've pointed out already, Greenwald has signaled that he has a lot more information on CSEC that may very well come to light. We just don't know yet.
But short of that, I think it's something that we might not be able to escape from. It might be the new reality that we live in this type of total surveillance society. And that really is a problem in the long run, both for an open internet where we can freely express ourselves and exchange information, sometimes privately, but also for liberal democracy. It's just not something that it's easy to get people excited about.