Saturday, August 17, 2013

'The NSA Doesn't Care About You Or Your Customers' - Bruce Schneier To ISPs

Well-known security consultant Bruce Schneier has advice for ISPs faced with the choice of simply acceding to the NSA's demands for their customer data, or fighting and (inevitably) losing battles for their customers' data security. Schneier's advice: fight them. But what of your company's relationship with the NSA? You have no such relationship, Schneier reminds you; the NSA will burn you... or any of your customers... as soon as it is convenient, and your history of cooperation with the NSA will not change that fact. Here's a short segment of the beginning of Schneier's article linked above:
The NSA is Commandeering the Internet

It turns out that the NSA's domestic and world-wide surveillance apparatus is even more extensive than we thought. Bluntly: The government has commandeered the Internet. Most of the largest Internet companies provide information to the NSA, betraying their users. Some, as we've learned, fight and lose. Others cooperate, either out of patriotism or because they believe it's easier that way.

I have one message to the executives of those companies: fight.

Do you remember those old spy movies, when the higher ups in government decide that the mission is more important than the spy's life? It's going to be the same way with you. You might think that your friendly relationship with the government means that they're going to protect you, but they won't. The NSA doesn't care about you or your customers, and will burn you the moment it's convenient to do so.

We're already starting to see that. Google, Yahoo, Microsoft and others are pleading with the government to allow them to explain details of what information they provided in response to National Security Letters and other government demands. They've lost the trust of their customers, and explaining what they do -- and don't do -- is how to get it back. The government has refused; they don't care.

It will be the same with you. There are lots more high-tech companies who have cooperated with the government. Most of those company names are somewhere in the thousands of documents that Edward Snowden took with him, and sooner or later they'll be released to the public. The NSA probably told you that your cooperation would forever remain secret, but they're sloppy. They'll put your company name on presentations delivered to thousands of people: government employees, contractors, probably even foreign nationals. If Snowden doesn't have a copy, the next whistleblower will.

They say a word to the wise is sufficient. I haven't found that to be true. Remember how you (well, many of you, including me) really thought Obama the candidate was the best thing since sliced bread, and really wanted to believe him? How's that working out for you? And the NSA, with ZERO accountability, has even less reason not to put a sharp stick in your eye when it's convenient.

ISPs: for your own sake and for ours, please fight them. If nothing else, you will at least establish a trail of actions in court against the process of wanton, needless privacy violation AGAINST EVERYONE by the various security agencies. Perhaps that trail can be used in saner times, say, 20 or 30 years from now. Corporations live that long, and therefore have even more good reason to fight the agencies' most drastic actions than individuals. Yes, you'll lose... but the battle lines will at least be drawn.


  1. Schneier is right, as was Secret Circle: a business depends on its customers to survive, not on the government. If you don't act to protect your customers, don't expect them to hang around after they find out that their data was taken.

    Frankly, I would throw a due process claim in the mix if I was confronted with a 'sniffer'. How can the government expect me to pay for the resources they are using without a court hearing?

  2. Bryan, before I retired, I frequently exchanged data with my clients over the internet. We were all engaged in legal business enterprises, never anything shady and never anything to do with national security. Often enough, I'd ask my client whether I should encrypt something I needed to send them; often enough, they'd say no, send it in the clear. Occasionally something needed to be encrypted for simple business reasons.

    The three-letter agencies need to learn that this is known as PRIVACY, NOT SECRECY. It really pisses me off that my reasonable expectation of privacy in business communications far removed from any kind of security issues was violated and my data harvested and now kept in some government agency's database, presumably forever. Whatever the agencies think, that is just plain wrong. It is the kind of thing totalitarian states do, not "the leader of the free world."

    Somehow, though, I don't see this practice ever changing. And O'Bummer certainly has declared his intent to keep the practice in place.

    1. Correction: "Occcasionally" -> "Occasionally". If I could only type, and especially if I could only actually catch things when I proofread...




No Police Like H•lmes