Edward Snowden stands in front of the First Amendment of the US Constitution
Edward Snowden stands in front of the First Amendment of the US Constitution as he speaks from on video from a secret location in Russia.

Encryption works as it has ensured that the US government still has no idea what documents journalists have and do not have, according to NSA whistle blower Edward Snowden.

In a rare live speaking appearance, Snowden, who was directed through seven proxy servers to appear live on screen at the SXSW Conference in Austin, Texas and on streamed live across the internet, spoke alongside Ben Wizner and Chris Soghoian from the American Civil Liberties Union on his revelations and protecting yourself online.

Snowden talked of how the internet was now an "adversarial" one and what we have is "nothing we asked for or wanted, but what we have to protect against". He said that the NSA set fire to the internet and everyone in the room is a firefighter.

Much of the discussion focused on two areas: the point of surveillance not being bad in principle, but how the NSA had abused its privilege and had turned this into a mass effort; and how more use of end-to-end encryption could help users protect their privacy.

Security an afterthought

Soghoian said that an issue for both of these factors is that technologies are not as secure as could be, and that security is often an afterthought and this attitude has enabled passive surveillance.

"It is not a problem for the NSA as so many services are not secure by default. We need to lock things down and make services secure out of the box and think about security early on rather than later own the road," he said.

Snowden talked up the concept of end-to-end encryption "that makes mass surveillance impossible without breaking crypto", but what people need to think about is how to force it in a simple, cheap, effective way?

Soghoian said that those services offering end-to-end encryption were not very good and this reflects the state of play with services, as users have to choose between a tool that is highly secure and impossible to use, or cheap and simple to use. "Rational people choose insecure tools as simple to use."

"Arcane black art"

The panel agreed that there is progress being made, with Soghoian making several references to Yahoo's enablement of SSL and calling on the next Twitter or Whatsapp to use end-to-end encryption by default.

Snowden called encryption not an "arcane black art", but something that should be prepared better now for tomorrow's users, while Soghoian said that regular consumers do not pick encryption, they use what is provided to them. "If you want a secure service you have got to pay for it. It will not cost $1000s a year, but it can be something that is sustainable and doesn't revolve around your data."

Tellingly, Snowden praised encryption as the reason that the US government does not know what journalists have been given by him and the only way it can be broken is by the NSA breaking in and stealing the keys.

Asked if it is inevitable that the NSA will break encryption, Soghoian said that if the government want to get in then it will find a way, as "if you are a target of the NSA, game over no matter what".

More to lose

Looking at Snowden's revelations of last summer, he said that the NSA had elevated its offensive operations over the defence of communications to get an attack advantage.

"America has more to lose than anyone else when an attack succeeds. It doesn't make sense to attack all day and not defend, and have a big back door that anyone can walk into. These affect everyone in the world as we rely on ability to rely on standards and without it we cannot succeed."

Soghoian said that the US Government works with companies to intentionally weaken security and this leaves everyone to defend themselves online, as by prioritising efforts to surveil it leaves itself as a target waiting to be attacked.

Public advocates

In a question from internet godfather Sir Tim Berners-Lee about building an accountability system, and finding a way to make it more accountable and improved, Snowden said that this will not work with "officials who lie and do not face criticism", he said that we "need public advocates and trusted figures to make sure it is applied, and a watchdog who can tell you just been lied to".

Soghoian said that there is a concern when the most popular browser and mobile OS is open source, but said that Snowden's disclosures have improved security, as it "took the most profound whistleblower in history" to show how weak or broken encryption was, "and we all have Ed to thank for this".

The message from the session was that without Snowden's revelations, Yahoo wouldn't have switched on SSL, and there wouldn't be the focus on encryption of data. It was also interesting that Snowden named NSA officials as being responsible and still seems to harbour the grudge over their abuse of power.

His claim that the US government does not know what journalists have been given by him suggest that there is more to come, and time will tell on what the whistleblower will reveal.

Dan Raywood is editor of IT Security Guru.

IT Security Guru