The Snowden effect

2013-08-02

A lot has been written about the whole Snowden case and some of the NSA practices for spying on us. You could argue all sorts of things about this case. A popular thing that people keep pointing out is that actually, if you know anything about security and the NSA, none of this should come as a surprise. This is indeed a valid point and a lot of crocodile tears are being shed and there is a lot of mock outrage by especially some governments that are trying to distance themselves from the whole affair. Hypocrisy is a rampant.

But it is an interesting point and it actually completely destroys the case against Snowden by the USA. The central point in that case is that Snowden supposedly leaked crucial information that will cause ‘enemies’ to adapt their behavior. In fact, that has already happened years ago. So, yes people knew and have long adapted their behavior. Whether it is terrorists, Chinese activists, or the Russian mafia, they all have learned the hard way to use technology to evade detection and keep their communication private a long time ago.

This brings me to the core point of this post: so should all of us. Snowden has clearly demonstrated that any trail you leave on the internet is subject to archiving and analysis, and may be used against you outside of the usual checks and balances provided by the law of wherever you happen to live. Some of us already knew this, some others thought those people were conspiracy theorists, and now we all know that it is about as bad as these people were saying it was all along.

This brings me to another point some people have been making. It’s the “I have nothing to hide” argument that a lot of people are using. The reasoning is that if you are a law abiding citizen, there is little of interest to discover in your online behavioral patterns so what’s the harm? The fallacy in this argument is that it depends entirely on those that do the analyzing and collecting to respect your rights and generally mean well. This is not the case. Dictators, Nigerian scammers, Terrorists, criminals, and indeed the NSA all largely have the same tools at their disposal to access your data and a wide range of motives for doing so. Your current government may be well behaved but there are no guarantees about the one that comes after. Times change. Besides, you don’t control who does the collecting. If you think the NSA is the only institute currently engaged in data collection you are a fool. The Chinese invented and perfected this game a long time ago. Most authoritarian regimes actively spy on their own citizens as well as foreign nationals using whatever technology is available to them. You may be comfortable with the NSA tracking your communications but what about the KGB, the Chinese secret service, or the Iranian government? You’d be a fool to assume you are safe from them.

So, what can be done about all this? You could argue that we should all turn into paranoid conspiracy theorists and behave accordingly by adopting all sorts of oddball technology ranging from tin foil hats to advanced encryption. This is neither feasible nor practical since tin foil hats are kind of ineffective and encryption is notoriously hard to get right even for people who supposedly know what they are doing. What’s much more practical is to scrutinize internet services for their track record regarding protecting your privacy, applying best practices regarding security, and generally doing the right things. One of the first things that happened after the Snowden case is that several major internet services started lobbying for permission to provide greater transparency on what they had been forced to expose to them. Reason: they don’t want to be caught lying to their customers about what they are doing and what they are not doing.

That is actually interesting. These companies are very worried about alienating their user base and clearly feel that they have an interest in explaining to their users how they go about protecting their privacy. That’s a start. The solution is to take this to the next level. Avoid dealing with companies and services that are known to do the wrong things and instead flock to those companies that do the right thing. The rest is a matter of darwinism: bad companies will be exposed and will adapt or perish.

The Snowden effect will be that doing so will be made a lot easier by a large crowd of people analyzing what different companies are doing with respect to your privacy and sharing their knowledge with others. That means that where some companies have been able to get away with sloppy practices and mildly aggressive tracking (e.g. Facebook and Google), it will be a lot harder for them to continue doing this without risking bad PR.

A second effect will be that the same scrutiny will be applied to politicians. After calling Snowden a traitor, there is now quite widespread support for actually taking some political action to undo some of the legislation that allowed the NSA to do their thing in the first place. Never mind the contradiction of denying the man is a whistle blower and then suddenly being in favor of backing measures that are basically about addressing some of the issues that the man exposed. Flip flopping like that is just business as usual for politicians. But whistle blower or not, it is already having a political effect. This will extend into elections, cause future scandals, and have political consequences for those that continue backing the wrong things.

The long term Snowden effect will be accountability. This is exactly what is needed.