The Snowden effect

A lot has been written about the whole Snowden case and some of the NSA practices for spying on us. You could argue all sorts of things about this case. A popular thing that people keep pointing out is that actually, if you know anything about security and the NSA, none of this should come as a surprise. This is indeed a valid point and a lot of crocodile tears are being shed and there is a lot of mock outrage by especially some governments that are trying to distance themselves from the whole affair. Hypocrisy is rampant.

But it is an interesting point and it actually completely destroys the case against Snowden by the USA. The central point in that case is that Snowden supposedly leaked crucial information that will cause ‘enemies’ to adapt their behavior. In fact, that has already happened years ago. So, yes people knew and have long adapted their behavior. Whether it is terrorists, Chinese activists, or the Russian mafia, they all have learned the hard way to use technology to evade detection and keep their communication private a long time ago.

This brings me to the core point of this post: so should all of us. Snowden has clearly demonstrated that any trail you leave on the internet is subject to archiving and analysis, and may be used against you outside of the usual checks and balances provided by the law of wherever you happen to live. Some of us already knew this, some others thought those people were conspiracy theorists, and now we all know that it is about as bad as these people were saying it was all along.

This brings me to another point some people have been making. It’s the “I have nothing to hide” argument that a lot of people are using. The reasoning is that if you are a law-abiding citizen, there is little of interest to discover in your online behavioral patterns so what’s the harm? The fallacy in this argument is that it depends entirely on those that do the analyzing and collecting to respect your rights and generally mean well. This is not the case. Dictators, Nigerian scammers, terrorists, criminals, and indeed the NSA all largely have the same tools at their disposal to access your data and a wide range of motives for doing so. Your current government may be well behaved but there are no guarantees about the one that comes after. Times change. Besides, you don’t control who does the collecting. If you think the NSA is the only institute currently engaged in data collection you are a fool. The Chinese invented and perfected this game a long time ago. Most authoritarian regimes actively spy on their own citizens as well as foreign nationals using whatever technology is available to them. You may be comfortable with the NSA tracking your communications but what about the KGB, the Chinese secret service, or the Iranian government? You’d be a fool to assume you are safe from them.

So, what can be done about all this? You could argue that we should all turn into paranoid conspiracy theorists and behave accordingly by adopting all sorts of oddball technology ranging from tin foil hats to advanced encryption. This is neither feasible nor practical since tin foil hats are kind of ineffective and encryption is notoriously hard to get right even for people who supposedly know what they are doing. What’s much more practical is to scrutinize internet services for their track record regarding protecting your privacy, applying best practices regarding security, and generally doing the right things. One of the first things that happened after the Snowden case is that several major internet services started lobbying for permission to provide greater transparency on what they had been forced to expose to them. Reason: they don’t want to be caught lying to their customers about what they are doing and what they are not doing.

That is actually interesting. These companies are very worried about alienating their user base and clearly feel that they have an interest in explaining to their users how they go about protecting their privacy. That’s a start. The solution is to take this to the next level. Avoid dealing with companies and services that are known to do the wrong things and instead flock to those companies that do the right thing. The rest is a matter of Darwinism: bad companies will be exposed and will adapt or perish.

The Snowden effect will be that doing so will be made a lot easier by a large crowd of people analyzing what different companies are doing with respect to your privacy and sharing their knowledge with others. That means that where some companies have been able to get away with sloppy practices and mildly aggressive tracking (e.g. Facebook and Google), it will be a lot harder for them to continue doing this without risking bad PR.

A second effect will be that the same scrutiny will be applied to politicians. After calling Snowden a traitor, there is now quite widespread support for actually taking some political action to undo some of the legislation that allowed the NSA to do their thing in the first place. Never mind the contradiction of denying the man is a whistle blower and then suddenly being in favor of backing measures that are basically about addressing some of the issues that the man exposed. Flip flopping like that is just business as usual for politicians. But whistle blower or not, it is already having a political effect. This will extend into elections, cause future scandals, and have political consequences for those that continue backing the wrong things.

The long term Snowden effect will be accountability. This is exactly what is needed.

Welcome to the USA!

I spent yesterday traveling to Baltimore, USA. Quite a lot of stress and uncertainty is involved these days due to the USA overreacting to terrorist threats. Most of the measures are not really effective but they certainly are time consuming.

The first part of my journey was a regular European flight from Helsinki to Frankfurt. Everything was pretty much normal. Me, my hand luggage and suitcase were checked for dangerous/illegal objects and substances (e.g. a bottle of water 🙂 ), I proceeded to the gate, got on the plane and flew to Frankfurt.

In Frankfurt I had to move from one terminal to another to get to gate B22. For this purpose there is a nicely designed tunnel that is several hundred meters long. Once in the B terminal there were a lot of people and they were all queueing for something; this was around gate B4. So I walked along the queue towards my gate when I started to realize that these people were queueing for a security checkpoint. A security checkpoint that I had to pass. With the plane already boarding I started to get a little nervous. By my estimation there were about 1500 people waiting to get to their gate. And they were all in a hurry.

Like the rest of the people I tried my luck with the indifferent security people. In short, they don’t care if you miss your plane. They said it politely but the message was basically to try your luck at the other end of the queue (several hundred meters away) and go F*** yourself. So I squeezed in about 30 meters back and ignored the angry looks from the people behind me (you have to be pragmatic). Slowly the queue moved forward, about a meter per minute.

At last the security people started to do something smart: removing the people from the queue who had time to spare and moving the people forward that like me were supposed to be on the plane already (and still had a good chance of getting on it). The desperate faces of people who were pulled out and told to come back later were heartbreaking. Some had been queuing for 2 hours or more. About 30 minutes later I was searched (no rubber gloves type treatment, don’t worry). The search was pretty quick since there was a lot of pressure on the security guards to hurry up. They glanced in my bag in a way that convinced me that I could have easily hidden stuff in there provided it would not look too suspicious on the scanner.

Anyway, I made it to the plane just in time, that is about 30 minutes after it was supposed to leave and about an hour before it actually left. The trip was uneventful except for the fact that Lufthansa sees no problems in handing out metallic cutlery. Yep, that’s right, after having been strip-searched for nail cutters, pocketknives and other metallic objects they gave me a knife and fork that would definitely have set off all alarms if I had had them in my pocket at the security checkpoint. The knife was definitely usable as a weapon (though not of mass destruction). Weird.

Arrival in the US (Washington Dulles airport) was a lot smoother. They have these weird shuttles that move between the terminals there. Apparently having dozens of custom made shuttle vehicles that can elevate the cabin to the right height (3 or 4 meters) to move in and out of the terminal is cheaper than just digging a 400 meter tunnel or letting people use an escalator + normal buses. Weird, who’s paying for that?

Security checks were aimed at preventing illegal entry of the country this time. I only had to wait for about 45 minutes this time (last time in the US it was 2 hours). After that I collected my luggage and left the terminal.
Welcome to the USA!

My hotel is quite nice. I’m on the 21st floor and have an excellent view over Baltimore including skyline, harbor and city behind the skyline. I’ll post some panorama pics when I’m back in Finland.