[liberationtech] Why we can't go back to business as usual post-PRISM.

Gregory Maxwell greg at xiph.org
Sun Jun 9 22:06:24 PDT 2013 

Many people in spheres of cryptography and digital rights activism
have long assumed (or—frankly—known about) pervasive government
surveillance of the Internet and other communications networks. So it's
unsurprising that there is something of an undertone in PRISM discussions
of "meh, it's terrible but it's not really news" or even "so far, this
is less bad than I was assuming".

It would be nice to think that we could go back to business as usual,
quietly fighting (or tolerating) these intrusions—but I don't believe
we can.  The recent revelations come with a radical increase in the risk
of harm from these programs, even to those who were already assuming
they existed.

To understand why, it might be helpful for me to share how I answer this
unrelated question:

 "Why would you use AES/RSA/etc. when the NSA employs more
  mathematicians than anyone else and may well have cracked them?"

The answer: if the popular cryptographic constructs have been cracked,
the knowledge that they were cracked—even without the "how"—would be
insanely valuable. So much so that unless you presented an existential
threat to the cracking party, they would be very hesitant to use that
ability against you if even a tiny risk existed that doing so could
reveal their capability and thereby make it less valuable.

In the case of mass surveillance programs not only is there a risk
that people would change behavior—switching to SSL with PFS for
all communications, making more use of high-delay mixing networks,
decentralized services, non-cloud open source software, etc.—but since
these programs are obviously illegal to many outside of the incestuous
world of intelligence, by revealing the capability they risk it being
simply taken away by the rule of law. (Even those who have convinced
themselves that these programs are lawful and righteous must recognize
that they are on thin ice and public opinion may go another way).

And so—before the capability was made public, it _likely_ wouldn't
have been used against mere political nuisances, at least not without
the additional cost of creating a solid pretext for the resulting
intelligence. But now this deterrent is gone: the burden of utter secrecy
is reduced. And if these programs are not eliminated, greatly curtailed,
or made moot, we can expect them to be employed much more freely.

More information about the liberationtech mailing list