NSA's spying powers don't mean encryption is obsolete: Dan Misener

Like many privacy-conscious Canadians, I'm troubled by recent reports that suggest the U.S. National Security Agency has cracked most online encryption and that they can access BlackBerry, Android, and iPhone data.

But if the reports are accurate, and the NSA and its partner agencies do indeed have hitherto unknown surveillance and encryption-cracking capabilities, what exactly are regular human beings supposed to do with that information?

Should I stop using the web? Unlikely.

Throw away my smartphone? Probably not.

Perhaps I should just live my life knowing that communications I once thought were secure aren't.

Take a deep breath

"The important thing is to not resort to privacy nihilism," Dan Auerbach tells me when I phone him up.

'HTTPS still is pretty strong, and by default, will protect people.' —Dan Auerbach, Electronic Frontier Foundation

Auerbach is a staff technologist at the Electronic Frontier Foundation (EFF), and says "there's good reason to believe that the mathematical underpinning of the crypto systems that are in widespread use are strong."

He says security advice like using websites that begin with https:// or looking for a closed-lock browser icon is still sound. "HTTPS still is pretty strong, and by default, will protect people."

He says even though spy agencies may have previously unknown capabilities, additional technical tools can help make online communication more secure.

Assemble a privacy and security toolbox

The good news is that strong privacy tools exist.

The bad news is that there's no magic bullet. There isn't a single comprehensive tool that will completely protect you.

"You're not going to be able to out-gun the NSA — you as an average person — when it comes to an arms race."  —Tamir Israel, CIPPIC

Auerbach suggests technical solutions that offer "end-to-end encryption." These include PGP for encrypted email, OTR for encrypted chat, and Redphone for encrypted voice calls.

Strong encryption isn't a panacea, though.

Tamir Israel, a staff lawyer at the Ottawa-based Canadian Internet Policy and Public Interest Clinic, likened the use of encryption to an ongoing arms race.

"It seems that the rate at which the NSA and other spy agencies are throwing resources at these types of issues, it's starting to look like [technical tools are] not going to be the solution, because they're solving these problems a lot faster than people thought and by more diverse means," he says.

"You're not going to be able to out-gun the NSA — you as an average person — when it comes to an arms race."

What's more, secure encryption technologies face very real usability challenges. Many are tricky for non-technical users to get up and running. Auerbach recognizes that's a problem.

"Cryptographers really downplay usability concerns," he says. "And I think that we really need to rethink that a lot. Cryptographers should be working very closely with usability experts."

Steve Anderson, executive director of OpenMedia.ca, also advocates the use of encryption tools. He says they "make spying more cumbersome and costly and thereby undermine such efforts. The more people use these tools the more costly spying on us all becomes."

But, he argues, "there will not be a technical solution to what is essentially a political problem."

Push for policy change

Instead, Anderson wants Canadians to reach out to their elected officials, to help put online security and privacy on the agenda.

"The best practical real-world activity people can undertake is [to] take some time each day or week and spend it reaching out to representatives and encouraging friends and family members to do the same."

Anderson points to two campaigns, both running online petitions.

The first is StopWatching.Us, which was spearheaded by Mozilla. It calls for the "U.S. Congress to reveal the full extent of the NSA's spying programs."

The second, called No Secret Spying, is run by OpenMedia.ca here in Canada. It calls "on the government to make public the details of Canadian foreign intelligence agencies online spying and data sharing activities, including those involving foreign states."

Anderson hopes that a call for policy changes will bring "proper legal safeguards and oversight" to government surveillance programs.

And Tamir Israel of CIPPIC says, "there needs to be a lot more transparency over what these agencies are doing, and how they're doing it."

For Dan Auerbach of the EFF, the way forward includes both legal and technological change.

"There's a lot that we don't know," he says, "but we hope that through increased legal pressure, and through increased technological awareness, we can really change the situation and stop a lot of the unchecked spying that's been taking place."