Interesting essay by Bruce Schneier (who’s been on great form recently). He starts by observing that, once upon a time, there was no downside for Internet companies if they cooperated with the NSA — because nobody (least of all their users) would know. But Snowden changed all that.
The Snowden documents made it clear how much the NSA relies on corporations to eavesdrop on the Internet. The NSA didn’t build a massive Internet eavesdropping system from scratch. It noticed that the corporate world was already eavesdropping on every Internet user — surveillance is the business model of the Internet, after all — and simply got copies for itself.
Now, that secret ecosystem is breaking down.
Over the past few months, writes Schneier, the companies have woken up to the fact that the NSA is basically treating them as adversaries, and are responding as such.
In mid-October, it became public that the NSA was collecting e-mail address books and buddy lists from Internet users logging into different service providers. Yahoo, which didn’t encrypt those user connections by default, allowed the NSA to collect much more of its data than Google, which did. That same day, Yahoo announced that it would implement SSL encryption by default for all of its users. Two weeks later, when it became public that the NSA was collecting data on Google users by eavesdropping on the company’s trunk connections between its data centers, Google announced that it would encrypt those connections.
We recently learned that Yahoo fought a government order to turn over data. Lavabit fought its order as well. Apple is now tweaking the government. And we think better of those companies because of it.
Now Lavabit, which closed down its e-mail service rather than comply with the NSA’s request for the master keys that would compromise all of its customers, has teamed with Silent Circle to develop a secure e-mail standard that is resistant to these kinds of tactics.
All this is evidence of a promising start. But the real question is whether the Snowden revelations just point to a scandal, or represent a crisis (to use David Runciman’s distinction). Scandals happen all the time, and generally make little difference in the grand scheme of things. (Think of the phone-hacking business in the UK: it looked for a time like a crisis, but little significant change will result from it, despite all the hoo-hah, so it was really just a scandal.) Crises, on the other hand, lead to real changes. Is the realisation of the scale of comprehensive surveillance a crisis? Only time will tell.