BY Fabio Chiusi | Wednesday, June 4 2014

A protest against the European parliament's refusal to offer Snowden protection (greensefa/flickr)

One year has passed since Edward Snowden revealed himself to the world as the whistleblower who leaked hundreds of National Security Agency documents and exposed the true scope and workings of its mass surveillance operations. “I have no intention of hiding who I am because I know I have done nothing wrong," the former CIA technical assistant and Booz Allen Hamilton contractor told the Guardian's Glenn Greenwald from a hotel room in Hong Kong.

A number of stories based on the leaks began to circulate in the press. The Guardian and the Washington Post broke news that the NSA had been collecting the phone records of millions of Verizon users and that the NSA PRISM program has direct access to user data from major Internet companies like Google, Facebook and Apple. Many more revelations followed, detailing the NSA's infrastructure of control and manipulation of phone and Internet communications and computer networks, which has since sparked a global debate about how to strike an appropriate balance between national security and civil liberties, a debate that is about, as Snowden put it, “what kind of world we want to live in."

Snowden has spent the last year in Russia and is possibly seeking asylum in Brazil. Now, one year into the NSA scandal, what have we learned thanks to Snowden's revelations? What has the government done and has anything changed for the better?

What We Know

Snowden was right. We did need a public debate about mass digital surveillance and how the balance between liberty and security has been lost in the last decade (more precisely, after 9/11) in favor of the latter, and with no public scrutiny or awareness. Even president Barack Obama acknowledged it in a January 2014 speech: “One thing I'm certain of: this debate will make us stronger,” he said. What Obama still fails to recognize, however, is that the debate he now welcomes wouldn't have taken place without Snowden. The former defense contractor is still being called a “coward” and a “traitor," most recently by Secretary of State John Kerry even though he admitted last November to have learned from the “traitor” that the NSA has "reached too far.”

"Collect it all." A couple of weeks after the scandal first broke, security expert Bruce Schneier predicted, “You have to assume everything is collected.” We can now say he was right. Collecting, storing and analyzing every single bit of information is indeed the ultimate aim of the NSA, as Greenwald shows in a series of slides in, "No place to hide," the NSA's "New Collection Posture" is to: “Sniff it all, know it all, collect it all, process it all, exploit it all, partner it all.”

The same holds true for U.S. allies. “Any mobile device, anytime, anywhere,” writes the British security agency GCHQ explaining its “vision” in a 2011 internal slide published by Der Spiegel. The dream (nightmare) is one of total control and domination of phone and Internet communications, so as to never “go dark” again. The underlying assumption is that only by knowing everything everywhere in real time is it possible to avoid terrorist threats and guarantee the safety of the nation. Problem is:

1) It doesn't work: Mass surveillance has been completely ineffective, as shown by a New America Foundation study, by a Privacy and Civil Liberties Oversight Board report and by a ProPublica investigation among others. These studies raise serious doubts about the validity of US administration claims that mass surveillance programs thwarted 54 terrorist plots 2) It's not compatible with any democratic views of the society, as it implies the acceptance of permanent, indiscriminate scrutiny by the State, leaving no room for privacy and anonymity. It creates a totalitarian, rather than democratic, environment in which, as Greenwald writes, there is effectively “no place to hide.” 3) It's not about security: There have been several cases of industrial and commercial espionage of late, such as the targeting of American competitors like China's Huawei, Brazil's Petrobras and – through the GCHQ – Belgium's Belgacom, just to name a few. There has also been the surveillance of world leaders like German Chancellor Angela Merkel and Brazilian President Dilma Rousseff. None of this has to do with the digital war on terror.

Metadata is content. Since the revelation of the Verizon scandal, the distinction between metadata and content has been put into question, arguably becoming meaningless. As former deputy CIA director Michael Morrell put it, “There's quite a bit of content in metadata." Enough to let the NSA “kill people based on metadata," as ex-NSA chief Michael Hayden had admitted (and Snowden confirmed through documents published by the Intercept).

Crowdsourced experiments like the ones conducted by Stanford researchers Jonathan Mayer and Patrick Mutchler show how much the distinction between "metadata" and "content" been effectively eroded by our hyperconnected ecosystem. You can check it out yourself by using the Guardian's interactive guide to metadata. This fact has become relevant at a policy level, as now, it has become difficult to argue that such a distinction should be preserved as a legal justification for mass surveillance, especially when the only oversight mechanism resides within the powers of a Court that “in its total 34 year history - from 1978 through 2012 has rejected a grand total of 11 government applications while approving more than 20,000," writes Glenn Greenwald.

What We're Doing About It

Ending bulk collection is easier said than done. President Obama said that bulk collection of phone records has to stop. But the only proposal that made it through the Congress, the USA Freedom Act, has been losing its strength with each passage. As EFF's Trevor Timm brilliantly put it on Twitter, “In the span of two weeks the USA Freedom Act has gone from good, to weak, to horrible.”

In the span of two weeks the USA Freedom Act has gone from good, to weak, to horrible. And it's up for vote Thursday. http://t.co/SXWrkOFRXt — Trevor Timm (@trevortimm) May 20, 2014

The quest for meaningful reform of mass surveillance practices has just started, and it remains to be seen whether the overall outcome of proposed changes will be beneficial at an international governance level. A global, multi-stakeholder meeting on the future of the Internet, Net Mundial, did not prove conclusive and stirred fears of a possible “balkanization” of the Internet. There has also been discussions of a less US-centric control of the Internet and of giving each government control over its own piece of the Internet.

Privacy is not dead. Data gathered from a number of surveys (such as the Pew Research Center, GlobalWebIndex, Harris, and Quinnipiac) show that the public has become more concerned about online privacy after Snowden, though not as much as one expected. Enough, however, to say that advocates of the “privacy is dead” hypothesis were wrong.

Cryptography has gone mainstream. Use of anonymity tools is on the rise -- it hovers at around 28 percent of all Internet users according to GlobalWebIndex. Several tech giants have started encrypting all traffic flowing through their servers. Since Snowden's revelations about the NSA weakening cryptographic standards worldwide, breaking SSL encryption and trying to break TOR has resulted in:

1) A significant loss of trust in US-based cloud services by ICT decision-makers, estimated to create a loss of $35 billion by 2016 for IT service providers and possibly even much more. 2) A whole new market of crypto-products such as phones and even masks to hide from the NSA's gaze. The result is a whole series of "NSA proof" products of which the only thing we know for sure is that there is no such thing as an "NSA proof" product: "If someone tells you that it’ll protect you from the NSA, I’ll fire them," said PGP inventor Phil Zimmermann of its security-focused smartphone, the BlackPhone. That's because of another major and yet to be tackled consequence of Snowden's disclosures: the NSA operates to weaken, not strengthen, Internet security. What to do about it? Use crypto tools, but with caution, as they don't always live up to their promises.

What Still Needs to Be Done

Fort Meade and Silicon Valley still too close. We now know that the ties between tech giants and intelligence agencies are stronger than expected. Private companies have been arguing that they were unaware of the NSA gaining “direct access” to their servers through PRISM, intercepting communications between their data centers with MUSCULAR, inserting malware and backdoors into their products (for example, in Cisco routers).

But compare what Eric Schmidt, for example, has said about mass surveillance and privacy before and after the scandal to see that there is a bit of hypocrisy floating around the private and tech sectors. Before the leaks, as the executive chairman of Google put it, surveillance was “the nature of our society”; and, after all, it is Schmidt who famously said in 2009, “If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."

After the MUSCULAR revelation, however, he started calling the NSA practices “outrageous.” Other relevant factors include both the revelations about the extensive cooperation between the NSA and Microsoft -- at work with the FBI to break the very encryption it designed to protect Outlook messages -- and the extensive negotiations between them, as detailed by the New York Times in a striking example of what NYU professor Jay Rosen labeled “the Snowden effect.”

All of this suffices to say that this private-public connection has to be reworked if users want to stand a chance of actually owning their data and shielding them from unjustified searches. A positive development is the fact that all the tech giants analyzed in the EFF's “Who has your back” report for 2014 show signs for the first time of “major improvements” concerning “industry standards for informing users about government data requests, publishing transparency reports, and fighting for the user in Congress.”

However, we are far away from disentangling this web of relationships that has cost millions of dollars. The business model upon which our whole web experience revolves is based on the collection and tracking of all users activities: companies need it to better profile and serve personalized, targeted ads to users; governments rely on the data in their attempt to enact total control and security; and the users themselves happily agree to this, voluntarily sharing each moment of their lives and ultimately becoming themselves products, since we need to share our data in order to keep our Internet user experience free of charge. In other words, the way out of the Surveillance State or Surveillance World might imply not only technological countermeasures and political reforms, but also a major rethinking of our digital economy.

Whistleblowing is here to stay. Despite saying differently while still a senator, Barack Obama prosecuted more whistleblowers than all other presidents in history combined; the harsh sentence imposed upon Chelsea, formerly Bradley, Manning -- 35 years in jail -- sends a strong signal that there are not to be exceptions.

At the same time, whistleblowing initiatives have multiplied worldwide, as the rapidly growing list of GlobaLeaks adopters confirm. Be it from WikiLeaks or some other organization, whether it's a “dump” or a carefully redacted limited set of top secret material, it seems that the act of leaking has become a very important part of today's digital media.

The US administration still needs to work on recognizing the importance of whistleblowers and to pass legislation that guarantees true whistleblower protection (one that includes contractors like Snowden, for example) rather than holding so rigidly to the Espionage Act, a law conceived in 1917 for a country grappling with the First World War and which would offer no recourse for Snowden if he was ever to return to the US. Then, that would finally be a step towards the transparency Obama has been consistently promoting, at least in principle.

Fabio Chiusi is a freelance journalist (Wired, L'Espresso), blogger (ilNichilista, Chiusi nella rete) and author who regularly writes about Internet censorship, surveillance and the complex relationship between digital technologies, politics and society. He tweets at @fabiochiusi.