With just days left to kill mass surveillance under Section 215 of the Patriot Act, Edward Snowden did an AMA on Reddit. These are the top questions and answers.

sf_frankie:

See the latest poll: 60% of Americans want their privacy back. What the f*ck is wrong with the other 40%?

Edward Snowden:

They’re not bad or stupid. They’re just like you or me, only they’ve been repeatedly presented with misinformation. You surely hold misconceptions of your own, and it’s a matter of public record that I have a history of naive trust in the claims of authority. Whether through media, pundits, or intentionally inaccurate statements intended to sway their beliefs, we can be manipulated to believe things that simply aren’t true.

The latter is unfortunately far more accepted in our domestic political culture than it should be. It is documented by the government itself that, for example, mass surveillance occurring under Section 215 of the Patriot Act (the poll is about this kind of thing) has not only never stopped a terrorist attack in the US, but it has never even made a “concrete difference” in even a single terrorism investigation.

Despite that, all week we’ve had Senators claiming “this program saves lives” or “keeps us safe.” It’s simply not true, and all of the senators know this: they’ve got aides to fact check them on these things.

The question is what to do with elected representatives who knowingly lie for political benefit, and how to disincentivize the root behavior.

You can start by letting them know that after a decade of watching us, now you’re watching them.

Tomcat1108:

Even if section 215 is not renewed, do you believe that the NSA/ US government will still accomplish phone surveillance without approval and in secret?

Edward Snowden:

There are always reasons to be concerned that regardless of the laws passed, some agencies in government (FBI, NSA, CIA, and DEA, for example, have flouted laws in the past) will misconstrue the intent of Congress in passing limiting laws — or simply disregard them totally. For example, the DOJ’s internal watchdog, the Office of the Inspector General (OIG) released a report claiming, among other abuses, that it could simply refuse to tell government oversight bodies what exactly it was doing, so the legality or illegality of their operations simply couldn’t be questioned at all.

However, that’s no excuse for the public or Congress to turn a blind eye to unlawful or immoral operations — and the kind of mass surveillance happening under Section 215 of the Patriot Act right now is very much unlawful: the Courts ruled just two weeks ago that not only are these activities illegal, but they have been since the day the programs began.

123choji:

Hey there! Since I don’t live in the US, what can we do to help?

Edward Snowden:

The first thing is to correct misinformation whenever you see this topic being debated. For example:

Supporters of mass surveillance say it keeps us safe. The problem is that that’s an allegation, not a fact, and there’s no evidence at all to support the claim. In fact, a White House review with unrestricted access to classified information found that not only is mass surveillance illegal, it has never made a concrete difference in even one terrorism investigation.

Some claim the Senate should keep Section 215 of the Patriot Act (which will be voted on in two days) because we need “more time for debate,” but even in the US, the public has already decided: 60% oppose reauthorization. This unconstitutional mass surveillance program was revealed in June 2013 and has been struck down by courts twice since then. If two years and two courts aren’t enough to satisfy them, what is?

A few try to say that Section 215 is legal. It’s not. Help them understand.

The bottom line is we need people everywhere — in the US, outside the US, and especially within their own communities — to push back and challenge anybody defending these programs. More than anything, we need ordinary people to make it clear that a vote in favor of the extension or reauthorization of mass surveillance authorities is a vote in favor of a program that is illegal, ineffective, and illiberal.

4a4a:

Should kids be encouraged to pursue careers in cryptography?

Edward Snowden:

Yes, but good luck keeping tabs on them as teens.

“Where have you been?” “Out.” “If you don’t tell me, I’ll just check your ph– Oh.”

swartzcr:

A few days ago a group of researchers published what’s being called the ‘logjam attack’ (https://weakdh.org/) and seem to think that it fits the description of some of the capabilities described in some of the NSA slides you released. Does it seem plausible to you that this was in fact a vulnerability that was being exploited by the NSA?

Edward Snowden:

I wish I could help more, because this vulnerability represents the central folly of government interference in cryptographic standards. For those who are not familiar with it, this vulnerability exists in most browsers and server packages only because the US Government regulations meant “weak cryptography” fallbacks were mandated in 90s-era software exports… the problem is today, those fallbacks still exist, and even domestic US communications can be tricked into “falling back” to them. Basically, some truly brilliant researchers published a paper yesterday proving your modern smartphones or laptops can be tricked into using awful paper-thin crypto mandated as a result of long-dead policies from the 90s. This constitutes a central threat to the security of the internet that is so central to our economy, but few journalists and politicians have a meaningful understanding of cryptography or its implications.

Unfortunately, even to people who work directly with mass surveillance tools like XKEYSCORE, the details and capabilities of NSA’s CES (Cryptographic Exploitation Service) office are a black box. The way it worked for someone like me, who analyses computer-to-computer communications (rather than the legacy phone networks) for NSA, is that you’d basically query your way through the rolling buffer of the previous days’ internet traffic — the de rigueur — until you find something that is relevant to your actors (the people/groups you’re targeting) that is clearly enciphered but (based on a review of the data flow and knowledge of the target’s pattern of life) doesn’t look like it would be a low-value waste of time (like an encrypted video streaming site) to decrypt.

You then flag those comms and task them to CES for processing. If they’ve got a capability against it and consider your target is worth using it against, they’ll return the plaintext decrypt. They might even set up a processor to automate decryption for that data flow going forward as matching traffic gets ingested as they pass the mass surveillance sensors out at the telecom companies and landing sites. If you don’t meet CES’s justifications for the capability use or they lack a capability, you get nothing back. In my experience NSA rarely uses meaningful decryption capabilities against terrorists, firstly because most of those who actually work in intelligence consider terrorism to be a nuisance rather than a national security threat, and secondly because terrorists are so fantastically inept that they can be countered through far less costly means.

The down side of this is most analysts who aren’t already technically high speed (and the average NSA analyst is an unimpressive uniform who learned to paint by numbers in a government class, but knows how to punch the buttons, although there are also people who are almost impossibly talented) just stop bothering to request decrypts on anything that they don’t know from rumor or personal experience there is a capability against, because they figure it’s not worth the effort of writing an email. On the plus side, it’s great opsec.

I try not to speculate on this topic, because a bad answer can be worse than no answer, so I have to limit my replies to things that I both have personal knowledge of and journalists have done a public-interest review of.

To summarize the linked response: I don’t know, and none of our representatives in Congress have been willing to tell us. What I can say is that some of the finest minds in cryptography find it unbelievable that NSA did not have knowledge of this weakness. The fact that they did not publicly disclose it is concerning in either case:

If they knew about it and exploited the vulnerability rather than publicly disclosing it, they placed critical US (and international) infrastructure at risk for over a decade, which has certainly been exploited by the adversaries of any sophistication.

If they did not know about it, but a team of academics with no access to nation state resources could both find the vulnerability and prove that it works, it’s incompetent to the point of negligence.
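A defender-side check for the export-grade fallback discussed in the answer above, added here as an example and not part of the AMA or of the researchers' own code: it flags export cipher-suite names and parses a PEM `DH PARAMETERS` block to report the size of the prime. The function names, the 2048-bit threshold (the group size advised at weakdh.org) and the sample inputs are assumptions; the sample parameters are constructed, not real primes.

```python
import base64

EXPORT_MARKERS = ("EXP-", "_EXPORT_")  # OpenSSL / IANA naming of export-grade suites
MIN_DH_BITS = 2048                     # assumption: group size advised at weakdh.org

def _read_tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem):
    """Bit length of p in a PEM 'DH PARAMETERS' block: SEQUENCE { INTEGER p, INTEGER g }."""
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, p, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    return int.from_bytes(p, "big").bit_length()

def audit(cipher_names, dh_pem):
    """Findings for export-grade suites and an undersized DH group."""
    findings = [f"export-grade suite enabled: {c}" for c in cipher_names
                if any(m in c for m in EXPORT_MARKERS)]
    bits = dh_prime_bits(dh_pem)
    if bits < MIN_DH_BITS:
        findings.append(f"DH group is {bits} bits, below {MIN_DH_BITS}")
    return findings

def _make_pem(p, g=2):
    """Constructed sample input: p is an arbitrary odd number, not a real safe prime."""
    def tlv(tag, body):
        ln = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
        return bytes([tag]) + ln + body
    ints = b"".join(tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (p, g))
    der = base64.b64encode(tlv(0x30, ints)).decode()
    return f"-----BEGIN DH PARAMETERS-----\n{der}\n-----END DH PARAMETERS-----"
WEAK_PEM = _make_pem((1 << 511) | 1)      # 512-bit, the export-grade size
STRONG_PEM = _make_pem((1 << 2047) | 1)   # 2048-bit
SUITES = ["ECDHE-RSA-AES128-GCM-SHA256", "EXP-EDH-RSA-DES-CBC-SHA"]  # constructed list
print(audit(SUITES, WEAK_PEM))
```
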

A Final Thought From Edward Snowden:

Our fight to rein in the surveillance state got a shot in the arm on May 7 when a federal appeals court ruled the NSA’s mass call-tracking program, the first program to be revealed by Edward Snowden, to be illegal. A poll released by the ACLU this week shows that a majority of Americans from across the political spectrum are deeply concerned about government surveillance. Lawmakers need to respond.

The pressure is on Congress to do exactly that, because Section 215 of the Patriot Act is set to expire on June 1. Now is the time to tell our representatives that America wants its privacy back.

Senator Mitch McConnell has introduced a two-month extension of Section 215 – and the Senate has days left to vote on it. Urge Congress to let Section 215 die by:

Calling your senators: https://www.aclu.org/feature/end-government-mass-surveillance

Signing the petition: https://action.aclu.org/secure/section215

Getting the word out on social media: https://www.facebook.com/aclu.nationwide/photos/a.74134381812.86554.18982436812/10152748572081813/?type=1&permPage=1

Attending a sunset vigil to sunset the Patriot Act: https://www.endsurveillance.com/#protest