Security Lessons From Snowden’s SXSW Discussion


The annual South by Southwest (SXSW) conference fills Austin with tech entrepreneurs looking to attract some buzz, but the buzziest speaker at this year’s edition was actually thousands of miles from Texas: Edward Snowden, former NSA contractor, current government whistleblower, temporary (perhaps) resident of Russia, gave a very long keynote discussion March 10 about online privacy, encryption, and security.

“The way we interact with [encrypted email and communications] is not good,” he told an auditorium full of SXSW attendees via Google Hangouts. “It needs to be out there, it needs to happen automatically, it needs to happen seamlessly.”

Snowden and ACLU principal technologist Christopher Soghoian, who moderated the discussion from a seat onstage, spent the majority of the time discussing the National Security Agency’s extensive online surveillance programs, and how individuals can improve their own online privacy and security. Here are some tips gleaned from that discussion:

When In Doubt, Encrypt: In a sea change from a few years ago, a number of large tech companies (most notably Google and Facebook) either encrypt their communication products by default, or offer a relatively easy way of switching such encryption on. It behooves anyone communicating via the Internet to ensure that these measures are in place for whatever platform they use, and to obey common-sense security policies (such as creating long and complex passwords).

Better Yet, Use Specialized Tools: For many people, using popular communications platforms—even if encrypted—simply isn’t good enough, especially in the wake of reports that the NSA and other government agencies have managed to penetrate the datacenters of the world’s largest tech companies. In search of near-perfect security, those folks often turn to smaller security vendors such as Silent Circle, Geeksphone and FreedomPop, all of which are building hardware and software capable of hosting ultra-secure communications.

For the ultra-paranoid, there’s also Tor, a network that relies on relays that make it difficult to trace a user’s Internet activity (although that tool takes some time to learn and use effectively). Ultra-secure storage is available via vendors such as SpiderOak, but beware—many of those services feature host-proof cryptography, in which the provider never holds the keys needed to decrypt your files, meaning that if you lose your access credentials, you’ll have no way to access your data.

Wait: At several points in the discussion, Snowden encouraged the entrepreneurs and developers in the audience to build better software for thwarting government surveillance: “They [agencies such as the NSA] are setting fire to the future of the internet and the people who are in this room now are the firefighters and we need you to help us fix this.” And fix it they probably will: software and cloud companies know that, if they lose customer trust, their business could easily implode. As a result, popular communications tools will likely boast additional layers of security within the next few years.

Doubt: If you don’t know what a company is doing with your data, it might be worth questioning whether you actually need to download and use that company’s apps and services.

Much of this advice seems straightforward, and that’s exactly the point: Snowden and Soghoian argued that the tools and techniques are already out there for people to use, provided the processes behind them become hassle-free. That seems to be the next big challenge facing the online-security industry: how do you make encryption seamless, easy, and maybe even—hey, it needs to be said—fun?

