Our fall pledge drive ends on Friday, and we're still $5,000 short of our goal.
Help make in-depth reporting sustainable with your tax-deductible donation today.
Earlier today, in a post about the latest Edward Snowden leak, I wrote that "I'm a lot less certain that this one should have seen the light of day." After some further thought and conversation, I'm now a lot less certain I should have said that.
Needless to say, not everyone agrees with my second bullet. Judging from my Twitter stream, there are people who seem to think that it's illegal for the NSA to engage in decryption. Others apparently believe that foreign surveillance serves no actual purpose and is really just a sham to keep the power elite in power. Still others seem to think that governments should never keep anything secret. There's not much to say to these people except to disagree with them.
But for the rest of us, this is a tough issue. If NSA is actively weakening internet security in ways that could blow back on us all, it absolutely ought to be reported. But to the extent that NSA is simply figuring out new decryption techniques that don't weaken security, they're just doing the job we've asked them to do. I don't see much sense in alerting anyone to the details or scope of how successful they've been.
The problem is that a close reading of the Times and Guardian stories makes it really hard to figure out how much of these two things the NSA is doing. The Guardian says categorically that inserting back doors and vulnerabilities into commercial crypto systems is the "key component" of the NSA's efforts. The Times is more circumspect, and the documents available to the Guardian and the Times are apparently fairly vague on this point. In 2010, for example, NSA says it developed "groundbreaking capabilities" against web encryption. Is this the product of a decade-long effort to insert vulnerabilities into commercial systems? Or something else?
We don't know, though there are several hints that NSA is spending an awful lot of time and money on decryption capabilities that have no connection to back doors or inserted weaknesses. And the companies that have responded so far to this story have mostly denied having allowed anything like this.
For now, then, I'll just say that I'm more uncertain about this than I was yesterday when I first read these stories. Some of the stuff they revealed I have no problem with. Some of it I think I do. I realize I'm breaking the pundit code that says we should all have absolute and unchangeable views on every subject, but I just don't this time. I need to learn more, and unfortunately I'm not likely to.