Security Versus Surveillance After Snowden

Just published in the latest issue of the open-access Surveillance & Society journal is a piece I originally wrote while attending the Surveillance Studies Network conference in Barcelona in 2014. By that point, nearly a year after the first Snowden disclosures, the most significant revelations had come out and it was possible to take stock of their impact. I was studying Canadian telecom policy at the time, attending industry conferences and international events like NANOG and the IETF. At both kinds of meetings, discussions of privacy, surveillance and Snowden were unavoidable that year. We had entered the post-Snowden era, and this was evident beyond conferences’ discussion topics.

When the first Snowden disclosures happened in June 2013, conflicts between the NSA and private industry had cooled (and relations warmed), following mid-1990s fights over the Clipper chip. Many information security practitioners in 2013 had not been involved in these political battles from twenty years ago. Some infosec professionals had started out as troublesome hackers, but the NSA now saw domestic hackers as less of a threat and more of a recruitment opportunity, with the head of NSA (Gen. Hayden) giving a keynote at Def Con in 2012. Individuals from the NSA had also participated at the IETF, and many in the private sphere had come to see themselves as essentially fighting on the same side as government. The biggest enemies were foreign state-backed hackers (“advanced persistent threats”), concern over which had reached an all-time high in 2013, particularly through the threat emanating from China. Snowden changed all that; Chinese hackers dropped from the headlines, the IETF took a public stand, and the NSA took a “time out” from hacker conferences. It wasn’t just that the Five Eyes were carrying out mass surveillance — they were doing so by compromising the security of technologies, institutions, and people they claimed to protect.

As many (including Snowden) argued, secret government surveillance in a democracy is a political issue, and the disclosures brought secret programs to public attention to make an informed policy debate possible. But other than the USA Freedom Act, meaningful political action did not materialize, and in the United States the debate largely centered on the question of whether Americans were illegitimately spied upon by their own government (as opposed to larger questions of international mass surveillance and governments compromising technologies used by their own citizens). But some institutional relationships and technologies were immediately altered because of Snowden, and the practical consequences of changes undertaken in the private sector and civil society have been more significant than political reforms.

Post-Snowden security responses include Google securing its own international links, a wider shift toward encrypting web traffic (through HTTPS), and Apple’s post-Snowden security upgrade, which set off a massive legal fight with the FBI over an iPhone in 2016. It’s not that mass surveillance has become more difficult across the board — Apple now faces new concerns about iPhone security and the privacy compromises it has made to enter the Chinese market, but the company’s pre-Snowden cooperation with U.S. authorities is over.

More broadly, I hope this piece will be useful in distinguishing between different kinds of security (cyber, national, and information technology (IT)) and in showing how these relate to privacy and surveillance. Before Snowden, many in Five Eyes nations saw national, cyber, and IT security as working together. After Snowden, IT security has become a form of resistance against surveillance tied to national security and cyber security projects.