When the government is caught with their hand proverbially in the cookie jar – violating no less than the Constitution – you’d expect a platitude about what will be done to fix the situation, a kind of bureaucratic “mea culpa” if you will.
Sadly, the US government has not provided a coherent and rational explanation as to why its covert intelligence agency was spying on the telephone calls and internet data of millions of perfectly law-abiding Americans. And let us not forget the “Five Eyes” and the violations against the citizens of a plethora of other nations.
Nope. We are told only that it is “us” – the IT security professionals, the journalists, the whistleblowers – who are at fault, or perhaps even a little misguided. The White House spin may even paint us as unpatriotic when the reverse is clearly the case. The official response has been one of confusion (“Did we do that? I don’t have that information. Oh, that’s classified.”), minimization (“we are only collecting metadata”) and even flat-out ridicule of those of us who would dare question a government that has effectively gone rogue and turned its spying apparatus on its people.
We must stop being naive and begin treating the Internet as an insecure place where all our data may be intercepted without our knowledge and kept for an indeterminate amount of time (and perhaps used to populate some kind of database on who you are, based on your search habits, time of use, email contacts, etc.). This means that we need to get wise and stop using the Internet for tasks that we wouldn’t want our neighbors or business competitors to see.
Encryption is the key to solving this problem, as it is clear that any political due process would be ineffective. But when major software companies are in bed with the US government, how can we even trust our operating system, let alone our mail client, crypto software, etc.? Open source software projects have not been immune to subversion, although the availability of source code for scrutiny serves as a disincentive for obvious modification (assuming people actually compile the software rather than download a binary; it would also be wise to mention the potential for an evil compiler, also known as a Thompson attack). The waters get murkier when we start looking at the potential for “bad” hardware. That RAID controller has DMA access and a nice little embedded OS of its own – imagine what it could do.
There are no clear answers here, unfortunately, just more questions as the paranoia and distrust reach higher and higher levels.
At a minimum, we should be avoiding closed source operating systems and open source OS distributions with a commercial agenda. None of us can audit the entire kernel of, say, Linux or FreeBSD, so ultimately you have got to trust something. But you can build rings around your kingdom, so to speak, and try to take a mutually distrustful approach to engineering any solution.