This article is from the source 'guardian' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at http://www.theguardian.com/commentisfree/2013/sep/06/nsa-surveillance-revelations-encryption-expert-chat

The article has changed 7 times. There is an RSS feed of changes available.

Version 2 Version 3
Explaining the latest NSA revelations –Q&A with internet privacy experts Explaining the latest NSA revelations –Q&A with internet privacy experts
(35 minutes later)
Today, beginning at 3pm ET | 8pm BST, the Guardian's James Ball, who reported on the latest NSA and GCHQ revelations, and cryptology expert Bruce Schneier, who wrote about the implications, will take your questions on the new revelation that the US and UK governments can crack much of the encryption protecting personal data, online transactions and emails – as well as the ongoing debate over surveillance. Toss your questions below and as you wait for a response, re-visit yesterday's stories:Today, beginning at 3pm ET | 8pm BST, the Guardian's James Ball, who reported on the latest NSA and GCHQ revelations, and cryptology expert Bruce Schneier, who wrote about the implications, will take your questions on the new revelation that the US and UK governments can crack much of the encryption protecting personal data, online transactions and emails – as well as the ongoing debate over surveillance. Toss your questions below and as you wait for a response, re-visit yesterday's stories:
• How US and UK spy agencies defeat internet privacy and security• How US and UK spy agencies defeat internet privacy and security
• How internet encryption works • How internet encryption works 
• The US government has betrayed the internet. We need to take it back• The US government has betrayed the internet. We need to take it back
The Q&A is now live:The Q&A is now live:
First Question: First Question: 
Can we trust open source? Of course it is more transparent than properietry, but if NSA has been influencing standard documents, what is stopping them penetrating free software?Can we trust open source? Of course it is more transparent than properietry, but if NSA has been influencing standard documents, what is stopping them penetrating free software?
Do we have evidence supporting/denying contamination of open source?Do we have evidence supporting/denying contamination of open source?
Answer: Answer: 
James Ball: Because the NSA and GCHQ have been influencing standards, and working to covertly modify code, almost anything could potentially have been compromised. Something as simple as – hypothetically – modifying a basic random-number-generator could weaken numerous implementations of open-source code.James Ball: Because the NSA and GCHQ have been influencing standards, and working to covertly modify code, almost anything could potentially have been compromised. Something as simple as – hypothetically – modifying a basic random-number-generator could weaken numerous implementations of open-source code.
That said, anything done to open source projects, particularly popular ones, will have to be subtle, as anyone can audit the code. So I do believe they’re more trustworthy/dependable than other things. But almost nothing is certain, and we see quite regularly bugs/vulnerabilities discovered in major open source projects that have lain undiscovered for months.That said, anything done to open source projects, particularly popular ones, will have to be subtle, as anyone can audit the code. So I do believe they’re more trustworthy/dependable than other things. But almost nothing is certain, and we see quite regularly bugs/vulnerabilities discovered in major open source projects that have lain undiscovered for months.
Question:Question:
Is there any reason to believe that these back doors have also been built into hardware?Is there any reason to believe that these back doors have also been built into hardware?
Answer: Answer: 
Ball: There’s every reason to think this. The Washington Post mentioned in passing last week the use of ‘implants’, and the New York Times’ take on this story made reference to efforts against “encryption chips”.Ball: There’s every reason to think this. The Washington Post mentioned in passing last week the use of ‘implants’, and the New York Times’ take on this story made reference to efforts against “encryption chips”.
Question:Question:
How hard do you think it will be to get people to take security seriously when people are willing to type so much personal data into Facebook/Google+ etc?How hard do you think it will be to get people to take security seriously when people are willing to type so much personal data into Facebook/Google+ etc?
Answer:Answer:
Ball: I think we need more awareness of privacy and security generally, and I think as generations grow up net-native (as today’s teens are), that’s taking care of itself. I don’t think people who volunteer information to a strictly-controlled network on Facebook (or webmail, etc) are automatically willing to share that same information with their governments. That’s a large part of what the whole privacy and security debate the NSA files are fueling is about, I think.Ball: I think we need more awareness of privacy and security generally, and I think as generations grow up net-native (as today’s teens are), that’s taking care of itself. I don’t think people who volunteer information to a strictly-controlled network on Facebook (or webmail, etc) are automatically willing to share that same information with their governments. That’s a large part of what the whole privacy and security debate the NSA files are fueling is about, I think.
Question:Question:
How would one go about selecting a VPN service that is still viable? All US-based ones are likely compromised via National Security Letters, and many foreign ones are probably hacked. Is there anything specific about a VPN service's transmission protocol (key exchange method) that may make it more reliable?How would one go about selecting a VPN service that is still viable? All US-based ones are likely compromised via National Security Letters, and many foreign ones are probably hacked. Is there anything specific about a VPN service's transmission protocol (key exchange method) that may make it more reliable?
Answer: Answer: 
Ball: As you say, I think this is quite difficult, but one thing that is worth flagging is we have a sense of what the US and the other “Five Eyes” nations (the UK, Canada, Australia and New Zealand) are doing, because we have a whistleblower from those agencies.Ball: As you say, I think this is quite difficult, but one thing that is worth flagging is we have a sense of what the US and the other “Five Eyes” nations (the UK, Canada, Australia and New Zealand) are doing, because we have a whistleblower from those agencies.
It’s not inconceivable that intelligence agencies in other countries are doing a lot of the same things (it would be surprising if they weren’t doing some of it) – but we won’t hear about them unless a Chinese, Russian, German, Indian, etc, Edward Snowden comes along. I hope they do.It’s not inconceivable that intelligence agencies in other countries are doing a lot of the same things (it would be surprising if they weren’t doing some of it) – but we won’t hear about them unless a Chinese, Russian, German, Indian, etc, Edward Snowden comes along. I hope they do.
Question:Question:
First off -- thanks to James and Bruce for taking some time to answer people's questions! I know a lot of us need answers in these uncertain times.First off -- thanks to James and Bruce for taking some time to answer people's questions! I know a lot of us need answers in these uncertain times.
Mine is a two-part question:Mine is a two-part question:
1.) What can the average internet user do to protect him- or herself from government snooping online?1.) What can the average internet user do to protect him- or herself from government snooping online?
2.) What can the average citizen do to help stop the NSA?2.) What can the average citizen do to help stop the NSA?
Thank you.Thank you.
Answer: Answer: 
Ball: Bruce had a great article yesterday (http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance) on what to do to try to secure your own communications. I think it’s a brilliant starting place, especially for journalists and activists. Even though he’s described it well, of course, I think it’s beyond the expertise levels of 95%+ of internet users. This stuff is seriously hard, and I hope the crypto community carries on trying to make it easier.Ball: Bruce had a great article yesterday (http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance) on what to do to try to secure your own communications. I think it’s a brilliant starting place, especially for journalists and activists. Even though he’s described it well, of course, I think it’s beyond the expertise levels of 95%+ of internet users. This stuff is seriously hard, and I hope the crypto community carries on trying to make it easier.
As to the second question, the solution is going to have to be political: if your view is that what the NSA is doing isn’t acceptable, I think contacting congressmen, petitioning, and campaigning are the right steps. I’m sure the EFF, ACLU, EPIC and similar organizations will be stepping up their long-running efforts in the near future.As to the second question, the solution is going to have to be political: if your view is that what the NSA is doing isn’t acceptable, I think contacting congressmen, petitioning, and campaigning are the right steps. I’m sure the EFF, ACLU, EPIC and similar organizations will be stepping up their long-running efforts in the near future.
Question:Question:
Bruce's article giving advice on staying more private online included selecting certain encryption algorithms based on their mathmatical features etc -- what are some direct examples of the most 'safe' encryption techniques to use, key lengths etc?Bruce's article giving advice on staying more private online included selecting certain encryption algorithms based on their mathmatical features etc -- what are some direct examples of the most 'safe' encryption techniques to use, key lengths etc?
How can Tor be any safer than VPN if both SSL/TLS and VPN methodologies have been exploited? Is the Tor routing process still a good security?How can Tor be any safer than VPN if both SSL/TLS and VPN methodologies have been exploited? Is the Tor routing process still a good security?
Answer:Answer:
Ball: GCHQ’s phrasing of beating “30” then “300” VPNs suggest it’s done on a case-by-case basis, rather than a blanket capability. It’s also worth noting that just because the NSA can, say, beat SSL in some (or many, or most) cases, it doesn’t mean they can do it all the time, especially as they often seem to circumvent rather than directly beat security. Tor also has its onion methodology. I think Bruce’s take – that Tor makes tracing you harder, rather than impossible – seems a sensible one.Ball: GCHQ’s phrasing of beating “30” then “300” VPNs suggest it’s done on a case-by-case basis, rather than a blanket capability. It’s also worth noting that just because the NSA can, say, beat SSL in some (or many, or most) cases, it doesn’t mean they can do it all the time, especially as they often seem to circumvent rather than directly beat security. Tor also has its onion methodology. I think Bruce’s take – that Tor makes tracing you harder, rather than impossible – seems a sensible one.
Note: Bruce Schneier has been traveling but will be online answering questions shortly.Note: Bruce Schneier has been traveling but will be online answering questions shortly.
Question:Question:
The questions I find myself asking are "Who is chiefly responsible for this breach of trust?", "Will anyone be held accountable?" and "What sort of backlash will there be, if any, from society at large?".The questions I find myself asking are "Who is chiefly responsible for this breach of trust?", "Will anyone be held accountable?" and "What sort of backlash will there be, if any, from society at large?".
Answer:Answer:
Ball: Me too! There are a lot of issues here, not least that the technological capabilities of the NSA have hugely outpaced the efforts of most lawmakers to meaningfully understand them, let alone regulate them.Ball: Me too! There are a lot of issues here, not least that the technological capabilities of the NSA have hugely outpaced the efforts of most lawmakers to meaningfully understand them, let alone regulate them.
In the environment after 9/11, the agency had a permissive environment to expand its remit, masses more funding, and technological advancements making surveillance possible on a scale never previously imaginable. For privacy advocates, the past decade was essentially the perfect storm.In the environment after 9/11, the agency had a permissive environment to expand its remit, masses more funding, and technological advancements making surveillance possible on a scale never previously imaginable. For privacy advocates, the past decade was essentially the perfect storm.
That encroachment happened under three Presidents, from two parties. I don’t think this is a partisan issue. It feels a little like the (apocryphal) tale of a frog in boiling water: if the water is slowly heated, the frog never notices it’s being cooked.That encroachment happened under three Presidents, from two parties. I don’t think this is a partisan issue. It feels a little like the (apocryphal) tale of a frog in boiling water: if the water is slowly heated, the frog never notices it’s being cooked.
A final note is that at a bare minimum we need to hold senior intelligence officials accountable in public, and demand honest answers. Obama’s Director of National Intelligence has been accused of outright lying to Congress, seemingly with no adverse consequences. If you’re looking to increase accountability and transparency, surely you’ve got to start there.A final note is that at a bare minimum we need to hold senior intelligence officials accountable in public, and demand honest answers. Obama’s Director of National Intelligence has been accused of outright lying to Congress, seemingly with no adverse consequences. If you’re looking to increase accountability and transparency, surely you’ve got to start there.
Question:Question:
Thus far the focus has been on the US and UK. But we see the five-eyed acronym on some of the documents. Should Aussies, Kiwis and Canadians be concerned about their privacy too?Thus far the focus has been on the US and UK. But we see the five-eyed acronym on some of the documents. Should Aussies, Kiwis and Canadians be concerned about their privacy too?
Answer:Answer:
Ball: The short answer is yes – the techniques revealed in the whole NSA Files series are shared with the five eyes nations, as is access to most of the databases of intelligence and communications the agencies collect.Ball: The short answer is yes – the techniques revealed in the whole NSA Files series are shared with the five eyes nations, as is access to most of the databases of intelligence and communications the agencies collect.
Of course, there’s a flipside, which is that (in theory at least) the citizens of the five-eyes nations get a little bit extra protection against being spied on by the others – so perhaps you should be more worried if you’re NOT in the US, UK, Canada, Australia or New Zealand. Hard to say!Of course, there’s a flipside, which is that (in theory at least) the citizens of the five-eyes nations get a little bit extra protection against being spied on by the others – so perhaps you should be more worried if you’re NOT in the US, UK, Canada, Australia or New Zealand. Hard to say!
Question:
Could the spooks sell the information or keys when they retire?..Would it be impossible?
Answer: 
Ball: If the NSA’s internal security was perfect, Edward Snowden would never have been able to leak. We’re essentially lucky he chose to release to the press – and it’s worth remembering he asked for responsible, measured publication, not mass-release – rather than simply sell it to hackers or criminals.
If someone in a similar position to Snowden decided to just take what they could and sell it to a foreign government, or criminal gang, would we ever know? It seems unlikely we’d be told. And given the NSA has repeatedly said they don’t know which documents Snowden accessed, maybe they wouldn’t know either.
That’s an important, additional, reason to be very concerned about the scope of NSA surveillance and activities, in my view – whatever your take on the need/legitimacy of mass-surveillance in general.
Question:
Your article states:
$250m-a-year US program works covertly with tech companies to insert weaknesses into products
Answer:
Ball: I think this is a serious risk of what the NSA has been doing: if I ran a US security company, I’d be concerned about my reputation (maybe deservedly so, though) – and I’m sure overseas competition will be stressing their ability to refuse US government requests in their advertising (though maybe their own government have similar programs).
That does seem to have been a concern of the NSA and GCHQ. I find that quite telling: if companies are just doing what the government requires, and no more, why such a need for secrecy around it? Why can’t they level? I think the efforts some of the silicon valley firms seem to be making are a good start – though what seems to be happening with Lavabit (a secure email company that shut down) are concerning.
Finally: this could be a boost to the free software / open source movement, too. That would be no bad thing.
Question: 
They may have broken various methods of encryption (I'd assumed as much), but my question is; is this legal/viable evidence, that can be used in court? My understanding is that evidence that is acquired via snooping in on a secure/encrypted connection is illegitimate, and thus unusable in a court of law? (Not that legality seems to bother these people)
Answer: 
Ball: I can’t speak for the US system, as I don’t know it in detail (if you do, please chip in, in the comments) but in the UK intercept evidence isn’t admissable in court – it can be used as part of an investigation, and to get information which is then obtained ‘again’ by means of a warrant (so it can be used in court), but you can’t use it towards a conviction.
All three of the UK’s major political parties have said they want to make intercept evidence available in court, but the intelligence agencies have long opposed it – so far, with success.
Question: 
Details may be protected by one or more ECIs and/or the secure BULLRUN COI
COI = Community of interest
So what does ECI stand for? The term is used frequently in the documents.
Answer: 
Ball: ECI stands for “Exceptionally Controlled Information” – it’s another level above top-secret, which keeps information to a very select group of individuals.
Question: 
In the face of the larger Snowden revelations, has The Guardian made any website changes, or critiqued business partners data usage, like Google and Facebook [for example how they may use the comments on this very page], in exploration of ways to insure, or at least enhance, TheGuardian.com users' privacy?
Answer: 
Ball: I can only really speak on this from the journalists’ perspective, as a reporter, but here I know we’re definitely thinking about what we can do to help make it clear how potential sources can communicate with us safely and securely (something we obviously think about anyway).
Obviously it’s something reporters have thought about for a long time, in terms of technical and legal protections (I use things like OTR, GPG email, etc, and have for several years), but I think in the wake of this particular story any responsible reporter at any outlet in the world should be reassessing what they do. I’d like to see outlets doing more to learn about security, train their staff in it, and I’d like to see outside groups doing more to help with training – and building new tools to help. It takes a village, and all that.