How the NSA betrayed the world's trust -- time to act | Mikko Hypponen

407,266 views ・ 2013-11-07

TED



00:12
The two most likely largest inventions
00:17
of our generation
00:19
are the Internet and the mobile phone.
00:22
They've changed the world.
00:24
However, largely to our surprise,
00:28
they also turned out to be the perfect tools
00:32
for the surveillance state.
00:35
It turned out that the capability
00:38
to collect data, information and connections
00:42
about basically any of us and all of us
00:46
is exactly what we've been hearing
00:48
throughout of the summer through revelations and leaks
00:53
about Western intelligence agencies,
00:56
mostly U.S. intelligence agencies,
00:59
watching over the rest of the world.
01:02
We've heard about these starting with the
01:05
revelations from June 6.
01:09
Edward Snowden started leaking information,
01:12
top secret classified information,
01:14
from the U.S. intelligence agencies,
01:16
and we started learning about things like PRISM
01:18
and XKeyscore and others.
01:22
And these are examples of the kinds of programs
01:25
U.S. intelligence agencies are running right now,
01:29
against the whole rest of the world.
01:32
And if you look back about the forecasts
01:36
on surveillance by George Orwell,
01:40
well it turns out that
01:42
George Orwell was an optimist.
01:45
(Laughter)
01:47
We are right now seeing a much larger scale
01:50
of tracking of individual citizens
01:52
than he could have ever imagined.
01:56
And this here is the infamous
01:59
NSA data center in Utah.
02:03
Due to be opened very soon,
02:06
it will be both a supercomputing center
02:09
and a data storage center.
02:11
You could basically imagine it has a large hall
02:14
filled with hard drives storing data
02:16
they are collecting.
02:19
And it's a pretty big building.
02:21
How big? Well, I can give you the numbers --
02:23
140,000 square meters --
02:25
but that doesn't really tell you very much.
02:27
Maybe it's better to imagine it as a comparison.
02:31
You think about the largest IKEA store
02:33
you've ever been in.
02:35
This is five times larger.
02:38
How many hard drives can you fit in an IKEA store?
02:41
Right? It's pretty big.
02:43
We estimate that just the electricity bill
02:46
for running this data center
02:48
is going to be in the tens of millions of dollars a year.
02:51
And this kind of wholesale surveillance
02:54
means that they can collect our data
02:57
and keep it basically forever,
02:59
keep it for extended periods of time,
03:01
keep it for years, keep it for decades.
03:04
And this opens up completely new kinds of risks
03:08
to us all.
03:10
And what this is is that it is wholesale
03:13
blanket surveillance on everyone.
03:18
Well, not exactly everyone,
03:20
because the U.S. intelligence only has a legal right
03:24
to monitor foreigners.
03:26
They can monitor foreigners
03:28
when foreigners' data connections
03:30
end up in the United States or pass through the United States.
03:34
And monitoring foreigners doesn't sound too bad
03:37
until you realize
03:39
that I'm a foreigner and you're a foreigner.
03:42
In fact, 96 percent of the planet are foreigners.
03:46
(Laughter)
03:47
Right?
03:49
So it is wholesale blanket surveillance of all of us,
03:54
all of us who use telecommunications and the Internet.
03:58
But don't get me wrong:
04:00
There are actually types of surveillance that are okay.
04:05
I love freedom, but even I agree
04:08
that some surveillance is fine.
04:10
If the law enforcement is trying to find a murderer,
04:14
or they're trying to catch a drug lord
04:17
or trying to prevent a school shooting,
04:21
and they have leads and they have suspects,
04:23
then it's perfectly fine for them to tap the suspect's phone,
04:26
and to intercept his Internet communications.
04:30
I'm not arguing that at all,
04:32
but that's not what programs like PRISM are about.
04:34
They are not about doing surveillance on people
04:37
that they have reason to suspect of some wrongdoings.
04:41
They're about doing surveillance on people
04:42
they know are innocent.
04:46
So the four main arguments
04:48
supporting surveillance like this,
04:50
well, the first of all is that whenever you start
04:53
discussing about these revelations,
04:54
there will be naysayers trying to minimize
04:57
the importance of these revelations, saying that
04:59
we knew all this already,
05:01
we knew it was happening, there's nothing new here.
05:04
And that's not true. Don't let anybody tell you
05:07
that we knew this already, because we did not know this already.
05:13
Our worst fears might have been something like this,
05:17
but we didn't know this was happening.
05:19
Now we know for a fact it's happening.
05:22
We didn't know about this. We didn't know about PRISM.
05:24
We didn't know about XKeyscore. We didn't know about Cybertrans.
05:27
We didn't know about DoubleArrow.
05:29
We did not know about Skywriter --
05:31
all these different programs
05:33
run by U.S. intelligence agencies.
05:36
But now we do.
05:39
And we did not know
05:41
that U.S. intelligence agencies go to extremes
05:44
such as infiltrating standardization bodies
05:48
to sabotage encryption algorithms on purpose.
05:53
And what that means
05:55
is that you take something which is secure,
05:57
an encryption algorithm which is so secure
05:59
that if you use that algorithm to encrypt one file,
06:02
nobody can decrypt that file.
06:04
Even if they take every single computer on the planet just to decrypt that one file,
06:08
it's going to take millions of years.
06:11
So that's basically perfectly safe, uncrackable.
06:13
You take something which is that good
06:15
and then you weaken it on purpose,
06:17
making all of us less secure as an end result.
06:23
A real-world equivalent would be that
06:25
intelligence agencies would force
06:28
some secret pin code into every single house alarm
06:31
so they could get into every single house
06:32
because, you know, bad people might have house alarms,
06:35
but it will also make all of us
06:37
less secure as an end result.
06:39
Backdooring encryption algorithms
06:43
just boggles the mind.
06:46
But of course, these intelligence agencies are doing their job.
06:50
This is what they have been told to do:
06:52
do signals intelligence,
06:54
monitor telecommunications,
06:56
monitor Internet traffic.
06:57
That's what they're trying to do,
06:59
and since most, a very big part of the Internet traffic today is encrypted,
07:02
they're trying to find ways around the encryption.
07:04
One way is to sabotage encryption algorithms,
07:07
which is a great example
07:09
about how U.S. intelligence agencies
07:11
are running loose.
07:13
They are completely out of control,
07:15
and they should be brought back under control.
07:21
So what do we actually know about the leaks?
07:24
Everything is based on the files
07:26
leaked by Mr. Snowden.
07:29
The very first PRISM slides
07:32
from the beginning of June
07:34
detail a collection program where the data
07:36
is collected from service providers,
07:37
and they actually go and name the service providers
07:40
they have access to.
07:42
They even have a specific date
07:45
on when the collection of data began
07:47
for each of the service providers.
07:49
So for example, they name the collection from Microsoft
07:51
started on September 11, 2007,
07:55
for Yahoo on the March 12, 2008,
07:58
and then others: Google, Facebook,
08:01
Skype, Apple and so on.
08:04
And every single one of these companies denies.
08:07
They all say that this simply isn't true,
08:11
that they are not giving backdoor access to their data.
08:16
Yet we have these files.
08:20
So is one of the parties lying,
08:22
or is there some other alternative explanation?
08:25
And one explanation would be
08:28
that these parties, these service providers,
08:31
are not cooperating.
08:33
Instead, they've been hacked.
08:36
That would explain it. They aren't cooperating. They've been hacked.
08:39
In this case, they've been hacked by their own government.
08:44
That might sound outlandish,
08:46
but we already have cases where this has happened,
08:48
for example, the case of the Flame malware
08:51
which we strongly believe was authored
08:53
by the U.S. government,
08:55
and which, to spread, subverted the security
08:59
of the Windows Update network,
09:02
meaning here, the company was hacked
09:06
by their own government.
09:08
And there's more evidence
09:10
supporting this theory as well.
09:13
Der Spiegel, from Germany, leaked more information
09:17
about the operations run by the elite hacker units
09:21
operating inside these intelligence agencies.
09:24
Inside NSA, the unit is called TAO,
09:27
Tailored Access Operations,
09:28
and inside GCHQ, which is the U.K. equivalent,
09:32
it's called NAC, Network Analysis Centre.
09:36
And these recent leaks of these three slides
09:40
detail an operation
09:42
run by this GCHQ intelligence agency
09:45
from the United Kingdom
09:47
targeting a telecom here in Belgium.
09:51
And what this really means
09:53
is that an E.U. country's intelligence agency
09:57
is breaching the security
10:00
of a telecom of a fellow E.U. country on purpose,
10:04
and they discuss it in their slides completely casually,
10:08
business as usual.
10:10
Here's the primary target,
10:11
here's the secondary target,
10:13
here's the teaming.
10:14
They probably have a team building on Thursday evening in a pub.
10:18
They even use cheesy PowerPoint clip art
10:21
like, you know, "Success,"
10:23
when they gain access to services like this.
10:26
What the hell?
10:31
And then there's the argument
10:33
that okay, yes, this might be going on,
10:35
but then again, other countries are doing it as well.
10:37
All countries spy.
10:40
And maybe that's true.
10:41
Many countries spy, not all of them, but let's take an example.
10:44
Let's take, for example, Sweden.
10:46
I'm speaking of Sweden because Sweden
10:47
has a little bit of a similar law to the United States.
10:50
When your data traffic goes through Sweden,
10:52
their intelligence agency has a legal right by the law
10:55
to intercept that traffic.
10:57
All right, how many Swedish decisionmakers
11:00
and politicians and business leaders
11:03
use, every day, U.S.-based services,
11:06
like, you know, run Windows or OSX,
11:09
or use Facebook or LinkedIn,
11:11
or store their data in clouds like iCloud
11:15
or SkyDrive or Dropbox,
11:19
or maybe use online services like Amazon Web Services or sales support?
11:23
And the answer is, every single Swedish business leader does that every single day.
11:27
And then we turn it around.
11:28
How many American leaders
11:30
use Swedish webmails and cloud services?
11:35
And the answer is zero.
11:37
So this is not balanced.
11:39
It's not balanced by any means, not even close.
11:44
And when we do have the occasional
11:46
European success story,
11:48
even those, then, typically end up being sold to the United States.
11:52
Like, Skype used to be secure.
11:54
It used to be end-to-end encrypted.
11:57
Then it was sold to the United States.
11:59
Today, it no longer is secure.
12:01
So once again, we take something which is secure
12:04
and then we make it less secure on purpose,
12:06
making all of us less secure as an outcome.
12:12
And then the argument that the United States
12:15
is only fighting terrorists.
12:17
It's the war on terror.
12:18
You shouldn't worry about it.
12:20
Well, it's not the war on terror.
12:23
Yes, part of it is war on terror, and yes,
12:25
there are terrorists, and they do kill and maim,
12:28
and we should fight them,
12:29
but we know through these leaks
12:31
that they have used the same techniques
12:33
to listen to phone calls of European leaders,
12:37
to tap the email of residents of Mexico and Brazil,
12:40
to read email traffic inside the United Nations Headquarters and E.U. Parliament,
12:45
and I don't think they are trying to find terrorists
12:48
from inside the E.U. Parliament, right?
12:51
It's not the war on terror.
12:53
Part of it might be, and there are terrorists,
12:57
but are we really thinking about terrorists
13:00
as such an existential threat
13:02
that we are willing to do anything at all to fight them?
13:06
Are the Americans ready to throw away the Constitution
13:09
and throw it in the trash just because there are terrorists?
13:13
And the same thing with the Bill of Rights and all the amendments
13:16
and the Universal Declaration of Human Rights
13:18
and the E.U. conventions on human rights and fundamental freedoms
13:23
and the press freedom?
13:25
Do we really think terrorism is such an existential threat,
13:29
we are ready to do anything at all?
13:34
But people are scared about terrorists,
13:37
and then they think that maybe that surveillance is okay
13:39
because they have nothing to hide.
13:41
Feel free to survey me if that helps.
13:44
And whoever tells you that they have nothing to hide
13:47
simply hasn't thought about this long enough.
13:54
(Applause)
14:00
Because we have this thing called privacy,
14:03
and if you really think that you have nothing to hide,
14:05
please make sure that's the first thing you tell me,
14:07
because then I know
14:09
that I should not trust you with any secrets,
14:10
because obviously you can't keep a secret.
14:17
But people are brutally honest with the Internet,
14:20
and when these leaks started,
14:23
many people were asking me about this.
14:25
And I have nothing to hide.
14:27
I'm not doing anything bad or anything illegal.
14:30
Yet, I have nothing that I would in particular
14:33
like to share with an intelligence agency,
14:35
especially a foreign intelligence agency.
14:40
And if we indeed need a Big Brother,
14:42
I would much rather have a domestic Big Brother
14:46
than a foreign Big Brother.
14:49
And when the leaks started, the very first thing I tweeted about this
14:54
was a comment about how,
14:56
when you've been using search engines,
14:58
you've been potentially leaking all that to U.S. intelligence.
15:02
And two minutes later, I got a reply
15:03
by somebody called Kimberly from the United States
15:06
challenging me, like, why am I worried about this?
15:08
What am I sending to worry about this? Am I sending naked pictures or something?
15:12
And my answer to Kimberly was
15:14
that what I'm sending is none of your business,
15:17
and it should be none of your government's business either.
15:21
Because that's what it's about. It's about privacy.
15:24
Privacy is nonnegotiable.
15:25
It should be built in to all the systems we use.
15:31
(Applause)
15:38
And one thing we should all understand
15:41
is that we are brutally honest with search engines.
15:46
You show me your search history,
15:48
and I'll find something incriminating
15:51
or something embarrassing there in five minutes.
15:54
We are more honest with search engines
15:56
than we are with our families.
15:58
Search engines know more about you
16:00
than your family members know about you.
16:03
And this is all the kind of information we are giving away,
16:06
we are giving away to the United States.
16:10
And surveillance changes history.
16:12
We know this through examples of corrupt presidents like Nixon.
16:16
Imagine if he would have had the kind of surveillance tools that are available today.
16:20
And let me actually quote
16:22
the president of Brazil, Ms. Dilma Rousseff.
16:26
She was one of the targets of NSA surveillance.
16:29
Her email was read, and she spoke
16:31
at the United Nations Headquarters, and she said,
16:34
"If there is no right to privacy,
16:36
there can be no true freedom of expression and opinion,
16:39
and therefore, there can be no effective democracy."
16:44
That's what it's about.
16:46
Privacy is the building block of our democracies.
16:52
And to quote a fellow security researcher, Marcus Ranum,
16:56
he said that the United States is right now treating the Internet
16:59
as it would be treating one of its colonies.
17:02
So we are back to the age of colonization,
17:05
and we, the foreign users of the Internet,
17:08
we should think about Americans as our masters.
17:15
So Mr. Snowden, he's been blamed for many things.
17:18
Some are blaming him for causing problems
17:21
for the U.S. cloud industry and software companies with these revelations --
17:24
and blaming Snowden for causing problems for the U.S. cloud industry
17:29
would be the equivalent of blaming Al Gore
17:31
for causing global warming.
17:33
(Laughter)
17:36
(Applause)
17:43
So, what is there to be done?
17:50
Should we worry? No, we shouldn't worry.
17:51
We should be angry, because this is wrong,
17:54
and it's rude, and it should not be done.
17:57
But that's not going to really change the situation.
17:59
What's going to change the situation for the rest of the world
18:02
is to try to steer away
18:04
from systems built in the United States.
18:07
And that's much easier said than done.
18:10
How do you do that?
18:11
A single country, any single country in Europe
18:13
cannot replace and build replacements
18:16
for the U.S.-made operating systems and cloud services.
18:19
But maybe you don't have to do it alone.
18:21
Maybe you can do it together with other countries.
18:22
The solution is open source.
18:26
By building together open, free, secure systems,
18:31
we can go around such surveillance,
18:34
and then one country doesn't have to solve the problem by itself.
18:38
It only has to solve one little problem.
18:40
And to quote a fellow security researcher, Haroon Meer,
18:46
one country only has to make a small wave,
18:49
but those small waves together become a tide,
18:52
and the tide will lift all the boats up at the same time,
18:56
and the tide we will build
18:57
with secure, free, open-source systems,
19:01
will become the tide that will lift all of us
19:03
up and above the surveillance state.
19:09
Thank you very much.
19:11
(Applause)