Panel at PETS 2014: Privacy Enhancing Technologies Post-Snowden

Our plan for a panel on the implications of the disclosed NSA and GCHQ surveillance programs for PETs researchers is materializing. The panel will take place on the 17th of July in Amsterdam at the PETs Symposium. We expect to have a lively discussion with Susan Landau, Wendy Seltzer, Stephanie Hankey, Nadia Heninger and George Danezis. In fact, thanks to a blog post on “The Dawn of Cyber-Colonialism”, it is maybe better to state, George has already kicked off the discussion.

Great thanks goes out to the program committee who have supported the idea from the first minute, and to the general chair Hinde ten Berge, Jaap Henk Hoepman from the PI.lab, and NWO for their material support.

PETs Post-Snowden: Implications of the revelations of the NSA and GCHQ Surveillance Programs for the PETs community

Despite the entertainment value of program names like “egotistical giraffe”, “onion breath” and “moth monster”, the revelations about the NSA and GCHQ surveillance programs are more than troubling. Specifically, BullRun (attacks on crypto) and the egotistical series (attacks on Tor) pose challenges to the PETs community and the solutions they work on. This panel focuses on some of these challenges, discuss their implications for PETs researchers and practitioners, and explore ways forward.

According to some, the revelations show that law and policy have failed to protect citizens around the globe from surveillance. It falls, among others, upon the shoulders of the PETs community to build technical solutions that are resilient to “mass surveillance” practices. But while Edward Snowden announced that “crypto still works”, intelligence agencies will continue to find ways to work around it. So others have argued that technology is far from a complete answer and that working with policy and law is more necessary than ever. If so, the challenges here range from finding ways to convince policy makers that weakening the Internet for surveillance is not acceptable to actually regulating “good” security and “bad” surveillance practices.

Both positions are troubled by motions to prevent companies from applying secure designs that may be seen as obstructing law enforcement agencies from conducting investigations. Further, governments around the globe are likely to consider implementing “back doors” as well as utilizing zero-day exploits as a way to guarantee law enforcement and intelligence access. These aggressive policies raise questions about where PETs can and should live; and, how to guarantee that their design remains robust, e.g., by keeping the implementation open to scrutiny?

Simultaneously with the revelations, cybersecurity for critical infrastructures has gathered force. Governments around the globe now bring intelligence agencies, standards bodies, contractors as well as academic researchers around tables in order to align technical security issues with national security interests. Cybersecurity funding abounds, affecting research trajectories as well as what gets done. How are PETs researchers and practitioners to manage these increasingly politicized demands along national lines?

Finally, people in their everyday lives navigate the implications of the revelations about the surveillance programs as much as engineers and researchers. Prominent security engineers have favored prioritizing developing measures against mass surveillance rather than for targeted surveillance. How “targeted” end users may be impacted by the prioritization of protections against “mass surveillance” is unclear. And indeed, the distinction itself may not be as clear cut as some of its proponents suggest. In other words, the issues raised here beg the question as to how we can ensure that user interests can be a continuous part of the PETs community’s priorities?