Slashdot Mirror


Ask Slashdot: What Will It Take To End Mass Surveillance?

Nicola Hahn writes: Both the White House and the U.S. Intelligence Community have recently announced reforms to surveillance programs sanctioned under Section 215 of the Patriot Act and Section 702 of the Foreign Intelligence Surveillance Act. But do these reforms represent significant restructuring or are they just bureaucratic gestures intended to create the perception that officials are responding to public pressure?

The Executive's own Privacy and Civil Liberties Oversight Board has written up an assessment (PDF) of reform measures implemented by the government. For those who want a quick summary the Board published a fact sheet (PDF) which includes a table listing recommendations made by the board almost a year ago and corresponding reforms. The fact sheet reveals that the Board's mandate to "end the NSA's bulk telephone records program" has not been implemented.

In other words, the physical infrastructure of the NSA's global panopticon is still in place. In fact, it's growing larger (PDF). So despite all of the press statements and associated media buzz very little has changed. There are people who view this as an unsettling indication of where society is headed. Ed Snowden claimed that he wanted to "trigger" a debate, but is that really enough? What will it take to tear down Big Brother?

2 of 239 comments

  1. Close, but the answer is encryption. by thesupraman · · Score: 5, Insightful

    The ONE thing they fear is effective encryption.

    It is a sad situation, because that will also get in the way of legitimate (and yes, it can exist) investigation, however that is the arms race they are forcing you into.
    NOT encryption-when-you-have-something-to-hide, but encryption of EVERYTHING, as standard operating principle.

    Right now exception is a nice bold flag to them that you should be monitored, however if even 20% of the population are regularly using it, that no longer works.

    We are starting to see some very small movements in the encryption systems to escape from the over-complex not interoperable situation they let themselves be pushed into, and THAT is a big part of the problem, but some people now get it, and in a few years we may well have a much better choice in the area of easy to use, interoperable, and open enough to be trustable encryption systems... and then the monitoring will work much less.

    They will of course still see who is 'communicating' with who for some forms of link, that will be the next step.. protect the content first.

    Like many things, the government's stupidity is going to make sensible law enforcement more difficult.
    Go USA! and all that.. sigh.

  2. Re:The answer is 42, er...I mean, encryption. by dgatwood · · Score: 5, Insightful

    Wide spread, end to end encryption would need to be implemented.

    Nice in theory. Not so much in practice. With crypto, the devil's in the details. Here are just a few of the hard problems:

    • Initial key exchange: How do you know whether that public key really belongs to the person you want to talk to? Physical exchange of a key? Key signature? Web of trust? Or just trust a service provider and hope for the best?
    • Key updates: Periodically, you'll need to upgrade to a longer key and a new cert. How do things work during that interim period?
    • Expired certs: At some point, those keys are going to be crackable. How long do you trust the expired certs for messages that have already been received?
    • Key revocation: How do you handle it in a way that ensures that it can't be readily blocked without also blocking the main data channel?
    • Key revocation: How do you handle the inevitable situation where someone's device dies and they don't have a copy of the original key at all?
    • Key storage: What sort of protection is in place to minimize the risk of the key leaking?
    • New devices: How do you migrate the key to new devices securely?
    • Ability to audit: How do you know that things really are being encrypted end-to-end? What about after the software gets updated?

    If it were easy to do it properly, end-to-end crypto would be ubiquitous.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.