“Our most paranoid friends were completely right”
We now know just how much of what happens on or near the internet is being catalogued by our government (basically, everything). Environmental activists have a history of drawing the attention of the surveillance-minded, especially if they are working in landscapes — forests, tar sands — that are financially valuable to someone.
I’ve been asking people to connect these dots. Some of the most interesting answers came from Ethan Zuckerman, director of the Center for Civic Media at MIT and co-founder of the international news blog Global Voices. As someone who works with activists around the world, Zuckerman has a unique take on the social and technological aspects of living under surveillance. He talked with me recently about how changes in the technological landscape have forced changes in privacy strategies.
Q. Were you at all surprised by the documents leaked by Edward Snowden?
A. Yes. And then recently we had the NSA revelations where we basically found out that our most paranoid friends were completely right, and that the worst scenarios that any of us could have imagined turned out to be true.
So there has been a really panicky moment in the security space. Even the most hyper-hyper technical and hyper-paranoid folks are having a great deal of trouble securing themselves.
Q. Based on what you know now, what advice would you give to a young activist who is worried about being under surveillance?
A. That’s not a good question. Everything is situational. Ten years ago, we would give very general security trainings. We would say, “OK, here’s this key. Here’s how you use it for email. OK, here’s how you wipe your hard drive.” It seemed like a really good thing. These days, we try to be very specific.
What are you doing? Who are you working with?
Q. Hm. Let’s say I’m a Keystone activist. I’m looking to chain myself to a pipeline without anyone finding out first.
A. In that case — that’s domestic, in the U.S. The NSA revelations show that there is a very broad pretext to search your records but there are ways to secure your communications.
PGP works. Or, I believe it is workable if implemented correctly. I would want to be sure that both ends of the conversation are as up to date as possible.
The trick with PGP is that once you start using it, it looks like you’re trading secrets. If suddenly a group of people start to use PGP all at once, it’s suspicious. You can spend a lot of time trying to be anonymous and still be found out.
It’s just the way of things right now that when you try to protect the content of your conversations you may be revealing the structure of your organization. If you’re going to use PGP, you need to use it to encrypt boring and routine communications too so that you aren’t showing a network map.
Also: If you were going to use PGP or OTR you would want to start using it and putting Silent Circle onto your mobile phones well in advance of whatever you’re planning.
Q. Silent Circle?
A. Another one of the communications tools we use. It was developed by Phil Zimmermann, who invented PGP. It’s not doing email but it’s doing voice chat and active chat. And it’s a pretty robust program.
As far as general, baseline security, the main organization is Tactical Tech. They’re really thoughtful. They distribute a lot of open tools, like Security-in-a-Box.
Another way is to do as much as possible in public. Do you need to do this in secret? Yes, if the NSA wants your communications and they’re trying to get it, they probably will get your communications.
But maybe that’s not the adversary you want to bother with. If you’re chaining yourself to a pipeline, well — you’re going to want a lot of people to be there. You’re going to want the media around.
Our lives are different than those of activist in the Sudan, Ethiopia, and Vietnam. The best response to people in the U.S. I think is still in the press and in the courts.
Q. OK. Say I’m an environmental activist interested in collaborating with activists in other countries.
A. You want to learn from who is the best in your particular country, or situation. Do you work in China? Talk to someone who works in China, who has government sponsored APT (Advanced Persistent Threat) hackers banging on their network day and night?
For maybe the last 10 years, the people working in technology and activism have been trying to assess the question of the threat model. And what I mean by that is that it’s really hard to secure your self against every possible attack. Even for the really technologically savvy.
So that has a really weird, chilling effect. Secrecy can be isolating. If you are a civil rights activist in Sudan or in Egypt knowing that someone is hearing your communications is relatively harmless compared to what else they could do.
So what we really try to do is say: What will this threat be? Who is trying to find you out? What can and can’t they do? And so we have for 10 or so years tried to get people to think about what are the steps they can take that are reasonable and that are sane and that make you a little bit safer, while understanding that we can’t guarantee complete safety.
Like Vietnam, one of my favorite repressive societies that no one talks about. We talked to pro-democracy activists on Skype there, before we knew that Skype was riddled with back doors. We were talking to them and they said, “Well, what do we do about the people who sit across the street from us and point these satellite dishes at our windows?” If someone is using a parabolic mic off the street to eavesdrop on you, there is nothing in the digital world that we can do to help you.
Q. So what advice do you give a person in that situation, then?
A. In countries like these, the risks are more about making sure someone knows what they’re getting into. It’s about helping someone isolate themselves from their friends and family in order to protect them. You are free to take these risks, but how do you constrain those risks for the people around you?
And knowing that people can potentially hear what you’re going to say has this really weird effect of — well, fuck it. I have friends in Egypt in gay rights groups who know how to encrypt and use PGP and they chose not to. It’s almost like they’re taunting the government. This is why surveillance is not a tech problem. It’s a combination of a technological and social problem. There are no straightforward answers.
Really, most leaks are social, not technological. There’s a saying in Zimbabwe: “Every boat leaks.” Someone gets drunk and they brag. Like in the case of Chelsea Manning. The problem was not with the security of WikiLeaks. It was that Manning started bragging in a chat room.
Even if you’re the one worried about security, maybe you are the leak. There is no such thing as a widely shared secret.