J. Appelbaum Speaks at Euro Parliament - Addresses issues of Privacy, Security, Encryption, Spying, and Govt Abuses of Journalists
You can watch his full speech here. It's about 25 minutes long.
Terrifying Quotes From This Speech:
"My family has been targeted. My partner woke up in the middle of the night with men with night vision goggles watching her sleep in her own home. These kinds of things are a part of press freedom in the United States now."
"Surveillance is not an end toward totalitarianism, it is totalitarianism itself. Limited in scope for the moment, but when the Golden Dawn [party] in Greece has access to these systems, with their racist ideology, what will happen?"
"These kinds of legal instruments are terrifying, in particular because they use the language of terrorism about Wikileaks, which is nonsense. Wikileaks is not terrorism, it is effective journalism."
"How do we detect this kind of surveillance? It's easy. Do you have a phone? You have a tracking device. You make a call? It was probably intercepted."
Full Transcript Below:
Thanks again, that's a tough act to follow. That report on Echelon that Duncan Campbell was involved in is very influential for me in learning about cryptography and in considering that there was hope for resisting surveillance, or that actual legislators cared about the surveillance. Not every single person thought it was legitimate for it to be secret.
A couple of things I wanted to do, I guess there's a ridiculous number of questions to answer and I'll try to sum up my answers as quickly and succinctly as possible. One thing I wanted to encourage is that this topic is very dense. It requires what we had in the Unites States called a Church Committee. We require a Church Committee in the United States again because we need subpoena power, we need the ability to ask the people who are in a position of power, who aren't in a political position, to answer specific questions. I'd like to encourage all of you to help. Help Myself or Duncan Campbell to get our dossiers from all of the relevant Intelligence Agencies in the world. If you'd like to see what the capabilities of these systems are, I assure you that between the two of us, we have some files that are worth reading. He has to consent, but I consent. Feel free to put it on the internet, as well.
That said, you mentioned the purpose. I think that the purpose is exactly as stated. The job of an Intelligence Agency is to assist with control, and slowing things down, as Allen said. The fundamental ways that this can help politicians, but in general it can help many different groups to have a kind of control. So, slowing down the publication so that you have more time to understand what's coming so that you can shred documents, so that you can change program names, so that you can find out if anybody inside is planning to leak anything by giving them an extra polygraph and firing them, or bringing them up on charges. I think, fundamentally, the purpose of surveillance systems is control. And that is exactly what we see these systems being used for. So, surveillance is not an end toward totalitarianism, it is totalitarianism itself. Limited in scope for the moment, but when the Golden Dawn [party] in Greece has access to these systems, with their racist ideology, what will happen? Well, it will be very different with or without surveillance systems. In the history of Europe, we've seen this in with the IBM punch-card system. Those punch-card system are the difference between millions of lives in France and in Holland. So, I think the purpose is clear; It's control. Now, what that control will be used for for the United States is very different than what it will be used for by the German services or by the Deutsche services. But we know at least in the United States that this surveillance data is used towards: Illegal Wars, Assassination of our own citizens without a trial, so in this sense, it's the ultimate kind of control, which includes the death penalty. So, that's also a kind of censorship - an extreme form.
And then to the German - Heir Foss - I think is his name, he wanted to know some of the usage and from what I can tell there is definitely Economic Espionage. The US actually claims that it stops Economic Espionage using this - which I think is fascinating. I'm not sure that that is true - I'm not exactly sure how to tell if that was true at all. I think it's something like "Your democratic process works great for you, but it doesn't work great for us - but trust us, we're helping you." It's definitely used for war. In my experience, personal, and professional, with my colleagues, it's used for political persecution - it's very clear. What to do to find balance? I think a key thing to understand here is: that we have a whole bunch of spies, which is to say generally criminals, who say that we need to use them as a vanguard for securing ourselves, and the way that we do that is that we leave ourselves intentionally insecure in hopes that they will protect us. But what we see in Germany is that the German Government says that German businesses, German people, they're on their own to protect themselves. And this is I think, not the right balance. If the network itself is insecure, if all networks by design are insecure, we have some serious problems. And that I think is not the right balance. I think in fact, when someone tells us that they're securing us that we should be secure. That's actually a fundamental prerequisite of that being an honest thing. And, to that end, Alberequet(sp?) had mentioned that question about collaboration between agencies. And, I think that there's a massive amount of collaboration between agencies. It's apparent by what has been said in public and in documents, and conversations that people have had with Snowden as well as other journalists that are involved in writing about these things. In the 20th century we could say that Intelligence Agencies were working for their States, against the rest of the States. These days it seems to be case that all the Intelligence Agencies are collaborating with each other against us. Which is terrifying, to say the least.
I was speaking with Laura Poitress(sp?) a couple of days ago, and she was suggesting to me that the about 70% of the SigInt intake comes from collaboration with companies. So that means that we could secure 70% of our data if we incentivise, if we create protection in the way that we actually communicate with businesses and with each other. It's not just a question of what happens when US or European Intelligence collaborates with each other, but what happens when the Chinese Govt compromises one of those companies? In Google's case, they were able to compromise, as I understand it, the FISA wiretap system inside of Google. So the Chinese were able to find out who the Foreign Intelligence Targets were in Google. So, it's not about whether or not we trust Google. It's about if we acknowledge that we don't get to make that choice, someone else gets to make that choice in regards to what the law or policy says.
So, what can we actually do? We need to actually secure ourselves. I have in my pocket a cryptographic telephone, which actually helpfully told me that there's some interception-like capabilities in this building - just a sidenote. It might be a bug, but maybe it's a feature. This phone, short of breaking into it when I make a phone call, no one here, short of a mathematical breakthrough, is going to be able to intercept it. I have a couple different encrypted text messaging services. I have the TOR project, Orbot, Progra, Cryptophone, Redphone, TextSecure. So, doing research into how to build decentralized, distributed, secure, systems that are freely specified, openly specified, with no backdoors, with no ability to coerce developers into including backdoors, to actually embrace liberal democracy and the idea that we have the right to speak freely, that is something which I think we really can do. It's not like a pipedream, or something we can do in the future. It exists right here, and you don't have it, probably. But why do I have it? Shouldn't you have this? I think the answer is yes, you should. And most of you don't, and most of you are, without question, targeted. So, but the point is not this specific device, because it's some prototype. The point is - every single person in the world should have that when they pick up their phone normally, and why is that not the case? And the answer is this fundamental tension between people that are supposed to be keeping us secure, and the way that they keep us secure is by keeping us insecure literally and technically. There was a different version of GSM constructed for export so that Intelligence Services could spy on some of those nations that would deploy it.
The Washington Post published a cost estimate. It was along the lines of 52.6 Billion Dollars a year. So since 9/11, more than half a trillion dollars. I don't think that it includes all intelligence activities, I don't think for example that the CIA torture & rendition flights were included in that budget.
There's so many terrifying aspects to the way some of the questions were asked - just as a meta-point. So, for example, do 5 eyes countries - UK, USA, New Zealand, Canada - Do they help each other out as a way to circumvent national laws? The answer to that is very clear - it's yes. There's a place in Washington DC where some British and American Intelligence agencies share a building, where it's a re-transmission of data between the two parties, that one party can intercept on one side, and the other party can intercept on the other. This is something that's worth looking into, I sort of hope Duncan will do that in his spare time.
Has the NSA compromised European computers? I'll just say yes to that, that is totally, completely, without question the case. I wouldn't think about it in terms of computers, I would think of it in terms of atomic power plants, hospitals, parliamentarians. I would be pretty upset about that. It's very serious, because when these guys are messing around with control systems, what happens when they accidentally do something to a control system and it fails? Who is responsible for that? Is that an act of war? Do they have any economic responsibility for that? So there's really serious consequences when we talk about that. There's a lot of talk about Chinese Hackers or Hacktivists and not a lot of talking about how if the Chinese are so terrible for having compromised a whole bunch of people and gotten caught - what are the NSA for having compromised everyone and having gotten away with it? I mean if the Chinese are concerning, It seems to follow that the NSA's compromise of these systems is actually more concerning.
There's a lot of psychological costs as well. I've been targeted by the United States Government for the last 4 years for my involvement with Wikileaks. I've been targeted by 2703D Orders, those are administrative subpoenas, sealed search warrants, probably if I knew I wouldn't be allowed to tell you - legal processes that if they were to exist I wouldn't be able to tell you about their existence. An FBI agent actually let me know once that at one point I did actually become aware of a National Security Letter, thus actually leaking that there was one. These kinds of legal instruments are terrifying, in particular because they use the language of terrorism about Wikileaks, which is nonsense. Wikileaks is not terrorism, it is effective journalism. In the case of indiscriminate document dumping, it's important to note that it was actually The Guardian who made that mistake, and not Wikileaks. Wikileaks took great steps to redact names. In fact, they were criticized heavily for that by the Free Information world, for taking the steps of redacting informants names. The State Dept. actually stopped using that talking point after accidentally leaking my name, which is worth talking about later. But this kind of thing does not end with technology. It's not just that my computers, phones, accounts have been compromised or targeted. My family has been targeted. My partner woke up in the middle of the night with men with night vision goggles watching her sleep in her own home. These kinds of things are a part of press freedom in the United States now. And they use the language of terrorism. So when detaining me and seizing my property, they have literally called me a terrorist. denied me access to a lawyer, denied me access to a bathroom, and literally threatened my life in various ways. There's tons of legal actions going on. But as a result of all that, I live in Germany now. Because it is better to be an immigrant in Berlin than it is to be a citizen in the United States. And you can look at Glen, who lives in Rio now, and Linda Poitress, who is my neighbor in Berlin, and you can see that people who are working on these types of issues as journalists, and you can see that their actions speak for themselves. Regardless of how brave they are in public, none of us are really in a hurry to go back to the United States and end up like Chelsea Manning. Or to end up like James Rissen. This is a huge problem, because Obama does not stick to his talking points about protecting journalists, and instead wiretaps them. The Dept. of Justice wiretaps them. And when Clapper lies under oath about NSA surveillance, we see exactly the same problem; total impunity for people, in some cases who are not even elected, and absolute ruthlessness for those targeted by them.
The only thing that I see that really seems to give me a lot of hope is that in Europe there is a huge debate about these things, and there's a really fantastically free press. Despite the fact that the 1st amendment is very good, there are many American publications who literally run their articles by the CIA before going to publish them. That is, what I believe Bill Keller did with the Wikileaks cables before going to publish them in the New York Times, and all due respect to the New York times, none to Bill Keller. This is the kind of thing I find really offensive. Working with Der Speiggel, you don't see that kind of collaboration, you see people who are in service to the truth. Who do verify these documents. Who are caring about what is actually happening. This is something that I wouldn't do from the United States again, at least not for a very long time.
We should also address the myth that this is a post 9/11 issue. It is not. The NSA has been doing this kind of widespread collection since before 9/11, including on US Citizens. There is a program called Shamrock which I would encourage you to look into. And also another program which was actually the FBI, it's called CoIntelPro, this is where they tried to blackmail Martin Luther King Jr. This is where they went after a number of people and the types of harassment that we see now, like what my partner experience with the night vision goggles or what I've experienced being detained at airports, or having blackbag jobs where people break into my house, but don't leave a note to even mention it. That kind of stuff is like CoIntelPro, except it also happens electronically. And now, unlike in the 70's, the US Government asserts that it is completely legal, and in some cases they might be correct thanks to things like the PATRIOT Act.
There's far too much for me to actually answer every single question, so I'll just be very brief.
When Obama says that we don't need to be afraid, first of all, it's insulting to every single one of you in the room. When he says to Americans "Don't worry, we don't spy on Americans." I think "What about every other human being on this planet?" And I apologize on behalf of my incredibly insulting President for saying that about each and every one of you, because that is not acceptable. He's also wrong, because in my experience with Wikileaks, Americans actually have more to be afraid of. The reason is that there is a system and culture of repression that is so total that in some cases, people will not pick up the phone to talk for fear of the meta-data linking that person to my telephone. So in the US I basically don't have a telephone that people know about. I have one for emergencies that is never powered on.
Is it used for coercion? Is data passed to autocratic regimes? Is it used to study groups? Is it used to disrupt? Yes, yes, and yes. Might they force or forge data? Absolutely. In fact, I've been detained at borders where they've let me know how utterly in trouble I was going to be but that they could not arrest me, which is a very fascinating thing. I'm not allowed to see this file, I'm not allowed to correct this file, I'm not allowed to know it. They've accidentally let me see the file while holding me in an interrogation cell. Their two-way mirror wasn't quite so good. In this case I said "hey, that data's wrong." They said "you can't see that data." I said "but I already did" They said "no, you didn't." "okay." So, clearly, someone makes mistakes, and whether or not it's an intentional mistake is a good question.
How do we detect this kind of surveillance? It's easy. Do you have a phone? You have a tracking device. You make a call? It was probably intercepted.
In some cases, the billing of your cellphone data is sent to Israeli billing companies where they are cut-rate, because the product is actually your social graph. They don't care at all about what they're doing, billing wise. So having some legislation where that kind of thing isn't possible would be a real useful thing to do.
The Wikileaks spyfile version 3 was just released yesterday and is continuing to be released now. This shows the techniques that corporations have and the marketplace, the multi-billion dollar marketplace for surveillance equipment. And it shows the complicity with many of those executives, about 20 of them were investigated by the Wikileaks counter-intelligence unit. The Wikileaks counter-intelligence unit found that many of them were traveling from Europe to repressive regimes to sell repressive regimes surveillance equipment. Including targeting people that I personally know who are journalists in Morroco.
Finally, I want to say, Privacy vs. Security is one of these points I keep hearing people touch on. I think it's absolutely critical to do away with this talking point. With all due respect, it's the wrong one. Privacy is actually a function of having security. It is not the case that we will have privacy by having no privacy. That does not make sense. By having a total surveillance state, we can't say that our data is private when we have things like LoveInt. For those of you not familiar, this is the NSA term for survileling your love interests. It's so frequent that they have a term for it, like SigInt. signals intelligence - love intelligence. It's sounds funny, but it's not if you've ever had somebody do something like that to you. I would say that it's actually about dignity, and agency, and liberty, and these concepts rest on the concepts of confidentiality, integrity, and authenticity, but most of all: consent. This is something that is not actually present in any of these systems. We're offered security, but we're actually given intentionally weakened systems that are exploited and used against us. This creates a horrible chilling effect.
Research and development in the European context to decentralize and secure these systems, and to recognize that it's not the exception that we need the security, but the rule that these systems should be secure.