ZEIT ONLINE: You're doing research on government surveillance in countries like Bahrain and Syria. It was always easy to call these governments evil for spying on their own citizens. In the light of the NSA revelations: Is the U.S. government just as evil?
Morgan Marquis-Boire: We've seen countries all over the world deploy hacking techniques in order to gain visibility into the online communications of their citizens and opponents. There is much about the NSA revelations and reported activities of other governments that are certainly very worrying. As a global society, we’re learning about the pervasiveness of spying by Western governments at a level of detail that was previously unthinkable. But I tend not to call any governments evil or good. This is a binary distinction which I’m not particularly comfortable with.
ZEIT ONLINE: In your opinion: What is the scariest NSA revelation so far?
Marquis-Boire: It has been suggested that RSA accepted money from the NSA to adopt DUAL_EC_DRBG as a random number generator in their BSAFE product. This is widely and very credibly suspected of containing a subtle backdoor that allows the NSA to predict its output under certain conditions. The idea that the NSA is actively undermining the security of cryptographic products which are built to protect people is deeply troubling.
ZEIT ONLINE: What does this mean for dissidents or activists in countries like Syria, Bahrain or anywhere else – do they have to fear that the products they use to protect themselves and their communications are fundamentally broken and insecure in general? In other words: If the NSA can circumvent these protections, can other regimes do so, too?
Marquis-Boire: At the moment, the RSA situation is very murky, so suggesting that common tools have been tampered with by the NSA seems a little pre-emptive. I wish the NSA would clear this up, because it leads to reputational harm for companies that may not be able to defend themselves. While in theory backdoors should only be accessible by the agencies that created them, there has been considerable public discussion around the possibility that such backdoors might be discoverable by other actors. High-risk individuals, such as those who live in countries in conflict, have very pressing concerns around the security of their communications. This includes trusting the integrity of the tools they use. As a very basic piece of advice, I’d lean towards the recommending the use of open source software and tools, due to the difficulties with placing overt backdoors.
ZEIT ONLINE: Do you trust the U.S. government not to spy on U.S. citizens for unlawful reasons?
Marquis-Boire: History has shown that any mass government surveillance apparatus is likely to be abused.
ZEIT ONLINE: What about citizens of other countries? Citizen Lab's director Ron Deibert called them "fair game" for the NSA since they are even less protected by law than U.S. citizens are. Do we have to accept that?
Marquis-Boire: The Internet has changed the way we communicate and the way in which communications travel. We can now communicate in real-time with people all over the world. This is possible precisely because the Internet doesn't have physical borders. Creating artificial borders for the Internet to match national boundaries directly contradicts the Internet's architecture. In order to prevent the balkanization of the Internet, which would deplete all its benefits, governments will have to understand that the Internet belongs to all of us, and that traditional borders have to be re-examined.
ZEIT ONLINE: You're also working as a security engineer for Google. Did Silicon Valley ignore the rise of massive intercept technology for too long? Most companies don't even charge the government for its data requests and some, like Yahoo, are only beginning just now to encrypt their traffic by default.
Marquis-Boire: The surveillance problem has preoccupied the technology scene for decades. The Cypherpunk movement (out of which came anonymous remailers, The Tor Project, FreeNet, PGP, OTR, BitCoin, and many other technologies), was very concerned with free expression, privacy, and government monitoring. From the late 80s, they had warned about how surveillance technologies could be used for harm and why the failure to encrypt traffic was such a problem.