How the NSA betrayed the world’s trust — time to act | Mikko Hypponen

The two most likely largest inventions of our generation are the Internet and the mobile phone. They’ve changed the world. However, largely to our surprise, they also turned out to be the perfect tools for the surveillance state. It turned out that the capability to collect data, information and connections about basically any of us and all of us is exactly what we’ve been hearing throughout of the summer
through revelations and leaks about Western intelligence agencies, mostly U.S. intelligence agencies, watching over the rest of the world. We’ve heard about these starting with the revelations from June 6. Edward Snowden started leaking information, top secret classified information, from the U.S. intelligence agencies, and we started learning about things like PRISM and XKeyscore and others. And these are examples of the kinds of programs U.S. intelligence agencies are running right now, against the whole rest of the world. And if you look back about the forecasts on surveillance by George Orwell, well it turns out that George Orwell was an optimist. (Laughter) We are right now seeing a much larger scale of tracking of individual citizens than he could have ever imagined. And this here is the infamous NSA data center in Utah. Due to be opened very soon, it will be both a supercomputing center and a data storage center. You could basically imagine it has a large hall filled with hard drives storing data they are collecting. And it’s a pretty big building. How big? Well, I can give you the numbers — 140,000 square meters — but that doesn’t really tell you very much. Maybe it’s better to imagine it as a comparison. You think about the largest IKEA store you’ve ever been in. This is five times larger. How many hard drives can you fit in an IKEA store? Right? It’s pretty big. We estimate that just the electricity bill for running this data center is going to be in the tens of millions of dollars a year. And this kind of wholesale surveillance means that they can collect our data and keep it basically forever, keep it for extended periods of time, keep it for years, keep it for decades. And this opens up completely new kinds of risks to us all. And what this is is that it is wholesale blanket surveillance on everyone. Well, not exactly everyone, because the U.S. intelligence only has a legal right to monitor foreigners. 
They can monitor foreigners when foreigners’ data connections end up in the United States or pass
through the United States. And monitoring foreigners doesn’t sound too bad until you realize that I’m a foreigner and you’re a foreigner. In fact, 96 percent of the planet are foreigners. (Laughter) Right? So it is wholesale blanket surveillance of all of us, all of us who use telecommunications and the Internet. But don’t get me wrong: There are actually types
of surveillance that are okay. I love freedom, but even I agree that some surveillance is fine. If the law enforcement is trying to find a murderer, or they’re trying to catch a drug lord or trying to prevent a school shooting, and they have leads and they have suspects, then it’s perfectly fine for them
to tap the suspect’s phone, and to intercept his Internet communications. I’m not arguing that at all, but that’s not what programs like PRISM are about. They are not about doing surveillance on people that they have reason
to suspect of some wrongdoings. They’re about doing surveillance on people they know are innocent. So the four main arguments supporting surveillance like this, well, the first of all is that whenever you start discussing about these revelations, there will be naysayers trying to minimize the importance of these revelations, saying that we knew all this already, we knew it was happening, there’s nothing new here. And that’s not true. Don’t let anybody tell you that we knew this already,
because we did not know this already. Our worst fears might have been something like this, but we didn’t know this was happening. Now we know for a fact it’s happening. We didn’t know about this.
We didn’t know about PRISM. We didn’t know about XKeyscore.
We didn’t know about Cybertrans. We didn’t know about DoubleArrow. We did not know about Skywriter — all these different programs run by U.S. intelligence agencies. But now we do. And we did not know that U.S. intelligence agencies go to extremes such as infiltrating standardization bodies to sabotage encryption algorithms on purpose. And what that means is that you take something which is secure, an encryption algorithm which is so secure that if you use that algorithm to encrypt one file, nobody can decrypt that file. Even if they take every single computer on the planet just to decrypt that one file, it’s going to take millions of years. So that’s basically perfectly safe, uncrackable. You take something which is that good and then you weaken it on purpose, making all of us less secure as an end result. A real-world equivalent would be that intelligence agencies would force some secret pin code into every single house alarm so they could get into every single house because, you know, bad people
might have house alarms, but it will also make all of us less secure as an end result. Backdooring encryption algorithms just boggles the mind. But of course, these intelligence agencies
are doing their job. This is what they have been told to do: do signals intelligence, monitor telecommunications, monitor Internet traffic. That’s what they’re trying to do, and since most, a very big part
of the Internet traffic today is encrypted, they’re trying to find ways around the encryption. One way is to sabotage encryption algorithms, which is a great example about how U.S. intelligence agencies are running loose. They are completely out of control, and they should be brought back under control. So what do we actually know about the leaks? Everything is based on the files leaked by Mr. Snowden. The very first PRISM slides from the beginning of June detail a collection program where the data is collected from service providers, and they actually go and name the service providers they have access to. They even have a specific date on when the collection of data began for each of the service providers. So for example, they name
the collection from Microsoft started on September 11, 2007, for Yahoo on the March 12, 2008, and then others: Google, Facebook, Skype, Apple and so on. And every single one of these companies denies. They all say that this simply isn’t true, that they are not giving
backdoor access to their data. Yet we have these files. So is one of the parties lying, or is there some other alternative explanation? And one explanation would be that these parties, these service providers, are not cooperating. Instead, they’ve been hacked. That would explain it. They aren’t cooperating. They’ve been hacked. In this case, they’ve been hacked
by their own government. That might sound outlandish, but we already have cases where this has happened, for example, the case of the Flame malware which we strongly believe was authored by the U.S. government, and which, to spread, subverted the security of the Windows Update network, meaning here, the company was hacked by their own government. And there’s more evidence supporting this theory as well. Der Spiegel, from Germany, leaked more information about the operations run by the elite hacker units operating inside these intelligence agencies. Inside NSA, the unit is called TAO, Tailored Access Operations, and inside GCHQ, which is the U.K. equivalent, it’s called NAC, Network Analysis Centre. And these recent leaks of these three slides detail an operation run by this GCHQ intelligence agency from the United Kingdom targeting a telecom here in Belgium. And what this really means is that an E.U. country’s intelligence agency is breaching the security of a telecom of a fellow E.U. country on purpose, and they discuss it in their slides completely casually, business as usual. Here’s the primary target, here’s the secondary target, here’s the teaming. They probably have a team building
on Thursday evening in a pub. They even use cheesy PowerPoint clip art like, you know, “Success,” when they gain access to services like this. What the hell? And then there’s the argument that okay, yes, this might be going on, but then again, other countries are doing it as well. All countries spy. And maybe that’s true. Many countries spy, not all of them,
but let’s take an example. Let’s take, for example, Sweden. I’m speaking of Sweden because Sweden has a little bit of a similar law to the United States. When your data traffic goes through Sweden, their intelligence agency has a legal right by the law to intercept that traffic. All right, how many Swedish decisionmakers and politicians and business leaders use, every day, U.S.-based services, like, you know, run Windows or OSX, or use Facebook or LinkedIn, or store their data in clouds like iCloud or Skydrive or DropBox, or maybe use online services like
Amazon web services or sales support? And the answer is, every single Swedish
business leader does that every single day. And then we turn it around. How many American leaders use Swedish webmails and cloud services? And the answer is zero. So this is not balanced. It’s not balanced by any means, not even close. And when we do have the occasional European success story, even those, then, typically end up being sold
to the United States. Like, Skype used to be secure. It used to be end-to-end encrypted. Then it was sold to the United States. Today, it no longer is secure. So once again, we take something which is secure and then we make it less secure on purpose, making all of us less secure as an outcome. And then the argument that the United States is only fighting terrorists. It’s the war on terror. You shouldn’t worry about it. Well, it’s not the war on terror. Yes, part of it is war on terror, and yes, there are terrorists, and they do kill and maim, and we should fight them, but we know through these leaks that they have used the same techniques to listen to phone calls of European leaders, to tap the email of residents of Mexico and Brazil, to read email traffic inside the United Nations Headquarters and E.U. Parliament, and I don’t think they are trying to find terrorists from inside the E.U. Parliament, right? It’s not the war on terror. Part of it might be, and there are terrorists, but are we really thinking about terrorists as such an existential threat that we are willing to do anything at all to fight them? Are the Americans ready
to throw away the Constitution and throw it in the trash just because there are terrorists? And the same thing with the Bill of Rights and all the amendments and the Universal Declaration of Human Rights and the E.U. conventions on human rights and fundamental freedoms and the press freedom? Do we really think terrorism is such an existential threat, we are ready to do anything at all? But people are scared about terrorists, and then they think that
maybe that surveillance is okay because they have nothing to hide. Feel free to survey me if that helps. And whoever tells you that they have nothing to hide simply hasn’t thought about this long enough. (Applause) Because we have this thing called privacy, and if you really think that you have nothing to hide, please make sure that’s the first thing you tell me, because then I know that I should not trust you with any secrets, because obviously you can’t keep a secret. But people are brutally honest with the Internet, and when these leaks started, many people were asking me about this. And I have nothing to hide. I’m not doing anything bad or anything illegal. Yet, I have nothing that I would in particular like to share with an intelligence agency, especially a foreign intelligence agency. And if we indeed need a Big Brother, I would much rather have a domestic Big Brother than a foreign Big Brother. And when the leaks started,
the very first thing I tweeted about this was a comment about how, when you’ve been using search engines, you’ve been potentially leaking all that
to U.S. intelligence. And two minutes later, I got a reply by somebody called Kimberly from the United States challenging me, like, why am I worried about this? What am I sending to worry about this?
Am I sending naked pictures or something? And my answer to Kimberly was that what I’m sending is none of your business, and it should be none
of your government’s business either. Because that’s what it’s about. It’s about privacy. Privacy is nonnegotiable. It should be built in to all the systems we use. (Applause) And one thing we should all understand is that we are brutally honest with search engines. You show me your search history, and I’ll find something incriminating or something embarrassing there in five minutes. We are more honest with search engines than we are with our families. Search engines know more about you than your family members know about you. And this is all the kind
of information we are giving away, we are giving away to the United States. And surveillance changes history. We know this through examples
of corrupt presidents like Nixon. Imagine if he would have had the kind
of surveillance tools that are available today. And let me actually quote the president of Brazil, Ms. Dilma Rousseff. She was one of the targets of NSA surveillance. Her email was read, and she spoke at the United Nations Headquarters, and she said, “If there is no right to privacy, there can be no true freedom
of expression and opinion, and therefore, there can be no effective democracy.” That’s what it’s about. Privacy is the building block of our democracies. And to quote a fellow security researcher, Marcus Ranum, he said that the United States
is right now treating the Internet as it would be treating one of its colonies. So we are back to the age of colonization, and we, the foreign users of the Internet, we should think about Americans as our masters. So Mr. Snowden, he’s been blamed for many things. Some are blaming him for causing problems for the U.S. cloud industry
and software companies with these revelations — and blaming Snowden for causing problems
for the U.S. cloud industry would be the equivalent of blaming Al Gore for causing global warming. (Laughter) (Applause) So, what is there to be done? Should we worry. No, we shouldn’t worry. We should be angry, because this is wrong, and it’s rude, and it should not be done. But that’s not going to really change the situation. What’s going to change the situation
for the rest of the world is to try to steer away from systems built in the United States. And that’s much easier said than done. How do you do that? A single country, any single country in Europe cannot replace and build replacements for the U.S.-made operating systems
and cloud services. But maybe you don’t have to do it alone. Maybe you can do it together with other countries. The solution is open source. By building together open, free, secure systems, we can go around such surveillance, and then one country doesn’t have
to solve the problem by itself. It only has to solve one little problem. And to quote a fellow security researcher, Haroon Meer, one country only has to make a small wave, but those small waves together become a tide, and the tide will lift all the boats up at the same time, and the tide we will build with secure, free, open-source systems, will become the tide that will lift all of us up and above the surveillance state. Thank you very much. (Applause)


100 thoughts on “How the NSA betrayed the world’s trust — time to act | Mikko Hypponen”

  • Jacopo Casasole says:

    Awesome 😀 i thought nooo this would never work but when i tried it i was like OMFG :O ITS ACTUALLY WORKED!!!

  • Thank you. I don't think honestly there is much to do about it though. Even if you make a local Internet in every country and a local Microsoft and a local Skype and so on, in every single country, the NSA and its brethren will have hacked it before it even leaves Alpha level programming. It's all they do, all day and all night. If we invent mental telepathy for private conversations, the NSA will employ telepaths that intercept your thoughts. I don't see a win anywhere. But for the record, I totally agree with you that it is wrong wrong wrong.

  • The slides he's talking about are on cryptome(dot)org and eff(dot)org as well as underground sites, which by the way do not harbour child photos or weapons. That is sensationalism used by media and users (trolls) to filter narrow minded people from disturbing the freedom of expression that exists underground.

  • But the evidence is in front of your eyes. For example the collect history checkbox is unticked on my youtube settings but it still collects history. This can also be seen in your browser with the disable javascript function. You can't blame them, it's our responsibility to check. Most of us are grown adults.

  • I started a blog with 3 posts and already had 200 views within an hour all from the US and one from Poland on the day I was setting it up. While the posts all had 0 views. I didn't touch the blog for a week and there were 0 views when I wasn't on it. I checked my computer for viruses and there were none.

  • About "I got nothing to hide" – whoever thinks this is OK is wrong, very wrong. I work from Serbia for one Swedish company on internal tools as a programmer. Boss wanted to know how efficient his sales personnel is so he tasked me to make some sort of reports yet each report would base its resources ONLY on regular input data they leave in system. No mail tracking, no IM tracking – nothing. Turns out, with the data they leave in the system (which company they called, how many times, how many calls, meetings scheduled, made, being logged into a system) I was able to reconstruct several dynamic report types. One report is not enough but when we look upon several reports for one individual. Even making really good estimation what they are doing when they do not leave the data into a system (going to pick up a kid, have a smoke/coffee/breakfast, distinct general idling from being incompetent to work…) One of them noticed that boss always knows how they are performing and pressed the boss that we give him rights to see those reports. So he had meeting with me and after I explained to him purpose of each report he said only this "You who are thousands kilometres away know how I work here!". Yes, that was truth, but he wasn't pleased yet he understood I made that since boss told me to do so. Remember, no mail tracking, no IM spying or phone tapping. And that is only through one program that did nothing especially spy-like or being spyware except one thing – when they are using system (for example I needed to distinct when they leave system running while being away from PC and browsing data in the system). This guy pressed boss to refrain himself from using these reports and instead think other ways to track efficiency of his sales personnel. And we did that! He changed the way he is paying them and payment was based on the signed contracts they bring in company.
Now, we don't care about original reports, we don't care when they take smoke/coffee/breakfast or go to pick up kid or simply slack – we care only about final efficiency – money they bring in company. Which I think it is more correct. Even though they never put in system "I will have breakfast" I knew this info and that is not right. So refrain yourself from "I got nothing to hide" and do know there is always another way.

    We leave data on the net daily (AND WILLINGLY!) and every data can be reconstructed to give image of particular person what's that person doing. If they want to fight for terrorism, they don't need to put noses in our daily lives with whom we cheat our spouse and what kind of furniture we prefer.

  • I agree with a lot….  But not Nixon.  I like Nixon.  He got the US out of Vietnam.   That was much more important than Watergate.   Besides there are much more blatant RECENT scandals that make Watergate pale in comparison.  Yet nothing is done.

  • This can be understood both ways. NSA can not only monitor history but after you're long dead or forgotten or both, they can REWRITE history. You as an individual are insignificant and a future misinformed generation of individuals as a whole are priceless.

  • Brilliant. Hypponen, Snowden and others like them are opening the world's eyes to the most critical issue of our time.

  • People should consider how people act in crowds, like head-less chickens. 
    Don't claim people are some kind of highly rational or logical beings, because most people are not. You really think NSA just started one day, like "Let's do some surveillance!", no it comes out of an understanding of human nature, terrorism is just a simple framework for explaining why they do it, people don't want to be called stupid by their government. The fact that people do not act in the light of these revelations (and the misinterpretation of these revelations) is just proving the previously stated.

  • The problem is not the fact that it disgraces our privacy as a whole (which mind you is one of the most basic human rights to ever exist) it is also the fact that nobody anywhere on the face of this planet should be granted the ability to have such great power at such great convenience. Not only because it will be abused & will always be abused, but because of the fact that it is abused.

  • So it is okay that Sweden has the same surveillance policies as the US because they do not make as popular/useful software? Or the US should be punished and have more limited surveillance options than Sweden because of the popularity of its creations?

    Also, you do not know what it means to be an American and have gone through September 11th, 2001. Do not suppose that you know what are "reasonable" lengths for the US to go to when looking for terrorists. 

  • The search engine theory is right on the money, I can't believe how much you can learn about another human by simply scrolling through his search history. My God, were we fools to allow this to happen…

  • This is an interesting perspective on American surveillance. I think foreign countries are correct in their attempts to separate from the U.S. surveillance state, and I hope that in doing so they will persuade Americans to take a better look at why they continue to live under it. I also think he hit the solution right on with open source, and I hope an international open source movement will also bring American citizens along with it in a pursuit of a better Internet.

  • Joseph Landreth says:

    USA watching the rest of the world, for what reason lol? Meanwhile China is watching us and always now is 2 steps ahead of us.

  • RobinHoodFox74 says:

    Saying "I don't care about NSA spying on me because I have nothing to hide" is like saying "I don't care about free speech because I have nothing to say"

  • In Conclusion, NSA – Path to new World Order, The Illuminati.

    NSA do not have the "rights" for everyone. Everyone either has their rights or no rights.
    End of Story.

  • ./echo.set("If you all knew. First the PRISM decoy, then Northern Lights, now… me.");
    Level of control: Irrelevant.

  • A good talk, angry, but also informed and thoughtful; how, in using and becoming dependent on US computer technology, we have become surveyed en masse and thus their colonial subjects.

  • I am afraid we are all already pwn3d, even if we use theoretically secure Open Source Software.
    The modern computers all use huge UEFIs and all the modern hard drives have huge user-inaccessible partitions, that can be easily used to install sophisticated penetration software to any computer, even run by the secure software with encryption enabled.
    This way nobody can be safe (apart from the terrorist – they do not use computers and cell phones when preparing attack) – and this cannot be easily by-passed.
    I believe that the European Parliament has got a lot to do about it, as Europe does not produce safe motherboards or hard disk drives – so we are completely vulnerable.
    We all use imported devices, and all them are designed to allow the USA government agencies to spy on us.
    This should not be acceptable and this should not be left ignored

  • generally a great presentation but I can't help but wonder how on earth he thinks open sourcing is going to help the matter. at the end of the day you still need a server to store the data somewhere and to enable quick access to the people in north america (note that this includes foreigners) there would need to be at least one US server. I would imagine a more practical solution is the usage of proper encryption methods and TOR networks etc to circumvent the surveillance.

  • Jean-Louis Blackburn says:

    One point that needs to be made is that information gained from this surveillance is not for the government, but for individuals and their parties. The government doesn't need all that info, but political parties do. If the info were only used by the government, this wouldn't be a threat, because it's so boring, no civil servant wants to study it.

    So yeah, Snowden's revelations are quite important. The way to find the culprit, as with Watergate, is look for who would benefit from the info being collected and find the point where it crosses from government into private interest. Then use the government's own power to apprehend those people.

  • Kind of a smart thing really. The civilian population doing espionage. Everything is on google or YouTube. You can just pick what you want from there.

  • Alejandro Moreno S. says:

    It seems like this is especially relevant recently, where the FBI has been trying to hack the iPhone because they couldn't force Apple to help them.

  • I enjoy listening to this guy, and he makes me feel good about having purchased F-Secure. I also have their booster and VPN app and Windows application. Call me paranoid, but I rather be safe than sorry.

  • Mikko, why did you not mention state sponsored Russian and Chinese surveillance and hacking and more? Blame all at fault not just one country.

  • pathologicaldoubt says:

    the argument that we shouldn't be spying on other countries is bogus. the issue should be focused on the american people

  • Peter Mikoláš says:

    Paranoia or not? Does anybody know personally someone who was harmed by NSA? Otherwise:

  • The problem with American society is that the majority of our population is too stupid to realize that the government and large corporations lie or severely blow things out of proportion to advance their agenda. The propaganda that is fed to us capitalizes on fear letting them pass whatever laws and policies to give them a false sense of security.

    and no no no.
    No domestic big brother either, that's the fallacy of the middle ground, like one entity wants to take your house, you want to keep your home solution, you lose half the ownership of your house, is not a solution. With of course here a local big brother can be as worse as a foreign one, eg takes the whole house any way. As a tiny note in lacking argumentation

  • I can't help but think it is a bit naive for him to conclude that every other country should cooperatively build a system to surpass NSA, especially when he suggests that the solution should be open source, it just gets messy for average consumers. Also such systems would very likely become the infrastructure of worldwide surveillance. He specifically said he would not deny that many other countries are spying either, so why would he come up with such conclusion?

    There are many ways for the US to combat this as well, as most mainstream software are developed by US companies, they could either boycott developing applications for this utopian operating system or open back-doors in these applications.

  • he totally skipped over the fact that these commercial entities that the NSA is mining for information are the architects of the data collecting, and they are less scrupulous about how that data is used than the NSA is…

  • Mikko, love ya but the NSA does NOT exist to have the trust of the world. It is an intel branch of the US gov and acts accordingly. If a foreigner puts data through a US gov controlled piece of equip, you better encrypt it or it WILL be read by the US Gov.

  • The fear-mongering and disinformation spread in the video, is far too damn high!
    FAA Section 702 ONLY targets NON-US persons, located OUTSIDE the US.
    FISC opinions note this, PCLOB notes this, leaks note this, the White paper notes this, the SSCI etc note this, etc.
    It is TARGETED intercepts of communications, on SPECIFIC individuals, such as state actors and terrorists.

  • Silverhand290 says:

    Too bloody right. I have to put a piece of tape over the webcam in my laptop so the NSA can't see me smoking my crack pipe. (and/or masturbating)

  • Michael Martin says:

    Satan would invade the privacy of the confessional. Of course he cannot forgive sin. But he can and will use everything learned in the most horrible way. "Who is like unto God"?

  • The thing is that, I don’t know why humans make pollution and destroy themselves, I don’t know why humans SPY on each other… I just don’t get this..

  • Zion Thomas-Harmon says:

    Why does everyone seem to forget GCHQ, he mentioned it, but briefly, their surveillance programs, especially Tempora, are far worse than NSA's. Mass surveillance has little to do with jurisdiction, the internet is a global network, American data ends up on servers in Japan, British data ends up on servers in the US, let us not forget that the United States is also home to companies and software like Lavabit, the email Snowden used, and Spider Oak, a zero knowledge cloud storage platform, Facebook, Google, Twitter, Dropbox, these companies may be headquartered in the US but they are international. Approaching this as an us vs America issue is short sighted and wrong headed, this is a governed vs governing issue. Every country does it, especially the major nations that are part of the 5, 9, and 14 eyes alliances. Data on the internet is everywhere and nowhere.

  • David Fitzpatrick says:

    nothing has changed in the American terrorist police state regime since the late 1940's …. the freedom Joseph Stalin and his countrymen gave the World by defeating Nazism at an enormous human cost to their Motherland, the Soviet Union, has been hijacked by this boorish american rat nation to the detriment of all of us. Time for an online and comms revolution …. this man has shown one path to achieve this. There are other paths of course ……

  • Shaun Weavers says:

    I care that a friggin American Organisation can get off coming into a Canadian cell phone ip on Canadian soil. listen in and act on it and the government here or CSIS do nothing. I have nothing to hide either but I don't like my convo's coming out the mouths of other people in another country or actions then taken by that country. I'm spiritual and depend on privacy and autonomy for ease of discerning spirits. this abuse just creates problems for guys like me. It's a clear menace and malice gone AMOK!

  • apparently US is ready to throw away the constitution. Govt contractors are targeting citizens with directed energy weapons. Check it out

  • As a patriot of this country I would like to reiterate to everybody here on this platform, be careful what you say because what these platforms are is to profile you by the NSA and if they don't like your political views or religious beliefs you can become a targeted individual they've weaponized homes and they can send frequencies right to your house and I suspect probably right from the NSA building in Utah right to your home so be careful what you say.

  • Alacoque Gervais says:

    That's why I use vpn to get rid of government snooping around my online activities. Always use encryption to encrypt your online traffic.

  • The one million dollar question here is: Why was Mikko not arrested after this video by the US government and sent to Guantanamo Bay?
