TEDxBrussels

Mikko Hypponen: How the NSA betrayed the world's trust -- time to act

October 28, 2013

Recent events have highlighted, underlined and bolded the fact that the United States is performing blanket surveillance on any foreigner whose data passes through an American entity -- whether they are suspected of wrongdoing or not. This means that, essentially, every international user of the internet is being watched, says Mikko Hypponen. An important rant, wrapped with a plea: to find alternative solutions to using American companies for the world's information needs.

Mikko Hypponen - Cybersecurity expert
As computer access expands, Mikko Hypponen asks: What's the next killer virus, and will the world be able to cope with it? And also: How can we protect digital privacy in the age of government surveillance?

The two most likely largest inventions
00:12
of our generation
00:16
are the Internet and the mobile phone.
00:19
They've changed the world.
00:22
However, largely to our surprise,
00:24
they also turned out to be the perfect tools
00:28
for the surveillance state.
00:32
It turned out that the capability
00:35
to collect data, information and connections
00:38
about basically any of us and all of us
00:42
is exactly what we've been hearing
00:46
throughout the summer
through revelations and leaks
00:48
about Western intelligence agencies,
00:53
mostly U.S. intelligence agencies,
00:56
watching over the rest of the world.
00:59
We've heard about these starting with the
01:02
revelations from June 6.
01:05
Edward Snowden started leaking information,
01:09
top secret classified information,
01:12
from the U.S. intelligence agencies,
01:14
and we started learning about things like PRISM
01:16
and XKeyscore and others.
01:18
And these are examples of the kinds of programs
01:21
U.S. intelligence agencies are running right now,
01:25
against the whole rest of the world.
01:29
And if you look back about the forecasts
01:32
on surveillance by George Orwell,
01:36
well it turns out that
01:40
George Orwell was an optimist.
01:42
(Laughter)
01:45
We are right now seeing a much larger scale
01:47
of tracking of individual citizens
01:50
than he could have ever imagined.
01:52
And this here is the infamous
01:55
NSA data center in Utah.
01:59
Due to be opened very soon,
02:03
it will be both a supercomputing center
02:06
and a data storage center.
02:09
You could basically imagine it has a large hall
02:11
filled with hard drives storing data
02:14
they are collecting.
02:16
And it's a pretty big building.
02:19
How big? Well, I can give you the numbers --
02:21
140,000 square meters --
02:23
but that doesn't really tell you very much.
02:25
Maybe it's better to imagine it as a comparison.
02:27
You think about the largest IKEA store
02:30
you've ever been in.
02:33
This is five times larger.
02:35
How many hard drives can you fit in an IKEA store?
02:38
Right? It's pretty big.
02:41
We estimate that just the electricity bill
02:43
for running this data center
02:46
is going to be in the tens of millions of dollars a year.
02:48
And this kind of wholesale surveillance
02:51
means that they can collect our data
02:54
and keep it basically forever,
02:56
keep it for extended periods of time,
02:58
keep it for years, keep it for decades.
03:01
And this opens up completely new kinds of risks
03:04
to us all.
03:08
And what this is is that it is wholesale
03:10
blanket surveillance on everyone.
03:13
Well, not exactly everyone,
03:18
because the U.S. intelligence only has a legal right
03:20
to monitor foreigners.
03:24
They can monitor foreigners
03:26
when foreigners' data connections
03:27
end up in the United States or pass
through the United States.
03:30
And monitoring foreigners doesn't sound too bad
03:34
until you realize
03:36
that I'm a foreigner and you're a foreigner.
03:39
In fact, 96 percent of the planet are foreigners.
03:42
(Laughter)
03:46
Right?
03:47
So it is wholesale blanket surveillance of all of us,
03:49
all of us who use telecommunications and the Internet.
03:54
But don't get me wrong:
03:58
There are actually types
of surveillance that are okay.
04:00
I love freedom, but even I agree
04:05
that some surveillance is fine.
04:08
If the law enforcement is trying to find a murderer,
04:10
or they're trying to catch a drug lord
04:14
or trying to prevent a school shooting,
04:17
and they have leads and they have suspects,
04:21
then it's perfectly fine for them
to tap the suspect's phone,
04:22
and to intercept his Internet communications.
04:26
I'm not arguing that at all,
04:29
but that's not what programs like PRISM are about.
04:31
They are not about doing surveillance on people
04:34
that they have reason
to suspect of some wrongdoings.
04:37
They're about doing surveillance on people
04:40
they know are innocent.
04:42
So the four main arguments
04:46
supporting surveillance like this,
04:48
well, the first of all is that whenever you start
04:50
discussing about these revelations,
04:52
there will be naysayers trying to minimize
04:54
the importance of these revelations, saying that
04:57
we knew all this already,
04:59
we knew it was happening, there's nothing new here.
05:00
And that's not true. Don't let anybody tell you
05:04
that we knew this already,
because we did not know this already.
05:07
Our worst fears might have been something like this,
05:13
but we didn't know this was happening.
05:17
Now we know for a fact it's happening.
05:19
We didn't know about this.
We didn't know about PRISM.
05:21
We didn't know about XKeyscore.
We didn't know about Cybertrans.
05:24
We didn't know about DoubleArrow.
05:27
We did not know about Skywriter --
05:29
all these different programs
05:31
run by U.S. intelligence agencies.
05:33
But now we do.
05:36
And we did not know
05:39
that U.S. intelligence agencies go to extremes
05:41
such as infiltrating standardization bodies
05:44
to sabotage encryption algorithms on purpose.
05:48
And what that means
05:53
is that you take something which is secure,
05:55
an encryption algorithm which is so secure
05:57
that if you use that algorithm to encrypt one file,
05:59
nobody can decrypt that file.
06:02
Even if they take every single computer on the planet just to decrypt that one file,
06:04
it's going to take millions of years.
06:08
So that's basically perfectly safe, uncrackable.
06:10
You take something which is that good
06:13
and then you weaken it on purpose,
06:15
making all of us less secure as an end result.
06:17
A real-world equivalent would be that
06:23
intelligence agencies would force
06:25
some secret pin code into every single house alarm
06:28
so they could get into every single house
06:30
because, you know, bad people
might have house alarms,
06:32
but it will also make all of us
06:34
less secure as an end result.
06:37
Backdooring encryption algorithms
06:39
just boggles the mind.
06:43
But of course, these intelligence agencies
are doing their job.
06:46
This is what they have been told to do:
06:50
do signals intelligence,
06:51
monitor telecommunications,
06:54
monitor Internet traffic.
06:56
That's what they're trying to do,
06:57
and since most, a very big part
of the Internet traffic today is encrypted,
06:59
they're trying to find ways around the encryption.
07:02
One way is to sabotage encryption algorithms,
07:04
which is a great example
07:07
about how U.S. intelligence agencies
07:09
are running loose.
07:11
They are completely out of control,
07:13
and they should be brought back under control.
07:15
So what do we actually know about the leaks?
07:21
Everything is based on the files
07:24
leaked by Mr. Snowden.
07:26
The very first PRISM slides
07:29
from the beginning of June
07:31
detail a collection program where the data
07:33
is collected from service providers,
07:35
and they actually go and name the service providers
07:37
they have access to.
07:40
They even have a specific date
07:41
on when the collection of data began
07:44
for each of the service providers.
07:47
So for example, they name
the collection from Microsoft
07:49
started on September 11, 2007,
07:51
for Yahoo on March 12, 2008,
07:55
and then others: Google, Facebook,
07:57
Skype, Apple and so on.
08:00
And every single one of these companies denies.
08:04
They all say that this simply isn't true,
08:07
that they are not giving
backdoor access to their data.
08:11
Yet we have these files.
08:16
So is one of the parties lying,
08:20
or is there some other alternative explanation?
08:22
And one explanation would be
08:25
that these parties, these service providers,
08:28
are not cooperating.
08:31
Instead, they've been hacked.
08:33
That would explain it. They aren't cooperating. They've been hacked.
08:36
In this case, they've been hacked
by their own government.
08:39
That might sound outlandish,
08:43
but we already have cases where this has happened,
08:46
for example, the case of the Flame malware
08:48
which we strongly believe was authored
08:51
by the U.S. government,
08:53
and which, to spread, subverted the security
08:55
of the Windows Update network,
08:59
meaning here, the company was hacked
09:02
by their own government.
09:06
And there's more evidence
09:08
supporting this theory as well.
09:10
Der Spiegel, from Germany, leaked more information
09:12
about the operations run by the elite hacker units
09:16
operating inside these intelligence agencies.
09:21
Inside NSA, the unit is called TAO,
09:24
Tailored Access Operations,
09:26
and inside GCHQ, which is the U.K. equivalent,
09:28
it's called NAC, Network Analysis Centre.
09:32
And these recent leaks of these three slides
09:36
detail an operation
09:40
run by this GCHQ intelligence agency
09:42
from the United Kingdom
09:45
targeting a telecom here in Belgium.
09:47
And what this really means
09:51
is that an E.U. country's intelligence agency
09:53
is breaching the security
09:57
of a telecom of a fellow E.U. country on purpose,
09:59
and they discuss it in their slides completely casually,
10:04
business as usual.
10:08
Here's the primary target,
10:10
here's the secondary target,
10:11
here's the teaming.
10:13
They probably have a team building
on Thursday evening in a pub.
10:14
They even use cheesy PowerPoint clip art
10:18
like, you know, "Success,"
10:21
when they gain access to services like this.
10:23
What the hell?
10:26
And then there's the argument
10:31
that okay, yes, this might be going on,
10:33
but then again, other countries are doing it as well.
10:34
All countries spy.
10:37
And maybe that's true.
10:40
Many countries spy, not all of them,
but let's take an example.
10:41
Let's take, for example, Sweden.
10:44
I'm speaking of Sweden because Sweden
10:46
has a little bit of a similar law to the United States.
10:47
When your data traffic goes through Sweden,
10:50
their intelligence agency has a legal right by the law
10:52
to intercept that traffic.
10:54
All right, how many Swedish decisionmakers
10:56
and politicians and business leaders
11:00
use, every day, U.S.-based services,
11:03
like, you know, run Windows or OS X,
11:06
or use Facebook or LinkedIn,
11:09
or store their data in clouds like iCloud
11:11
or SkyDrive or Dropbox,
11:14
or maybe use online services like
Amazon Web Services or sales support?
11:18
And the answer is, every single Swedish
business leader does that every single day.
11:23
And then we turn it around.
11:27
How many American leaders
11:28
use Swedish webmails and cloud services?
11:30
And the answer is zero.
11:34
So this is not balanced.
11:36
It's not balanced by any means, not even close.
11:39
And when we do have the occasional
11:43
European success story,
11:46
even those, then, typically end up being sold
to the United States.
11:48
Like, Skype used to be secure.
11:51
It used to be end-to-end encrypted.
11:54
Then it was sold to the United States.
11:56
Today, it no longer is secure.
11:58
So once again, we take something which is secure
12:01
and then we make it less secure on purpose,
12:04
making all of us less secure as an outcome.
12:06
And then the argument that the United States
12:12
is only fighting terrorists.
12:14
It's the war on terror.
12:16
You shouldn't worry about it.
12:18
Well, it's not the war on terror.
12:20
Yes, part of it is war on terror, and yes,
12:22
there are terrorists, and they do kill and maim,
12:25
and we should fight them,
12:28
but we know through these leaks
12:29
that they have used the same techniques
12:31
to listen to phone calls of European leaders,
12:33
to tap the email of residents of Mexico and Brazil,
12:37
to read email traffic inside the United Nations Headquarters and E.U. Parliament,
12:40
and I don't think they are trying to find terrorists
12:45
from inside the E.U. Parliament, right?
12:48
It's not the war on terror.
12:51
Part of it might be, and there are terrorists,
12:53
but are we really thinking about terrorists
12:57
as such an existential threat
13:00
that we are willing to do anything at all to fight them?
13:02
Are the Americans ready
to throw away the Constitution
13:05
and throw it in the trash
just because there are terrorists?
13:09
And the same thing with the Bill of Rights
and all the amendments
13:13
and the Universal Declaration of Human Rights
13:16
and the E.U. conventions on human rights
and fundamental freedoms
13:18
and the press freedom?
13:23
Do we really think terrorism
is such an existential threat,
13:25
we are ready to do anything at all?
13:28
But people are scared about terrorists,
13:34
and then they think that
maybe that surveillance is okay
13:36
because they have nothing to hide.
13:39
Feel free to survey me if that helps.
13:41
And whoever tells you that they have nothing to hide
13:44
simply hasn't thought about this long enough.
13:47
(Applause)
13:54
Because we have this thing called privacy,
14:00
and if you really think that you have nothing to hide,
14:02
please make sure that's the first thing you tell me,
14:05
because then I know
14:07
that I should not trust you with any secrets,
14:09
because obviously you can't keep a secret.
14:10
But people are brutally honest with the Internet,
14:16
and when these leaks started,
14:20
many people were asking me about this.
14:23
And I have nothing to hide.
14:25
I'm not doing anything bad or anything illegal.
14:26
Yet, I have nothing that I would in particular
14:30
like to share with an intelligence agency,
14:32
especially a foreign intelligence agency.
14:35
And if we indeed need a Big Brother,
14:39
I would much rather have a domestic Big Brother
14:42
than a foreign Big Brother.
14:46
And when the leaks started,
the very first thing I tweeted about this
14:49
was a comment about how,
14:54
when you've been using search engines,
14:56
you've been potentially leaking all that
to U.S. intelligence.
14:58
And two minutes later, I got a reply
15:01
by somebody called Kimberly from the United States
15:03
challenging me, like, why am I worried about this?
15:06
What am I sending to worry about this?
Am I sending naked pictures or something?
15:08
And my answer to Kimberly was
15:12
that what I'm sending is none of your business,
15:14
and it should be none
of your government's business either.
15:17
Because that's what it's about. It's about privacy.
15:21
Privacy is nonnegotiable.
15:23
It should be built in to all the systems we use.
15:25
(Applause)
15:31
And one thing we should all understand
15:38
is that we are brutally honest with search engines.
15:41
You show me your search history,
15:45
and I'll find something incriminating
15:48
or something embarrassing there in five minutes.
15:50
We are more honest with search engines
15:54
than we are with our families.
15:56
Search engines know more about you
15:57
than your family members know about you.
16:00
And this is all the kind
of information we are giving away,
16:02
we are giving away to the United States.
16:05
And surveillance changes history.
16:10
We know this through examples
of corrupt presidents like Nixon.
16:12
Imagine if he would have had the kind
of surveillance tools that are available today.
16:15
And let me actually quote
16:20
the president of Brazil, Ms. Dilma Rousseff.
16:22
She was one of the targets of NSA surveillance.
16:25
Her email was read, and she spoke
16:29
at the United Nations Headquarters, and she said,
16:31
"If there is no right to privacy,
16:34
there can be no true freedom
of expression and opinion,
16:36
and therefore, there can be no effective democracy."
16:39
That's what it's about.
16:44
Privacy is the building block of our democracies.
16:46
And to quote a fellow security researcher, Marcus Ranum,
16:52
he said that the United States
is right now treating the Internet
16:55
as it would be treating one of its colonies.
16:59
So we are back to the age of colonization,
17:02
and we, the foreign users of the Internet,
17:05
we should think about Americans as our masters.
17:08
So Mr. Snowden, he's been blamed for many things.
17:14
Some are blaming him for causing problems
17:18
for the U.S. cloud industry
and software companies with these revelations --
17:21
and blaming Snowden for causing problems
for the U.S. cloud industry
17:24
would be the equivalent of blaming Al Gore
17:28
for causing global warming.
17:31
(Laughter)
17:33
(Applause)
17:35
So, what is there to be done?
17:43
Should we worry? No, we shouldn't worry.
17:49
We should be angry, because this is wrong,
17:51
and it's rude, and it should not be done.
17:54
But that's not going to really change the situation.
17:56
What's going to change the situation
for the rest of the world
17:59
is to try to steer away
18:02
from systems built in the United States.
18:04
And that's much easier said than done.
18:07
How do you do that?
18:09
A single country, any single country in Europe
18:11
cannot replace and build replacements
18:13
for the U.S.-made operating systems
and cloud services.
18:16
But maybe you don't have to do it alone.
18:18
Maybe you can do it together with other countries.
18:20
The solution is open source.
18:22
By building together open, free, secure systems,
18:26
we can go around such surveillance,
18:31
and then one country doesn't have
to solve the problem by itself.
18:34
It only has to solve one little problem.
18:38
And to quote a fellow security researcher, Haroon Meer,
18:40
one country only has to make a small wave,
18:46
but those small waves together become a tide,
18:48
and the tide will lift all the boats up at the same time,
18:52
and the tide we will build
18:56
with secure, free, open-source systems,
18:57
will become the tide that will lift all of us
19:01
up and above the surveillance state.
19:03
Thank you very much.
19:09
(Applause)
19:11

Why you should listen

The chief research officer at F-Secure Corporation in Finland, Mikko Hypponen has led his team through some of the largest computer virus outbreaks in history. His team took down the world-wide network used by the Sobig.F worm. He was the first to warn the world about the Sasser outbreak, and he has done classified briefings on the operation of the Stuxnet worm -- a hugely complex worm designed to sabotage Iranian nuclear enrichment facilities.

As a few hundred million more Internet users join the web from India and China and elsewhere, and as governments and corporations become more sophisticated at using viruses as weapons, Hypponen asks, what's next? Who will be at the front defending the world’s networks from malicious software? He says: "It's more than unsettling to realize there are large companies out there developing backdoors, exploits and trojans."

Even more unsettling: revelations this year that the United States' NSA is conducting widespread digital surveillance of both US citizens and anyone whose data passes through a US entity, and that it has actively sabotaged encryption algorithms. Hypponen has become one of the most outspoken critics of the agency's programs and asks us all: Why are we so willing to hand over digital privacy?

Read his open-season Q&A on Reddit: "My TED Talk was just posted. Ask me anything."

See the full documentary on the search for the Brain virus

Data provided by TED.
