TORONTO—Edward Snowden appeared via a live web conference link at the SecTor conference here to deliver a keynote on the state of internet security and privacy today. Snowden's comments covered a wide range of topics, including the use of back doors and what users can do to help protect their own privacy and that of the internet as a whole.
Edward Snowden vaulted to global notoriety in 2013 after revealing classified details on the National Security Agency (NSA) and its mass surveillance programs.
At SecTor, Snowden provided a grim estimation of the current state of IT security. "Offense has greatly surpassed defensive capabilities."
Snowden noted that today's attackers aren't all that worried about being detected, as they're typically confident that they can get back into any given system. In the past, intelligence services used to treat compromised systems as fragile resources, but today that's no longer the case, as it's easy for attackers to compromise new systems, he added.
"Surveillance technology has outpaced democratic controls," Snowden said.
A generation ago, surveillance was expensive and governments typically needed to spend huge sums of money and have large teams tasked with tracking any single individual, he said, adding that the situation has changed, and one person in front of a monitor can track a very large number of individuals.
"For the first time in human history, it is feasible for the government to track and have a complete record of all of our lives," Snowden warned. "This is not science fiction; it's happening now."
Snowden commented that the lesson of the last few years, which he helped bring to light, is that government agencies don't always ask for permission when it comes to surveillance. It happens that governments will deploy capabilities in secret, even if they know them to be unlawful. Snowden told the SecTor audience that the issue of government surveillance isn't just a U.S. issue. It's now known that the Canadian intelligence services routinely share information with the NSA.
Fundamentally, Snowden is worried about a lack of proper oversight when it comes to government surveillance. Without proper oversight, Snowden said that the general public is forced to rely on the media and whistleblowers to reveal what is going on.
"If we only knew what the government wanted us to know, we'd know very little," Snowden said.
While laws are important, at the end of the day, they are just letters on a page and can't actually enforce individuals' rights, Snowden remarked. He wants users and technology vendors to help take action to protect individual rights.
"We need collectively to make surveillance expensive again," Snowden said.
What Snowden wants to see in both the United States and Canada is some form of proper oversight for surveillance activities. There should be a case-by-case review of all surveillance requests after the fact to make sure that the surveillance was necessary, Snowden said. This level of oversight would mean that if people at spy agencies break rules, they would be held accountable, he said.
Snowden is also wary of different government spy agencies in Canada and in the United States sharing information on individuals, without any real necessity.
"Our information is being traded like baseball cards. We need some form of transparency and accountability."
Snowden also commented on the ongoing public debate about enabling back doors in software that provide access for U.S. intelligence services. In Snowden's view, inserting a back door is never a good idea. He believes back doors decrease rather than increase security.
"Everything is getting hacked all the time now," Snowden said.
Having a back door makes hacking by attackers easier, whether they are affiliated with a nation-state or not, he said.
Determining who is behind an attack is also very difficult in the modern world, Snowden said. "The only people that get caught are the least sophisticated and lazy adversary groups."
Snowden wants technology vendors to remember to work for their customers and not for the government. That means that companies should only hold data that is needed for their operational goals and nothing else, he said.
Snowden suggests that end-users make use of two-factor authentication, full-disk encryption, password management systems as well as secure operating systems. That said, Snowden added that it's important to help those that are working on protecting individual rights and privacy online.
"The average person doesn't have time to become a security expert, but what we can do is give $10 to a civil liberties organization that can contest illegal laws on our behalf," Snowden said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.