Snowden advocates at SXSW for improved data security

The best encryption may conflict with the business model of Google and Facebook, speakers said at the show

Edward Snowden speaks via video link to the SXSW conference on March 10, 2014


Encryption technologies can be a powerful tool against government surveillance, but the most effective techniques are still largely out of reach to the average Internet user, Edward Snowden said Monday.

"Encryption does work," Snowden said, speaking via satellite video from Russia at the South by Southwest Interactive technology festival in Austin, Texas. "We need to think of encryption not as an arcane black art, but as a basic protection in the digital realm," the former U.S. National Security Agency contractor said.

Snowden chose to speak at SXSW rather than before a legislative or policy group because it's the technology community that can really fix security and digital rights, he said. "This is something we should not only implement, but actively research and improve on an academic level," he said.

But now, the best encryption, like end-to-end encryption, often does not find its way into mainstream products and is not always employed by major Internet companies that depend on advertising.

Ideally, more companies would make strong encryption a default part of their services, without requiring action from the consumer, or burying the option several menus deep. It may be difficult, however, for companies like Google and Facebook to adopt the strongest encryption protocols like end-to-end encryption, Snowden said during a discussion about security with two representatives from the American Civil Liberties Union. Those companies gather lots of data about their users and use it for advertising. It's harder to gather that data when the endpoints are encrypted, the speakers said.

Since the disclosures began last June from documents leaked to reporters by Snowden, "companies have improved their security," said Chris Soghoian, a senior policy analyst with the ACLU Speech, Privacy and Technology Project. There is security, for instance, between users' computers and Google's servers, he said.

But it's difficult for major Internet companies providing a free service to offer end-to-end encryption because it conflicts with their business model, he said. And, unfortunately, the tools that offer secure, end-to-end online communications are not polished or easy to use, speakers said. "The tools designed with security as a first goal are often developed by independent developers, activists and hobbyists," he said.

After previously classified documents were leaked by Snowden, a number of large technology companies, including Google, Microsoft and Yahoo, announced new protocols for encrypting users' data. But the problem is that one of the most commonly used encryption technologies, known as TLS (Transport Layer Security), is not all that strong against the intelligence-gathering community, Snowden said.

TLS encryption, which is used by services owned by Google and Skype, encrypts communications at the point of transport and then the companies decrypt and re-encrypt it, Snowden said. End-to-end encryption, on the other hand, forces intelligence-gathering groups to target individual computers, which are much harder to crack.

"I think that's the way to do it," Snowden said, speaking on the value of end-to-end encryption.

Some of the most advanced encryption technologies are difficult to use and they're not always free. Still, Snowden identified several steps Internet users can take to protect their data from surveillance. There's disk encryption, which protects data stored on hardware; there are browser security plug-ins like NoScript; and apps like Ghostery for Web cookie tracking, Snowden said. He also recommended Tor, which is designed to conceal online activity by routing Internet traffic through a networked relay system.

If people take those steps to encrypt their hardware and network communications, their online data would be better protected from massive government surveillance. But targeted surveillance is still harder to evade.

Snowden did not say that companies like Google and Facebook should not collect any data about their users. Rather, companies should not store data for long periods of time.

"You can do these things in a responsible way where people can still get value of the services ... without putting users at risk," he said.

The appropriate length of time that companies should retain user data was not, however, addressed during the talk.

Zach Miners covers social networking, search and general technology news for IDG News Service. Follow Zach on Twitter at @zachminers. Zach's e-mail address is
