Fifty prominent American computer scientists have signed an open letter urging the United States to reject mass surveillance and preserve privacy. At the heart of the letter is a warning against systems that encourage abuse:
Indiscriminate collection, storage, and processing of unprecedented amounts of personal information chill free speech and invite many types of abuse, ranging from mission creep to identity theft. These are not hypothetical problems; they have occurred many times in the past. Inserting backdoors, sabotaging standards, and tapping commercial data-center links provide bad actors, foreign and domestic, opportunities to exploit the resulting vulnerabilities.
In June, Microsoft revealed that they informed the NSA about bugs before sending out a general patch, giving the spies a chance to explore vulnerabilities and backdoors before anyone else. This leaves computers vulnerable for longer, and also hands those vulnerabilities to someone that will exploit them. The letter goes on, clarifying that this isn’t the rejection of spying itself, only spying that makes citizens less safe.
The choice is not whether to allow the NSA to spy. The choice is between a communications infrastructure that is vulnerable to attack at its core and one that, by default, is intrinsically secure for its users. Every country, including our own, must give intelligence and law-enforcement authorities the means to pursue terrorists and criminals, but we can do so without fundamentally undermining the security that enables commerce, entertainment, personal communication, and other aspects of 21st-century life.
In the month since Edward Snowden leaked information about NSA spying projects to the public, the agency has been at the center of two parallel revelations: the incredible reach it has in creepy-but-legal targeted surveillance, and the fantastic breadth it has for mass collection of bulk information. The targeted surveillance, which includes intercepting computers before they’re delivered and installing hardware that then spies on the user, has stronger legal precedence, and fits a regular definition of surveillance that targets only those allowed by a judge, given reasonable suspicion.