- Christopher Soghoian
privacy researcher and activist. He is the principal technologist at the American Civil Liberties Union. He is also a visiting fellow at Yale Law School’s Information Society Project.
A new investigation by The Intercept reveals the National Security Agency and its British counterpart, the GCHQ, hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe. The secret operation targeted the Dutch company Gemalto. Its clients include AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world.
In part two of our interview, we speak with Christopher Soghoian of the American Civil Liberties Union about ways to securely use your cellphone.
Watch Part 1 here.
AMY GOODMAN: This is Democracy Now!, democracynow.org, The War and Peace Report. I’m Amy Goodman, with part two on a new investigation by The Intercept that reveals the National Security Agency and its British counterpart, the GCHQ, hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe. The secret operation targeted the Dutch company Gemalto. Its clients include AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. It produces two billion SIM cards a year.
To talk more about the significance of this story, we’re joined by Chris Soghoian. He’s the principal technologist at the American Civil Liberties Union, a visiting fellow at Yale Law School’s Information Society Project. The piece is in The Intercept that reveals all of this, and it’s by former Democracy Now! correspondent, Intercept co-founder, Jeremy Scahill.
Chris Soghoian, in part two of our discussion, first quickly summarize what the great SIM heist is.
CHRISTOPHER SOGHOIAN: So, in this operation, GCHQ, which is Britain’s intelligence agency, hacked into this major Dutch supplier of SIM cards. This is a company that provides these microchips to wireless carriers around the world, and these are the chips that provide the security that’s in our phones. They secure the communications between our phone and the phone network and are intended to protect our calls and text messages from interception by private parties.
AMY GOODMAN: Should Gemalto be doing—can they protect the SIM card?
CHRISTOPHER SOGHOIAN: I mean, what’s in the story, the anecdotes that are revealed in the story suggest that Gemalto and its wireless carrier partners have at times followed pretty pathetic security practices, and so it didn’t seem like—that GCHQ had to work too hard in some cases. But, you know, that was just for some of the collection. In other cases, it seems like GCHQ—GCHQ’s hackers targeted and hunted individual engineers and employees. I mean, they were stalking these engineers online in an effort to compromise their email accounts, their Facebook accounts, and then ultimately to compromise their computers as a way to gain access to the inner sanctum of Gemalto’s network. That kind of stalking of engineers is really terrifying, particularly given that, you know, we’re not talking here about a government stalking or targeting a terrorist. These engineers are not accused of breaking any law. These are law-abiding people who have mortgages and families and husbands and wives, and they just happen to work for companies that these intelligence agencies, you know, think are fair game. And, you know, I think this article, building on The Intercept's piece last year about GCHQ's hacking of Belgacom, Belgium’s largest phone company, is really going to serve as a wake-up call to the entire technical industry, because, you know, in essence now, it seems clear that any engineer at any company that does anything remotely interesting is now fair game for GCHQ and NSA and their other partners.
AMY GOODMAN: How do AT&T and Verizon compare to companies like Google and Apple?
CHRISTOPHER SOGHOIAN: So, the phone companies don’t do a very good in securing their communications. The encryption technology that’s built into your phone, the technology that protects your telephone calls and text messages as they go over the air, the encryption was built in the late '80s and early ’90s. It was—forms of it were broken in the 1990s by graduate students, and we're still using it today. These carriers are—these large, multibillion-dollar telephone companies are really not that interested in providing a secure method of communication. They’re certainly not interested in designing or deploying methods of communication that our own governments cannot intercept, let alone other governments. And, you know, for more than a hundred years, the U.S. telephone companies have been happily providing wiretapping assistance to law enforcement and intelligence agencies. We should just—we should give up on this idea that AT&T or T-Mobile or Verizon are ever going to deliver truly secure communications to their customers.
You know, in contrast, it really does seem like Silicon Valley companies are much more interested in providing strong, secure communications services, to the extent that their business models permit. And what I mean by that is, you know, at the end of the day, you’re not paying Google for their services, and so they want to read your emails, but a company like Apple, who—you know, Apple doesn’t make money by selling you email service. They make money by selling you an expensive phone. And as long as you keep buying the phones, Apple makes lots of money. For companies like that, where their business model and your privacy are more aligned, I really do think we can expect that these companies will provide us with much stronger and much more secure methods of communication, particularly given that they’re competing in a global market where, you know, German consumers don’t want a phone that can be easily spied on by the NSA. And so, you know, these tech companies really are having to up their game.
AMY GOODMAN: So, Chris Soghoian, you started in part one of our interview talking about how people can protect themselves. Explain further what people can do.
CHRISTOPHER SOGHOIAN: Sure. So, again, the voice and text message services provided by your wireless carrier, if you’re just sending a text message through your phone or making a telephone call through your phone, those calls can be intercepted by your own government, by police and intelligence agencies. They can be intercepted by foreign governments who are operating domestically. They can be intercepted by sophisticated criminals and by hackers and by stalkers. You should not expect that those kinds of communications services can deliver real security.
On the other hand, there are now a number of apps and Internet-based services that you can run on your smartphone that will give you much, much more secure communications. So, Apple has built iMessage into its iPhone product for several years. If you have an iPhone and you’re sending a text message to someone else who has an iPhone, this is used by default. Those messages are encrypted in a strong way. They’re sent via Apple’s system, and it’s very, very difficult for governments to intercept those. If you’re using WhatsApp, which is a service now owned by Facebook and used by hundreds of millions of people around the world, if you’re using WhatsApp on Android, it’s encrypted, again, in a very strong way. And if you have an Android or iPhone, you can download third-party apps, the best of which are called Signal for iOS and TextSecure, T-E-X-T Secure, from Android. These are best-of-breed free applications made by top security researchers, and actually subsidized by the State Department and by the U.S. taxpayer. You can download these tools today. You can make encrypted telephone calls. You can send encrypted text messages. You can really up your game and protect your communications.
To be clear, if you are a target of a law enforcement or intelligence agency and they really care about you, they can hack into your phone, and these tools won’t stop that. But you can make it much more difficult. You can make it so that they have to work really hard. And, you know, it’s unfortunate that the phone companies, that AT&T and Verizon haven’t warned their customers. They should be telling the public. They haven’t. But we can do things right now to make wiretapping much more difficult and much more expensive.
AMY GOODMAN: Is it possible to use a phone without a SIM card?
CHRISTOPHER SOGHOIAN: No, the SIM card is sort of like the driver’s license for the phone. The SIM card proves that you have a valid account. That’s, you know, what lets the phone company know who to send the bill to. So, you need a SIM card. You know, think of it this way. When you go to Starbucks, you don’t expect Starbucks to provide you with a secure Internet connection. You expect them to provide you with an Internet connection, and then you bring your own security on top. If you’re using Gmail or Facebook or Twitter, all of those services build their own security in. They don’t rely on the Internet provider to do that for you. By the same token, we should stop relying on the AT&Ts and Verizons of the world to provide security. We should just use them for data, and then we should run secure, encrypted communications apps that go over the data portion of the network. We know how to do this. These apps exist. We can secure our communications. And, you know, it’s been delightful post-Snowden. You know, the journalism community is really starting to take note of this. And I now regularly have encrypted telephone calls with national security reporters around the world. I send encrypted emails with reporters, with lawyers. These tools really are getting to be easy to use, and it’s just—we just need more people to start using them.
AMY GOODMAN: So, explain again, if you just want to make a phone call, but you don’t want it to be listened to or tracked, how would you do that? How would you encrypt a phone call?
CHRISTOPHER SOGHOIAN: So, if you have an Apple device, you could download—so FaceTime is already installed in your iPhone. It’s built by Apple. It’s built into the iPhone. If you make a FaceTime audio or video call from your iPhone to someone else’s iPhone or iPad, it’s encrypted with very strong technology, and it will be very, very difficult for a government to intercept. If you have an—if you don’t want to use an Apple encryption product, there’s a fantastic app in the app store called Signal, S-I-G-N-A-L. It’s free. It’s open source. It’s very, very good. That makes encrypted telephone calls anywhere in the world for free. Even if you’re not worried about security, it’s actually a way of saving money on your phone bill. And then if you’re using Android, there’s a great app by the same people who do Signal called RedPhone, R-E-D-P-H-O-N-E. Again, it’s free. It’s supported by the U.S. government. So you’re paying for it anyway; you might as well use it. And that will also let you make free encrypted telephone calls. These tools work, and they make—they make wiretapping much more expensive, which is what we want. We want governments to have to focus their resources on the people that really matter, the real threats, but they shouldn’t be able to spy on everyone at low cost.
AMY GOODMAN: I also wanted to ask about another NSA story in the news this week, this new probe that finds the NSA has embedded spying devices deep inside hard drives in computers around the world. The Russian firm Kaspersky Lab says it uncovered the spyware in personal computers across 30 countries, from Iran to Russia, Pakistan, Libya, China, Belgium, Ecuador and the United States. The targets include government institutions, oil and gas firms, Islamic activists, scholars and the media. Can you comment on this, Chris Soghoian?
CHRISTOPHER SOGHOIAN: Sure. So, the NSA has a multibillion-dollar budget. They hire some of the best and brightest hackers, and they give these really smart people a lot of resources and basically tell them that they can do whatever they want. And, you know, it’s not surprising that a well-resourced team, that is not constrained by the law, can get up to a lot of really interesting and terrifying things. You know, they’ve been given a mandate by their superiors to go out and hack and get access to every system they can, and they’re doing that. You know, in one way, as someone with a technical background, I’m impressed with what they’ve been able to do. But I think, you know, we should all be very scared about what the NSA is doing, the capabilities they have and the extreme lack of effective oversight that’s taking place. For an agency that is engaged in this degree of highly sophisticated technical compromise of computer systems, the extent to which policymakers and agency overseers lack technical competence, I think, should be terrifying. We need to make sure that those in Congress, those in the courts, who are supposed to perform oversight over the NSA, we need to make sure they have technical understanding or technical advisers. And the fact that there’s no technical oversight of these agencies, I think, is one of the reasons why they’ve been able to do as much as they have with as little oversight.
AMY GOODMAN: Chris, why is the government funding the apps that you’re recommending, that make it harder to break into, eavesdrop on texts or calls?
CHRISTOPHER SOGHOIAN: Because they’re tools of foreign policy. You know, the U.S. government isn’t this one machine with one person, you know, dictating all of its policies. You have these different agencies squabbling, sometimes doing contradictory things. The U.S. government, the State Department has spent millions of dollars over the last 10 years to fund the creation and the deployment and improvement to secure communications and secure computing tools that were intended to allow activists in China and Iran to communicate, that are intended to allow journalists to do their thing and spread news about democracy without fear of interception and surveillance by—
AMY GOODMAN: But maybe—
CHRISTOPHER SOGHOIAN: —the Chinese and other governments.
AMY GOODMAN: But maybe the U.S. government has a way to break in.
CHRISTOPHER SOGHOIAN: Well, you know, it’s possible that they’ve discovered flaws, but, you know, they have—the U.S. government hasn’t been writing the software. They’ve been giving grants to highly respected research teams, security researchers and academics, and these tools are about the best that we have. You know, I agree. I think it’s a little bit odd that, you know, the State Department’s funding this, but these tools aren’t getting a lot of funding from other places. And so, as long as the State Department is willing to write them checks, I’m happy that the Tor Project and WhisperSystems and these other organizations are cashing them. They are creating great tools and great technology that can really improve our security. And I hope that they’ll get more money in the future.
AMY GOODMAN: And, Chris, very quickly, what’s the legislation you think needs to be passed, at least in the United States, to protect privacy?
CHRISTOPHER SOGHOIAN: I mean, we need so much. We need a technically informed FISA court. We need controls over domestic surveillance. But we also need—we need strict oversight and legislative controls over what NSA does abroad, which right now are largely regulated under Executive Order 12333. Most of the scary things that NSA does, it doesn’t have to go the FISA court to get approval for, and I think we really need to rein that in.
AMY GOODMAN: Chris Soghoian, we want to thank you so much for being with us, privacy researcher and activist, principal technologist at the American Civil Liberties Union, also visiting fellow at Yale Law School’s Information Society Project. You can also go back to democracynow.org to see part one of this conversation. I’m Amy Goodman. Thanks so much for joining us.