Why widespread electronic surveillance is pointless

The thesis here is that while widespread surveillance is possible, it is fundamentally incapable of penetrating defenses that even computer novices can deploy with minimal effort. It therefore follows that if there are individuals who are intent on harming the US or its interests, and they have the requisite knowledge and resources to be harmful, widespread electronic surveillance will be ineffective in stopping them.

The following bullets detail barriers that prevent widespread surveillance from being effective:

  1. The basics of what is knowable: If one assumes that everything that is going across the internet is visible to the US government, in order for that to be useful in preventing an attack of some kind, the information must be linked to a real person. Assuming that none of the information that is being transmitted contains the identity of the parties for certain[1], the first step in finding the parties is the location information. This is mostly going to be impossible: while it would be possible for the government (or an ISP for that matter) to determine who the intermediaries are, they have no way of knowing whether those intermediaries are merely acting as proxies or are the actual parties to the communication.
  2. The above is rather permissive in assuming that it is possible to read everything that is going across the internet (assuming that they have some type of on-site access). Encryption is a way to prevent anyone other than the intended recipient from being able to view the contents of a message (including the sender). The mathematics of such a system have been carefully examined for decades, and the fundamental system is secure. Even if the government were years ahead of the rest of the world, and we assume that they have access to the combined power of the world’s top 500 supercomputers (around 223.7 petaflops)[2], it would still require about 10^1198 times the age of the universe to break a 4096-bit key (easily possible to create on even a small old laptop today). Quantum computers will make cracking some types of encryption easier, but there are forms of encryption that are resistant to that as well (and quantum systems have not been demonstrated at any appreciable scale).
  3. Another issue is that it is hard to find the data that is actually useful when so much is being collected. The proof for this can be found in numerous articles that claim that the NSA stores all the data, and then, when they have a lead on something, they go back to their massive data store and retrieve all of the relevant information. While this is a nice capability to have, the first problem listed does not go away. How do you know which user that you have logged is the one that you are looking for? Again, making the assumption that some protection has been employed (a relatively trivial task)[3], there is still no way to map all network information that has been collected to a person (or vice versa).
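
The estimate in point 2, reproduced as an added example (not part of the original post). It counts one key guess per floating-point operation over a 2^4096 keyspace, and for comparison assumes the key is an RSA modulus attacked with the general number field sieve, using the standard heuristic cost formula with the o(1) term dropped. The 13.8-billion-year age of the universe and the one-operation-per-flop equivalence are assumptions, so read the results as orders of magnitude only.

```python
import math

OPS_PER_SEC = 223.7e15  # the post's figure: 223.7 petaflops
# Assumption: age of the universe taken as 13.8 billion years (~4.35e17 s).
AGE_OF_UNIVERSE_SEC = 13.8e9 * 365.25 * 24 * 3600


def log10_universe_ages(log10_ops):
    """log10 of (time to perform 10**log10_ops operations / age of universe)."""
    return log10_ops - math.log10(OPS_PER_SEC) - math.log10(AGE_OF_UNIVERSE_SEC)


def log10_keyspace(bits):
    """Exhaustive search: one operation per candidate, 2**bits candidates."""
    return bits * math.log10(2)


def log10_gnfs(bits):
    """Heuristic GNFS cost exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)) for a
    bits-bit modulus n, with c = (64/9)^(1/3). Returned as log10."""
    ln_n = bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(10)


def report(bits):
    """Exponents (base 10) of the work, measured in ages of the universe."""
    return {
        "bits": bits,
        "exhaustive": round(log10_universe_ages(log10_keyspace(bits))),
        "gnfs": round(log10_universe_ages(log10_gnfs(bits))),
    }


if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        r = report(bits)
        print(f"{bits}-bit: exhaustive search 10^{r['exhaustive']}, "
              f"GNFS (assumed RSA) 10^{r['gnfs']} ages of the universe")
```

The exhaustive-search exponent for 4096 bits matches the post's figure. Under the RSA assumption the best known classical attack is far cheaper than exhaustive search, yet at 4096 bits it is still many orders of magnitude beyond the age of the universe, while the margin shrinks sharply at smaller key sizes.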

While each of the above three points excludes a significant amount of technical detail, and dumb users can make everything easier to track, anyone with a modicum of interest in keeping their online activities truly confidential will be able to. As an aside, all of this technology was developed far in advance of the NSA data collection leaks. That one is able to circumvent this type of surveillance is not news. It has always been possible.


[1] Even if information that is being sent contains the name of the person, this is not guaranteed to be true. Anything could have been typed in there. Additionally, credit card numbers could either be fake, or be anonymous gift cards that serve the same purpose.

[3] Tor Browser, any one of a number of VPN or proxy services, etc.
