by _mvuc 4600 days ago
Because that amounts to leaving a note in the cookie jar that says we really, really promise not to take any cookies unless we absolutely need to.
2 comments

If we don't at least try to enforce the law (as one prong of counterattack), then we may as well not have laws.
Do you really believe that it is wise to treat our government as a virus writer and put ourselves in the position of antivirus software writers? Do you want them in the exploit business while we, the citizenry, resolve to simply apply patches? Do you really want them to have legal carte blanche to use their unlimited resources (including your own tax dollars) to do as they please, then scurry off to try to erect some defense against whatever you think they are doing next?

When the NSA approaches Google, I want Google's General Counsel to deny the request with solid legal standing. Likewise with backbone providers and on down the line.

We are either a nation of laws or we're not. Our government is either beholden to those laws or they are not. Had we the proper laws and commitment to our Constitution, then Snowden's revelations would have resulted in trials and prosecutions. Instead, too many seem to be ceding to the government the right to surveil its citizens with impunity, and are instead focusing on technical defenses against their own government.

It's lunacy, and if the primary emphasis is not on legal redress, then we have already lost.

In case you didn't get the news, the NSA already does not bother to approach Google. They just install secret taps on Google's private lines between data centres, and siphon off all the replication traffic.

The NSA is a rogue agency that does not respect laws (or reinterprets them as they see fit). Going through the legal process to shut it down is certainly worthwhile, as is throwing its criminal elements in jail, particularly those that are happy to lie in Congress.

However, the reality is that a rogue agency can evolve in the dark corners of the government, and that therefore it is likely that it will happen again. And even if it never happens in the US again, there are other countries out there, you know?

A strong technological solution that makes large-scale snooping impractical is a sine-qua-non no matter what happens on the legal side.

>In case you didn't get the news, the NSA already does not bother to approach Google...

I got the news. They approach Google AND they plug into private lines. The latter case is what I referred to when I mentioned "backbone" providers. Again, I want any private entity to have legal standing to refuse NSA requests.

>The NSA is a rogue agency that does not respect laws (or reinterprets them as they see fit)

I agree that if an agency goes rogue, then laws are only retroactive. That is, laws provide a penalty that is triggered only after an offense has occurred. But, clear (i.e. not ambiguous) laws with clear penalties can be a powerful deterrent. Whistle-blowers like Snowden are then empowered to stop abuses and illegal activity. They are automatically branded as heroes instead of traitors who must flee the country or worry for their safety. As it is, the good guys like Snowden are being put on the wrong side of the law and vice-versa. This must change.

>However, the reality is that a rogue agency can evolve in the dark corners of the government, and that therefore it is likely that it will happen again.

That's true and always has been. But, we don't just say "well, laws will be broken, so let's not bother having them". It's really the entire point: to prescribe what is acceptable behavior and provide penalties for violations.

>A strong technological solution that makes large-scale snooping impractical is a sine-qua-non no matter what happens on the legal side.

We actually agree to some extent. I don't advocate that we not implement technical measures. Where we depart is on priority. The wording of your last sentence signals this departure. I would flip "technical solution" with "legal side".

Ultimately, if the emphasis is on technical solutions, then we will all be pwned with impunity. Period. Are you going to write your own firmware? Manufacture your own chips? Are you going to personally write all of the security and other endpoint software in your stack, including the OS? Even if you did, would you be able to guarantee zero vulnerabilities in your own code?

Checking rogue agencies, providing more oversight and enforcing clear laws are the only way out. Technological solutions are but a backstop that we hope will provide us with some defense in the event that a rogue agency goes undetected for some period.

I agree with your response on the whole, but one point is worth quibbling with:

> I got the news. They approach Google AND they plug into private lines. The latter case is what I referred to when I mentioned "backbone" providers.

As far as I understand, these were not lines provided by "backbone providers". These were private lines laid and paid for and owned by Google. There was no third party who bent - Google got pwned directly, in secret, with impunity.