Citizenfour (the film) – when pervasive monitoring became public

Details

The film poster shows Edward Snowden. When the STREWS project started, in October 2012, the plan included a workshop for early 2014 about WebRTC. The workshop would be a complement to the project's first case study. But in June 2013, something happened. Edward Snowden, an NSA employee at the time, talked to the Guardian newspaper and revealed details of the secret electronic surveillance operations conducted by the NSA and GCHQ.

One of the journalists present at the first meetings between Snowden and the Guardian, Laura Poitras, made a documentary about how it all started, based on film material she made at the time. The film, called Citizenfour, is already in cinemas in a few dozen countries and it receives high scores on IMDB.

By its sheer scale, pervasive monitoring, as this family of attacks is now called, is a completely new kind of threat to Internet security. And if the NSA can do it, then others can, too. Even if it's still expensive today, it won't be so tomorrow. Pervasive monitoring undermines people's trust in existing technologies and thus requires a response from the organisations developing those technologies. The IETF and W3C right away started discussions in their working groups and the STREWS project decided that it was more urgent to talk about pervasive monitoring at the workshop than about WebRTC.

The first workshop thus became a joint event by IANA, W3C and STREWS, with as goal to come up with recommendations to standards organisations for countermeasures to pervasive monitoring. The workshop had immediate effects on the ways the IETF, W3C and other organisations develop technical standards.

E.g., two recent results are the W3C TAG statement on securing the Web and the Internet Draft about effects of encryption on the Internet.

Some security experts already suspected wide-scale surveillance before the revelations by Edward Snowden, but there was no proof. And few people imagined the immense scale of the operations.

New technologies are now almost unthinkable without built-in encryption and the IETF is promoting an upgrade path for old technologies, called opportunistic encryption. But making Internet communications secure is still an ongoing process.

The second STREWS workshop, b.t.w., will be about more “traditional” (but not less important) Web security. It will take place in Berlin at the end of June. (Detailed announcements will follow.)

.