News flash: National security through obscurity doesn’t work

How did secrecy become ubiquitous in the Information Age?

It looked good on paper.

Pervasive surveillance would be needed to protect the populace, and technology could facilitate the enormous challenge of inspecting global telecommunications. Scaling technology to identify threats is hard enough, but asking for and getting permission would take forever. And that’s forever as in the public would never allow it. So we’ll just do it, they said. It worked for the Chinese, and they’re watching many times that number of souls, even more closely. Between the Great Firewall of China and its relentless state-sponsored hacking, the passive-aggressive strategy has been a resounding success for them. So why not us, they said.

Let me tell you why.

When China does this kind of thing they’re open about it. Their motives may be ominous, but they don’t hide behind secret courts, alter their own laws or otherwise shock their people with a big reveal years later. They’re upfront about it. Much like a doting parent they may say: “we know you want the Internet because everyone else you know already has access. We don’t think it’s good for you, but you can have a taste. It will be filtered and monitored, but it’s better than nothing. It’s for your own good, trust us.” Same thing with Chinese companies, whose domestic and foreign activity is remotely monitored whether they like it or not. Although they’re probably selective about it, it sends a clear message. It’s intimidating, but at least everyone is on the same page. You can trust that some aspect of what you’re up to is being recorded. You may even have your own file.

In that sense, trust is a funny thing. You may not trust them to do the right thing, but you have been warned.

“I’m not upset that you lied to me, I’m upset that from now on I can’t believe you.”
– Friedrich Nietzsche


The flip side of that is a world where the words ‘freedom’ and ‘liberty’ and ‘human rights’ are so pervasive in political rhetoric and media messaging that the most polite ways to describe the phenomenon tend to include the well-worn term ‘propaganda’. And it really all starts with the term ‘secrecy’. The Wikipedia entry for FISA, the U.S. Foreign Intelligence Surveillance Act, says the Act “was created to provide judicial and congressional oversight of the government’s covert surveillance activities of foreign entities and individuals in the United States, while maintaining the secrecy needed to protect national security. It allowed surveillance, without court order…”


“You’re only as sick as your secrets” – Alcoholics Anonymous


Seriously? Secrecy is needed for security? In my world, that’s called “security through obscurity”. Although secrecy has its place, governments continue to indulge in a false dichotomy founded on the half-baked argument that you’re at the mercy of all the world’s threats, or you have to monitor all communications in order to have a chance at protecting freedom. Whatever that is.

The Wikipedia entry states: “Security through obscurity has never achieved … acceptance as an approach to securing a system, as it contradicts the principle of ‘keeping it simple’. The United States National Institute of Standards and Technology (NIST) specifically recommends against security through obscurity in more than one document.” Quoting from one, “System security should not depend on the secrecy of the implementation or its components.”


“Three may keep a secret, if two of them are dead” – Benjamin Franklin


So the NSA is in a peculiar position: its entire strategy – from whining about the overwhelming superiority of foreign espionage to justifying the sacrifice of privacy in favor of national security – has been undermined by an irrational insistence on keeping the whole thing a secret. Or trying to. The notion of keeping anything secret when you have some 5 million people with government clearance to access state secrets is anything but rational, but it seems that losing the trust of the very people you’re trying to protect (the same ones who paid for it all, by the way) makes the whole dubious exercise pointless.

And I don’t mean pointless in an ‘oh well, that didn’t work’ kinda way. I mean that it probably wasn’t worth the international ridicule from unfriendly nations, the strained relationships with friendly ones and the apparent mass deception visited upon the domestic population. Not to mention the increasing resistance to cooperate on the part of private sector ‘partners’ – Internet companies, telecommunications firms, credit card and financial organizations – whose stock prices and reputations have taken a beating as a result of their dutiful compliance with FISA, the PATRIOT Act and PRISM (along with its 3 sister programs MAINWAY, MARINA and NUCLEON).


Where does that leave Canada and Canadians?


Let’s see, if we take Obama’s word for it, the NSA’s surveillance program is really intended to monitor foreign communications, and no other country’s Internet traffic spends more time in US cables than Canada’s. Some estimates indicate that upwards of 90% of Canadian Internet traffic is routed through the United States, bouncing through several physical locations where it may be inspected, stored and analyzed. So really, Americans have less to worry about than we do. Their privacy rights – if any – may well resonate within their own country, and – such as it is – the US does have a structure of legislative oversight that we lack. So not only are our communications fair game in the U.S. (read: as ‘foreigners’, Canadians are among the actual “targets” Obama spoke of), we may not even have much recourse at home if that kind of surveillance were to take place on Canadian soil.

But surely our government agencies can be trusted to respect our privacy, right? Between CSIS, the CSE, the RCMP and military intelligence there is certainly a lot of interest in protecting national security but would they stoop so low as to monitor our private communications with impunity and breach our privacy without our knowledge and consent? No way!

Indeed, the likelihood of this is low. The agency that has been making the news as being the Canadian equivalent of the NSA is the CSEC (Communications Security Establishment Canada) and its mandate is similar, with electronic interception powers going back to 9/11. Its outward focus on foreign communications is just as likely to intercept Canadian data in the process, and in so doing it may be required to collaborate with the RCMP and CSIS to analyze and adequately dispose of the information.

So far, we know that Canadian authorities have similar powers of surveillance, data-sharing agreements in place with dozens of countries, a history of collaboration with foreign agencies and the same unnerving practice of secrecy-by-default (or should I say, “secrecy just in case”). Although there is little evidence to demonstrate that any abuses of authority are taking place, there is still that distinct lack of independent oversight and almost zero transparency. That said, we’re assured that authorizations for surveillance do require Federal Court warrants. Not to be cynical, but it was only a few days ago that the US government insisted on the existence of strict anti-snooping laws and processes in place before backpedaling and confessing that pretty much any phone or Internet-based exchange can be intercepted without court authorization.

Even if Canada does take such requirements seriously, it is still unclear to what degree they actually amount to any degree of protection, since the collection of what’s been termed ‘metadata’ is apparently fair game. Although it is implied to exclude the content of communications, this rich “digital network information” (in PRISM parlance), which includes traffic, time-stamps and the identities of the interlocutors, does constitute personally identifiable information protected under Canada’s federal privacy law, but the extent to which even this kind of snooping has been taking place is still unclear. Again, I hope it’s only cynicism, but it is well known that Canada and the US have had a longstanding agreement to exchange intelligence information on each other’s citizens and bypass domestic privacy and anti-surveillance legislation.

Has it ever happened en masse? Unless a whistleblower surfaces we may never find out but that doesn’t mean we should abandon our curiosity about the process nor our interest in protecting our basic human right to privacy. Public outrage notwithstanding, the one thing we can safely assume is that no government would want to feel the heat of the spotlights the US government is currently under. Nor would any agency want to be the butt of every Orwellian joke in existence, although I suspect the U.S. will handle both of these situations with its characteristic aplomb (for lack of a better term). To that end, we can still find – perhaps misguided – comfort in the trust we place in our own government until such a time as it does something to seriously erode it.

“The best way to find out if you can trust somebody is to trust them.”
– Ernest Hemingway



Claudiu Popa
Claudiu Popa is a security and privacy advisor to Canadian enterprises, associations and agencies. He is an author, speaker and lecturer. Connect with him on Twitter @datarisk, Facebook, G+ or LinkedIn.

Jim Love, Chief Content Officer, IT World Canada