The n-Category Café

The AMS ought to be ashamed of itself for publishing such a deceptive, specious, and self-serving column. Richard George makes vague references to unsupported allegations that the NSA weakened crypto standards–and such purposeful vagueness is his only hope of persuasion, given that the evidence we have at hand overwhelmingly supports the conclusion that the NSA engaged in misconduct.

In particular, the New York Times claimed in 2013 that some of the documents released by Edward Snowden “suggest that the N.S.A. generated one of the random number generators used in a 2006 N.I.S.T. standard — called the Dual EC DRBG standard — which contains a back door for the N.S.A,” a conclusion which has been largely acknowledged as overwhelmingly plausible, given the evidence at hand.

Moreover, the NSA’s 2013 budget request, also published in part by the New York Times, describes an NSA program with a stated aim to “insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets.” I am no cryptographic expert, but this seems unambiguously to declare that the NSA is in fact in the business of weakening cryptographic systems and protocols.

After his various falsehoods, George ends his column with ad hominem attacks against those who have released this information to the public, beginning with his strange declaration that he and his colleagues are “disappointed” and have “a feeling of betrayal” from Snowden & al. (Why should we care how he and his fellow NSA employees feel when the issue at hand is whether they are participating in injustice?), and ending with the oft-repeated claim that such defectors have done “immense” damage–a claim that Snowden’s allies are fond of making yet in support of which they find themselves unable to cite even a single example.

Finally, in the course of his denunciation of the leakers, George misgenders Chelsea Manning–referring to her as Bradley, a name she has since renounced–, a woman who has made the incredibly brave decision to publicly announce her gender identity while incarcerated in a men’s military prison which offers no support for gender dysphoria. Even those who, like George, believe Manning’s contribution to her country to be traitorous rather than heroic ought to have the basic decency to respect her gender identity and the difficulties she has suffered and continues to suffer as a trans woman.

Obviously the field of actual mathematics is amenable to a lot more logical rigour than general discussion (in this instance regarding ethics), but it would be interesting to look at if other writings AMS publishes have similar amounts of non-sequiturs and “assertions of facts not in evidence”.

Here’s another part of Richard George’s article that really bothered me:

The folks I knew in SIGINT, and I knew them very well, would not dream of violating U.S. citizens’ rights.

First, notice that word “U.S.”? Being part of the 95% of the world that isn’t the U.S., I’m not enormously comforted.

Second, it’s what we always hear: “I’ve worked in the secret services, and my colleagues are a decent bunch — you can trust them”. It doesn’t withstand factual examination. In similar articles for the LMS newsletter, GCHQ insiders Richard Pinch and Malcolm MacCallum invoked the head of GCHQ’s claim that if his staff were asked to “snoop” on the general public, they’d quit. In that case, I contrasted that claim with what we now know about GCHQ’s Optic Nerve programme, which surreptitiously collected images from ordinary people’s webcams.

That’s just one example. Virtually every revelation based on the Snowden documents describes some privacy-violating NSA or GCHQ programme. Even if you want to stick to US citizens only, there’s still masses of documentary evidence of privacy violations by the NSA; here’s a good recent example.

Against all the documentary evidence, warmth of feeling for one’s friends and fellow workers isn’t too persuasive. Maybe George’s colleagues weren’t involved in this kind of thing. Maybe they were, but didn’t consider that their work violated U.S. citizens’ rights, for one reason or another: heartfelt opinion, convenient rationalization, disinclination to question one’s superiors, …. Who knows? Whatever it is, it doesn’t change the documented facts.

The AMS articles are getting a bit of attention on Twitter now. Journalist Glenn Greenwald (who’s reported a lot of the Snowden stories):

CERN physicist Subodh Patil:

For those who may not have seen it, Peter Woit has a stack of links to NIST material dealing with analysis of the whole Dual EC DRBG debacle which more than blows what Richard George says out of the water.

More interesting, perhaps, and one for mathematicians to look at in detail is this statement:

One way this goes beyond the now-withdrawn NIST standard is that the committee also looked at other NIST current standards now in wide use, which in at least one other case depend upon a specific choice of elliptic curves made by the NSA, with no explanation provided of how the choice was made. In particular, Rivest recommends changing the ECDSA standard in FIPS186 because of this problem.

You can find the current version of NIST’s FIPS186 here and the ECDSA standard in ANSI X9.62:2005 here, which, scandalously, costs 100 dollars [hmm, the dollar sign killed the rest of the comment]. Thankfully, the mathematical details seem to all be contained in section 6 and appendix D of the NIST document. That appendix, in particular, contains lots of specific elliptic curves and ‘magic numbers’.

It would be great if someone could analyse these and if there are any suspicious features, write it up and plonk it on the arXiv or similar. Or better, in the comments section here :-)

Dave Tweed wrote:

The text goes … to statements about how much people who have decided to work at the NSA have their privacy dramatically reduced in order for the NSA to gain confidence about their reliability. I dont see why the fact that an entity (in this case its employees) deciding to submit itself to some severe constraint in an area X has any relevance to the legitimacy of it imposing weaker constraints in area X upon other people. (The standard example is if Im on a low-calorie diet, even if for a good reason for me, that doesnt have any relationship to whether I should be able to determine things about what you eat.)

An important question here is, how much choice employees had when giving up big parts of their privacy (please see also this comment), last but not least this is also a question about working conditions. Like pop stars usually also have to give up big parts of their privacy, however they have eventually more means to compensate for that loss (?). So even if due to “professionality” there should be a distinction between the different “rights for privacy”, there may still be psychological factors play a role.

I do think that the aspects of working conditions, moral and judicial inner conflicts of employees in secret services and similar institutions (that could include some companies) should have more a chance to be voiced.

I had mentioned the following already in a comment on the german blog Netzpolitik, and others had said similar, but may be it should be repeated more often - it could make sense to think about a kind of court together with security options for whistleblowers, similar to the International Criminal Court. Not all whistleblowing is good, the overall damage might be vastly bigger than the overall benefits, this seems to be a case by case decision. The current institutions seem not prepared for such cases. In particular it seems that even mass surveillance is not seen as Crimes against humanity, moreover I am not sure how well the International Criminal Courts is able to protect people who point out such crimes (i.e. whistleblowers of crimes against humanity).

According to the BBC, GCHQ is now in some kind of partnership to run master’s degrees in “cyber security” at several UK universities: Edinburgh Napier ($\neq$ Edinburgh), Lancaster, Oxford, and Royal Holloway (London). The story says very little about what these courses will consist of or how GCHQ is involved, and doesn’t contain any links to further information about the degrees.

The September issue of the Notices contains an article by famous NSA whistleblower William Binney. Binney was a senior cryptanalyst at the NSA up until October 2001, when he quit because of what he saw as the NSA’s unconstitutional and unethical surveillance of American citizens.

Eric Hobsbawm, is a famous historian, and his book ‘The age of extremes’ is his personal vision of the (short) 20C. In the final chapter ‘towards the new millenium’ he wrote:

“Nevertheless, some features of the global political landscape stood out. The first, as already noted, was the weakening of the nation-state…[by] losing its monolpoly on effective power and historic privileges within its own borders…

…[however] these developments did not make the state either redundant or ineffective. Indeed, in some respects its capacity to monitor and control the affairs of its citizens was reinforced by technology, since virtually all their financial and administrative transactions (other than small cash payments) were now likely to be recorded by computer, and all their communications (except for most face-to-face conversations in the open air) could now be intercepted and recorded”.

Hobsbawm, was writing in 1994: so quite prescient really.