While we are playing cat-and-mouse with our own government, why don't we also make the NSA's activities illegal and/or enforce existing laws which already state as much?
Articles like these presume that it is OK for the government to access whatever it can technically get its hands on, in spite of Constitutional constraints and laws that do or should state otherwise.
Recognizing the reality that a powerful entity will seize whatever power or advantage it can find is not a value judgment that that conduct is OK. I'm not clear on how you inferred such an endorsement from statements that people are going to resist by technical means.
"[W]hy don't we also make the NSA's activities illegal and/or enforce existing laws which already state as much?"
Who is "we" in your proposal? The people of the society? Some percentage don't mind the snooping - they think it is protecting us from terrorism. Another percentage object, and a third subset have little idea of what's going on.
Maybe you imagine there is some approximation of democracy in the US. Why do you think so? How well do you think the legislators represent the interests of citizens? How many viable parties compete for votes? Can you even verify that the announced election results have any definite relation to the votes cast at electronic machines?
Some elements in Congress have tried regulating the surveillance apparatus, at least since the Church committee in the 1970s. Obviously the effort has not succeeded, and I'm not perceiving much prospect of improvement on that front.
The only realistic avenue to improving privacy and digital security is some combination of (a) securing endpoint systems, (b) an open-standard, no-back-door solution for pervasive encryption of data in transit, and (c) services that somehow offer secure communications hubs without the operators having to shut down, sell out or be imprisoned.
These guys are working on (b), and I applaud their efforts.
>...not a value judgment that that conduct is OK. I'm not clear on how you inferred such an endorsement from statements that people are going to resist by technical means.
By "OK", I don't mean that you agree with it. I mean that by assuming the posture that you are going to focus on defending yourself technically, you are effectively ceding that the government has the right to access whatever it can. You're telling the government that it's OK to get whatever you are unable to protect. It is absolutely the wrong posture and it's what the NSA wants.
>Who is "we" in your proposal? The people of the society?
Yes. Exactly. Who else would "we" be? What does it matter that some don't get it yet when there is some group that finds it objectionable and contrary to our fundamental rights? I mean, it's really a strange position to take when you think of it. If the government was coming after you with tanks and guns, would you go buy a shotgun and stronger locks for your doors? Or would you spread the word and work to check the government per the laws of the land?
So, how about a grassroots campaign to change the public perception landscape?
>Maybe you imagine there is some approximation of democracy in the US.
An approximation of democracy is exactly what I think we have. Listen, you're preaching to the choir on the whole "our democracy is broken" thing. But, to the extent that there's anything left or any way back, fixing this democracy is our only hope. Again: grassroots.
It boggles my mind that the response is to cede everything--broken democracy, surveillance state, etc.--then just dig in to prepare to defend oneself from his/her government. If you actually believe that you can defend yourself from government lawlessness, then you ought to believe that you can play a role in fixing the government.
>Some elements in Congress have tried regulating the surveillance apparatus...I'm not perceiving much prospect of improvement on that front.
And, how long have we been patching zero-day exploits, fending off viruses, etc.? Why are you so confident that you are capable of defending yourself from a determined government with unlimited resources?
>The only realistic avenue to improving privacy and digital security is some combination of [technical solutions].
I am not advocating that we don't take prudent, precautionary technical measures. Of course we should. I'm saying that they should be secondary and we must lead with legal measures to have any hope of reclaiming our rights and putting an end to this. All of the things you listed sound great. But, in truth, we know that there are exploits and vulnerabilities everywhere. Ironically, as technologists, we want to believe in technical solutions. At the same time, we also know better than anyone that a determined adversary will find a way to pwn us.
For instance, all of your technical "solutions" rely on an up-to-date OS with no zero-day vulnerability, perfect non-exploitable endpoint software, and even full knowledge of our hardware stack, firmware, etc.
In general, what you propose is exactly what the NSA would want. And, you will lose. If you are fortunate enough to even know when you've been pwned, you'll patch things up until the next time. You'll just play cat-and-mouse while your information floats away. Then, at some point, you will say "Wait, this is what we normally do to defend ourselves against criminals. Why am I having to do this to defend against my own government?"
At that point, you will realize that this is first and foremost a legal problem. Only then will you demand what I am advocating right now.
Do you really believe that it is wise to treat our government as a virus writer and put ourselves in the position of antivirus software writers? Do you want them in the exploit business while we, the citizenry, resolve to simply apply patches? Do you really want them to have legal carte blanche to use their unlimited resources (including your own tax dollars) to do as they please, then scurry off to try to erect some defense against whatever you think they are doing next?
When the NSA approaches Google, I want Google's General Counsel to deny the request with solid legal standing. Likewise with backbone providers and on down the line.
We are either a nation of laws or we're not. Our government is either beholden to those laws or they are not. Had we the proper laws and commitment to our Constitution, then Snowden's revelations would have resulted in trials and prosecutions. Instead, too many seem to be ceding to the government the right to surveil its citizens with impunity, and are instead focusing on technical defenses against their own government.
It's lunacy, and if the primary emphasis is not on legal redress, then we have already lost.
In case you didn't get the news, the NSA already does not bother to approach Google. They just install secret taps on Google's private lines between data centres, and siphon off all the replication traffic.
The NSA is a rogue agency that does not respect laws (or reinterprets them as they see fit). Going through the legal process to shut it down is certainly worthwhile, as is throwing its criminal elements in jail, particularly those that are happy to lie in Congress.
However, the reality is that a rogue agency can evolve in the dark corners of the government, and that therefore it is likely that it will happen again. And even if it never happens in the US again, there are other countries out there, you know?
A strong technological solution that makes large-scale snooping impractical is a sine-qua-non no matter what happens on the legal side.
>In case you didn't get the news, the NSA already does not bother to approach Google...
I got the news. They approach Google AND they plug into private lines. The latter case is what I referred to when I mentioned "backbone" providers. Again, I want any private entity to have legal standing to refuse NSA requests.
>The NSA is a rogue agency that does not respect laws (or reinterprets them as they see fit)
I agree that if an agency goes rogue, then laws are only retroactive. That is, laws provide a penalty that is triggered only after an offense has occurred. But, clear (i.e. not ambiguous) laws with clear penalties can be a powerful deterrent. Whistle-blowers like Snowden are then empowered to stop abuses and illegal activity. They are automatically branded as heroes instead of traitors who must flee the country or worry for their safety. As it is, the good guys like Snowden are being put on the wrong side of the law and vice-versa. This must change.
>However, the reality is that a rogue agency can evolve in the dark corners of the government, and that therefore it is likely that it will happen again.
That's true and always has been. But, we don't just say "well, laws will be broken, so let's not bother having them". It's really the entire point: to prescribe what is acceptable behavior and provide penalties for violations.
>A strong technological solution that makes large-scale snooping impractical is a sine-qua-non no matter what happens on the legal side.
We actually agree to some extent. I don't advocate that we not implement technical measures. Where we depart is on priority. The wording of your last sentence signals this departure. I would flip "technical solution" with "legal side".
Ultimately, if the emphasis is on technical solutions, then we will all be pwned with impunity. Period. Are you going to write your own firmware? Manufacture your own chips? Are you going to personally write all of the security and other endpoint software in your stack, including the OS? Even if you did, would you be able to guarantee zero vulnerabilities in your own code?
Checking rogue agencies, providing more oversight and enforcing clear laws are the only way out. Technological solutions are but a backstop that we hope will provide us with some defense in the event that a rogue agency goes undetected for some period.
I agree with your response on the whole, but one point is worth quibbling with:
> I got the news. They approach Google AND they plug into private lines. The latter case is what I referred to when I mentioned "backbone" providers.
As far as I understand, these were not lines provided by "backbone providers". These were private lines laid and paid for and owned by Google. There was no third party who bent - Google got pwned directly, in secret, with impunity.