Snowden leaks lack context says security studies professor
Slideware is not a good place to start assessing an intelligence program says OMG Cyber! author Thomas Rid
With the wash-up from December's Snowden leaks still sloshing around the 'net, The Register decided to discuss how to interpret the leaked documents with Thomas Rid of King's College London.
In November, Rid (Professor of Security Studies) and colleague Robert Lee (currently undertaking his PhD at King's) published a piece looking at the hype surrounding the ongoing Snowden leaks, called OMG Cyber (in the RUSI Journal), a detailed examination of how hype creates bad policy.
In conversation with Vulture South, Rid said one reason hype takes over is that journalists are prone to ignoring the complex context in which each document leaked by Snowden exists.
It's more than just the fact that what hits the Internet is often a handful of slides from a 100-page presentation. There's also the organisational context to consider: the documents are written by individuals trying to put their work in the best light to their superiors (hoping, perhaps, for a promotion or to protect their project's budget); there's an inevitable mismatch in technical knowledge between the author and the target; and there's the limitation of PowerPoint as a communications medium.
“My co-author Rob Lee says 'the more senior you are in an organisation like this, the more PowerPoint is between the leaders and the people that actually do the technical work',” Rid said.
Even before a journalist or editor makes a decision about what to publish and what to withhold, there's a lot of mediation between what the author knows and what gets into the slides.
“That's a very important point that gets lost in the media coverage,” Rid said. “These slides were not intended for public: they were intended for people higher up in the organisation.”
This, he said, inevitably means that organisational politics has to be considered in trying to interpret what's revealed by a particular leak.
Another subtext, Rid said, is simpler: the documents often suggest that the NSA doesn't really have good internal communications.
“As a scholar – and the same applies to good journalists – I find it very hard to sift and spot what matters in the Snowden slides, because they're so out of context.
“The people who make the slides are not the same people as have the technical insights,” he said, and often the information seems to be inaccurate.
Unlike something that's intended for the public, he noted, “you can't just pick up the phone and ask someone to explain Slide Seven”.
“That leads to speculation, and there's a certain predisposition to assume that the NSA can do everything, and that they have very dark intentions. So I sense a degree of conspiracy theory in the coverage of the slides,” he added.
The fact-check conundrum
Fact checking before publication is also a problem. There's an unwillingness among journalists to seek comment too widely, for fear that the scoop will escape – and that can mean that apparent technical errors in a “Snowden document” will escape into news stories.
“Some stories are more inaccurate than others. The most recent story, as an example, the last release of files from Spiegel … that article was badly researched.
“A lot of people in the tech community were somewhat confused about the gross overstatements regarding SSL, TLS and HTTPS encryption,” Rid said.
(El Reg covered the Spiegel December release here.)
“Encryption by and large still works, and HTTPS is still better than not having it. There's no question about that at all,” he said.
“Humility should be the order of the day for everybody. The files cover such a vast spectrum of technical questions, you need many specialists to put that into context. Because someone knows about one area, doesn't mean they know the specifics of another area. You can't trust a single individual on every point,” he said.
“Journalism has to be honest about what you don't know.”
It's also hard to distinguish between what someone in a spy agency wants to achieve, what they want their superiors to believe they're close to achieving, and what has been achieved.
Rid offered an analogous example in the UK context: “Someone could leak files from the NHS, and those files said 'we are intending to cure cancer next year'. Everybody would be sceptical,” he said.
“When the NSA does the same thing, people say 'wow' they can do this! I don't know why we have the expectation that we have these superhero organisations.” ®