You might argue that the NSA and other intelligence agencies simply need to tighten their security procedures to make it harder for insiders to repeat Snowden’s hack. That’s what they’re vowing to do now. Gen. Keith Alexander, the NSA’s director, has said the agency will institute a “two-man rule,” which would require two IT people to sign into secure systems in order to gain access to sensitive information. This is a reasonable measure but hardly a foolproof one. The NSA has 1,000 system administrators working on its tech infrastructure. If they vetted those guys as thoroughly as they did Snowden—i.e., not very well—then isn’t it plausible that there may be some who are working in pairs? OK, but what if they go back and re-vet their workers, scouring their histories for the sort of warning signs that might have tipped them off to Snowden (his professed distaste for the surveillance state, for instance)? Well, that might tip them off to the white hats, but the black hats aren’t going to be posting screeds online. They’re going to be clean as a whistle.
Maybe you think I’m being paranoid, or that I’m not considering all of the mitigating factors in the Snowden story. For one thing, while we know that Snowden could access court documents and presentations outlining surveillance systems, it’s still not clear that he had access to actual wiretapping intelligence itself. In an online chat with the Guardian, he reiterated his claim that, as an NSA systems administrator, he had the power to wiretap “anyone.” He suggested that while there are policies against doing so, there aren’t technical limits on wiretapping, and that even the policies—such as audit trails to monitor who is looking at what—are easily circumvented. But other evidence suggests he’s exaggerating. Large tech companies claim that the government did not have a mirror of their data and needed specific legal clearance to get information on their customers; if that was the case, it’s difficult to square with Snowden’s claim that he could have monitored federal judges or the president.
On the other hand, so what if I’m being paranoid? When so much information is at stake, and when the agencies charged with protecting it let their deepest secrets escape, paranoia seems to be the most reasonable stance. The Internet age has taught us that the only way to keep private information private is to keep it out of databases that are beyond our control. That’s the advice I always give readers about their most banal details: If you don’t want your boss to find out about your beer pong championship, don’t put that photo of the crowning ceremony online. Even if you post it under tight privacy settings, it can get out to a wider audience. When you make your data accessible, searchable, and sharable for your own purposes, the best assumption is the worst-case scenario—that it’s one step away from being accessible, searchable, and sharable for everyone. You should be paranoid about your data. To be anything but paranoid is to be careless.
That’s the fundamental problem with the NSA’s surveillance program. As a matter of course, the government is now collecting and saving our call records, and it might also have deep access into other electronic communications. It assures us that it has policies in place to prevent the misuse or distribution of this information. But if the information is valuable enough, lots of people have an incentive to get at it, and all it takes is one successful attack—after that, copies of the data could be distributed everywhere, instantly. Thus, even if the government is just collecting telephone metadata and isn’t reviewing it, you should be concerned. Someone has access to that data, and that someone might not be as noble as Snowden. He could post everything online. He could sell it to identity thieves. He could blackmail you. Or he might blackmail politicians, businesspeople, judges, TSA agents, or use the data in some other nefarious way.
Is this way over the top? Am I wandering into the realm of fantasy? Should I stop cooking up such outlandish scenarios? Yeah, maybe. But a just-turned-30-year-old has stolen the nation’s most secret documents and is now hiding out in Putin’s Russia. There’s really no other choice than to be worried.