A little over a week ago, it became known that Verizon was surrendering data on all telephony traffic over its networks to U.S. security agencies. A day later, a young U.S. intelligence operative – a rare and anomalous “patriotic traitor” – leaked the details of a top secret U.S. Government global digital surveillance and data mining program built on access to the rich and almost-endless data reservoirs of leading American Internet companies (PRISM).
This morning, Bloomberg reported (link) that “Thousands of technology, finance and manufacturing companies are working closely with U.S. national security agencies, providing sensitive information…” ranging from advance notice of “zero-day exploit” flaws in software and other vulnerabilities, to hardware and software specifications of gear shipped overseas, to metadata from individual devices. Further, as Bloomberg reports, “some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge’s order if it were done in the U.S.”
Among other things, the existence of such programs calls into question the purpose of the much ballyhooed Cyber Intelligence Sharing and Protection Act (CISPA), introduced in the House of Representatives in 2011, which would allow for the sharing of vulnerability information between the U.S. government and technology and manufacturing companies to help the U.S. government investigate cyber threats and ensure the security of networks against cyberattacks. It seems that this is already happening in the absence of any statutory authority. (Aside: ironically, given the PRISM revelations and related news, the White House has in the past opposed CISPA because it “lacks confidentiality and civil liberties safeguards.”)
More importantly, what Bloomberg exposed today goes well beyond sharing of vulnerability information. Indeed, according to Bloomberg, “In some cases, the information gathered may be used not just to defend the nation but to help infiltrate computers of its adversaries.” This is certainly true in terms of zero-day vulnerabilities.
Consider the following excerpt from Gigaom’s reporting today (linked):

“Imagine you’re a government customer of Microsoft’s, in some country that isn’t the U.S. You’re already anxious over the PRISM scandal and its implications for data processed in the firm’s cloud. Now this: according to a Bloomberg report on Friday, when Microsoft finds a vulnerability in its software it informs U.S. intelligence agencies before its own customers.

So, in theory, apart from having advance notice to patch their own systems, those agencies could exploit that zero-day vulnerability to hack into your data, before Microsoft gives you a chance to patch the flaw. And it’s not just Microsoft. According to the report, “thousands of [U.S.] technology, finance and manufacturing firms” are closely aligned with American national security agencies.”
Equally concerning, or more so from an individual perspective, is the metadata collected from compromised U.S. hardware vendors under another recently unveiled U.S. Government program code-named “Blarney.” While it remains unclear to what extent Blarney relies on the “backbone hacking” referenced by PRISM leaker Snowden and/or the “software and hardware specifications” that Bloomberg reports U.S. tech companies are sharing with security agencies, whatever the combination, the information gathered includes, per Bloomberg, “which version of the operating system, browser and Java software are being used on millions of devices around the world, information that U.S. spy agencies could use to infiltrate those computers or phones and spy on their users.”
To the extent such activities are truly extra-territorial, they are not subject to U.S. law, nor is any oversight or permission required by the Foreign Intelligence Surveillance Act or the FISA Court. Interestingly, per Bloomberg, “Most of the arrangements are so sensitive that only a handful of people in a company know of them, and they are sometimes brokered directly between chief executive officers and the heads of the U.S.’s major spy agencies.”
As for any potential violation of U.S. law or the privacy and liberties of American citizens, Bloomberg reports that “before they agreed to install the system on their networks, some of the five major Internet companies…asked for guarantees that they wouldn’t be held liable under U.S. wiretap laws. Those companies that asked received a letter signed by the U.S. attorney general…granting them immunity from civil lawsuits.”
In a related and somewhat heartening report, the New York Times detailed today (link) how Yahoo!, one of the companies named as part of the NSA’s PRISM data collection program, didn’t go quietly. The company was behind a 2008 FISA court challenge to fight a court order requiring the company to give data to the U.S. Government without a warrant. According to the Times, “the company argued that the order violated its users’ Fourth Amendment rights against unreasonable searches and seizures.” The court called that worry “overblown.” Yahoo! lost. While Yahoo! was not identified as the plaintiff at the time of the case, limited information about the case and its resolution was made partially public, putting other American Internet companies on notice that a legal challenge would likely be fruitless.
A week ago today, just as PRISM was being unveiled for the public, I posted my concern that PRISM might herald a fracturing of the Internet as non-U.S. customers – governments, enterprises and individuals – may well lose trust in American Internet incumbents and leaders (link to my June 7 post). Today’s additional information – claims that thousands of U.S. tech vendors are apparently engaged in voluntary information exchange with America’s spy agencies – amplifies my worry.
Indeed, Gigaom reported yesterday (link) that “a division of the Swedish government has prohibited government bodies from using Google Apps.” While the Swedish review predates the outing of PRISM, per Gigaom, “it’s fair to view the news as the latest proof point in the resistance to relying on shared infrastructure certain United States companies run because the U.S. government can access data.”
We will doubtless see more of this.
It is true that the Internet has ushered in a new era of, and architecture for, espionage and crime. And our Government is correct to take measures to ensure our national security and safety. The over-reaching that has been reported over the last week should be of concern to every American in terms of the potential – or very real – violation of their personal privacy and liberties. But we should also be concerned about the broader impact.
Notwithstanding that spies and criminals wield the Internet to their own ends, the benefits that the Internet has extended far eclipse such concerns, and so does the cost of sacrificing those benefits (and I’m not just talking about the devastating commercial impact that a global loss of trust might have on American Internet and tech companies, and, by extension, the broader U.S. economy).
The Internet – intrinsically global in nature by virtue of the globalization of information and communications technologies – has been a powerful force for the exchange of information, for freedom of speech, for democratic values. The fracturing, fragmentation or Balkanization of the Internet is in no-one’s long-term interest, including even the U.S. national security agencies whose overreach via PRISM and otherwise may well have backfired in terms of future access to global intelligence.