Healthcare // Analytics
Commentary
6/7/2013
01:26 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

NSA Dragnet Debacle: What It Means To IT

PRISM shows companies can't assume their data is safe in the hands of commercial providers.

New York's 32-Story Data 'Fortress'
New York's 32-Story Data 'Fortress'
(click image for slideshow)
Director of National Intelligence James Clapper confirmed Thursday that the U.S. government has been secretly collecting information since 2007, exploiting backdoor access to the systems and data of major Internet and tech companies in search of national security threats. That NSA dragnet, revealed by The Washington Post and The Guardian and code-named PRISM, reportedly taps into user data from Facebook, Google, Apple and other U.S.-based companies. (Those providers have mostly denied that the NSA has such backdoor access.)

If news of the NSA dragnet is true -- and it's hard to believe at this point that it's not -- it's hard to justify combing through all of the providers' data and records without a specific due process. One contributor to Forbes.com, a fellow at the Adam Smith Institute in London, thinks it's a capital idea: "This is in fact what governments are supposed to do, so I'm at something of a loss in understanding why people seem to be getting so outraged about it."

I strongly disagree. While Clapper's release states that surveillance is "subject to oversight by the Foreign Intelligence Surveillance Court, the Executive Branch and Congress" and must be "specifically approved by the court to ensure that only non-U.S. persons outside the U.S. are targeted," the release also acknowledges that information about U.S. persons could be acquired in this dragnet. The release states that such acquisition, retention and dissemination of "incidental" findings about citizens will be minimized, but surely there are other, more nuanced ways to catch bad guys.

[ Find out how consumers are driving the government's video surveillance capabilities. Read What's Next In Video Surveillance. ]

Some sources also say that Americans were targeted. It's hard to know what the truth is.

In any case, we need to be extraordinarily careful of using surveillance technology in a way that ever starts to put ordinary, law-abiding citizens under the microscope, even "incidentally" or "minimally." There should always be probable cause and a precise investigation, not broad, sweeping data collection. There is always a tension and balance between liberty and security. This type of broad data collection is unbalanced and has a huge potential for abuse; it feels like a police state.

The NSA operation isn't only bad for personal freedom, it's also bad for business. What foreign company will want to do business in the U.S. if it's our government's acknowledged practice that it performs warrantless collection of the data stored in the cloud by major U.S. companies in order to combat non-specific threats? If I worked for a foreign company, I'd also suspect nationalized corporate espionage as part of the U.S. government effort.

And if you work for a multinational corporation, you're going to have to think seriously about how a provider might be disclosing your data to the U.S. government. While the disclosure thus far seems limited to consumer companies (AOL, Google, Yahoo, Skype, Facebook, Apple), that's only what we know now. It's not much of a leap to assume that the feds are also monitoring enterprise cloud providers. And the NSA trumps contractual obligations every time.

The NSA operation also calls into question the cloud computing movement -- because where there's scale and centralization, there's a far easier ability to monitor. It's much harder to monitor many small providers and thousands of businesses with on-premises computing.

Global CIO
Global CIOs: A Site Just For You
Visit InformationWeek's Global CIO -- our online community and information resource for CIOs operating in the global economy.

Another key takeaway for enterprise IT leadership: You better make sure that your data is encrypted when it leaves your premises. The paranoid among us might note that the Patriot Act, which gave U.S. law enforcement far-reaching powers, was signed into law in October 2001, and then the Advanced Encryption Standard was announced in November 2001 -- an eerie timing coincidence. However, AES, based on the work of Belgian researchers, has been publicly inspected globally and is considered technically sound.

But will the software itself be flawed? Would the U.S. government go so far as to coerce independent software vendors to install backdoors? In a country where officials can search your laptop at the border based on a "hunch," and where law enforcement can sample your DNA whenever you're arrested, and where the Patriot Act and Digital Millennium Copyright Act are allowed to stand, why would you be surprised by this dragnet or any further revelations?

My final business technology takeaway: The lack of clear boundaries on government surveillance should be a major motivation to use open source software for security and encryption. While the very largest multinational corporations have the buying power to make sure that proprietary software vendors don't allow a third party to inspect their source code for flaws and backdoors, smaller enterprises don't have such clout or finances. Proprietary software has better feature sets, but until the U.S. government regains the trust of citizens and businesses alike, better to ensure that the encryption software you use hasn't been tampered with.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
JoeBlowZCUI
50%
50%
JoeBlowZCUI,
User Rank: Apprentice
6/7/2013 | 6:29:19 PM
re: NSA Dragnet Debacle: What It Means To IT
I agree with this editorial kudos to the writer.

I don't care if you're a lefty or a righty. This is a level of government surveillance unseen in the history of the world. A vast majority of Americans are having their cell phone use monitored. A vast majority of the the world's internet users are being monitored.
.
Americans should be in the streets. And every globally concerned citizenGÇöregardless of nationalityGÇöshould be contacting their representatives to complain to their representatives about this highly unethical and secretive global surveillance.
.
I believe this behavior should be considered a crime against humanity. It is a violation of basic human decency, and is obscene. Heads should roll.
<<   <   Page 2 / 2
Big Love for Big Data? The Remedy for Healthcare Quality Improvements
Big Love for Big Data? The Remedy for Healthcare Quality Improvements
Healthcare data is nothing new, but yet, why do healthcare improvements from quantifiable data seem almost rare today? Healthcare administrators have a wealth of data accessible to them but aren't sure how much of that data is usable or even correct.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July10, 2014
When selecting servers to support analytics, consider data center capacity, storage, and computational intensity.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join InformationWeek’s Lorna Garey and Mike Healey, president of Yeoman Technology Group, an engineering and research firm focused on maximizing technology investments, to discuss the right way to go digital.
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.