Just as investigative reporter Glenn Greenwald's book No Place To Hide, about whistleblower Edward Snowden and the National Security Agency, went on sale, two organizations took steps to restrain the online surveillance that came to light through reporting by Greenwald and others.
In the United Kingdom on Tuesday, advocacy group Privacy International filed a legal complaint seeking an end to unlawful hacking conducted under the auspices of GCHQ, the UK intelligence agency, and its US counterpart, the NSA. The lawsuit accuses the agencies of implanting malicious software on desktop and mobile devices to further intelligence gathering.
"The hacking programs being undertaken by GCHQ are the modern equivalent of the government entering your house, rummaging through your filing cabinets, diaries, journals, and correspondence, before planting bugs in every room you enter," said Eric King, deputy director of Privacy International, in a statement. "Intelligence agencies can do all this without you even knowing about it, and can invade the privacy of anyone around the world with a few clicks."
[Learn more about Greenwald's revelations in "No Place To Hide." See NSA Reportedly Adds Backdoors To US-Made Routers.]
Unchecked government spying of this sort, King asserted, is inconsistent with the rule of law and must be reined in. The complaint, the first to challenge government hacking by intelligence services in the UK, argues that GCHQ and the NSA have no legal authority to conduct hacking operations that would land individuals in jail, and that the agencies must stop immediately.
An example of the behavior in question surfaced on Monday. In advance of the publication of Greenwald's book, The Guardian published an article by Greenwald citing a June 2010 NSA report that reveals the agency regularly intercepts routers being exported from the US to implant backdoor surveillance tools prior to delivery.
In 2012, the US House Intelligence Committee advised against doing business with Chinese telecom equipment maker Huawei over fears the firm might allow the Chinese military to compromise its equipment. Evidently, national intelligence services do not need ties to network equipment makers to compromise networking gear; all they need is access to shipments.
The second organization to take action on Tuesday was the Internet Engineering Task Force, an international group of network designers, operators, vendors, and researchers. The group published a best practices document declaring, "Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible."
"Pervasive monitoring" refers to indiscriminate, large-scale gathering of application content and metadata, the very activities carried out on the Internet by intelligence agencies. In short, the IETF intends to take steps to restore online privacy by requiring that future Internet specifications consider the impact of pervasive monitoring and justify design decisions related to this "attack."
Last week in Washington, D.C., the USA Freedom Act, a legislative attempt to address NSA data collection, got a new lease on life when Republican Bob Goodlatte of Virginia, chairman of the House judiciary committee, decided to support the bill. This makes it likely there will be a vote on the bill in the House of Representatives.
Cyber-criminals wielding advanced persistent threats have plenty of innovative techniques to evade network and endpoint defenses. It's scary stuff, and ignorance is definitely not bliss. How to fight back? Think security that's distributed, stratified, and adaptive. Read our Advanced Attacks Demand New Defenses report today. (Free registration required.)