NSA Dragnet Debacle: What It Means To IT - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Healthcare // Analytics
Commentary
6/7/2013
01:26 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

NSA Dragnet Debacle: What It Means To IT

PRISM shows companies can't assume their data is safe in the hands of commercial providers.

New York's 32-Story Data 'Fortress'
New York's 32-Story Data 'Fortress'
(click image for slideshow)
Director of National Intelligence James Clapper confirmed Thursday that the U.S. government has been secretly collecting information since 2007, exploiting backdoor access to the systems and data of major Internet and tech companies in search of national security threats. That NSA dragnet, revealed by The Washington Post and The Guardian and code-named PRISM, reportedly taps into user data from Facebook, Google, Apple and other U.S.-based companies. (Those providers have mostly denied that the NSA has such backdoor access.)

If news of the NSA dragnet is true -- and it's hard to believe at this point that it's not -- it's hard to justify combing through all of the providers' data and records without a specific due process. One contributor to Forbes.com, a fellow at the Adam Smith Institute in London, thinks it's a capital idea: "This is in fact what governments are supposed to do, so I'm at something of a loss in understanding why people seem to be getting so outraged about it."

I strongly disagree. While Clapper's release states that surveillance is "subject to oversight by the Foreign Intelligence Surveillance Court, the Executive Branch and Congress" and must be "specifically approved by the court to ensure that only non-U.S. persons outside the U.S. are targeted," the release also acknowledges that information about U.S. persons could be acquired in this dragnet. The release states that such acquisition, retention and dissemination of "incidental" findings about citizens will be minimized, but surely there are other, more nuanced ways to catch bad guys.

[ Find out how consumers are driving the government's video surveillance capabilities. Read What's Next In Video Surveillance. ]

Some sources also say that Americans were targeted. It's hard to know what the truth is.

In any case, we need to be extraordinarily careful of using surveillance technology in a way that ever starts to put ordinary, law-abiding citizens under the microscope, even "incidentally" or "minimally." There should always be probable cause and a precise investigation, not broad, sweeping data collection. There is always a tension and balance between liberty and security. This type of broad data collection is unbalanced and has a huge potential for abuse; it feels like a police state.

The NSA operation isn't only bad for personal freedom, it's also bad for business. What foreign company will want to do business in the U.S. if it's our government's acknowledged practice that it performs warrantless collection of the data stored in the cloud by major U.S. companies in order to combat non-specific threats? If I worked for a foreign company, I'd also suspect nationalized corporate espionage as part of the U.S. government effort.

And if you work for a multinational corporation, you're going to have to think seriously about how a provider might be disclosing your data to the U.S. government. While the disclosure thus far seems limited to consumer companies (AOL, Google, Yahoo, Skype, Facebook, Apple), that's only what we know now. It's not much of a leap to assume that the feds are also monitoring enterprise cloud providers. And the NSA trumps contractual obligations every time.

The NSA operation also calls into question the cloud computing movement -- because where there's scale and centralization, there's a far easier ability to monitor. It's much harder to monitor many small providers and thousands of businesses with on-premises computing.

Global CIO
Global CIOs: A Site Just For You
Visit InformationWeek's Global CIO -- our online community and information resource for CIOs operating in the global economy.

Another key takeaway for enterprise IT leadership: You better make sure that your data is encrypted when it leaves your premises. The paranoid among us might note that the Patriot Act, which gave U.S. law enforcement far-reaching powers, was signed into law in October 2001, and then the Advanced Encryption Standard was announced in November 2001 -- an eerie timing coincidence. However, AES, based on the work of Belgian researchers, has been publicly inspected globally and is considered technically sound.

But will the software itself be flawed? Would the U.S. government go so far as to coerce independent software vendors to install backdoors? In a country where officials can search your laptop at the border based on a "hunch," and where law enforcement can sample your DNA whenever you're arrested, and where the Patriot Act and Digital Millennium Copyright Act are allowed to stand, why would you be surprised by this dragnet or any further revelations?

My final business technology takeaway: The lack of clear boundaries on government surveillance should be a major motivation to use open source software for security and encryption. While the very largest multinational corporations have the buying power to make sure that proprietary software vendors don't allow a third party to inspect their source code for flaws and backdoors, smaller enterprises don't have such clout or finances. Proprietary software has better feature sets, but until the U.S. government regains the trust of citizens and businesses alike, better to ensure that the encryption software you use hasn't been tampered with.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Michael Endler
50%
50%
Michael Endler,
User Rank: Author
6/12/2013 | 8:55:03 PM
re: NSA Dragnet Debacle: What It Means To IT
A good analysis. It's dispiriting that the government's surveillance has been confirmed in this manner-- but is it really surprising? As Andrew suggests, it's a bit unnerving that so much data is being collected, but the point about tax dollars puts the dragnet into perspective.

I don't think that makes it okay--but it makes me less concerned about being personally targeted than about (again, to follow Andrew) the dynamic between citizens and government. Things were already pretty bad; the far right has decided that "facts" matter less than "principles" and "faith," and the left hasn't held the Obama administration accountable for its failings (e.g. why has President Obama forgotten how much Candidate Obama talked about transparency? Would Candidate Obama have taken such a unilaterally harsh stance on whistle blowers?). These conditions, among others, had already polarized rhetoric and neutered Congressional efficacy.

Now, you have to wonder if there's any reversing the widespread disillusionment this will cause. The President points out that Congress has been briefed on this program-- but that's not nearly good enough, and he knows it. Perhaps the realities of a digital, post-9/11 world demand that certain assumptions and entitlements be discussed-- but that discussion never really happened. Never in my life have I seen such a huge gulf between Americans' collective perception of a law and what the law actually does. And that's not okay.

Effective democracy only works when there can be informed debate. I appreciate that national security must be maintained, and that means the government has to keep certain secrets. But I have to believe we could have, as a society, had some conversation about giving up privacy that would also have allowed the government to keep its methods and strategies under wraps. Instead of doing that, we rushed the Patriot Act into law. As a result, whenever the government doesn't feel like having a debate, it can point to "national security" and refuse to admit anything, let alone divulge additional details.

I don't think it's surprising that the government runs a program like this. To be honest, I'm not even sure how I feel about the way the data is being used, now that they have it. I just think it's discouraging that the government didn't have to have a conversation - let alone break any clear laws - to get this far.

Michael Endler
InformationWeek Associate Editor
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Slideshows
11 Things IT Professionals Wish They Knew Earlier in Their Careers
Lisa Morgan, Freelance Writer,  4/6/2021
News
Time to Shift Your Job Search Out of Neutral
Jessica Davis, Senior Editor, Enterprise Apps,  3/31/2021
Commentary
Does Identity Hinder Hybrid-Cloud and Multi-Cloud Adoption?
Joao-Pierre S. Ruth, Senior Writer,  4/1/2021
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Successful Strategies for Digital Transformation
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Slideshows
Flash Poll