NSA Dragnet Debacle: What It Means To IT - InformationWeek


PRISM shows companies can't assume their data is safe in the hands of commercial providers.

Director of National Intelligence James Clapper confirmed Thursday that the U.S. government has been secretly collecting information since 2007, exploiting backdoor access to the systems and data of major Internet and tech companies in search of national security threats. That NSA dragnet, revealed by The Washington Post and The Guardian and code-named PRISM, reportedly taps into user data from Facebook, Google, Apple and other U.S.-based companies. (Those providers have mostly denied that the NSA has such backdoor access.)

If news of the NSA dragnet is true -- and it's hard to believe at this point that it's not -- it's hard to justify combing through all of the providers' data and records without a specific due process. One contributor to Forbes.com, a fellow at the Adam Smith Institute in London, thinks it's a capital idea: "This is in fact what governments are supposed to do, so I'm at something of a loss in understanding why people seem to be getting so outraged about it."

I strongly disagree. While Clapper's release states that surveillance is "subject to oversight by the Foreign Intelligence Surveillance Court, the Executive Branch and Congress" and must be "specifically approved by the court to ensure that only non-U.S. persons outside the U.S. are targeted," the release also acknowledges that information about U.S. persons could be acquired in this dragnet. The release states that such acquisition, retention and dissemination of "incidental" findings about citizens will be minimized, but surely there are other, more nuanced ways to catch bad guys.


Some sources also say that Americans were targeted. It's hard to know what the truth is.

In any case, we need to be extraordinarily careful of using surveillance technology in a way that ever starts to put ordinary, law-abiding citizens under the microscope, even "incidentally" or "minimally." There should always be probable cause and a precise investigation, not broad, sweeping data collection. There is always a tension and balance between liberty and security. This type of broad data collection is unbalanced and has a huge potential for abuse; it feels like a police state.

The NSA operation isn't only bad for personal freedom, it's also bad for business. What foreign company will want to do business in the U.S. if it's our government's acknowledged practice that it performs warrantless collection of the data stored in the cloud by major U.S. companies in order to combat non-specific threats? If I worked for a foreign company, I'd also suspect nationalized corporate espionage as part of the U.S. government effort.

And if you work for a multinational corporation, you're going to have to think seriously about how a provider might be disclosing your data to the U.S. government. While the disclosure thus far seems limited to consumer companies (AOL, Google, Yahoo, Skype, Facebook, Apple), that's only what we know now. It's not much of a leap to assume that the feds are also monitoring enterprise cloud providers. And the NSA trumps contractual obligations every time.

The NSA operation also calls into question the cloud computing movement -- because where there's scale and centralization, there's a far easier ability to monitor. It's much harder to monitor many small providers and thousands of businesses with on-premises computing.


Another key takeaway for enterprise IT leadership: You had better make sure that your data is encrypted before it leaves your premises. The paranoid among us might note that the Patriot Act, which gave U.S. law enforcement far-reaching powers, was signed into law in October 2001, and that the Advanced Encryption Standard was announced in November 2001 -- an eerie coincidence of timing. However, AES, based on the work of Belgian researchers, has been publicly inspected worldwide and is considered technically sound.
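As an added example (not code from the article), here is what "encrypted before it leaves your premises" looks like in practice: client-side AES-256-GCM using only Go's standard library, so the provider stores ciphertext it cannot read, and the authentication tag catches any alteration of the stored object. The 32-byte key is assumed to be generated and kept on premises (an HSM or internal key service); key management is outside this snippet, and the sample record and object name are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Seal encrypts plaintext under a 32-byte key with AES-256-GCM and binds
// associated (for instance the object name the blob will be stored under)
// into the authentication tag. Output layout: nonce || ciphertext || tag.
// This blob is the only thing that should ever be handed to the provider.
func Seal(key, plaintext, associated []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per object; reusing a nonce under one key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, associated), nil
}

// Open reverses Seal. A flipped bit anywhere in the blob, or a different
// object name in associated, fails authentication and returns an error
// rather than silently corrupted plaintext.
func Open(key, blob, associated []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, associated)
}

func main() {
	// Constructed demo key and record; a real key would come from an on-premises key service.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	objectName := []byte("hr/payroll-export.csv")
	blob, err := Seal(key, []byte("employee,salary\nalice,100000\n"), objectName)
	if err != nil {
		panic(err)
	}
	fmt.Printf("storing %d bytes of ciphertext as %s\n", len(blob), objectName)

	// Simulate the stored object being altered: authentication now fails.
	blob[len(blob)-1] ^= 0x01
	if _, err := Open(key, blob, objectName); err != nil {
		fmt.Println("tamper detected:", err)
	}
}
```

The point of binding the object name as associated data is that a provider (or anyone with access to its storage) cannot quietly swap one encrypted object for another of the same tenant: the swap fails authentication on decryption.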

But will the software itself be flawed? Would the U.S. government go so far as to coerce independent software vendors to install backdoors? In a country where officials can search your laptop at the border based on a "hunch," and where law enforcement can sample your DNA whenever you're arrested, and where the Patriot Act and Digital Millennium Copyright Act are allowed to stand, why would you be surprised by this dragnet or any further revelations?

My final business technology takeaway: The lack of clear boundaries on government surveillance should be a major motivation to use open source software for security and encryption. While the very largest multinational corporations have the buying power to make sure that proprietary software vendors don't allow a third party to inspect their source code for flaws and backdoors, smaller enterprises don't have such clout or finances. Proprietary software has better feature sets, but until the U.S. government regains the trust of citizens and businesses alike, better to ensure that the encryption software you use hasn't been tampered with.
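One concrete piece of "make sure it hasn't been tampered with" that an enterprise of any size can do is to verify a downloaded release against the SHA-256 checksums the project publishes, instead of trusting whatever a mirror or CDN happened to serve. The Go program below is an added example, not code from the article or from any particular project; the checksum text and archive bytes are constructed inline for illustration.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// ParseSums reads the "<sha256-hex>  <filename>" lines that projects publish
// alongside their release archives (the format sha256sum(1) emits). A leading
// '*' on the filename, which marks binary mode, is stripped. Blank lines and
// '#' comments are ignored; any other malformed line is rejected outright,
// because a checksum file we cannot parse exactly is one we should not trust.
func ParseSums(text string) (map[string][]byte, error) {
	sums := make(map[string][]byte)
	sc := bufio.NewScanner(strings.NewReader(text))
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("line %d: expected '<digest> <file>', got %q", lineNo, line)
		}
		digest, err := hex.DecodeString(fields[0])
		if err != nil || len(digest) != sha256.Size {
			return nil, fmt.Errorf("line %d: %q is not a SHA-256 digest", lineNo, fields[0])
		}
		name := strings.TrimPrefix(fields[1], "*")
		if _, dup := sums[name]; dup {
			return nil, fmt.Errorf("line %d: duplicate entry for %s", lineNo, name)
		}
		sums[name] = digest
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return sums, nil
}

// VerifyArtifact hashes the downloaded bytes and compares them with the
// published digest for name. Digests are public, so a plain comparison is
// fine; the protection comes from the checksum file arriving through a
// channel you trust more than the download itself (and ideally being signed).
func VerifyArtifact(sums map[string][]byte, name string, artifact []byte) error {
	want, ok := sums[name]
	if !ok {
		return fmt.Errorf("no published digest for %s", name)
	}
	got := sha256.Sum256(artifact)
	if !bytes.Equal(got[:], want) {
		return fmt.Errorf("%s: digest mismatch (got %x, want %x)", name, got[:], want)
	}
	return nil
}

func main() {
	// Constructed stand-in for a release archive and its matching SHA256SUMS file.
	archive := []byte("pretend this is crypto-tool-1.0.tar.gz")
	sum := sha256.Sum256(archive)
	sumsText := fmt.Sprintf("# release 1.0\n%x  crypto-tool-1.0.tar.gz\n", sum[:])

	sums, err := ParseSums(sumsText)
	if err != nil {
		panic(err)
	}
	fmt.Println("pristine:", VerifyArtifact(sums, "crypto-tool-1.0.tar.gz", archive))

	tampered := append([]byte(nil), archive...)
	tampered[0] ^= 0xff
	fmt.Println("tampered:", VerifyArtifact(sums, "crypto-tool-1.0.tar.gz", tampered))
}
```

A matching checksum proves only that you received what the publisher posted; it says nothing about whether the publisher's own build was clean, which is exactly why the column's argument for source you can inspect (and builds you can reproduce) still stands.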

Comment from Faye Kane, homeless brain (User Rank: Strategist), 6/26/2013 5:10:04 AM
re: NSA Dragnet Debacle: What It Means To IT
The other shoe already dropped, but everyone seems to be politely ignoring it.

When Bush started all of this, a technician revealed that massive-bandwidth fiber trunks were being tapped into in special rooms at all the phone and internet providers.

Then last year, a Wired article quoted a systems-designer/whistleblower as saying that every phone call, email, ATM transaction, HTML request, electronic toll booth use, and library book loan that anyone in the country does is being tape recorded and stored in the new NSA data center in Utah at the rate of petabytes per day.

THIS is the data made available through PRISM, which is just a GUI into the massive database. I guess some of it is cached on disk.

That triggered a Senate investigation at which Clapper famously lied about it going on. For some reason, everyone insists on talking about mere telephone billing records--something their realtime data collection can't get.

It was also revealed then that there was a back door in every cell phone firmware allowing the NSA to turn on the GPS and microphone remotely.

I myself had a job interview with a friend of a friend contractor in an Arlington bar about a job tuning up the heuristics of the ontological model for the software that reads every single email anyone sends. I would have worked at UM, where the software was developed and where I did graduate work in knowledge representation and natural language understanding. I said "what about encryption", and he said they can brute-force anything, and if they can't, then they know it's important and they'll let the big machine crunch on it until they do.

I'm sure he wasn't supposed to tell me that, but he was drunk, bragging, and wanted to get in my pants. I didn't get the job because my DOJ security clearance had expired and the FBI was backlogged with clearance checks after 9/11. They needed someone NOW, with an active clearance.

I told the Washington Post, but they couldn't officially believe it unless I worked on the project or had documents.

We also now know details of the massively-parallel "big machine", also in Utah. I calculated that with 100 of the Nvidia CUDA arrays available now at Amazon, they could generate every 12-character password using every keyboard character in 20 minutes.

It also came out then that the NSA position is that they're not "intercepting" your phone calls until a human actually plays back the recordings.

Obama's statement "nobody's listening to your phone calls" was carefully worded. He would have preferred to say "nobody's recording your phone calls".

Y'all really need to WISE UP, and stop believing whatever the he11 you prefer to believe.

-faye kane, girl brain