NSA Dragnet Debacle: What It Means To IT - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Healthcare // Analytics
01:26 PM
Connect Directly

NSA Dragnet Debacle: What It Means To IT

PRISM shows companies can't assume their data is safe in the hands of commercial providers.

New York's 32-Story Data 'Fortress'
New York's 32-Story Data 'Fortress'
(click image for slideshow)
Director of National Intelligence James Clapper confirmed Thursday that the U.S. government has been secretly collecting information since 2007, exploiting backdoor access to the systems and data of major Internet and tech companies in search of national security threats. That NSA dragnet, revealed by The Washington Post and The Guardian and code-named PRISM, reportedly taps into user data from Facebook, Google, Apple and other U.S.-based companies. (Those providers have mostly denied that the NSA has such backdoor access.)

If news of the NSA dragnet is true -- and it's hard to believe at this point that it's not -- it's hard to justify combing through all of the providers' data and records without a specific due process. One contributor to Forbes.com, a fellow at the Adam Smith Institute in London, thinks it's a capital idea: "This is in fact what governments are supposed to do, so I'm at something of a loss in understanding why people seem to be getting so outraged about it."

I strongly disagree. While Clapper's release states that surveillance is "subject to oversight by the Foreign Intelligence Surveillance Court, the Executive Branch and Congress" and must be "specifically approved by the court to ensure that only non-U.S. persons outside the U.S. are targeted," the release also acknowledges that information about U.S. persons could be acquired in this dragnet. The release states that such acquisition, retention and dissemination of "incidental" findings about citizens will be minimized, but surely there are other, more nuanced ways to catch bad guys.

[ Find out how consumers are driving the government's video surveillance capabilities. Read What's Next In Video Surveillance. ]

Some sources also say that Americans were targeted. It's hard to know what the truth is.

In any case, we need to be extraordinarily careful of using surveillance technology in a way that ever starts to put ordinary, law-abiding citizens under the microscope, even "incidentally" or "minimally." There should always be probable cause and a precise investigation, not broad, sweeping data collection. There is always a tension and balance between liberty and security. This type of broad data collection is unbalanced and has a huge potential for abuse; it feels like a police state.

The NSA operation isn't only bad for personal freedom, it's also bad for business. What foreign company will want to do business in the U.S. if it's our government's acknowledged practice that it performs warrantless collection of the data stored in the cloud by major U.S. companies in order to combat non-specific threats? If I worked for a foreign company, I'd also suspect nationalized corporate espionage as part of the U.S. government effort.

And if you work for a multinational corporation, you're going to have to think seriously about how a provider might be disclosing your data to the U.S. government. While the disclosure thus far seems limited to consumer companies (AOL, Google, Yahoo, Skype, Facebook, Apple), that's only what we know now. It's not much of a leap to assume that the feds are also monitoring enterprise cloud providers. And the NSA trumps contractual obligations every time.

The NSA operation also calls into question the cloud computing movement -- because where there's scale and centralization, there's a far easier ability to monitor. It's much harder to monitor many small providers and thousands of businesses with on-premises computing.

Global CIO
Global CIOs: A Site Just For You
Visit InformationWeek's Global CIO -- our online community and information resource for CIOs operating in the global economy.

Another key takeaway for enterprise IT leadership: You better make sure that your data is encrypted when it leaves your premises. The paranoid among us might note that the Patriot Act, which gave U.S. law enforcement far-reaching powers, was signed into law in October 2001, and then the Advanced Encryption Standard was announced in November 2001 -- an eerie timing coincidence. However, AES, based on the work of Belgian researchers, has been publicly inspected globally and is considered technically sound.

But will the software itself be flawed? Would the U.S. government go so far as to coerce independent software vendors to install backdoors? In a country where officials can search your laptop at the border based on a "hunch," and where law enforcement can sample your DNA whenever you're arrested, and where the Patriot Act and Digital Millennium Copyright Act are allowed to stand, why would you be surprised by this dragnet or any further revelations?

My final business technology takeaway: The lack of clear boundaries on government surveillance should be a major motivation to use open source software for security and encryption. While the very largest multinational corporations have the buying power to make sure that proprietary software vendors don't allow a third party to inspect their source code for flaws and backdoors, smaller enterprises don't have such clout or finances. Proprietary software has better feature sets, but until the U.S. government regains the trust of citizens and businesses alike, better to ensure that the encryption software you use hasn't been tampered with.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Apprentice
6/7/2013 | 6:29:19 PM
re: NSA Dragnet Debacle: What It Means To IT
I agree with this editorial kudos to the writer.

I don't care if you're a lefty or a righty. This is a level of government surveillance unseen in the history of the world. A vast majority of Americans are having their cell phone use monitored. A vast majority of the the world's internet users are being monitored.
Americans should be in the streets. And every globally concerned citizenGÇöregardless of nationalityGÇöshould be contacting their representatives to complain to their representatives about this highly unethical and secretive global surveillance.
I believe this behavior should be considered a crime against humanity. It is a violation of basic human decency, and is obscene. Heads should roll.
<<   <   Page 2 / 2
2021 Outlook: Tackling Cloud Transformation Choices
Joao-Pierre S. Ruth, Senior Writer,  1/4/2021
Enterprise IT Leaders Face Two Paths to AI
Jessica Davis, Senior Editor, Enterprise Apps,  12/23/2020
10 IT Trends to Watch for in 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/22/2020
White Papers
Register for InformationWeek Newsletters
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Flash Poll