NSA Data Capture

Reports on the data capture techniques employed by the NSA are coming in thick and fast and I am trying to decipher fact from fiction, and hysteria from the healthy skepticism any free thinking citizen should retain. In light of these statements I wanted to summarize what would and would not surprise or concern me (if found to be true)?

Statements THAT do not surprise me:

  • That our governments have agencies with teams of white hat hackers.
  • Upon receiving a lawful and legal mission those white hat hackers can gain access to various networks using surreptitious techniques.
  • Upon receiving a lawful and legal mission those white hat hackers can gain access to a variety of software and hardware using surreptitious techniques.
  • That these techniques are formalized and catalogued in some fashion for retrieval and execution.
  • That these techniques have not been shared with the vulnerable hardware/software/network/security vendors, or with the general public.

Statements that should cause great concern:

  • That hardware and software partners have purposefully left backdoors open for government agencies to use.
  • That trusted third party security firms are peddling compromised or broken security to enable government agencies to cast broad nets on unsuspecting bad guys, and by extension, the public.
  • The idea that mining and cross referencing the meta data of the masses is somehow not a privacy concern.
  • That these government agencies would suggest vast automated searches do not constitute a breach of privacy because humans are not immediately involved.
  • That data is captured and retained by these agencies indefinitely.

Given the efforts of companies like Amazon and Microsoft to convince companies that their data and even infrastructure is safe in the cloud, statements like these need to be accounted for in the most detailed and formal way. The following excerpt is from Brad Smith, General Counsel at Microsoft:

Many of our customers have serious concerns about government surveillance of the Internet.

We share their concerns. That’s why we are taking steps to ensure governments use legal process rather than technological brute force to access customer data.

Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures – and in our view, legal processes and protections – in order to surreptitiously collect private customer data. In particular, recent press stories have reported allegations of governmental interception and collection – without search warrants or legal subpoenas – of customer data as it travels between customers and servers or between company data centers in our industry.

If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an “advanced persistent threat,” alongside sophisticated malware and cyber attacks.

In light of these allegations, we’ve decided to take immediate and coordinated action in three areas:

  • We are expanding encryption across our services.
  • We are reinforcing legal protections for our customers’ data.
  • We are enhancing the transparency of our software code, making it easier for customers to reassure themselves that our products do not contain back doors.

Still not convinced this is important? If you have some technical inclination and about an hour to spare watch the To Protect and Infect video from the 30c3 conference by Jacob Applebaum, it goes into some detail about these data capture techniques.