Quantcast

«

»

Mar 21 2014

Tech companies scramble to avoid NSA damage

The big US internet technology companies protested loudly that the mass spying by the NSA on the people using their systems was done without their knowledge or consent. One could be excused for being skeptical of their claims of innocence and now a top lawyer for the NSA confirms our doubts, saying on Wednesday that Silicon Valley companies knew all along that the NSA was spying on their systems.

Rajesh De, the NSA general counsel, said all communications content and associated metadata harvested by the NSA under a 2008 surveillance law occurred with the knowledge of the companies – both for the internet collection program known as Prism and for the so-called “upstream” collection of communications moving across the internet.

Asked during a Wednesday hearing of the US governments institutional privacy watchdog if collection under the law, known as Section 702 or the Fisa Amendments Act, occurred with the “full knowledge and assistance of any company from which information is obtained,” De replied: “Yes.”

When the Guardian and the Washington Post broke the Prism story in June, thanks to documents leaked by whistleblower Edward Snowden, nearly all the companies listed as participating in the program – Yahoo, Apple, Google, Microsoft, Facebook and AOL – claimed they did not know about a surveillance practice described as giving NSA vast access to their customers’ data. Some, like Apple, said they had “never heard” the term Prism.

De explained: “Prism was an internal government term that as the result of leaks became the public term,” De said. “Collection under this program was a compulsory legal process, that any recipient company would receive.”

After the hearing, De added that service providers also know and receive legal compulsions surrounding NSA’s harvesting of communications data not from companies but directly in transit across the internet under 702 authority.

The disclosure of Prism resulted in a cataclysm in technology circles, with tech giants launching extensive PR campaigns to reassure their customers of data security and successfully pressing the Obama administration to allow them greater leeway to disclose the volume and type of data requests served to them by the government.

Last week, Facebook founder Mark Zuckerberg said he had called US president Barack Obama to voice concern about “the damage the government is creating for all our future.” There was no immediate response from the tech companies to De’s comments on Wednesday.

De’s comments directly contradicts what Google co-founder Larry Page said the same day:

Google co-founder Larry Page on Wednesday condemned US government snooping on the Internet as a threat to democracy.

“It is tremendously disappointing that the government sort of secretly did all this stuff and didn’t tell us,” Page said.

Google’s announcement the very next day that they have started to encrypt Gmail may be a sign that they are trying to repair the damage.

Google said Thursday its popular Gmail service would use encryption to thwart snooping, in the latest move by the tech sector reassuring customers following revelations about US surveillance programs.

“Your email is important to you, and making sure it stays safe and always available is important to us,” Gmail engineering security chief Nicolas Lidzborski said in a blog post.

“Starting today, Gmail will always use an encrypted HTTPS connection when you check or send email.

“Today’s change means that no one can listen in on your messages as they go back and forth between you and Gmail’s servers — no matter if you’re using public WiFi or logging in from your computer, phone or tablet.”

Google has already begun scrambling most of the traffic at its websites as technology firms grapple with moves by US intelligence agencies to spy on what people are doing and sharing online.

And similar moves have been announced by Yahoo, Microsoft and Facebook to use encryption that limits the ability of a third party to read messages or emails.

I am not enough of a tech expert to know if the measures taken by these companies are sufficient to thwart mass spying by the NSA. There of course remain the problems of the companies secretly providing backdoor access to the NSA by giving them the encryption keys, not to mention the fact that NIST weakened the standards by which these keys are generated in order to enable the NSA, when it could not gain backdoor aces, to break the encryption.

Influential world-wide web pioneers like Tim Berners-Lee have called for a bill of rights for the internet and the setting up of structures that would have fewer controls on the web. He has praised Edward Snowden for making his revelations, joining the growing number of tech people who see him as having performed a valuable service. This alliance is important because tech people, like Berners-Lee Snowden, are the backbone of the internet and the people who can serve as its watchdogs.

Snowden has endorsed Berners-Lee’s idea of creating some sort of equivalent of the Magna Carta for the internet.

Snowden also dropped some intriguing hints of what’s to come, saying that, “There are absolutely more revelations to come. Some of the most important reporting to be done is yet to come.”

He must be giving president Obama, James Clapper, Keith Alexander, and the rest of the spying gang sleepless nights, wondering what shoes are going to drop next. Serves them right.

9 comments

Skip to comment form

  1. 1
    Lassi Hippeläinen

    Using HTTPS is good against small criminals, but against the NSA it is irrelevant. They have been snooping the traffic from the backbone.

    Goole is now using encryption in backbone as well. That works as long as the NSA doesn’t have a back door to Google’s infrastructure. There is no way to prove that it doesn’t. For example, Google can use keys that the NSA can predict and still claim that all traffic is encrypted.

  2. 2
    hyphenman

    Good morning Mano,

    Then there’s the news that MicroSoft has been reading the mail of its Hotmail system:

    http://www.bbc.com/news/business-26677607

    Going analog is looking better and better.

    Do all you can to make today a good day,

    Jeff

  3. 3
    Pete Moulton

    I think what really irks the powers-that-be at yahoo, facebook, and the like, is that they don’t like the NSA and other amateurs mining the data they consider rightfully theirs. It gives their own data collection a bad (OK, worse) name.

  4. 4
    doublereed

    Frankly, I’d be willing to believe Google and Microsoft against the NSA. Why should I take the NSA’s general counsel’s word that Google/Microsoft knew about tapping of upstream data? It’s like he-said, she-said.

    The tech companies already admitted to being knowledgeable and complicit in most of the NSA spying. They’ve got way more believability than the NSA.

  5. 5
    doublereed

    Also, isn’t that kind of like the NSA revealing corporate secrets to damage corporate reputation? Doesn’t that completely violate the trust between the tech companies and the NSA?

    The NSA just completely threw them under the bus, which I would think would violate the terms of their NDAs or something.

  6. 6
    John Horstman

    I am not enough of a tech expert to know if the measures taken by these companies are sufficient to thwart mass spying by the NSA.

    Well, https encryption will thwart SOME of their methods of data-gathering, but not all of them. As of now, the NSA is simply harvesting and storing encrypted data to be later cracked if it might be relevant to any given legal case or (counter-)espionage action. If computer speeds continue to increase rapidly, or if previously-unknown flaws are found in present encryption algorithms, decrypting the data in the future may be much easier than it is now (also, as you note, the NSA has compromised the NIST ECC standards in a way that doesn’t entirely negate their effectiveness, but does limit the set of possible encryption ciphers to a smaller set than all possible ciphers, making brute-force cracking simpler than it would have been otherwise).

    AS you note, this won’t prevent data-harvesting directly from Google’s servers, for example (this is the bit that involved the collusion of the tech companies). The data has to be decrypted at some point so it can be interpreted, so as long as the NSA maintains access to tech companies’ systems, they can still get whatever they want. However, this WILL help prevent, for example, someone snooping your unencrypted e-mail from a coffee shop’s unencrypted WiFi connection, becasue the e-mails are now encrypted while in transit. It also does help slow the mass-surveillance, since the direct data-harvesting has to be more targeted (and possibly even needs a separate FISA order for each request, though they’ve been playing fast and lose with those), as would any efforts to crack encrypted data that was mass-harvested.

    So, if you’re a person of interest, this won’t help you much, but if you’re not, it will help some. It’s a speed bump, not a barricade.

    @Pete Moulton #2: Bingo.

  7. 7
    Mobius

    The NSA is the largest employer of mathematicians in the world, by far. They especially like number theorists since that field has much to say about code breaking. Almost all of the math the NSA produces is classified, which does not sit well with academic mathematicians. Being among the later group, I often hear people expressing curiosity about what, and how much, the NSA knows that the rest of us don’t.

  8. 8
    Peter B

    John Horstman @6:

    >as [Dr. Singham notes], the NSA has compromised the NIST ECC standards in a way that doesn’t entirely negate their effectiveness, but does limit the set of possible encryption ciphers to a smaller set than all possible ciphers…

    Are you thinking of Dual_EC_DRBG? If that’s the case my p-256 ECC implementation is not impacted. OTOH, for the NIST curves the hash input that specified “b” as in y^2 = x^3 +ax + b (mod p256) may have been chosen after a search for some easier to invert curve. (Using a=-3 is SOP as it simplifies the math.)

    The prime could also be cooked but that, while still possible, is less likely. The primes were chosen to have a fast method of reducing values modulo p as large as p^2. p256 is a 256-bit number with all ones in the top 33 bits and then zeros until the last 96 bits which are all ones.

  9. 9
    unnullifier

    There’s some issues with this story, primarily that the major tech companies were lying about their knowledge of “PRISM” just isn’t true. This is word play from the NSA designed to discredit the major tech companies affected by their actions.

    * “PRISM” was the NSA’s code word for Section 702 requests, which of course tech companies know about, because they have to know about them in order to comply with them, however, they didn’t know that “PRISM” was the NSA’s internal name for them. All firms receiving these requests were prohibited by law from disclosing them.

    * The original story that broke regarding the NSA’s “PRISM” program incorrectly indicated that “PRISM” provided the NSA direct access to major tech firms’ servers and allowed them to collect any data they wanted. This is the claim that major tech firms denied. They never denied knowing about Section 702 requests, but they had their hands legally tied behind their back regarding any disclosure of them.

    * The NSA comes along later and shockingly says “no, no, they’re lying, they knew about Section 702 all along! It was what we called PRISM, so they did know! Look how bad they are, complying with us and lying about it!”

    I’m not saying that I’m okay with Section 702 requests or how they are managed by the government, but the idea being peddled that tech firms lied about their knowledge of them is flat out untrue.

    via: http://www.techdirt.com/articles/20140319/17162326629/dont-fall-misleading-story-being-spread-nsa-suggesting-tech-companies-lied-about-prism.shtml

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>