Reactions from the security community to the NSA spying scandal
Last week a whistleblower created quite the stir when he leaked documents about PRISM, a surveiilance program by the NSA.
Below are comments on this scandal that Help Net Security received from a variety of security professionals and analysts.
Dwayne Melancon, CTO, Tripwire
The PRISM situation has a lot of implications in our world. More and more of our information is being shared in the name of convenience, but we have no idea how it’s being used beyond our expectations. I’ve heard people say they feel violated based on what they are learning about PRISM, but don’t know what they can do about it. Unfortunately, the genie is out of the bottle on your past data and you may be limited in how much you can affect how your data is used in the future.
When it comes to information privacy, the confusion begins at the top. For example, President Obama is sending mixed messages — on one hand, he tells us his administration will be “the most transparent in history,” while on the other hand saying saying the US is “going to have to make some choices between balancing privacy and security to protect against terror”. Does that transparency extend to telling us how our data will be used so we have a chance at changing our behavior? It doesn’t seem so.
As we move to more and more “as a service” providers, the likelihood that our data will be used in ways we never intended (and don’t approve of) increases exponentially. These issues around data privacy will not go away, and it’s unlikely that PRISM is the only program that will make us uncomfortable about how our data is used. The real question is whether any sort of regulation can protect the privacy of our data from programs implemented in the name of national security? Regardless of the answer, will we ever know what’s really happening without an unauthorized disclosure about these programs?
Dhillon Andrew Kannabhiran, CEO, Hack In The Box
To assume that the government isn’t already ‘listening in’ is foolish but to think it has direct / unfettered access to the data stream is a tad bit ‘conspiracy theorist’.
What drives the fear that people have about ‘big brother’ and programs like PRISM is in part due to a lack of transparency about how these sorts of programs work. Under what circumstances they can be used and what data is actually handed over. That these decisions are made by a FISA ‘secret court’ also just makes things worse. It’s a case of ‘trust us; we’re the experts’, though in my opinion, law makers are anything but.
And while FISA and programs like PRISM are supposed to be used for targets outside the US that doesn’t mean we shouldn’t be worried that governments in general are seeking for greater access with what appears to be less oversight. US citizens should already be worried especially in light of the news that the NSA has been snarfing up their call metadata – a start of a worrying and disturbing trend if you ask me. Today, it’s ‘just’ your metadata and tomorrow?
Elad Yoran, CEO, Vaultive
Maintaining control of confidential and sensitive data stored and processed in the cloud remains a concern. Now, revelations of the PRISM program run by the NSA have heightened privacy and confidentiality concerns for cloud customers. Unlike the legislation that had already generated anxiety because of their disclosure requirements such as the Patriot Act and ECPA, PRISM reportedly operates in secret with no transparency and provides no mechanism for customers to know when their data has been accessed.
Customers should not have to sacrifice their confidentiality, privacy and control of their data in order to take advantage of cloud computing. The only proactive step cloud customers can take to ensure that corporate data cannot be accessed without their knowledge are to implement encryption-in-use technology before their data goes to the cloud and to hold onto the encryption keys themselves.
By following these simple steps, the data owner can retain control of their cloud data. Thus, if the government, or any unauthorized third party, wants to access the information in a readable format they need to approach the data owner directly to decrypt the data. Doing anything less is taking the ostrich approach to protecting the privacy of your data.
Fran Howarth, Practice Leader, Security, Bloor
Companies are already increasingly aware of the ramifications of the Patriot Act and FISAA, leading to concerns over housing data in the US and with US-owned companies. A fair number of countries have passed blocking statutes making it illegal to comply.
Some of the big service providers named recently are known to be cooperating and have handed over data without the subjects’ knowledge.
The publication of details of the latest surveillance programmes from the US show how alarming this trend is.
US citizems have long had to live eith the fact that they have no expectation of privacy; in Europe, the right to privacy is seen as a human right.
Two things are worrying abouy the publicising of US surveillance tactic. First, what are we not being told? How far do the capabilities go? What can they access if they want to drill deeper into something they deem suspicious? How far can they actually go? Second, this creates a precedent that covert surveillance of individuals is acceptable. Why should other nations with a less than perfect human rights reords not follow suit and use this to subjugate political protest?
The implications are far-reaching. President Obama states that this constitutes only “a modest enchroachment on privacy.” The US previouslu denied that it was behind state-level attacks on other nations until it was shown that it was. Its denials here should be seen in the same lighy.
Peter Cummings, Managing Partner, KuppingerCole Analysts UK
It will be interesting to see how this plays out Internationally. We have seen the German data protection and freedom of information commissioner, Peter Schaar, demanding an explanation for the “monstrous allegations of total monitoring of various telecommunications and Internet services’ almost immediately that this appeared in the press. Australia is reportedly “very troubled”, whilst UK Foreign Secretary William Hague defended GCHQ’s use of intercepts, saying it was all performed legally, whilst carefully avoiding the allegations that Prism had in any way been used.
A General in the US forces remarked during the Cold War that World War II was won because we could turn our aeroplanes inside the turning circle of our enemies, but that the third World War would be won by whoever could operate inside our enemies’ data. If this is true then the NSA may be operating to exclude their enemies operating on the inside, but they have also just made their ‘ready processed’ data an extremely attractive target, in a very public way.
Greg Day, VP and CTO, EMEA at FireEye
Currency has been around for millennia, starting as commodity trading and evolving into the notes and coins used today. However, we are now seeing a new currency evolve through the trade in personal information. Organisations, be they genuine or nefarious, realise that the currency of the future is personal information and the intelligence surrounding it – whether they are the CIA looking for insight into criminal activities, or technology developers looking to increase revenues by utilising the intelligence they capture.
With technology becoming a critical part of daily life, it is unsurprising that electronic profiling is growing. Today, many of us freely share this information, but the boundaries of what information is acceptable to gather are already testing data privacy laws. I believe that incidents such as the recent PRISM allegations will become increasingly common as we try to define who has – and, importantly, who should – have access to our personal data.
Sarb Sembhi, Director, Client Services, Incoming Thought
As national governments need to have access to communications data of its citizens to catch criminals and terrorists, the Governance of data is becoming more important than at any other time in history. As part of good Information Governance, government regulators will have to work closer with privacy organisations on getting some balance that is acceptable between security and privacy in this early phase of Big Data.
This problem is no different than the problem faced by big businesses in the balance between CRM analysis and privacy discussions that have been the pre-cursor to the EU Data Protection Regulation. The world is still in its infancy of its collection of personal data, and widespread use of it by those that collect, and or store that data.
Prism is nothing more than a data collection project, however due to its nature we don’t know what underlying Information Governance principles (if any) it holds itself to. It is these principles that the US Government will need to come clean on.
George Tubin, Senior Security Strategist, Trusteer
Putting aside the political and privacy concerns of the PRISM program, of particular concern is the wholesale collection, aggregation, and storage of massive amounts of highly sensitive personally identifiable information (PII).
Exposing this data intentionally to numerous individuals involved in the PRISM data collection and analysis process or unintentionally to outside hackers dramatically increases the likelihood of the data being misused for fraudulent purposes. Worse, the types and variety of individual data being aggregated is unprecedented and, if misused, would have a devastating impact on an individual’s life. While data security is surely a top priority of the PRISM program, nothing is perfect.