NSA SCANDAL GROWS WORSE FOR INTERNET INDUSTRY

It has been five months since Edward Snowden and NSA operations such as PRISM first splashed across the front pages worldwide.  During this period, the scope of the scandal has only grown through nearly weekly revelations of further NSA transgressions.  While the “golden rule” of scandal management is prompt and full disclosure, the NSA scandal presents a challenge because of the classified nature of much of the information. As a result, the scandal has dragged on and in the process has eroded consumer confidence in the web and harmed US web enterprises.

FALLOUT FOR US INTERNET INDUSTRY

nsa v bizAdWeek reports that there has been a significant shift in consumer’s attitudes following the break of the NSA story with the percentage of internet users concerned about online privacy rising to 58 percent.  “When consumers were asked about their response to the NSA’s collection of online information, nearly one-third  said they were now taking action to protect their online privacy.”

There is also some evidence of a shift away from U.S. providers in response to evidence of their cooperation with the NSA.   Asian governments and businesses are moving their employees and systems off Google’s Gmail and other U.S.-based systems, according to Asian news reports.

In addition, a recent survey by the Cloud Computing Alliance found that:

  • 56% of respondents said that the “Snowden incident” made them less likely to use a US-based cloud service;
  • 10% of respondents indicated that they already had cancelled a project to use a US cloud service.; and
  • 36% of US respondents from American companies said the “Snowden incident” made it harder to do business outside of the US.

In addition, a study by the The Informational Technology & Innovation Foundation estimates that PRISM and NSA Surveillance will cost the U.S. cloud computing industry $22-35 billion over the next 3 years.

REDINGThere also likely will be fallout in Europe that will impact the current Safe Harbor agreement between the EU and US that permits US companies to transfer data from Europe by subscribing to a self-reporting scheme supervised by the U.S. Department of Commerce.  EU’s Justice Commissioner, Vivianne Reding, said that she also has fundamental questions about the EU-US Safe Harbor in light of the new spying disclosures.

The Safe Harbor agreement may not be so safe after all.  It could be a loophole for data transfers because it allows data transfers from EU to US companies—although US data protection standards are lower than our European ones  I have informed ministers that the commission is working on a solid assessment of the Safe Harbor Agreement, which we will present before the end of the year.

One option being explored is scrapping the Safe Harbor altogether, but maintaining the status quo reportedly is not.  There also has been suggestions that U.S. companies that fail to adhere to EU privacy standards should be banned altogether.  (Of course, the EU approach overlooks the surveillance authorities of their own governments.)

More Information: Study: NSA Scandal Is Still Setting Off Privacy Alarm Bells Among Consumers, AdWeek; EU reevaluating data sharing agreement with US in wake of NSA leaks, Ars Technica; The NSA’s Overreach And Lack Of Transparency Is Hurting American Businesses, Tech Dirt;  Could NSA spying hurt California economy? San Diego Union Tribune.

 

LATEST NSA BOMBSHELLS:

NSA ACCESSES BACKDOOR TO “VAST AMOUNT OF ENCRYPTED INTERNET DATA”; MIMICS GOOGLE TO COLLECT USER DATA; and ENGAGED IN “FREQUENT AND SYSTEMATIC VIOLATIONS” OF COURT ORDERS

Among the documents leaked by Snowden was the following NSA slide regarding access to encrypted websites:

The reaction to his revelation was quite severe.

  • “Cryptography forms the basis for trust online.  By deliberately undermining online security in a short-sighted effort to eavesdrop, the NSA is undermining the very fabric of the internet.”  — Bruce Schneier, an encryption specialist and fellow at Harvard’s Berkman Center for Internet and Society.
  • “Backdoors are fundamentally in conflict with good security.  Backdoors expose all users of a backdoored system, not just intelligence agency targets, to heightened risk of data compromise.   —  Christopher Soghoian, principal technologist and senior policy analyst at the American Civil Liberties Union.
  • “The risk is that when you build a backdoor into systems, you’re not the only one to exploit it.  Those backdoors could work against US communications, too.” — Matt Green, Johns Hopkins University.
  • “In security, the worst case—the thing you most want to avoid—is thinking you are secure when you’re not. And that’s exactly what the NSA seems to be trying to perpetuate.”  — Edward Felton, Center for Information Technology Policy.

The National Institute of Standards and Technology (NIST), which by law seeks input from the NSA on encryption standards, has announced it is revisiting some of these standards in light of leaked documents suggesting that the NSA may have helped set the standards in order to give it a back door.  The NIST went so far as to “strongly recommend” against using one particular standard. 

NSA MIMICS GOOGLE TO COLLECT USER DATA

New reports reveal that the NSA targeted Google for a Man-in-the Middle (MITM) attacks.  As explained by Mother Jones:

NSA employees log into an internet router—most likely one used by an internet service provider or a backbone network. (It’s not clear whether this was done with the permission or knowledge of the router’s owner.) Once logged in, the NSA redirects the “target traffic” to an “MITM,” a site that acts as a stealthy intermediary, harvesting communications before forwarding them to their intended destination.The brilliance of an MITM attack is that it defeats encryption without actually needing to crack any code. If you visit an impostor version of your bank’s website, for example, the NSA could harvest your login and password, use that information to establish a secure connection with your real bank, and feed you the resulting account information—all without you knowing.

The MITM attack was included in a report of broader economic espionage by the NSA (something it denies it engages in) in Brazil and with the SWIFT network which processes all international financial transactions.  These revelations have put in a jeopardy a $4 billion deal for Brazil to purchase f-18 fighter jets from Boeing.

NSA RELEASES DOCUMENTS CONFIRMING ACCESS TO TELECOM BACKBONES

nsa flagupThese disclosure comes on the heels of revelations that NSA analysts improperly accessed phone call data thousands of times between 2006 and 2009.  This lead Judge Reggie Walton of the Foreign Intelligence Surveillance Court (FISC), the special court which evaluates classified warrant requests, to pull the NSA’s authority to search the phone database on its own, requiring that the agency receive court approval on a case-by-case basis except for imminent threats to human life.   After the NSA implemented certain changes, FISC allowed the NSA to resume searching the phone database on its own later in 2009.

Judge Walton’s 2009 opinion confirms past speculation that “the federal intelligence community has direct access to telecom companies’ backbones and it scoops up email communications as they go past.”   Judge Walton’s opinion also:

  • explained that “[t]he government has now advised the Court that the volume and nature of the information it has been collecting is fundamentally different from what the court had been led to believe. It has finally come to light that the F.I.S.C.’s authorizations of this vast collection program have been premised on a flawed depiction of how the N.S.A. uses” the phone call data.  “[T]he record before this court establishes that NSA’s acquisition of Internet transactions likely results in NSA acquiring annually tens of thousands of wholly domestic communications, and tens of thousands of non-target communications of persons who have little or no relationship to the target but who are protected under the Fourth Amendment.”
  • criticized the NSA for “what appears to be a flagrant violation” of FISC order that allowed for the sifting of phone records belonging to individuals suspected of terrorist ties; and
  • explained that privacy safeguards established by FISC  “have been…frequently and systematically violated” by the NSA.

UDALL WYDENSenators Ron Wyden (D-Oregon) and Sen. Mark Udall (D-Colorado), the two leading critics of the NSA surveillance program who are constrained by the classified nature of much of the program, reacted by stating:

When the executive branch acknowledged last month that ‘rules, regulations and court-imposed standards’ intended to protect Americans’ privacy had been violated thousands of times each year we said that this confirmation was ‘the tip of a larger iceberg.’  With the documents declassified and released this afternoon by the Director of National Intelligence, the public now has new information about the size and shape of that iceberg.  

 

More Information: Revealed: how US and UK spy agencies defeat internet privacy and security, The Guardian; NSA attains the Holy Grail of spying, decodes vast swaths of Internet traffic, Ars Technica; NSA Apparently Undermining Standards, Security, Confidence, Freedom to Tinker; Report: NSA Mimics Google to Monitor “Target” Web Users, Mother Jones; Declassified Documents Prove NSA Is Tapping the Internet, Wired; Senators: Illegal Spying Still Secret, The Hilll;  Documents Reveal “Flagrant Violations” of Privacy Rights by Bush-Era NSA, AllGov; Court Upbraided N.S.A. on Its Use of Call-Log Data, New York Times; Gov’t standards agency “strongly” discourages use of NSA-influenced algorithm: NIST: “we are not deliberately… working to undermine or weaken encryption”, Ars Technica; Wyden and Udall Statement on the Declassification of FISA Court Opinions on Bulk Collection of Phone Data.