
Twelve mistakes everyone is making about Prism

By Jon Tullett, Editor: News analysis
Johannesburg, 23 Jul 2013
Whistle-blower: Edward Snowden opened Pandora's Box with revelations about data interception by the NSA and other agencies.

All the hoopla about Prism and the National Security Agency's (NSA's) deep invasion of personal data has created a media feeding frenzy, with outrage from everyday users, politicians and technologists. But a lot of it is missing the point, so here are a dozen topics which are frequently misunderstood, collected together to put the Prism/NSA/Snowden tragicomedy in perspective.

In a nutshell, all the smoke and mirrors hide a possible windfall for local cloud services, since they can offer insulation against some enterprise concerns related to cross-border interception and monitoring. Skip to the end if you want to get directly to those points.

A quick summation, in case you've been in a cave without Internet access since June: Edward Snowden, an NSA contractor, leaked a collection of documents to the media, exposing intelligence programmes which collect Internet data en masse, including directly from Internet companies and telecoms operators. The US public was outraged because only foreigners are supposed to be subjected to spying like that. Foreigners were outraged because, well, they were being subjected to spying like that.

(You can hear some of these points explored in a recent security podcast, hosted by Performanta's Tony Olivier and including Dominic White (SensePost), Karel Rode (Performanta) and Jon Tullett on the panel.)

Mistake 1: This isn't about Snowden
Snowden is irrelevant now, and has been ever since his early revelations in the Guardian. While his story is a fascinating ongoing roller-coaster of political intrigue and derring-do, he is not the central issue - the intelligence programmes and their implications are the point. In fact, the constant news coverage of Snowden's uncomfortable exile and political yo-yoing is distracting us from the real issues, a fact that the intelligence community probably greatly appreciates. Every column-inch spent on the latest twist in his asylum quest is one not spent on exploring the depths to which our privacy is being violated, and I'm quite sure the NSA prefers it that way.

Mistake 2: This is nothing new
Ever since the first spies snooped on messages in ancient history, governments have wanted to intercept communication data in bulk. Julius Caesar used encryption (the eponymous "Caesar Cipher") in his correspondence for good reasons.

In the 60s, long before the Internet age, we had programmes like Echelon, jointly operated by the US, UK, Canada, Australia and New Zealand, capturing and analysing telecoms traffic, including voice, data and fax.

And over a decade ago, secret rooms in AT&T network centres were revealed to house NSA networking equipment, tapping Internet backbone traffic en masse via fibre-optic splitters.

Mistake 3: This is not an American phenomenon
Every government in the world is either able to intercept electronic communications, or wants to. Sometimes it's overt, like the great firewall of China or the nationwide Internet filters operated by Arab states; sometimes covert, like GCHQ and the NSA.

In South Africa, we have a legal framework for interception (via the Regulation of Interception of Communications and Provision of Communication-Related Information Act), and it is entirely plausible that the National Intelligence Agency and Secret Service enjoy deeper access than that, via the Office for Interception Centres or otherwise.

All the hand-wringing by European states (and others) about the evils of interception is entirely disingenuous: they all do it. And there are good reasons for legal interception - it really is a valuable tool for law enforcement and intelligence, and when backed up by a solid legal framework, there should be a minimum of abuse. The intelligence community worldwide is in collective denial about this, and could have done a lot more to reassure their respective publics by pulling back the curtain a little.

Mistake 4: It's not about the spying. Unless it is
Espionage happens. It's completely normal, and every nation does it. Yes, even the "friendly" ones, because no matter how cosy you are with another country, you're still competing in international trade, and because you want an early heads-up if the new government turns out to be a bunch of radical nutjobs. There is a long history of Western nations using espionage to bolster their commercial and industrial competitiveness, so the outrage expressed by the EU states is a flimsy facade, erected for political expediency, no more.


Sure, the capabilities of Prism and Tempora and the rest are hugely powerful espionage tools, and I'm sure the nations who aren't members of that club feel uncomfortably disempowered by comparison, but the idea that only 'bad people' listen to each other's phone calls is a laughable fiction, as is the notion that only the evil Chinese hack other nations' computers. Right or wrong, we all do it.

However, this is a valid concern in one key area: governments can and do exploit intelligence data for the benefit of their commercial sectors. Having their intellectual property in the hands of foreign governments is a risk many organisations should consider, and weigh up as part of their information security strategy.

Mistake 5: Yes, you do have something to hide
The notion persists that if you aren't a terrorist or criminal, then you have nothing to hide and nothing to fear from government interception and monitoring. That's fallacious from start to finish, and widely and thoroughly debunked, but here are a couple of highlights.

First of all, no, you can't trust your government. The purpose behind having controls and safeguards in place (like the US Constitution) is to protect the citizens against abuse by their government. Anything which circumvents those safeguards is a dangerous sign. Furthermore, as history has shown us many times, no matter how peaceful and well-intentioned the politicians of today may be, their successors may well be less kindly. You are not just protecting yourself against the regime of today, you are safeguarding against the regime of tomorrow. Ask the Egyptians about that.

Second, you really can't trust your government. It is astonishing that the "but I have nothing to hide" sentiment is so strong among Americans in particular, when just one generation ago they had McCarthy and Hoover, whose paranoia manifested in such charming programmes as COINTELPRO (to pick just one example), which saw the FBI conduct intelligence-driven campaigns against political undesirables including communists, lawyers, and black people. From reds under the beds, we've evolved to the war on terror - different bogeyman, but similar ongoing erosions of privacy and civil rights in the name of security theatre.

Third, you will be targeted by association. Among the NSA leaks is the revelation that the agency operates a 'three-hop' principle for investigation: the dragnet against an individual targeted for surveillance will include his associates (correspondents, friends on social networks, etc.), and their associates, three levels deep. In 2011, research suggested the average separation between any two individuals is 4.74. In other words, anyone targeted by the NSA will probably pull a healthy subset of the entire Internet population under the microscope. This, incidentally, also circumvents the notional limitation on the NSA's data-gathering to foreign individuals, not that it was ever much of a limitation anyway.

Fourth, even 'innocent' metadata can be mined to reveal a great deal about you - far more than most people think (see "Anonymous data isn't" below).

Lastly, mistakes happen (a few examples in the link above), but the point is that due process and transparency go hand-in-hand for important reasons. Monitoring and interception are vital capabilities for modern intelligence, but without due process and transparency, mistakes can be swept under the rug, and when that becomes the norm, you're well down the path to a system of abuse.


A key point to remember is that the 'intelligence machine' is people. All automated systems boil down to the judgment of ordinary humans, and not terribly well-vetted humans at that - government agencies are scrambling to scale up, and that means bringing increasing numbers of contractors into the loop. That means lower standards of security - a phenomenon we've seen many times in the past, such as CCTV operators in the UK unable to resist the temptation to peep on innocent civilians, endless reports of wrongdoing by TSA agents at airports, and so on. While most mean well, among all the well-intentioned, upstanding agents will be the voyeurs, the perverts, the criminals, the foreign spies and, yes, the whistle-blowers. This is why the need for strict controls and oversight is so strong. These aren't special people; they're ordinary men and women, subject to the same flaws as the rest of us - the corruption of power chief among them.

Mistake 6: Anonymous data isn't
Even if the NSA and its sister agencies were only collecting metadata, the notion that data can be cleansed to the point of harmlessness is a dangerous misdirection. Our ability to mine, correlate and analyse data has advanced to the point where there is almost no such thing as anonymous data anymore.

In 2006, AOL published anonymised search data, with the idea that the community could look for patterns and find ways to improve search algorithms. Within days, researchers had ferreted out the real-world identities of users, much to everyone's embarrassment. Staff were fired and the firm's CTO, Maureen Govern, fell on her sword, but the damage was done - it was a spectacular privacy blunder.

In the wake of the Prism revelations, Malte Spitz, a German politician, obtained six months of his phone metadata and published an interactive map showing how much can be inferred from that data. Combine that with the NSA 'three-hops' approach and you can get a sense of just how much can be correlated from metadata. All of which is irrelevant anyway, since we now know the agencies collect every bit they can get their hands on, not just metadata, but it's still worth remembering.
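The kind of inference the Spitz map makes visible can be reproduced with a few lines of analysis. The following is an added example, not code from the article, that runs over a handful of constructed call records (timestamp, counterpart, cell tower) for a hypothetical subscriber and infers a likely home, a likely workplace, the closest contacts and who is called at night, using nothing but timing and location. The tower names, numbers and the 22:00-07:00 and 09:00-17:00 cut-offs are assumptions for the illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed call-detail records for a hypothetical subscriber (no real data):
# (timestamp, counterpart number, serving cell tower). Only metadata, no content.
RECORDS = [
    ("2013-06-03 08:15", "+27-82-555-0002", "tower-H"),   # Monday morning, at home
    ("2013-06-03 10:00", "+27-11-555-0100", "tower-W"),   # Monday, office hours
    ("2013-06-03 22:30", "+27-82-555-0001", "tower-H"),   # late night, at home
    ("2013-06-04 14:30", "+27-11-555-0100", "tower-W"),
    ("2013-06-04 23:10", "+27-82-555-0001", "tower-H"),
    ("2013-06-05 05:45", "+27-82-555-0002", "tower-H"),   # early morning, at home
    ("2013-06-05 11:15", "+27-82-555-0001", "tower-W"),
    ("2013-06-05 13:00", "+27-82-555-0002", "tower-X"),   # one-off lunch elsewhere
    ("2013-06-06 16:45", "+27-11-555-0200", "tower-W"),
    ("2013-06-07 00:20", "+27-82-555-0003", "tower-H"),
    ("2013-06-08 13:00", "+27-82-555-0001", "tower-M"),   # Saturday, out and about
    ("2013-06-09 12:30", "+27-82-555-0003", "tower-M"),   # Sunday
]


def parse(records):
    """Turn the string timestamps into datetime objects; keep the rest as-is."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), who, tower)
            for ts, who, tower in records]


def is_night(dt):
    """Assumed 'sleeping hours' window: 22:00 to 07:00."""
    return dt.hour >= 22 or dt.hour < 7


def is_office_hours(dt):
    """Assumed working window: weekdays, 09:00 to 17:00."""
    return dt.weekday() < 5 and 9 <= dt.hour < 17


def most_common_tower(events, predicate):
    """Tower most often serving the phone during the times `predicate` selects."""
    counts = Counter(tower for dt, _, tower in events if predicate(dt))
    if not counts:
        return None
    return counts.most_common(1)[0][0]


def infer_profile(records, top_n=3):
    """Build a profile of the subscriber from metadata alone."""
    events = parse(records)
    return {
        # where the phone sits at night is almost certainly home
        "likely_home": most_common_tower(events, is_night),
        # where it sits during weekday office hours is almost certainly work
        "likely_workplace": most_common_tower(events, is_office_hours),
        # who is called most often: the inner circle
        "top_contacts": Counter(who for _, who, _ in events).most_common(top_n),
        # who gets called late at night: usually family or a partner
        "night_contacts": sorted({who for dt, who, _ in events if is_night(dt)}),
    }


if __name__ == "__main__":
    for key, value in infer_profile(RECORDS).items():
        print(f"{key}: {value}")
```

Twelve records are enough to place a home, a workplace, a weekend haunt and a probable partner; six months of them, as in the Spitz case, reconstruct a daily routine. That is the practical reason "only metadata" is no reassurance, and why a data-risk assessment should treat call, login and access logs as personal data in their own right.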

Mistake 7: Intelligence capability scales
An often-repeated argument against wholesale electronic spying is that the scale renders it impossible. There is simply too much data on the Internet, the argument goes, for it to be possible to capture and analyse everything. Besides, if you did, all you'd get is petabytes of cat pictures, porn, and pirated videos.

The facts suggest the opposite. It's not like the NSA and the rest were taken by surprise - they've had decades to develop technology, hire engineers, and build facilities. The idea that the private sector is better at scaling than some of the world's smartest data analysts is pure fantasy. And the NSA's gigantic new data centre in Utah is testament to the agency's burgeoning data capability.

The Guardian, reporting Snowden's leaks, revealed that in the UK, GCHQ's Tempora project can store a three-day buffer of all Internet traffic, allowing for offline analysis.

So yes, they can and will store everything. Even the cat pictures.

Mistake 8: Intercepting data is easier than you think
For all the Internet is widely dispersed geographically, the majority of data flows through identifiable choke-points. The US, which houses most top-tier cloud services, is obviously one such point, but the big peering points in the UK are also vital points, as are the undersea fibre-optic cables carrying the traffic between nations. The US has used submarines to place splitters on undersea cables for this job, and Snowden's revelations included claims that GCHQ also operates splitters on fibre-optic cables.

It's just not all that hard to gather up data in bulk. And for the truly paranoid among us: think back over the last couple of years, and count up all the cable outages we've experienced on the new cables like Seacom and WACS. Maybe they really were all thanks to incompetent fishermen who can't read charts, dropping anchors in the wrong places. And maybe they weren't.

Mistake 9: Interception goes beyond wiretaps, and why we care
Two factors make life difficult for interception at the wire level: encryption, and application logic. The flood of attacks on personal data, including identity theft, banking Trojans, and other fraud, has led to a sharp increase in the use of encrypted transport protocols like https, which renders on-the-wire interception ineffectual (though weaknesses in SSL are another topic in themselves - Moxie Marlinspike addressed the topic in terrifying detail at ITWeb's 2012 Security Summit). And the rise of deeply integrated social networks like Facebook, with the core value wrapped up in how the network processes and builds the user's community, also means a lot of the data value lies in the correlation and connections which happen at the service host, not in any individual communication.

Cue the need to capture data directly from the networks themselves, and the arrival of Prism - putting the intelligence gathering inside the firewall, behind the pesky encryption and closer to the logic.


From an intelligence point of view, this makes complete sense. And coupled with strong oversight, it shouldn't be a concern for the general public, and an improvement in oversight is probably the best we can hope to come out of this saga.

It is also a major concern for non-US governments, because the US has a huge intelligence advantage here. With most popular cloud services resident in the US, most Internet traffic traversing US territory at some point, and US control over ICANN, this means foreign governments are limited to old-fashioned interception, while the US and its allies enjoy far greater options for penetration and analysis. And, as we've discussed, allies are not immune to each other's intelligence activities either.

Mistake 10: Everyone is lying
Almost everyone, from the politicians to the agencies to the companies involved, has been lying about the intelligence programmes from the outset, and is probably still doing so. To be fair, some of the private companies had no choice - secret FISA orders are accompanied by gag orders preventing their disclosure.

Since Snowden's revelations about Prism, we've seen untruths and weasel words from all sides. We've seen the US director of national intelligence, James Clapper, caught in outright falsehoods under oath to Congress - he later said he'd "forgotten about the Patriot Act" when claiming the NSA didn't collect data on US citizens. We've seen companies like Microsoft, Google, and Yahoo deny not just any involvement in interception, but claiming complete ignorance of the programme, and then promptly go to court to demand the right to reveal just how much data they have handed over. We've seen officials from many nations express outrage about US data collection, only for it to be revealed that they operate similar programmes at home.

In some cases, the deception is fairly transparent. Statements like "we do not collect that data under that programme" leave the fairly obvious question hanging: "Okay, what programme does collect it, then?"

Most of the rhetoric is, by now, pretty thoroughly discredited, and many firms are in active damage limitation mode. Ignore the statements, and just assume any data you place in the cloud is securely backed up at a minimum of two offsite locations, courtesy of the NSA and GCHQ. That's not going to change.

Mistake 11: Legal frameworks are not on your side
If any conclusion has been drawn from the leaks and revelations about Internet snooping, it's that the intelligence community views laws primarily as hurdles to be overcome, not frameworks to guide behaviour. And the agencies in question are very good at overcoming hurdles.

The details of FISA and the Patriot Act are too convoluted to explore here, but in essence, the US intelligence agencies operate under a broad set of privileges, empowered by secret courts, with little oversight or control. Controls which do stand (such as the requirement that NSA investigation be limited to non-US citizens) are overcome by partnership with other agencies, malleable parameters defining the boundaries of investigation, or simply ignored outright.

Where this gets interesting is the friction between interception and the data regulations to which enterprises are expected to adhere. The forthcoming Protection of Personal Information (POPI) Act, and the existing EU Data Privacy Directive, make a number of provisions for protecting customer data, including its jurisdiction, transport, and protection. Knowing your customer data in the cloud may be subject to a subpoena in a foreign jurisdiction is one thing; knowing it is being scooped up by foreign governments wholesale is potentially more worrying. Safe harbour agreements between states, set in place to facilitate the use of personal data in cloud services, may come under review. Francis Cronje, one of the authors of POPI, told the audience at ITWeb's Cloud Summit that companies should anticipate a comprehensive reassessment of data risk, jurisdiction, and protection mechanisms, and may have to adjust cloud strategies as a result.

In particular, contract terms need to be scrutinised in the light of POPI requirements and what we know about the exposure of data.

And, because they have to comply with the same regulations, local cloud providers could stand to gain here - which brings us to the last point...

Mistake 12: It's not going to hurt cloud providers. But it could help local guys
In the last few years, we've had a never-ending stream of betrayals by cloud services. Hacks, password leaks, identity theft, outages and data loss. Few ever suffer more than a momentary blip in reputation, so the idea that the Internet will en bloc boycott US-based cloud services because they were complying (as they were legally required to) with heavy-handed US surveillance, is highly unlikely. Some non-US cloud services are already trying to cash in on the hype by advertising "non-Prism" services (as if their own governments are above reproach).

It's more likely that services will start to offer better support for encryption and privacy safeguards, and to compete on that basis. Of course encryption can be questionable - Microsoft has reacted angrily to claims that it has provided the NSA with decryption capability to some of its online services. But it is possible that services can demonstrate that their security is under the control of the end-user, through client-side crypto, for example, to gain momentum.

For the most part, companies and individuals will continue to use cloud services (hopefully having done their data risk assessments) without much concern. More scrutiny may be placed on the contract terms between cloud providers and their customers, and security standards which include provision for these issues could become higher profile.

For sensitive data which does suggest concern, particularly in regulatory issues, there's only one way to minimise your exposure, and that is to house that data yourself, or with a partner who shares the same regulatory requirements. A local host might well be giving up data to the government, but at least it's your government.
Amazon won't even notice the drop in business, but to comparatively smaller scale local operations, Prism and its ilk could be a windfall if they position themselves right.
