National Security Agency (NSA) director-general Keith Alexander defended his government's collection of phone and Internet records during his presentation at the Black Hat security conference, in Las Vegas, yesterday.
In its blog, The Wall Street Journal said Alexander brought up new details, leaning heavily on the fact that the surveillance programmes have blocked terrorist activity.
He claimed the NSA's collection of the private data of foreigners helped disrupt 54 terrorist activities, including 13 in the US. He said that out of the 54 activities, 42 were actual terrorist plots, citing the example of the New York City subway bombings that were disrupted because of intelligence gathered in the two programmes.
Alexander added there are a mere 35 analysts at the NSA who are authorised to query a database of US phone records, and insisted they need to undergo rigorous training before having access to the databases that hold the collected data. He also said there were auditing and compliance processes associated with those requests.
According to Threatpost, the first 40 minutes of Alexander's talk saw him making the case for the agency's authority under Section 215 of the Patriot Act and Section 702 of the Foreign Intelligence Surveillance Act. The crowd purportedly rubbished his claims that the NSA stands for freedom while at the same time it collects, stores and analyses "telephone business records, metadata and Internet records" on US citizens.
"The tools and things we use are very much the same tools you use in securing networks. The difference is the oversight and compliance that we have in these programmes. That part is missing in much of the discussion," PC Mag quoted Alexander as saying.
"I believe it's important for you to hear that, for you to understand what these people have to do to do their job to defend the nation and the oversight regime we have with the courts, Congress and the administration. You need to understand that to get a full understanding of what we do and do not do."
Alexander said of speculation that the NSA is scrutinising all US phone calls and Internet traffic: "What you're hearing is 'well, they could'. The fact is they don't."
Legal snooping?
The vast majority of surveillance performed by the NSA and similar agencies relies on court orders, as does wiretapping or lawful intercepts, noted Threatpost. In addition, as these orders are "shrouded in secrecy", many businesses receiving orders comply without question.
Orders, called national security letters, are sent to specific organisations as part of investigations relating to national security. In most cases, their recipients are forbidden from disclosing that they received one, or from seeking help from others inside their own companies.
Brewster Kahle, a prior recipient of one of these letters, and founder of the Internet Archive, said during a panel discussion at Black Hat, that at the time of receiving his letter, he was reluctant to hand over any information, and sought legal advice.
This resulted in Kahle and the Internet Archive challenging the letter in court, and suing the federal government, something only a minute number of recipients of national security letters have done in the past.
The FBI eventually changed its tune, and said it did not need the information after all. Kahle said the takeaway from all of this, is that organisations can in fact challenge these letters, and they should carefully examine their options before handing any information over.
Over and above these letters, government agencies have been known to install a tap in a network or data centre. Matt Blaze, a professor at the University of Pennsylvania, who coined the term trust management to refer to the policy system which decides whether a particular entity should be permitted to carry out a particular action, said installation of wiretapping equipment and suchlike can often lead to other problems.
Threatpost quoted him: "What nobody is asking is if the implementation of a wiretap creates the opportunity for other crimes by weakening our existing infrastructure."
Privacy expert Bruce Schneier said in his blog that the FBI now wants to be able to snoop on everything. He said it believes it can open systems to its eavesdropping, but keep them secure from anyone else's, which is impossible.
For this reason and more, Schneier says the FBI's proposal for a new law that will make it easier to wiretap the Internet, will fail.
"The bad guys will be able to get around the eavesdropping capability, either by building their own security systems - not very difficult - or buying the more-secure foreign products that will inevitably be made available. Most of the good guys, who don't understand the risks or the technology, will not know enough to bother and will be less secure."
An issue of privacy
Alan Davidson, a visiting scholar at the Massachusetts Institute of Technology and former public policy lawyer for Google, added that "secret surveillance scales poorly, especially internationally", and could raise data residency issues, as people might insist on keeping their data in their own countries, which could negatively impact business.
However, there are data-centric solutions that could solve this issue, as the approach protects data at the source. As data is captured, data-centric security steps in, obfuscating the data through encryption, tokenisation and masking. This renders the data unreadable to outsiders, regardless of where it is stored.
Share