Why The Bay hates the NSA…
This is a magazine piece that I wrote in February. For various reasons, none of which had anything to do with the article itself, it never got published. I’m posting it here in an effort to empty my notebook.
The NSA made them out to look like liars.
For at least the past decade, technology companies — specifically Google, LinkedIn, Yahoo and Microsoft — promised hundreds of millions of users that their personal information was safe.
But after a series of revelations that began this past summer, that turned out not to be true.
The U.S. National Security Agency, whose programs Edward Snowden has now spent eight months exposing, had been undermining those promises all along.
Its surveillance undid the work of engineers at tech companies in the San Francisco Bay Area and beyond who take pride in protecting people’s privacy, even as the government compelled those same companies to hand over information through National Security Letters.
The NSA was defeating the encryption that keeps user information, including some of our most private messages, safe. It was collecting records of who we call and who calls us. And, most galling for tech workers, it was making fools of them.
“I think there are two things: One, Silicon Valley worked very hard to gain the trust of their users and say: ‘Your data is safe with us,’” says Jeff Larson, a reporter/hardcore data dude at ProPublica, who has been working on a series of stories based on the Snowden revelations in conjunction with the New York Times and the Guardian.
And two: “especially for American companies, the NSA focused on them — because they were the best at collecting data.”
That’s understandably infuriating: these companies were targeted precisely because they had persuaded so many people to trust them with their personally identifiable information.
One example, and perhaps the sketchiest of the unearthed programs, is called MUSCULAR. Like an expert thief lifting bags of money out of the back of a Brinks truck without anyone noticing, it quietly captured the data flowing between Google’s data centers, and Yahoo’s.
It worked like this:
Say you moved from New York to Atlanta. Google would notice that you were suddenly using your Gmail account from a different place.
To cut latency (the lag that makes a service feel slow), Google would copy your mailbox from its data center in the North to one in the South. It shuffles data between data centers like this constantly.
The links between those data centers were Google’s own, and at the time the traffic on them was sent in the clear. That is where the NSA tapped in, grabbing everything on the link indiscriminately: your data, the data of anyone else who made a move, and whatever else Google or Yahoo happened to be copying.
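Here is an added example of what that tap actually saw, written for this post rather than taken from it, and not Google’s code. Two “data centers” copy a user’s mailbox over a fiber link that a passive collector is copying byte for byte. The same record goes across twice: once in the clear, as the links were run at the time, and once under a link key, a stand-in for the encryption Google has since deployed between its data centers. The cipher is an illustrative construction chosen because it runs on the Python standard library (HMAC-SHA256 as a PRF in counter mode, plus an HMAC tag); real systems should use TLS or an AEAD such as AES-GCM. The mailbox record, addresses and key are all constructed for the example.

```python
import hmac
import hashlib
import json
import secrets
from typing import Optional

# Constructed sample: one mailbox record being copied from the New York
# data center to the Atlanta one. Not real data.
MAILBOX_RECORD = json.dumps({
    "user": "alice@example.com",
    "subject": "re: dinner plans",
    "body": "see you at 7, bring the contract",
}).encode()


class FiberTap:
    """Passive collector on the inter-data-center link: copies every byte
    that crosses it and forwards the traffic unchanged, so neither end
    notices anything."""

    def __init__(self) -> None:
        self.capture = bytearray()

    def observe(self, wire_bytes: bytes) -> bytes:
        self.capture += wire_bytes
        return wire_bytes

    def contains(self, needle: bytes) -> bool:
        """Can the collector find this string anywhere in its capture?"""
        return needle in bytes(self.capture)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative PRF in counter mode: block i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(link_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under per-purpose subkeys; output is nonce || ct || tag."""
    enc_key = hmac.new(link_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(link_key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(link_key: bytes, sealed: bytes) -> Optional[bytes]:
    """Check the tag before decrypting; None means the bytes were altered
    in transit (or sealed under a different key)."""
    enc_key = hmac.new(link_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(link_key, b"mac", hashlib.sha256).digest()
    if len(sealed) < 16 + 32:
        return None
    nonce, ciphertext, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def replicate(record: bytes, tap: FiberTap, link_key: Optional[bytes]) -> Optional[bytes]:
    """Send one record across the tapped link and return what Atlanta recovers.
    link_key=None models the pre-2013 setup: the record goes out in the clear."""
    wire = record if link_key is None else seal(link_key, record)
    received = tap.observe(wire)
    return received if link_key is None else unseal(link_key, received)


if __name__ == "__main__":
    needle = b"bring the contract"
    clear_tap = FiberTap()
    replicate(MAILBOX_RECORD, clear_tap, None)
    print("plaintext link, tap can read the mail:", clear_tap.contains(needle))
    key = secrets.token_bytes(32)  # constructed link key for the example
    enc_tap = FiberTap()
    ok = replicate(MAILBOX_RECORD, enc_tap, key) == MAILBOX_RECORD
    print("encrypted link, Atlanta still gets the record:", ok)
    print("encrypted link, tap can read the mail:", enc_tap.contains(needle))
```

Run it and the three prints tell the story: on the plaintext link the collector can search its capture for the message body and find it; on the encrypted link Atlanta still recovers the record but the capture yields nothing, and any byte flipped on the wire makes `unseal` return None instead of a forged record. Owning the fiber was never the protection; encrypting what crosses it is.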
Those actions are arguably illegal. Everyone should be pissed.
Brandon Downey sure is. The Google network security engineer posted as much to his Google Plus page (the social network that seemed to consist entirely of Googlers) at the end of October.
Fuck these guys.
I’ve spent the last ten years of my life trying to keep Google’s users safe and secure from the many diverse threats Google faces.
But after spending all that time helping in my tiny way to protect Google — one of the greatest things to arise from the Internet — seeing this, well, it’s just a little like coming home from War with Sauron, destroying the One Ring, only to discover the NSA is on the front porch of the Shire chopping down the Party Tree and outsourcing all the hobbit farmers with half-orcs and whips.
That’s the sentiment in Silicon Valley, and it has Microsoft referring to the NSA as an “advanced persistent threat”. That is perhaps the dirtiest of technical terms, reserved for the well-resourced adversaries that run sustained espionage campaigns over the Internet; it is not usually aimed at one’s own government.
The history behind this latest burst of outrage makes it more frustrating still.
In the 90s, according to the New York Times (in a story Larson of ProPublica wrote with others at the Guardian and the paper of record), the NSA lost a public battle to have a back door built into commercial encryption.
Fuggedaboutit. They did it anyway, in secret.
Still, the agency has always had a mandate to eavesdrop on, and spy on, the bad guys. That was cool. Jump to the beginning of June, though, and what wasn’t cool was that the NSA, its British counterpart the Government Communications Headquarters (GCHQ) and others were keeping tabs on everyone. Not just the bad guys.
That doesn’t mean some intelligence analyst is going to read your Snapchats. There are rules, of a sort, about what the government can and can’t search, tightened after President Obama’s recent call for more oversight of the agency.
The concern is that the potential for abuse is enormous.
“What this is, is the NSA physically tapping the internal network of American companies without the companies’ knowledge and then taking all of the data that traverses that network indiscriminately,” says Nate Cardozo, a staff attorney on the Electronic Frontier Foundation’s digital civil liberties team, referring specifically to Muscular.
That’s partly why the President convened a five-person Review Group on Intelligence and Communications Technologies, including the country’s first go-to data privacy guy, the former chief counter-terrorism adviser on the National Security Council and the former deputy director of the CIA, among others, to author a 308-page report outlining 46 recommendations on how to curtail the NSA’s most controversial practices.
“In my view, the President responded significantly to the Silicon Valley concerns,” says Peter Swire, a member of the review group, and a professor of law and ethics at the Georgia Institute of Technology’s Scheller College of Business, who was a chief counselor for privacy in the Office of Management and Budget from 1999 to 2001.
“We already have seen greater transparency about government requests for data in the agreement with the Justice Department; the President is creating a new process for sensitive communication collection, and economic and other officials will be part of that process in addition to the traditional intelligence participants.”
Understand: when the NSA spied on its own citizens and broke the trust between ordinary people and the internet services they use, it potentially damaged the economy too.
“Many of the services in Silicon Valley are used by foreign companies to host their data and drive their business,” says Jeremiah Grossman, the interim chief executive of Web-application security firm WhiteHat Security, in an email.
“For example, Google Apps, Salesforce, Dropbox, etc. If these foreign companies do not feel their data is safe in the country in which it’s hosted, such as the US, they’ll instead use competing services located in a country with a less invasive government. The bottom line is foreign competitors look more attractive to customers.”
There were, however, some victories in the reforms the President recently adopted.
Specifically with National Security Letters: a highly secretive system, greatly expanded by the Patriot Act, that requires private businesses to give up phone, email and financial records sought by agencies such as the FBI, under a gag order that forbids them from saying so.
(Note: In August, Lavabit, an encrypted email service that Edward Snowden reportedly used, was ordered to hand over its TLS private key, which would have let the government decrypt every user’s traffic, passwords included.
The company shut down rather than comply.)
Thanks to recent changes, companies that receive those letters no longer have to keep that fact entirely secret. They can announce that they have been required to fork over information, but only in bands of a thousand.
Receive a single letter and a company can report that it received between 0 and 999; receive a thousand and it can report 1,000 to 1,999 such demands.
Google’s transparency report now includes those ranges for the first time.
(Embedded: A Timeline of the Snowden Revelations, Al Jazeera)
With all of these (some would say insidious) programs, Prism (collection of communications from the big providers), Tempora (GCHQ’s bulk interception of internet traffic), Co-Traveler (cell-phone location tracking) and Bullrun (defeating encryption), the NSA was arguably breaking the law.
Robert E. Lee (yes, that’s his real name and, no, he’s not related to the Civil War general) is outraged.
He’s a Phoenix-based security researcher who has spent the past 20 or so years implementing encryption standards.
“The NSA is supposed to help monitor communication of enemy nation-states,” he says. “If we go back to World War II, and the Enigma machine, the ciphers that were talking about Japanese troop movement. That’s fine. There are a lot of really good things that the NSA can do, especially in war times.
“But this is a very complicated thing, mostly because we have a totally messed up foreign policy. We have created a war on terror that has created more terrorists because we are occupying land. Now we are turning normal people into terrorists and that’s why we are now spying on normal people.”
Before 9/11, he says, it was pretty clear who the enemy was. But now that line is blurred.
The other side of this argument is that, well, everything is different now, and the NSA needs far-reaching authority to be able to connect the dots.
But that’s not necessarily true, says Mike Janke, a former Navy SEAL who is the chief executive of Silent Circle, which encrypts phone calls and texts, as well as email and other computer communications, for 11 governments and 26 of the Fortune 50.
“It’s not that you have to give up your privacy in order to protect your borders,” he says.
“Everyone loves to throw fear around — toothpaste bomb, terrorism, 9/11 — when the reality of it is that in this mobile-centric environment, this technology environment, law enforcement and government agencies have dozens of ways to monitor and govern their borders without stealing 100 percent of their citizens’ privacy.”
The NSA clearly crossed the line.