Operations
9/22/2016
01:00 PM
Will Ackerly
Will Ackerly
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Snowden: Hollywood Highlights 2 Persistent Privacy Threats

Oliver Stone's movie shows us that while most of us have nothing to hide, we all have information worth protecting - both technically and constitutionally.

Much has already been written about the new Snowden movie directed by Oliver Stone and its inaccuracies and exaggerations. However, the hype does underscore two persistent vulnerabilities, technical and constitutional, which represent serious threats to our privacy. Since we can still take action on both, I’d like to examine them here.

For some of us, like Edward Snowden’s girlfriend in the movie, vulnerability of our data can seem vague and generalized. In Snowden, the technical vulnerabilities are acutely personalized. With a click of a button and entry of someone (else’s) email address, live webcam video and intimate personal messages are seemingly available on-demand. The reality is actually scarier than the movie makes it out to be. Our information is exposed to a massive spectrum of threats, and vulnerable to malicious actors, security holes, and incompetence. An email, for instance, could be compromised by your email provider, your recipient’s email provider, your Internet provider, your cloud provider, your government, foreign governments, or hackers.

Given the spectrum of threats, the only reliable response is to stop depending on the myriad devices and services that store our data and start making our data self-protecting. This is not a totally new concept; it can be achieved with existing technology like end-to-end encryption. End-to-end encryption ensures only you and your authorized recipients may have access to your content so that you do not need to trust devices and service providers in between. It is a technical means of embedding the kind of principle we have written in law to protect the US Mail (no snooping!) and into the DNA of our data online. While traditionally difficult to use, new approaches to self-protecting, data-centric security are becoming it easier to add to existing apps.

Stone’s movie also hit on the biggest legal vulnerability threatening our constitutional rights: secret laws being written that avoid the critical checks and balances of the American system of balance of powers.

One key source of these secret threats is the Foreign Intelligence Surveillance Act (FISA) court system, which issues secret rulings that can function as secret law. While Congress may have rightly understood that many aspects of intelligence gathering and judicial oversight must be kept secret –  including warrants that can reveal sources, methods, and targets –  there was an unintended consequence.  Under this framework, the FISA court can grant new authorities via secret court opinion, constituting new law not subject to public scrutiny.

As we now know, without public scrutiny and an adversarial judicial process, these rulings have been demonstrated to violate common assumptions about Constitutional protections provided by the Fourth Amendment. For instance, a 2013 New York Times article revealed that the FISA court determined that collections of data on any American, regardless of connection to foreign enemies, did not violate the Fourth Amendment search and seizure protections.

This legal threat persists today. Some laws have changed, but our information remains exposed. This may seem like an intractable problem: trying to ensure transparency of law while maintaining operational security of our national defense. But there is a solution.

The solution will require an act of Congress mandating that secret rulings made by courts or agencies must include a public, unclassified summary of any legal interpretations made in granting a warrant or issuing a ruling. This can be done without revealing sensitive sources, methods, or targets.

Perhaps the most chilling theme in the movie revolves around potential misuse of surveillance powers by future leaders. In January, we will have a new administration, and our new president will drive his or her agenda on surveillance. Without legal reform and transparency, we will not know how our privacy rights have changed – for the better or the worse.  In the meantime, let us make sure our data carries its own protection, end to end, so it is protected regardless of what others do.

As Stone’s movie makes clear, while most of us have “nothing to hide,” we all have information worth protecting.

Edward Snowden will be speaking via video link at the SecTor security conference in Toronto at 9 a.m. ET on Tuesday October 18, and will be taking questions from Dark Reading readers. If you have relevant questions you would like to ask, let the SecTor team know by posting them in the comments section at the bottom of this article. SecTor will be selecting the best to be addressed at the event.

Related Content:

 

Will Ackerly is the chief technology officer and cofounder of Virtru. Prior to founding Virtru in 2012, Will spent eight years at the National Security Agency (NSA) where he specialized in cloud analytic and security architecture - specifically protecting the agency's ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
willackerly
100%
0%
willackerly,
User Rank: Author
9/30/2016 | 1:36:37 PM
Re: Secret law
jries921, that is a really thoughtful response, and those are fantastic ideas.  I think there are still real opportunities to make progress on these issues, and I'm pursuing one in particular, so it would be great to connect directly. If you're interested, give me a shout on email – accessible via my author profile
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
9/26/2016 | 7:34:32 AM
Re: World with no secrecy
While I am concerned with the way that the world is moving in terms of personal privacy, this is the silver lining I am secretly hoping for. A world with no privacy is one I don't want to come to pass, but if it does, it needs to be an open book for everyone. If there are some with privacy while everyone is without, that gives enormous power to a select few who can keep their skeletons hidden.

However I am not optimistic. Privelege like that has traditionally been one rule for many and another for a few and it seems likely to continue.
Souheil.M
50%
50%
Souheil.M,
User Rank: Apprentice
9/26/2016 | 6:24:51 AM
Re: A good read on Snowden case !
Yes you're right.  However, I would say when using social media networks you are giving them some "private" information somehow,  but all depends on how the privacy is defined according to the Law. Anyway the question is very complex.

 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/24/2016 | 5:09:29 PM
World with no secrecy
 

Another way of getting rid of this complex situation is not to have secret data, if everything is open to everybody then we will not have this madness and no need to play hide and seek game. Not realistic but it would be perfect if it happens. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/24/2016 | 5:07:37 PM
Re: A good read on Snowden case !
"... he general public have no good way of knowing what the downside was. ..."

Agree. We are only hearing what is reported. We do not understand the dynamics I believe.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/24/2016 | 5:05:07 PM
Re: Secret law
I agree. These are all good points, NSA is not operating under a secret law, these would most likely not solve ultimate problem. Also, it is not only US, other countries' information agencies performing secret services of course.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/24/2016 | 5:01:31 PM
Re: A good read on Snowden case !
"... we can't sacrifice our own privacy ..."

I hear you. Privacy will likely be less of an issue in near future, we already give up privacy by being in the Facebook and when we start using tools available to us, more like security is the main concern.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/24/2016 | 4:58:29 PM
Misuse of data
 

I would not consider a potential, if you have data nobody else has you would use it for your benefits, that is main reason you made the effort to get it. Better not to allow anybody have any data exclusively.
jries921
50%
50%
jries921,
User Rank: Ninja
9/24/2016 | 10:40:45 AM
Re: A good read on Snowden case !
Frankly, I don't know enough to ask for his pardon, which is why I will not sign any petitions requesting it.  Specifically, I don't know what damage he has done to our defense, intelligence, or diplomatic efforts, if any; I don't know what information he has given to the Russian authorities, if any (he denies that he has, but I can't imagine President Putin granting him asylum without his having been thoroughly interrogated by a couple of the FSB's finest); and I don't know what there is in the cache that hasn't been publicly reported (and there really isn't any way to secure what is still in Glenn Greenwald's custody).  Admittedly, he has exposed real abuses and provoked a badly needed public debate, but we, the general public have no good way of knowing what the downside was.

If I were President, I wouldn't even think about granting him a pardon until/unless I had a very good idea of what the negative consequences were, and unless the entire contents of the cache were transmitted to the National Security Council staff (so I and the appropriate agencies would know exactly what was leaked, not just what Greenwald has chosen to release).  Then I'd need to have some very long conversations with my Secretaries of State, Defense, and Homeland Security; and with my Director of National Intelligence and probably a remote conversation with Snowden as well (he could be granted safe conduct to and from the US Embassy in Moscow for that purpose).  Only then do I think I would have enough information to make a decision.

In the mean time, I prefer to withhold judgment.  I don't really like deferring to the President, but I don't see much of a choice.
masoodm
50%
50%
masoodm,
User Rank: Apprentice
9/24/2016 | 10:24:32 AM
Snowden: Hollywood Highlights 2 Persistent Privacy Threats
My question to Snowden is that after exposure, to what extent the IT sector had taken real-time challenges on privacy threats.
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "I've seen worse.  Last week Tim had a dragon."
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.