Risk
6/10/2013
12:00 PM
Connect Directly
RSS
E-Mail
50%
50%

NSA Prism: Inside The Modern Surveillance State

The government's approach seems to be: "Collect first, ask questions later."

Dystopia used to seem sexier. In George Orwell's 1984, Big Brother used non-stop wars and ever-present surveillance to keep the population in check. A stray glance or thoughtcrime might send you to the slammer. Who wouldn't rebel against that?

In today's increasingly wired -- and wireless -- world, however, the surveillance situation is much more banal: Under the NSA's Prism program, APIs installed on servers running at Google, Facebook, Microsoft and other technology giants give government spooks access to meta-data relating to communications and phone calls. It is signals intelligence meets big data and analytics, with a self-writing sales pitch that seems tailor-made for the Big Three: "Mass surveillance to monitor for suspected terrorists across the entire United States, for only $20 million." Data storage, no doubt, costs extra.

To top it all off, the design of the top secret Prism PowerPoint documents -- leaked by Edward Snowden, 29, an employee of Booz Allen Hamilton who's done contract work for U.S. intelligence agencies -- are, in the words of renowned design guru Edward Tufte, "dreadful."

[ Do you know what this means for your job? Read NSA Dragnet Debacle: What It Means To IT.]

But the biggest problem with the NSA's program is that it has all the hallmarks of an "engineering first" mindset, along these lines: With all of that metadata floating in the ether, why not build it and see what secrets it might reveal? The same philosophy appeared to be behind Google's Street View program, in which a "rogue engineer" pursued wardriving by design, capturing Wi-Fi data for later analysis. Numerous governments fined Google for privacy violations.

Similar privacy fears were raised after a security researcher discovered that Carrier IQ diagnostic software installed on 141 million handsets could be used to capture every keystroke entered on the phone. While the company at first refused to discuss its software or what controls might be in place to counter abuse, it belatedly surrendered details in response to a Senator's inquiry.

Both of those episodes highlight that just because something is technically feasible, when it comes to U.S. citizens' rights -- including Fourth Amendment protections against unreasonable searches -- that doesn't satisfy the moral question: Is it right?

Or in the words of Akamai's security evangelist, Martin McKeay: "'Democratic Surveillance' -- collect minimum needed to be effective. 'Totalitarian Surveillance' -- collect everything, sort it out later."

Is Prism even legal? George Washington University professor Orin Kerr, a former Department of Justice computer crime prosecutor, has suggested that Prism simply implements the Protect America Act of 2007 and FISA Amendments Act of 2008. But as Glenn Greenwald, the Brazil-based U.S. citizen who broke the Prism story for the Guardian tweeted Monday: "If everyone is so sure this spying is legal, why does Obama DOJ keep preventing federal courts from ruling on its constitutionality?"

Now it's up to the Obama administration to prove not only that the program is legal, but that privacy and usage safeguards are in place -- and subject to external reviews -- to ensure that information is only used to spy on foreigners, without infringing U.S. citizens privacy. In other words, the White House must prove the system is just.

Where moral questions are concerned, Snowden said he doesn't think the NSA operators were evil -- far from it. "Analysts (and government in general) aren't bad guys, and they don't want to think of themselves as such," he told The Washington Post. But the NSA's approach was based on a false premise: "If a surveillance program produces information of value, it legitimizes it,'" he said.

That "collect first, ask questions later" justification is chilling. Indeed, one big problem with big data analytics when practiced by intelligence or law enforcement agencies is that it's not a zero-sum game. The NSA's data dragnet operation snares information from everyone. According to accounts of how the system seems to work, it's then left to intelligence analysts to tweak their algorithms until they're only investigating hits on people they have a "51% confidence" of being foreign.

In the wrong hands, or without proper oversight, the data set collected by the NSA would be a privacy nightmare. In March 2013, for example, a study published in Nature found that "human mobility traces are highly unique," and that with just four data points -- involving location and time -- were required to "uniquely identify 95% of the individuals" studied. Picking two random points, meanwhile, allowed researchers to correctly identify half of people in the mobility data set, which was collected from 1.5 million people over a 15-month period.

Given the risks introduced by Prism, the big question in coming days will be: Who's guarding our secrets? Are the potentially petabytes of information being collected in safe hands?

One harbinger that the answers may not be to our liking comes via the actions of Snowden, a contract NSA network administrator who, after seeing the program in operation, gave up his $200,000 annual salary, job in Hawaii and hopes of ever seeing his girlfriend or family again. Snowden said the Prism program led him to conclude that the modern surveillance state is "such a direct threat to democratic governance that I have risked my life and family for it."

"Perhaps I am naive," Snowden told The Washington Post, "but I believe that at this point in history, the greatest danger to our freedom and way of life comes from the reasonable fear of omniscient State powers kept in check by nothing more than policy documents."

Now it's up to the Obama administration to refute that criticism and assuage Americans' concerns. In the words of Senator Mark Udall (D-Colo.), a member of the Senate intelligence committee who commented Sunday about ongoing Prism questions: "Let's have the debate, let's be transparent. Let's open this up."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
pwndecaf
50%
50%
pwndecaf,
User Rank: Apprentice
7/18/2013 | 7:21:59 PM
re: NSA Prism: Inside The Modern Surveillance State
The US incarcerates its population to a much greater percentage than anywhere else in the world. God forbid you be a person of color.
timallard
50%
50%
timallard,
User Rank: Apprentice
6/13/2013 | 12:57:13 PM
re: NSA Prism: Inside The Modern Surveillance State
While I assume most of this is being done for corporate spying internationally to aid USA companies it's a gross violation of the 4th Amendment, so, they need to get the secret agenda's done some other way, and forced to use warrants on individuals.
The whole concept of warrantless searching without a cause is so bogus based on fishing for "terrorists", give me a break, my take is that the hyenas need to get pulled off the carcass of "democracy" before it's long gone.
gavgavgav
50%
50%
gavgavgav,
User Rank: Apprentice
6/11/2013 | 6:09:26 PM
re: NSA Prism: Inside The Modern Surveillance State
To Andrew's comment, everyone draws the line in a slightly different place in the sand with regards to the balance between privacy and security -- but the issue so many people (both Americans and the international community) are struggling with is how much of their own data needs to be harvested in order for a government to keep its people safer. There are a lot of unanswered questions that go far beyond the initial NSA answer of, "Hey, we can't tell you everything but you're safer because of this."

1) Could the attacks partly or completely detected and thwarted by the PRISM system have been prevented by more targeted surveillance techniques?

2) Even if you believe what is happening now is right and good, how is the data collected by the NSA stored and protected from misuse by future administrations? What is the retention policy on all that?

3) Does the wide sweeping nature of this data-gathering tactic weaken the US's role in the world of being an upholder of democracy, human rights, privacy and those kinds of issues that are so often labelled as violations when seen as absent in other countries?

4) Does the revealed lack of privacy in US-based systems weaken American companies abilities to conduct business and be trusted in the wider world, whether they are choosing to be a part of this surveillance or not?

5) Where do we stand ethically and morally with regards to collecting (even if not necessarily analyzing) so much data about people totally unconnected with "terrorism", crime or other activities that the US government would normally have to identify ahead of time in order to become engaged with said people?

To me, this all boils down to the reason why the US Constitution's 4th Amendment was written the way it was, and also why -- when you read that very amendment -- the current activity of the NSA seems so flagrantly in abuse of it.

This is why people the world over need to be protesting this, even given the US government's assurances of increased safety.

Gavin Landless, CISSP, SSCP, CEH
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
6/11/2013 | 2:54:46 AM
re: NSA Prism: Inside The Modern Surveillance State
Not that I know all of the details here, but I do have to wonder if Mr. Snowden has ever heard of both Echelon and Carnivore. Prism would seem to be the direct evolution of the Carnivore program.

For people coming to this topic without any background on what the NSA really does, of course it's going to be shocking. The sheer amount of data (and more importantly, meta-data), the ability to track people based on their network usage and mobile device information... it's mind-blowing, if you didn't know it was a capability that has existed for nearly two decades, if not longer.

If you want to do a little reading on the subject, take a look at how the Secret Service uses information collected from the PRISM program - see if you can find a copy of Privacy Impact Assessment Update for the PRISM-ID dated 10 November 2010.

As to the tools preventing acts of terrorism - I would believe that and I sincerely appreciate that. Having had the building across the street from my office (which happens to be the Federal Reserve Bank of New York) threatened with a bombing last October, the collection of SIGINT (as those in the community call it) to find someone that was working on doing that and then stopping them is much appreciated. Aside from the possible loss of life and ensured damage to the surrounding buildings, it would have made my commute a living hell.

I think the overall issue with the release of the information surrounding PRISM coming on the heels of the issues with the IRS contributes to a level of delirium. Can you trust a government that is going not going to act in a non-partisan way but instead be used as a tool (or weapon) for the political ends of those in power? I would say not. Can you trust an administration that promises transparency but delivers something about as opaque as a Mason jar full of white paint? I would say not, yet again.

As far as the data security side of this program, big data requires... well, just that... big data. In order to find some patterns, a lot of data and a lot of analysis is required. After all, tracking down the faintest voice in the wilderness may be crucial in preventing the next major incident.

I also think that this sort of "discovery" begs the question, should the employees, contractors and the associates of the NSA be held to a higher moral standard? And my feeling is that yes, indeed they should. But, have you ever looked at something along the lines of an SF-86 or considered the process for getting a level of clearance required to get access to the data collected by PRISM? I could be wrong, but my assumption is that not everyone at the NSA has access to that data...

Andrew Hornback
InformationWeek Contributor
D. Henschen
50%
50%
D. Henschen,
User Rank: Apprentice
6/10/2013 | 8:55:37 PM
re: NSA Prism: Inside The Modern Surveillance State
A government insider we know says "the semantic and visual analytics tools weG«÷ve developed have reportedly been successful in preventing multiple acts of terrorism." Does this change your thinking on whether the government should be trusted? Seems to boil down to the desire for some curbs and assurances rather than a blank check to snoop at will.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3562
Published: 2014-08-21
Red Hat Directory Server 8 and 389 Directory Server, when debugging is enabled, allows remote attackers to obtain sensitive replicated metadata by searching the directory.

CVE-2014-3577
Published: 2014-08-21
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-...

CVE-2014-5158
Published: 2014-08-21
The (1) av-centerd SOAP service and (2) backup command in the ossim-framework service in AlienVault OSSIM before 4.6.0 allows remote attackers to execute arbitrary commands via unspecified vectors.

CVE-2014-5159
Published: 2014-08-21
SQL injection vulnerability in the ossim-framework service in AlienVault OSSIM before 4.6.0 allows remote attackers to execute arbitrary SQL commands via the ws_data parameter.

CVE-2014-5210
Published: 2014-08-21
The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) remote_task or (2) get_license request, a different vulnerability than CVE-2014-3804 and CVE-2014-3805.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.