Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

9/22/2016
01:00 PM
Will Ackerly
Will Ackerly
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Snowden: Hollywood Highlights 2 Persistent Privacy Threats

Oliver Stone's movie shows us that while most of us have nothing to hide, we all have information worth protecting - both technically and constitutionally.

Much has already been written about the new Snowden movie directed by Oliver Stone and its inaccuracies and exaggerations. However, the hype does underscore two persistent vulnerabilities, technical and constitutional, which represent serious threats to our privacy. Since we can still take action on both, I’d like to examine them here.

For some of us, like Edward Snowden’s girlfriend in the movie, vulnerability of our data can seem vague and generalized. In Snowden, the technical vulnerabilities are acutely personalized. With a click of a button and entry of someone (else’s) email address, live webcam video and intimate personal messages are seemingly available on-demand. The reality is actually scarier than the movie makes it out to be. Our information is exposed to a massive spectrum of threats, and vulnerable to malicious actors, security holes, and incompetence. An email, for instance, could be compromised by your email provider, your recipient’s email provider, your Internet provider, your cloud provider, your government, foreign governments, or hackers.

Given the spectrum of threats, the only reliable response is to stop depending on the myriad devices and services that store our data and start making our data self-protecting. This is not a totally new concept; it can be achieved with existing technology like end-to-end encryption. End-to-end encryption ensures only you and your authorized recipients may have access to your content so that you do not need to trust devices and service providers in between. It is a technical means of embedding the kind of principle we have written in law to protect the US Mail (no snooping!) and into the DNA of our data online. While traditionally difficult to use, new approaches to self-protecting, data-centric security are becoming it easier to add to existing apps.

Stone’s movie also hit on the biggest legal vulnerability threatening our constitutional rights: secret laws being written that avoid the critical checks and balances of the American system of balance of powers.

One key source of these secret threats is the Foreign Intelligence Surveillance Act (FISA) court system, which issues secret rulings that can function as secret law. While Congress may have rightly understood that many aspects of intelligence gathering and judicial oversight must be kept secret –  including warrants that can reveal sources, methods, and targets –  there was an unintended consequence.  Under this framework, the FISA court can grant new authorities via secret court opinion, constituting new law not subject to public scrutiny.

As we now know, without public scrutiny and an adversarial judicial process, these rulings have been demonstrated to violate common assumptions about Constitutional protections provided by the Fourth Amendment. For instance, a 2013 New York Times article revealed that the FISA court determined that collections of data on any American, regardless of connection to foreign enemies, did not violate the Fourth Amendment search and seizure protections.

This legal threat persists today. Some laws have changed, but our information remains exposed. This may seem like an intractable problem: trying to ensure transparency of law while maintaining operational security of our national defense. But there is a solution.

The solution will require an act of Congress mandating that secret rulings made by courts or agencies must include a public, unclassified summary of any legal interpretations made in granting a warrant or issuing a ruling. This can be done without revealing sensitive sources, methods, or targets.

Perhaps the most chilling theme in the movie revolves around potential misuse of surveillance powers by future leaders. In January, we will have a new administration, and our new president will drive his or her agenda on surveillance. Without legal reform and transparency, we will not know how our privacy rights have changed – for the better or the worse.  In the meantime, let us make sure our data carries its own protection, end to end, so it is protected regardless of what others do.

As Stone’s movie makes clear, while most of us have “nothing to hide,” we all have information worth protecting.

Edward Snowden will be speaking via video link at the SecTor security conference in Toronto at 9 a.m. ET on Tuesday October 18, and will be taking questions from Dark Reading readers. If you have relevant questions you would like to ask, let the SecTor team know by posting them in the comments section at the bottom of this article. SecTor will be selecting the best to be addressed at the event.

Related Content:

 

Will Ackerly is the chief technology officer and cofounder of Virtru. Prior to founding Virtru in 2012, Will spent eight years at the National Security Agency (NSA) where he specialized in cloud analytic and security architecture - specifically protecting the agency's ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
jries921
100%
0%
jries921,
User Rank: Ninja
9/24/2016 | 10:18:29 AM
Secret law
Technically, there is no such thing, but in Common Law jurisdictions like the USA, judicial precedents have something akin to the force of law, so they must be taken into consideration.  I think there are some things Congress can do to help matters:

1.  Strip FISC of its status as a court of record (meaning that its decisions could not be cited as precedent).  This would mean that FISC decisions would be guided entirely by publicly available statute law and appellate court rulings, not by its own precedents.

2.  Abolish the appellate court established by FISA (which has AFAIK, has only considered a handful of cases since it was established in 1979) and transfer appellate jurisdiction over FISC to the Federal Circuit, which would publish digests of its opinions dealing with cases appealed from FISC in the manner suggested in the article (opinions would be completely declassified when secrecy is no longer required; perhaps after 10 years by default, with the President having authority to extend the period up to five years at a time for a given case).  Cases could be further appealed to the Supreme Court in the usual manner.

A third item could probably only be done by order of the President, but I think it would help enormously:

3.  Make all legal opinions issued by the Justice Department for the general guidance of federal employees public record.  Advice on specific cases would continue to be confidential.  This would help to allay the suspicion that the Federal government is operating on the basis of secret rules, rather than publicly available statute and judicial precedents.

A fourth item could probably be done by act of Congress:

4.  Require any settlements of civil cases in which the US government or its civil officers (in their official capacities) are defendants to be made public record.  This would eliminate a category of "secret law" in the form of confidential consent decrees, which are sometimes alleged to govern federal policy in a number of areas, such as environmental protection.  Settlements of cases in which the federal government is the plaintiff and one or more private citizens are defendants could be partly or completely sealed by a court if it decides that such is necessary to protect privacy.

I suspect that others have other ideas.
Souheil.M
50%
50%
Souheil.M,
User Rank: Apprentice
9/23/2016 | 11:14:50 AM
A good read on Snowden case !
I hope this film will be providing a real opportunity for Snwoden to be pardoned and more comprehension of what he has done !

Anyway, this article is a good point to explain that we can't sacrifce our own privacy in the name of whatever reason !. In addition, I think this kind of intelligence practice will very likely continue to exist...
<<   <   Page 2 / 2
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Exactly
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14180
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers authenticated as a non-administrator user to view Project Request-Types and Descriptions, via an Information Disclosure vulnerability in the editform request-type-fields resource. The affected versions are...
CVE-2020-14177
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service (DoS) vulnerability in JQL version searching. The affected versions are before version 7.13.16; from version 7.14.0 before 8.5.7; from versio...
CVE-2020-14179
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from...
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because &quot;admins are considered trustworthy&quot;; however, the behavior &quot;contradicts our secu...