HAS THE NSA POISONED
THE CLOUD?
Steven Titch
INTRODUCTION
The U.S. technology industry enters 2014 facing a
backlash to its perceived role as accomplice to a series
of National Security Agency surveillance programs,
each making extensive use of data mining to parse bil-
lions of consumer telephone, Internet and computer records
in what now appears to have been an ineffective effort to
track international terrorists.
Recent analysis projects the caution and mistrust engen-
dered by the NSA’s programs could cost U.S. technology
industry between $35 billion and $180 billion over the next
three years. Widespread NSA spying is unsettling because it
hits at the current focal point of communications and computer
innovation—cloud computing. Effective protection
of privacy and security is best managed by regulating the
activities of government, as opposed to the utility of Inter-
net services.
RECENT NSA SPYING REVELATIONS
PRISM, the NSA electronic surveillance program with the
most notoriety, was created in 2007, ostensibly under the
authorization of the Protect America Act and the Foreign
Intelligence Surveillance Act (FISA). Its activities have been
overseen by the FISA Court, an independent judicial arm set
up by FISA to determine persons and agencies who could be
targeted for surveillance.
The PRISM program remained secret until June 2013, when
news broke that the FISA Court had ordered Verizon Communications
to provide the NSA data on all customer telephone
calls on an ongoing daily basis.1 Days later, the Washington
Post and the United Kingdom’s Guardian published
NSA documents leaked to them by Edward Snowden, an NSA
contractor who claimed to have grown concerned over the
scope of the spying program.2
Snowden’s revelations revealed the NSA has been capturing
and mining massive amounts of private U.S. telecommuni-
cations and Internet traffic generated by ordinary citizens
in an attempt to gain intelligence primarily on international
terrorism, and that the program had further expanded to
support investigations into narcotics trafficking, the inter-
nal security of foreign countries and to obtain military and
political data on foreign countries, including U.S. allies.
Throughout the remainder of 2013, we learned that PRISM
was just one of several programs aimed at intercepting and
analyzing routine communications not only of American
citizens, but foreign nationals, as well, ranging from ordinary
consumers to heads of state.
Some of the details of the NSA electronic spying include:
•	 Collecting “metadata” on millions of wireless
phone calls. Metadata describes information such as
the calling and called numbers, location of the callers,
duration of the call, and other information pertaining
to the call other than the actual contents of the conversation.
R STREET POLICY STUDY NO. 17
January 2014
1.	Glenn Greenwald, “NSA Collecting Phone Records of Millions of Verizon Customers
Daily – Top Secret Court Order Requiring Verizon to Hand Over All Call Data Shows
Scale of Domestic Surveillance under Obama,” The Guardian, June 5, 2013, available
at http://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order.
2.	Barton Gellman and Laura Poitras, “U.S., British intelligence mining data
from nine U.S. Internet companies in broad secret program,” The Washington
Post, June 7, 2012, available at http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html.
CONTENTS
Introduction
Recent NSA spying revelations
Legal, legislative and economic fallout
Implications for cloud computing
Industry backlash
Potential solutions
About the author
R STREET POLICY STUDY: 2014 HAS THE NSA POISONED THE CLOUD? 1
•	 Monitoring emails and social media for “keywords”
that might signal terrorist or criminal activity. Among
other methods, the NSA tapped directly into private
networks owned by Google and Yahoo—an operation
dubbed MUSCULAR—reportedly without the knowl-
edge or consent of the companies.
•	 The development of algorithms designed to use the
Internet to connect to and gather information from
personal computers without knowledge of the users.
•	 Tapping phones of world leaders, such as German
Chancellor Angela Merkel, a U.S. ally.
•	 A plan to use the Internet to turn on embedded per-
sonal computer web cameras without user knowledge
or consent.
•	 A $10-million contract with RSA, a major supplier
of security software to Internet infrastructure manu-
facturers, to secretly install software on Internet rout-
ers and servers that could decode encrypted data.3
•	 The NSA’s Tailored Access Operations unit, which
developed special computer code, known colloquially
to programmers as “back doors,” that defeats firewalls
designed to protect private data. The program targeted
Internet infrastructure from major manufacturers
such as Cisco Systems, Juniper Networks, Huawei and
Dell.
The NSA used common Web advertising tracking programs,
called “cookies,” to follow user surfing habits and determine
whether they should be targeted for further hacking.
The data of a large number of U.S. companies – including
Microsoft, Google, Yahoo, Facebook and Apple – was used by
the PRISM program, sometimes with their knowledge and
consent, and sometimes without it.
The disclosures show no sign of letting up. As this paper
went to publication, reports emerged that the NSA, in a pro-
gram called Quantum, had implanted radio transmitters in
some 100,000 personal computers around the world. Using
radio, the NSA was able to access and spy on these PCs even
when they were not connected to the Internet.
LEGAL, LEGISLATIVE AND ECONOMIC FALLOUT
The weight and scope of the NSA programs have sparked heated
debate over their legality and constitutionality. Last year
closed with two conflicting court decisions on the constitutionality
of the PRISM program. On Dec. 16, 2013, in Washington, D.C.,
Federal District Court Judge Richard J. Leon ruled that
the NSA’s systematic recordkeeping of all Americans’ phone
calls most likely violated the Constitution. He ordered the
government to stop collecting data on two plaintiffs’ personal
calls and to destroy the records of their calling history.4
Eleven days later, however, a federal judge in New York, William
H. Pauley III, ruled the same data collection legal, setting
up an eventual appellate court battle.5
Congress’ 2014 session got underway with the introduction
of a bill from Rep. Adam Schiff, D-Calif., that would restruc-
ture the NSA’s phone metadata surveillance program. More
recently, on Jan. 17, President Barack Obama announced
steps to curtail the NSA’s surveillance programs, but stopped
well short of suspending them.
Obama announced the government would no longer main-
tain a database of millions of Americans’ telephone records,
which had been conducted under the auspices of Section 215
of the Patriot Act, but said telecommunications companies
or an independent third party could continue to maintain
that data, and did not rule out mandating that companies
do so. The president also said the White House would not
support the FISA Improvements Act, which would codify
into law the NSA’s authority to conduct many of its existing
surveillance programs. He also endorsed creating a role
for independent advocates at the FISA court and conducting
an annual review of the court’s declassification decisions.
He also appointed John Podesta to lead a review of privacy
issues that affect non-suspects, called for a higher standard
for surveillance of foreign leaders and proposed ending permanent
gag orders for National Security Letters.
However, he did not call for an end to international surveil-
lance of Internet communications under Section 702 of the
FISA Amendments Act, nor did he rescind Executive Order
12333, which permits surveillance of overseas communica-
tions. He also did not take up the review panel’s recommen-
dation that National Security Letters only be issued after
judicial review, nor their recommendation against sabotag-
ing private encryption technology. While it remains to be
seen what legal and legislative remedies will be applied in
2014, there is already concern that the NSA programs will do
significant economic damage to the U.S. technology sector.
4.	Charlie Savage, “Federal Judge Rules Against NSA Program,” The New York Times,
Dec. 16, 2013,
5.	Adam Liptak and Michael S. Schmidt, “Judge Upholds N.S.A.’s Bulk Collection of
Data on Calls,” The New York Times, Dec. 27, 2013.
3.	Joseph Menn, “Exclusive: Secret Contract Tied NSA and Security Industry Pioneer,”
Reuters, Dec. 20, 2013, available at http://www.reuters.com/article/2013/12/20/us-
usa-security-rsa-idUSBRE9BJ1C220131220.
The Information Technology and Innovation Foundation
(ITIF), a research institute that aims to promote public pol-
icies that advance technological innovation and productiv-
ity, estimates international concern and mistrust of U.S. tech
companies could cost the industry between $21.5 billion and
$35 billion through 2016. This is based on the assumption
that the industry loses 20 percent of its current foreign mar-
ket share, while retaining its projected domestic share.6
ITIF’s predictions already may be coming true. Citing Defense
News, the Christian Science Monitor reported that the United
Arab Emirates may cancel a $926 million purchase of two
spy satellites from France unless two U.S.-made components
are removed from the product. Those components allegedly
contain digital “backdoors” that could allow unauthorized
access to data sent to the U.A.E.’s ground station.7
Elsewhere, John Henry Clippinger, ID3 executive director at
the Massachusetts Institute of Technology Media Lab, told
an interviewer: “What people do not appreciate is the eco-
nomic damage…that the NSA has done to the cloud comput-
ing business for the U.S.” He noted a number of European
banks no longer want to host data in the United States and
that Salesforce.com, which provides highly sensitive cloud-based
sales leads and customer information, has lost a major
client.8 Salesforce.com’s CEO has felt the need to publicly
state that it was not part of the PRISM program.9 It appears
the NSA’s aggressive surveillance has created an overall fear
among U.S. companies that there is “guilt by association”
from which they need to proactively distance themselves.
A more alarming figure comes from Forrester Research,
which provides analysis for financial firms and investors.
Forrester analyst James Staten cited the ITIF report, but
suggested its estimates are too conservative. Staten set
the potential global industry cost of PRISM at $180 billion
worldwide by 2016—the same time period ITIF uses. Staten
believes international buyers—particularly governments and
large corporations that are already sensitive to surveillance—
will be spooked enough by the NSA program that they will
throttle back their development of cloud computing technol-
ogy altogether.10
IMPLICATIONS FOR CLOUD COMPUTING
Although the term is literally nebulous to the layman, the
definition is quite simple. The “cloud” refers to the Internet
at large. Cloud computing refers to information processing
and storage done on the Internet, not on a home computer
or cellphone, as was standard until a few years ago. Cloud
computing makes it possible for users to, for example, access
playlists and movies from multiple devices, because that con-
tent is stored on servers in data centers that could be any-
where in the world.
That’s just one example. Services like Google’s Gmail and
Yahoo’s calendar are cloud-based, too. Social networks like
Facebook, LinkedIn, Instagram and Twitter use cloud com-
puting to deliver information across their billions of users.
Cloud computing has enabled many users to now carry lightweight
tablets instead of bulky PCs.
Cloud computing is also the root of development for the
emerging generation of Web-based applications—home
security, outpatient care, mobile payment, distance learning,
efficient energy use and driverless cars. And it is a research
area where the United States is an undisputed leader.
Yet despite the excitement and innovation surrounding it,
cloud computing was raising privacy and security concerns
long before the revelations about the NSA program. The very
fact that personal information is stored and processed on
servers and computers belonging to third-parties, by defi-
nition, means some loss of user control. As companies like
Google and Facebook have grown, with revenue streams
derived partly from monetizing the information supplied by
users, debate in policy circles has intensified about privacy
protection.
Companies themselves have had to walk a fine line. While
the popularity of cloud-based services argues that consum-
ers are comfortable with trading a certain amount of per-
sonal information for the value of free access to many use-
ful applications, there have been instances when users have
pushed back. For example, Google blurred identifiable faces
and blacked out windows of homes that were photographed
for its Street View application, but not before international
complaints.11 Facebook has repeatedly modified and clarified
its privacy policies in response to user concerns.
10.	 James Staten, “The Cost of PRISM Will Be Higher Than ITIF Projects,” Forrester
Blogs, Forrester Research, Aug. 14, 2013, available at http://blogs.forrester.com/
james_staten/13-08-14-the_cost_of_prism_will_be_larger_than_itif_projects.
6.	Daniel Castro, “How Much Will PRISM Cost the U.S. Cloud Computing Industry,”
ITIF, August 2013, p. 3.
7.	Mark Clayton, “Five overlooked costs of the NSA surveillance flap,” Christian Sci-
ence Monitor, Jan. 12, 2014, available at http://www.csmonitor.com/layout/set/print/
World/Security-Watch/2014/0112/Five-overlooked-costs-of-the-NSA-surveillance-
flap.
8.	VentureBeat (e-publication) video, “DataBeat 2013-John Henry Clippinger, Executive
Director, ID3, MIT Media Labs,” available at http://vimeo.com/81855881. Clippinger
makes his remarks starting at approximately 10:10.
9.	Taylor Armerding, “NSA spying could mean US tech companies lose international
business,” Computerworld, June 19, 2013, available at http://www.computerworld.
co.nz/article/487899/nsa_spying_could_mean_us_tech_companies_lose_interna-
tional_business/
These and other cases where Internet companies may have
overreached, but then apologized and adjusted, reflect an
understanding that their continued success depends heav-
ily on consumer trust. Consumers hold them to their word
that personal information will be protected, and are poised
to punish those who break that trust.
Alas, this underlying trust could be a casualty of the NSA
spying program. While it has supplied late-night TV hosts
with plenty of fodder for jokes (“I finally got through to the
Obamacare helpline because, after two hours, the NSA got
tired of listening to that music they play while on hold”),
their humor derives from the uneasiness people now have
about how much the government is snooping on private
phone calls and emails. As a recent headline to another NSA
critique dourly put it, 2013 was “the year trust died.”12
This is why the degree of “brand damage” PRISM, MUSCU-
LAR and other NSA initiatives have inflicted on the U.S. tech-
nology industry may take longer to determine. People may be
less inclined to use social networks, or could opt for search
engines that are less thorough, but more private. For many
sites, this will mean a decline in visitors, which will have an
impact on revenues, profits and re-investment.
This is not to let some major players off the hook, how-
ever. PRISM did come under the jurisdiction of the FISA
Court, and third-party companies were obligated to com-
ply. However, there were instances where, in retrospect,
telephone companies could have used their legal resourc-
es to push back more aggressively. Verizon, after all, once
stood up to the Recording Industry Association of America
when it demanded the phone company provide the identi-
ties of account-holders the record companies believed were
involved in music piracy. Although the RIAA insisted it had
a right to the data, Verizon’s lawyers instructed the organi-
zation to seek court approval—a route which, in the end, the
RIAA did not choose.
In more recent years, the NSA demanded a huge amount of
data, not simply on suspected terrorists, but on millions of
customers who, perhaps for innocuous reasons, had talked
to persons who talked to persons who talked to a suspect.
For perspective, if Boston Marathon bombers Dzhokhar and
Tamerlan Tsarnaev bought coffee from a barista at Starbucks
the morning of their attack, it would be as if the government
then placed surveillance on every person who ever bought
coffee from that barista, as well as their friends and friends’
friends. The phone companies’ unprotested compliance with
NSA directives puts some responsibility for the backlash at
their doorsteps. That RSA, a respected U.S. company in the
security space, so willingly agreed to compromise its own
customers for a government contract, is also disappointing.
Nonetheless, the public and the media do not seem to be in a
discerning mood, and the entire U.S. technology industry has
been tarred by what is being called “the Snowden effect.” Dis-
trust, suspicion and customer ill-will plague companies that
were unknowingly hacked by the NSA, as well as companies
like Salesforce.com and Amazon, who were never involved.
INDUSTRY BACKLASH
Much of the NSA’s surveillance was done without the knowledge
of the tech companies it affected. Several programs, like
MUSCULAR and the Tailored Access Operation, were undisguised
attempts to undermine privacy and security protections
these companies had put in place for consumers.
President Obama avoided discussion of these more inva-
sive NSA initiatives during his Jan. 17 address to the nation,
which focused largely on the PRISM program. PRISM was
much more sweeping than any of its predecessors, but at
least there is precedent for court-ordered wiretapping and
data collection. What makes many of the other NSA proj-
ects even more egregious is that they set out deliberately to
undermine security and privacy mechanisms that companies
put in place for their users. This is the high-tech equivalent
of breaking into someone’s home and prying open a locked
filing cabinet with a crowbar.
While there are laws that protect private citizens from such
burglary, there are none that offer explicit protection in the
cloud. The Electronic Communications Privacy Act (ECPA),
enacted in 1986, still reflects the technology of that era, and
mainly protects Americans against illegal wiretapping and
seizure of stored phone records. Because cloud computing
and storage did not exist in 1986, the act says nothing about
the protection of private information in the cloud. Many
judges have therefore interpreted seizure of any data stored
by third parties as not requiring consent or a search warrant.
The NSA has leveraged both jurisprudence and the lack of
specific law to push the limits of its search and seizure
powers. President Obama, in his address, conceded there
was a “bias” within government to expand information-gath-
ering. The NSA’s activities provide clear examples.
Concern in U.S. technology circles is high enough that rivals
are unifying in demand for due process, transparency and
accountability for NSA surveillance. Bipartisan efforts to
strengthen ECPA are gaining momentum. Another effort,
“Reform Government Surveillance,” is an initiative of eight
technology companies who believe their brands were damaged
by the PRISM revelations: AOL, Apple, Facebook,
Google, LinkedIn, Microsoft, Twitter and Yahoo. “People
won’t use technology they don’t trust,” Brad Smith, general
counsel and executive vice president of legal at Microsoft,
stated in a letter to President Obama and Congress.
“Governments have put this trust at risk, and governments
need to help restore it.”13 Separately, Google and Yahoo have
petitioned the government for the right to inform customers
when intelligence and law enforcement agencies have
requested data and the type of data that was sought.
11.	 “Google Blurs Faces in Street View Map Pictures,” The Economic Times, May
15, 2008, available at http://articles.economictimes.indiatimes.com/2008-05-15/news/27714235_1_street-view-google-blog-post-google-spokeswoman.
12.	 David Gewirtz, “2013: The Year Trust Died,” ZDNet, Dec. 9, 2013, available at
http://www.zdnet.com/2013-the-year-trust-died-7000024067/.
Ironically, the NSA turned the competitive edge U.S. com-
panies have in cloud computing into a liability, especially in
Europe. Commercially, it will give European competitors an
opportunity to promote their own systems as more secure
and as safe from U.S. law enforcement. Second, on the regu-
latory front, it provides impetus for the privacy measures
the European Union wants on certain cloud-based services.
These measures could undercut the U.S. firms’ competi-
tiveness. For example, such rules would limit the ability of
content providers, search and social networking services to
access and process personal data of users for purposes of
targeted advertising or location-based services. While these
measures have a degree of popular support from regula-
tors who fear that consumers are being unduly “tracked,”
research shows that regulation that limits the use of targeted
advertising and other personalized cloud services inhibits
growth, innovation and overall use.14
Similarly, Internet companies face “Do Not Track” regula-
tion in a number of states, including California, which would
put severe limits on their ability to provide free services in
exchange for user data. Data has shown that American users
historically have been comfortable with current Internet
business models. In a 2013 Zogby poll, 70 percent of respon-
dents said they’d like at least some ads tailored directly to
their interests, while 40 percent said they wanted all their
ads targeted.15 Nonetheless, in the wake of the NSA revelations,
activist legislators may take advantage of a wave of
popular unease to enact regulations that, in the long term,
prove harmful to Internet service and innovation.
POTENTIAL SOLUTIONS
The NSA’s surveillance activities represent a massive over-
reach on the part of the U.S. government into the private
communications and information transactions of its citi-
zens—communications and transactions for which there is
a reasonable expectation of privacy. Therefore, the govern-
ment needs to be restrained through clear laws and policies
that govern the collection of private and proprietary data.
President Obama’s response falls short. Although he said the
government will stop storing phone records, he nonetheless
implied that phone companies would continue to do so on
the government’s behalf. The appointment of John Podesta
to review privacy concerns appears cosmetic. For one, what
metrics will determine Mr. Podesta’s effectiveness? The fact
that Obama did not call for judicial review of National Secu-
rity Letters, nor a halt to NSA efforts to break encryption,
remains troubling.
PRISM, MUSCULAR, Quantum and all of the other NSA sur-
veillance programs that have come to light should not just be
tweaked, reformed or repaired. They are all unconstitutional
programs that need to be scrapped.
1. Dismantle PRISM and rebuild a surveillance program
in accordance with specific defense and homeland
security goals.
Surveillance is a useful tool for law enforcement, but it yields
the best results when employed against suspected wrong-
doers and where there is concrete evidence of a crime or
conspiracy. Long before PRISM, law enforcement agencies
required judicial sign-off on wiretaps and searches. There is
no reason these protections cannot be extended to anti-ter-
rorism efforts. PRISM and the other programs have grown
so large that it should not be surprising they have not found
any actionable intelligence. After news of PRISM broke
last June, Gen. Keith Alexander, the NSA director, told Congress
that NSA surveillance programs stopped at least 50
terrorist attacks. Since then, that figure has been called into
question. In a review of cases brought against 225 individuals
associated with al-Qaeda or inspired by its ideology who
were charged in the United States with an act of terrorism
since 9/11, the New America Foundation found the NSA’s
bulk surveillance programs played an identifiable role in, at
most, 1.8 percent of these cases. Instead, the report found,
traditional law enforcement investigative methods—the use
of informants, tips from local communities, and targeted
intelligence operations, provided the initial impetus for nearly
all of these investigations.16
As Judge Leon noted in his decision finding PRISM unconstitutional,
there is no evidence that PRISM prevented anything.
His observation serves as both a legal and practical
indictment of the program.
13.	 Microsoft Corp. News Release, “Tech Company Coalition Supports Global Sur-
veillance Principles, Calls on US to Lead Reform Efforts,” Microsoft Corp., Dec. 8, 2013,
available at http://www.microsoft.com/en-us/news/press/2013/dec13/12-08compa-
nycoalitionpr.aspx.
14.	 cf. Avi Goldfarb and Catherine E. Tucker, “Privacy Regulation and Online
Advertising,” University of Toronto, August 5, 2010, available at
http://ssrn.com/abstract=1600259.
15.	 Katy Bachman, “Poll: Targeted Advertising Is Not the Bogeyman [Updated],”
Adweek, April 18, 2013, available at http://www.adweek.com/news/technology/poll-
targeted-advertising-not-bogeyman-updated-148649.
16.	 Peter Bergen, David Sterman, Emily Schneider and Bailey Cahall, “Do NSA’s Bulk
Surveillance Program Stop Terrorists?” New America Foundation, January 13, 2014,
pp. 1-2, available at http://www.newamerica.net/publications/policy/do_nsas_bulk_
surveillance_programs_stop_terrorists.
2. Enact legislation that recognizes that expectation of
privacy extends to personal data stored in the cloud.
The Fourth Amendment to the Constitution secures citizens’
“papers and effects” against unreasonable searches and seizures.
In the 21st century, arguing that the Bill of Rights does
not apply because papers and effects are stored in electronic
form on the Internet, not in a roll-top desk at home, is legal
sophistry.
For several years, there have been bipartisan efforts to
extend Fourth Amendment protection to cloud-based data,
either through new bills, or a rewrite of the 28-year-old Elec-
tronic Communications Privacy Act. Little by little, courts
have been chipping away at law enforcement’s blatant use of
surveillance in the cloud, but legislation would do the most
toward curbing this abuse. Congress should be encouraged
to move forward. This would go a long way toward reining in
collection of Internet data through clandestine use of wire-
tapping, back doors or decryption codes.
3. Allow for greater transparency and accountability
Had there been appropriate judicial and legislative over-
sight, it is hard to imagine that these surveillance programs
would have grown as large and intrusive as they did. Any
future surveillance programs require the checks and bal-
ances of oversight from lawmakers who represent the peo-
ple and from an independent judiciary. Laws that authorize
such programs must incorporate mechanisms for transpar-
ency and accountability, especially when the government
demands information owned by third-party companies.
Among these, companies should have the right:
•	 To be notified when their infrastructure is being
used for surveillance;
•	 To disclose instances when they have been asked
to assist with surveillance and turn over information;
•	 To demand that due process be followed;
•	 To oversight of domestic civilian surveillance by
conventional courts, not FISA or secret military courts;
•	 To requests for data that are held to the same standard
as other search warrants, wherein the requester
must identify the suspect, the probable cause, the data
to be searched and what specific information is being
sought.
As House Judiciary Committee Chairman Bob Goodlatte,
R-Va., put it: “We must ensure our nation’s intelligence col-
lection programs include real protections for Americans; civ-
il liberties, robust oversight, and additional transparency.”17
In a free society, individuals are not automatically assumed
to be suspects that need to be vetted and surveyed. Citizens
have the right to go about their business without the need
to answer to the state for every thought, act, purchase or
Facebook comment. The argument that widespread surveil-
lance is required to secure the common defense is specious,
and its dark consequences were articulated by George Orwell
almost 70 years ago in the novel 1984:
You had to live—did live, from habit that became
instinct—in the assumption that every sound you
made was overheard, and, except in darkness, every
movement scrutinized.18
While not every aspect of Orwell’s grim vision of a totalitar-
ian regime has come to pass, one unsettling aspect of 1984
has: the surveillance state he envisioned is a practical reality.
The government, indeed, has shown it can use technology
to keep tabs on much of what its citizens are doing. Fortu-
nately, we still hold to the idea that the government itself is
subject to its own laws. It will be critical to remember this
as we seek to reclaim our fundamental right to privacy and
to be left alone.
ABOUT THE AUTHOR
Steven Titch is an associate fellow at the R Street Institute, focused
on telecommunications, Internet and information technology. He
also serves as a policy advisor to the Heartland Institute and is a
former policy analyst at the Reason Foundation. His columns have
appeared in Investor’s Business Daily, the Washington Examiner and
the Houston Chronicle.
Titch also was co-founder and executive producer of Security
Squared, a business-to-business Web publication covering IT con-
vergence in physical security and surveillance. Previously, Titch was
editor of Network-Centric Security and director of editorial projects
for Data Communications magazine. He also has held the positions
of editorial director of Telephony, editor of Global Telephony maga-
zine, Midwest bureau chief of Communications Week and associate
editor-communications at Electronic News.
17.	 House Judiciary Committee, “Goodlatte Statement on PCLOB’s Report on
Intelligence-Gathering Programs,” Jan. 23, 2014. http://judiciary.house.gov/index.cfm/
press-releases?ID=E9B835FE-AA07-4A06-9DCB-91494B463BF1
18.	 George Orwell, 1984, Harcourt Brace Jovanovich, New York, 1949 (64th Signet
Edition), pp. 6-7.
RSTREET17

  • 1. HAS THE NSA POISONED THE CLOUD? Steven Titch INTRODUCTION T he U.S. technology industry enters 2014 facing a backlash to its perceived role as accomplice to a series of National Security Agency surveillance programs, each making extensive use of data mining to parse bil- lions of consumer telephone, Internet and computer records in what now appears to have been an ineffective effort to track international terrorists. Recent analysis projects the caution and mistrust engen- dered by the NSA’s programs could cost U.S. technology industry between $35 billion and $180 billion over the next three years. Widespread NSA spying is unsettling because its hits at the current focal point of communications and com- puter innovation—cloud computing. Effective protection of privacy and security is best managed by regulating the activities of government, as opposed to the utility of Inter- net services. RECENT NSA SPYING REVELATIONS PRISM, the NSA electronic surveillance program with the most notoriety, was created in 2007, ostensibly under the authorization of the Protect America Act and the Foreign Intelligence Surveillance Act (FISA). Its activities have been overseen by the FISA Court, an independent judicial arm set up by FISA to determine persons and agencies who could be targeted for surveillance. The PRISM program remained secret until June 2013, when news broke that the FISA Court had ordered Verizon Com- munications to provide the NSA data on all customer tele- phone calls on an ongoing daily basis.1 Days later, the Wash- ington Post and the United Kingdom’s Guardian published NSAdocumentsleakedtothembyEdwardSnowden,anNSA contractor who claimed to have grown concerned over the scope of the spying program.2 Snowden’s revelations revealed the NSA has been capturing and mining massive amounts of private U.S. 
telecommuni- cations and Internet traffic generated by ordinary citizens in an attempt to gain intelligence primarily on international terrorism, and that the program had further expanded to support investigations into narcotics trafficking, the inter- nal security of foreign countries and to obtain military and political data on foreign countries, including U.S. allies. Throughout the remainder of 2013, we learned that PRISM was just one of several programs aimed at intercepting and analyzing routine communications of not only of American citizens, but foreign nationals, as well, ranging from ordinary consumers to heads of state. Some of the details of the NSA electronic spying include: • Collecting “metadata” on millions of wireless phone calls. Metadata describes information such as the calling and called numbers, location of the callers, R STREET POLICY STUDY NO. 17 January 2014 1. Glenn Greenwald, “NSA Collecting Phone Records of Millions of Verizon Customers Daily – Top Secret Court Order Requiring Verizon to Hand Over All Call Data Shows Scale of Domestic Surveillance under Obama,” The Guardian, June 5, 2013, available at http://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon- court-order. 2. Barton Gellman and Laura Poitras, “U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program,” The Washington Post, June 7, 2012, available at http://www.washingtonpost.com/investigations/ us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret- program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html. CONTENTS Introduction 1 Recent NSA spying revelations 1 Legal, legislative and economic fallout 2 Implications for cloud computing 3 Industry backlash 4 Potential solutions 5 About the author 6 R STREET POLICY STUDY: 2014 HAS THE NSA POISONED THE CLOUD? 1
  • 2. duration of the call, and other information pertaining to the call other than the actual contents of the con- versation. • Monitoring emails and social media for “keywords” that might signal terrorist or criminal activity. Among other methods, the NSA tapped directly into private networks owned by Google and Yahoo—an operation dubbed MUSCULAR—reportedly without the knowl- edge or consent of the companies. • The development of algorithms designed to use the Internet to connect to and gather information from personal computers without knowledge of the users. • Tapping phones of world leaders, such as German Chancellor Angela Merkel, a U.S. ally. • A plan to use the Internet to turn on embedded per- sonal computer web cameras without user knowledge or consent. • A $10-million contract with RSA, a major supplier of security software to Internet infrastructure manu- facturers, to secretly install software on Internet rout- ers and servers that could decode encrypted data.3 • The NSA’s Tailored Access Operations unit, which developed a special computer code, known colloquially to programmers as “back doors,” that defeat firewalls designed to protect private data. The program target- ed Internet infrastructure from major manufacturers such as Cisco Systems, Juniper Networks, Huawai and Dell. The NSA used common Web advertising tracking programs, called “cookies,” to follow user surfing habits and determine whether they should be targeted for further hacking. The data of a large number of U.S. companies – including Microsoft, Google, Yahoo, Facebook and Apple – was used by the PRISM program, sometimes with their knowledge and consent, and sometimes without it. The disclosures show no sign of letting up. As this paper went to publication, reports emerged that the NSA, in a pro- gram called Quantum, had implanted radio transmitters in some 100,000 personal computers around the world. 
Using radio, the NSA was able to access and spy on these PCs even when they were not connected to the Internet. LEGAL, LEGISLATIVE AND ECONOMIC FALLOUT TheweightandscopeoftheNSAprogramshassparkedheat- ed debate over their legality and constitutionality. Last year closed with two conflicting court decisions on the constitu- tionality of the PRISM program. On Dec. 16, 2013 in Wash- ington D.C., Federal District Court Richard J. Leon ruled that the NSA’s systematic recordkeeping of all Americans’ phone calls most likely violated the Constitution. He ordered the government to stop collecting data on two plaintiffs’ per- sonal calls and to destroy the records of their calling history.4 Eleven days later, however, a federal judge in New York, Wil- liam H. Pauley III, ruled the same data collection legal, set- ting up an eventual appellate court battle.5 Congress’ 2014 session got underway with the introduction of a bill from Rep. Adam Schiff, D-Calif., that would restruc- ture the NSA’s phone metadata surveillance program. More recently, on Jan. 17, President Barack Obama announced steps to curtail the NSA’s surveillance programs, but stopped well short of suspending them. Obama announced the government would no longer main- tain a database of millions of Americans’ telephone records, which had been conducted under the auspices of Section 215 of the Patriot Act, but said telecommunications companies or an independent third party could continue to maintain that data, and did not rule out mandating that companies do so. The president also said the White House would not support the FISA Improvements Act, which would codify into law the NSA’s authority to conduct many of its existing surveillance programs, as well as endorsing creating a role for independent advocates at the FISA court and conducting an annual review of the court’s declassification decisions. 
He also appointed John Podesta to lead a review of privacy issues that affect non-suspects, called for a higher standard for surveillance of foreign leaders and proposed ending per- manent gag orders for National Security Letters However, he did not call for an end to international surveil- lance of Internet communications under Section 702 of the FISA Amendments Act, nor did he rescind Executive Order 12333, which permits surveillance of overseas communica- tions. He also did not take up the review panel’s recommen- dation that National Security Letters only be issued after judicial review, nor their recommendation against sabotag- ing private encryption technology. While it remains to be seen what legal and legislative remedies will be applied in 2014, there is already concern that the NSA programs will do significant economic damage to the U.S. technology sector. 4. Charlie Savage, “Federal Judge Rules Against NSA Program,” The New York Times, Dec. 16, 2013, 5. Adam Liptak and Michael S. Schmidt, “Judge Upholds N.S.A.’s Bulk Collection of Data on Calls,” The New York Times, Dec. 27, 2013. 3. Joseph Menn, “Exclusive: Secret Contract Tied NSA and Security Industry Pioneer,” Reuters, Dec. 20, 2013, available at http://www.reuters.com/article/2013/12/20/us- usa-security-rsa-idUSBRE9BJ1C220131220. R STREET POLICY STUDY: 2014 HAS THE NSA POISONED THE CLOUD? 2
  • 3. The Information Technology and Innovation Foundation (ITIF), a research institute that aims to promote public pol- icies that advance technological innovation and productiv- ity, estimates international concern and mistrust of U.S. tech companies could cost the industry between $21.5 billion and $35 billion through 2016. This is based on the assumption that the industry loses 20 percent of its current foreign mar- ket share, while retaining its projected domestic share.6 ITIF’spredictionsalreadymaybecomingtrue.CitingDefense News, the Christian Science Monitor reported that the United Arab Emirates may cancel a $926 million purchase of two spy satellites from France unless two U.S.-made components are removed from the product. Those components allegedly contain digital “backdoors” that could allow unauthorized access to data sent to the U.A.E.’s ground station.7 Elsewhere, John Henry Clippinger, ID3 executive director at the Massachusetts Institute of Technology Media Lab, told an interviewer: “What people do not appreciate is the eco- nomic damage…that the NSA has done to the cloud comput- ing business for the U.S.” He noted a number of European banks no longer want to host data in the United States and that Salesforce.com, which provides highly sensitive cloud- based sales leads and customer information, has lost a major client.8 Salesforce.com’s CEO has felt the need to publicly state that it was not part of the PRISM program.9 It appears the NSA’s aggressive surveillance has created an overall fear among U.S. companies that there is “guilt by association” from which they need to proactively distance themselves. A more alarming figure comes from Forrester Research, which provides analysis for financial firms and investors. Forrester analyst James Staten cited the ITIF report, but suggested its estimates are too conservative. Staten set the potential global industry cost of PRISM at $180 billion worldwide by 2016—the same time period ITIF uses. 
Staten believes international buyers—particularly governments and large corporations that are already sensitive to surveillance— will be spooked enough by the NSA program that they will throttle back their development of cloud computing technol- ogy altogether.10 IMPLICATIONS FOR CLOUD COMPUTING Although the term is literally nebulous to the layman, the definition is quite simple. The “cloud” refers to the Internet at large. Cloud computing refers to information processing and storage done on the Internet, not on a home computer or cellphone, as was standard until a few years ago. Cloud computing makes it possible for users to, for example, access playlists and movies from multiple devices, because that con- tent is stored on servers in data centers that could be any- where in the world. That’s just one example. Services like Google’s Gmail and Yahoo’s calendar are cloud-based, too. Social networks like Facebook, LinkedIn, Instagram and Twitter use cloud com- puting to deliver information across their billions of users. Cloud computing has enable many users to now carry light- weight tablets instead of bulky PCs. Cloud computing is also the root of development for the emerging generation of Web-based applications—home security, outpatient care, mobile payment, distance learning, efficient energy use and driverless cars. And it is a research area where the United States is an undisputed leader. Yet despite the excitement and innovation surrounding it, cloud computing was raising privacy and security concerns long before the revelations about the NSA program. The very fact that personal information is stored and processed on servers and computers belonging to third-parties, by defi- nition, means some loss of user control. As companies like Google and Facebook have grown, with revenue streams derived partly from monetizing the information supplied by users, debate in policy circles has intensified about privacy protection. 
Companies themselves have had to walk a fine line. While the popularity of cloud-based services argues that consum- ers are comfortable with trading a certain amount of per- sonal information for the value of free access to many use- ful applications, there have been instances when users have pushed back. For example, Google blurred identifiable faces and blacked out windows of homes that were photographed for its Street View application, but not before international complaints.11 Facebook has repeatedly modified and clarified its privacy policies in response to user concerns. 10. James Staten, “The Cost of PRISM Will Be Higher Than ITIF Projects,” Forrester Blogs, Forrester Research, Aug. 14, 2013, available at http://blogs.forrester.com/ james_staten/13-08-14-the_cost_of_prism_will_be_larger_than_itif_projects. 6. Daniel Castro, “How Much Will PRISM Cost the U.S. Cloud Computing Industry,” ITIF, August 2013, p. 3. 7. Mark Clayton, “Five overlooked costs of the NSA surveillance flap,” Christian Sci- ence Monitor, Jan. 12, 2014, available at http://www.csmonitor.com/layout/set/print/ World/Security-Watch/2014/0112/Five-overlooked-costs-of-the-NSA-surveillance- flap. 8. VentureBeat (e-publication) video, “DataBeat 2013-John Henry Clippinger, Execu- tive Director, ID3, MIT Media Labs, available at http://vimeo.com/81855881. Clippinger makes his remarks starting at approximately 10:10. 9. Taylor Armerding, “NSA spying could mean US tech companies lose international business,” Computerworld, June 19, 2013, available at http://www.computerworld. co.nz/article/487899/nsa_spying_could_mean_us_tech_companies_lose_interna- tional_business/ R STREET POLICY STUDY: 2014 HAS THE NSA POISONED THE CLOUD? 3
  • 4. These and other cases where Internet companies may have overreached, but then apologized and adjusted, reflect an understanding that their continued success depends heav- ily on consumer trust. Consumers hold them to their word that personal information will be protected, and are poised to punish those who break that trust. Alas, this underlying trust could be a casualty of the NSA spying program. While it has supplied late-night TV hosts with plenty of fodder for jokes (“I finally got through to the Obamacare helpline because, after two hours, the NSA got tired of listening to that music they play while on hold”), their humor derives from the uneasiness people now have about how much the government is snooping on private phone calls and emails. As a recent headline to another NSA critique dourly put it, 2013 was “the year trust died.”12 This is why the degree of “brand damage” PRISM, MUSCU- LAR and other NSA initiatives have inflicted on the U.S. tech- nology industry may take longer to determine. People may be less inclined to use social networks, or could opt for search engines that are less thorough, but more private. For many sites, this will mean a decline in visitors, which will have an impact on revenues, profits and re-investment. This is not to let some major players off the hook, how- ever. PRISM did come under the jurisdiction of the FISA Court, and third-party companies were obligated to com- ply. However, there were instances where, in retrospect, telephone companies could have used their legal resourc- es to push back more aggressively. Verizon, after all, once stood up to the Recording Industry Association of America when it demanded the phone company provide the identi- ties of account-holders the record companies believed were involved in music piracy. Although the RIAA insisted it had a right to the data, Verizon’s lawyers instructed the organi- zation to seek court approval—a route which, in the end, the RIAA did not choose. 
In more recent years, the NSA demanded a huge amount of data, not simply on suspected terrorists, but on millions of customers who, perhaps for innocuous reasons, had talked to persons who talked to persons who talked to a suspect. For perspective, if Boston Marathon bombers Dzhokhar and Tamerlan Tsarnaev bought coffee from a barista at Starbucks the morning of their attack, it would be as if the government then placed surveillance on every person who ever bought coffee from that barista, as well as their friends and friends’ friends.Thephonecompanies’unprotestedcompliancewith NSA directives puts some responsibility for the backlash at their doorsteps. That RSA, a respected U.S. company in the security space, so willingly agreed to compromise its own customers for a government contract, is also disappointing. Nonetheless, the public and the media do not seem to be in a discerning mood, and the entire U.S. technology industry has been tarred by what is being called “the Snowden effect.” Dis- trust, suspicion and customer ill-will plague companies that were unknowingly hacked by the NSA, as well as companies like Saleforce.com and Amazon, who were never involved. INDUSTRY BACKLASH Much of the NSA’s surveillance was done without the knowl- edge of tech companies it affected. Several programs, like MUSCULAR and the Tailored Access Operation were undis- guised attempts to undermine privacy and security protec- tions these companies had put in place for consumers. President Obama avoided discussion of these more inva- sive NSA initiatives during his Jan. 17 address to the nation, which focused largely on the PRISM program. PRISM was much more sweeping than any of its predecessors, but at least there is precedent for court-ordered wiretapping and data collection. What makes many of the other NSA proj- ects even more egregious is that they set out deliberately to undermine security and privacy mechanisms that companies put in place for their users. 
This is the high-tech equivalent of breaking into someone’s home and prying open a locked filing cabinet with a crowbar. While there are laws that protect private citizens from such burglary, there are none that offer explicit protection in the cloud. The Electronic Communications Privacy Act (ECPA), enacted in 1986, still reflects the technology of that era, and mainly protects Americans against illegal wiretapping and seizure of stored phone records. Because cloud computing and storage did not exist in 1986, the act says nothing about the protection of private information in the cloud.Many judges have therefore interpreted seizure of any data stored by third parties as not requiring consent or a search warrant. The NSA has leveraged both jurisprudence and the lack of specific law to push the limits as of its search and seizure powers. President Obama, in his address, conceded there was a “bias” within government to expand information-gath- ering. The NSA’s activities provide clear examples. Concern in U.S. technology circles is high enough that rivals are unifying in demand for due process, transparency and accountability for NSA surveillance. Bipartisan efforts to strengthen ECPA are gaining momentum. Another effort, “Reform Government Surveillance,” is an initiative of eight technology companies who believe their brands were dam- 11. “Google Blurs Faces in Street View Map Pictures,” The Economic Times, May 15, 2008, available at http://articles.economictimes.indiatimes.com/2008-05-15/ news/27714235_1_street-view-google-blog-post-google-spokeswoman. 12. David Gewirtz, 2013: The Year Trust Died, ZDNet, Dec. 9, 2013, available at http:// www.zdnet.com/2013-the-year-trust-died-7000024067/. R STREET POLICY STUDY: 2014 HAS THE NSA POISONED THE CLOUD? 4
  • 5. aged by the PRISM revelations: AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo. “People won’t use technology they don’t trust,” Brad Smith, gener- al counsel and executive vice president of legal at Micro- soft, stated in a letter to President Obama and Congress. “Governments have put this trust at risk, and governments need to help restore it.”13 Separately, Google and Yahoo have petitioned the government for the right to inform custom- ers when intelligence and law enforcement agencies have requested data and the type of data that was sought. Ironically, the NSA turned the competitive edge U.S. com- panies have in cloud computing into a liability, especially in Europe. Commercially, it will give European competitors an opportunity to promote their own systems as more secure and as safe from U.S. law enforcement. Second, on the regu- latory front, it provides impetus for the privacy measures the European Union wants on certain cloud-based services. These measures could undercut the U.S. firms’ competi- tiveness. For example, such rules would limit the ability of content providers, search and social networking services to access and process personal data of users for purposes of targeted advertising or location-based services. While these measures have a degree of popular support from regula- tors who fear that consumers are being unduly “tracked,” research shows that regulation that limits the use of targeted advertising and other personalized cloud services inhibits growth, innovation and overall use.14 Similarly, Internet companies face “Do Not Track” regula- tion in a number of states, including California, which would put severe limits on their ability to provide free services in exchange for user data. Data has shown that American users historically have been comfortable with current Internet business models. 
In a 2013 Zogby poll, 70 percent of respondents said they’d like at least some ads tailored directly to their interests, while 40 percent said they wanted all their ads targeted.15 Nonetheless, in the wake of the NSA revelations, activist legislators may take advantage of a wave of popular unease to enact regulations that, in the long term, prove harmful to Internet service and innovation.

POTENTIAL SOLUTIONS

The NSA’s surveillance activities represent a massive overreach on the part of the U.S. government into the private communications and information transactions of its citizens—communications and transactions for which there is a reasonable expectation of privacy. Therefore, the government needs to be restrained through clear laws and policies that govern the collection of private and proprietary data.

President Obama’s response falls short. Although he said the government will stop storing phone records, he nonetheless implied that phone companies would continue to do so on the government’s behalf. The appointment of John Podesta to review privacy concerns appears cosmetic. For one, what metrics will determine Mr. Podesta’s effectiveness? The fact that Obama did not call for judicial review of National Security Letters, nor a halt to NSA efforts to break encryption, remains troubling.

PRISM, MUSCULAR, Quantum and all of the other NSA surveillance programs that have come to light should not just be tweaked, reformed or repaired. They are all unconstitutional programs that need to be scrapped.

1. Dismantle PRISM and rebuild a surveillance program in accordance with specific defense and homeland security goals.

Surveillance is a useful tool for law enforcement, but it yields the best results when employed against suspected wrongdoers and where there is concrete evidence of a crime or conspiracy. Long before PRISM, law enforcement agencies required judicial sign-off on wiretaps and searches.
There is no reason these protections cannot be extended to anti-terrorism efforts.

PRISM and the other programs have grown so large that it should not be surprising they have not found any actionable intelligence. After news of PRISM broke last June, Gen. Keith Alexander, the NSA director, told Congress that NSA surveillance programs stopped at least 50 terrorist attacks. Since then, that figure has been called into question. In a review of cases brought against 225 individuals associated with al-Qaeda or inspired by its ideology who were charged in the United States with an act of terrorism since 9/11, the New America Foundation found the NSA’s bulk surveillance programs played an identifiable role in, at most, 1.8 percent of these cases. Instead, the report found, traditional law enforcement investigative methods (the use of informants, tips from local communities, and targeted intelligence operations) provided the initial impetus for nearly all of these investigations.16

As Judge Leon noted in his decision finding PRISM unconstitutional, there is no evidence that PRISM prevented anything. His observation serves as both a legal and practical indictment of the program.

13. Microsoft Corp. News Release, “Tech Company Coalition Supports Global Surveillance Principles, Calls on US to Lead Reform Efforts,” Microsoft Corp., Dec. 8, 2013, available at http://www.microsoft.com/en-us/news/press/2013/dec13/12-08companycoalitionpr.aspx.
14. cf. Avi Goldfarb and Catherine E. Tucker, “Privacy Regulation and Online Advertising,” University of Toronto, August 5, 2010, available at http://ssrn.com/abstract=1600259.
15. Katy Bachman, “Poll: Targeted Advertising Is Not the Bogeyman [Updated],” Adweek, April 18, 2013, available at http://www.adweek.com/news/technology/poll-targeted-advertising-not-bogeyman-updated-148649.
16. Peter Bergen, David Sterman, Emily Schneider and Bailey Cahall, “Do NSA’s Bulk Surveillance Programs Stop Terrorists?” New America Foundation, January 13, 2014, pp. 1-2, available at http://www.newamerica.net/publications/policy/do_nsas_bulk_surveillance_programs_stop_terrorists.
2. Enact legislation that recognizes that expectation of privacy extends to personal data stored in the cloud.

The Fourth Amendment to the Constitution secures citizens’ “papers and effects” against unreasonable searches and seizures. In the 21st century, arguing that the Bill of Rights does not apply because papers and effects are stored in electronic form on the Internet, not in a roll-top desk at home, is legal sophistry.

For several years, there have been bipartisan efforts to extend Fourth Amendment protection to cloud-based data, either through new bills, or a rewrite of the 28-year-old Electronic Communications Privacy Act. Little by little, courts have been chipping away at law enforcement’s blatant use of surveillance in the cloud, but legislation would do the most toward curbing this abuse. Congress should be encouraged to move forward. This would go a long way toward reining in collection of Internet data through clandestine use of wiretapping, back doors or decryption codes.

3. Allow for greater transparency and accountability

Had there been appropriate judicial and legislative oversight, it is hard to imagine that these surveillance programs would have grown as large and intrusive as they did. Any future surveillance programs require the checks and balances of oversight from lawmakers who represent the people and from an independent judiciary. Laws that authorize such programs must incorporate mechanisms for transparency and accountability, especially when the government demands information owned by third-party companies.
Among these, companies should have the right:

• To be notified when their infrastructure is being used for surveillance;
• To disclose instances when they have been asked to assist with surveillance and turn over information;
• To demand that due process be followed;
• To oversight of domestic civilian surveillance by conventional courts, not FISA or secret military courts;
• To requests for data that are held to the same standard as other search warrants, wherein the requester must identify the suspect, the probable cause, the data to be searched and what specific information is being sought.

As House Judiciary Committee Chairman Bob Goodlatte, R-Va., put it: “We must ensure our nation’s intelligence collection programs include real protections for Americans’ civil liberties, robust oversight, and additional transparency.”17

In a free society, individuals are not automatically assumed to be suspects that need to be vetted and surveyed. Citizens have the right to go about their business without the need to answer to the state for every thought, act, purchase or Facebook comment. The argument that widespread surveillance is required to secure the common defense is specious, and its dark consequences were articulated by George Orwell almost 70 years ago in the novel 1984:

You had to live—did live, from habit that became instinct—in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinized.18

While not every aspect of Orwell’s grim vision of a totalitarian regime has come to pass, one unsettling aspect of 1984 has: the surveillance state he envisioned is a practical reality. The government, indeed, has shown it can use technology to keep tabs on much of what its citizens are doing. Fortunately, we still hold to the idea that the government itself is subject to its own laws. It will be critical to remember this as we seek to reclaim our fundamental right to privacy and to be left alone.
ABOUT THE AUTHOR

Steven Titch is an associate fellow at the R Street Institute, focused on telecommunications, Internet and information technology. He also serves as a policy advisor to the Heartland Institute and is a former policy analyst at the Reason Foundation. His columns have appeared in Investor’s Business Daily, the Washington Examiner and the Houston Chronicle. Titch also was co-founder and executive producer of Security Squared, a business-to-business Web publication covering IT convergence in physical security and surveillance. Previously, Titch was editor of Network-Centric Security and director of editorial projects for Data Communications magazine. He also has held the positions of editorial director of Telephony, editor of Global Telephony magazine, Midwest bureau chief of Communications Week and associate editor-communications at Electronic News.

17. House Judiciary Committee, “Goodlatte Statement on PCLOB’s Report on Intelligence-Gathering Programs,” Jan. 23, 2014. http://judiciary.house.gov/index.cfm/press-releases?ID=E9B835FE-AA07-4A06-9DCB-91494B463BF1
18. George Orwell, 1984, Harcourt Brace Jovanovich, New York, 1949 (64th Signet Edition), pp. 6-7.