The revelations late last year on the extent to which the National Security Agency (NSA) has encroached upon both corporate and citizens’ information have rapidly had an impact on everything from lost (and massive) technology deals with foreign customers to common information security (InfoSec) practices in the enterprise. This morning, President Obama addressed the media and the nation in a speech about the NSA program that gathers the private phone records of billions of Americans. Saying that he had not seen any indication of abuses of the program, he admitted that he recognized the potential for abuse and is requesting reforms to address these concerns.
The president announced the call for a “new approach” to phone-records collection, saying also that he is “ordering a transition that will end the…bulk metadata program as it currently exists” and establish a new mechanism that equips the NSA with the intelligence capabilities they need without the requirement to store what might be called “big metadata.” “This will not be simple,” President Obama noted, and said that a decision will need to be made on which entity will store the data and under which conditions the database can be queried. These are meaningful promises about important first steps that should be taken.
The Intelligence Agency and the Private-Sector Giants
The NSA has been far from alone in their secret infiltration, of course. Intelligence agencies in other countries and giant corporations such as Google and Facebook have been collecting the same—and increasingly more—types of data from the public for years with only minimal attempts at notification and consent. Today, based on the metadata collected to date, the NSA, Google, and Facebook can all determine with whom you associate and who your friends are. Based on the recent acquisition by Google of home thermostat maker Nest Labs, it may soon be able to determine which room of my home I’m currently occupying and whether I’m home or not.
As a society, we’re uncomfortable with these other large organizations having access to this information, and there seems no reason to be more comfortable with the NSA having access to it. Large corporations, after all, are accountable to stockholders and are subject to lawsuits, while the NSA is mostly invisible and has little public accountability.
The president promised some new controls on NSA collection practices today. However, when the specter of terrorism can rightly be invoked to justify much of what is done within intelligence agencies, we must ask, how likely is it that the NSA will dramatically improve the way it collects and handles data?
Truth be told, if more of the public were aware that any other government collected this type of data on American citizens, it would be considered the biggest data breach in history. From a security and privacy perspective, that's exactly what these NSA programs are—breaches. They circumvent the security systems designed to keep the data private and exfiltrate the data from its original location to an NSA-controlled site.
The Questions I'd Still Like to See Answered
I’m looking for three things in particular from the president following this address—orders or policies that could go a long way toward alleviating these concerns.
No. 1 - Who will have access to the data? It's very difficult to limit access to big data. Anyone asking a valid question of the data needs access to all the data, and that means that the NSA’s data scientists need to be highly vetted and monitored carefully to make sure they don’t abuse their position of privilege. In an ideal world, the president would solve all the issues around access by denying any access to the data without a warrant specifying exactly what the user is allowed to look for, and how they will use the data.
Failing that, I’d hope for more rigorous access controls in which only a few selected individuals have the ability to work with the data, and only under the appropriate oversight. We’ve already seen problems with Google, where employees of that company abused their access to the company’s data stores for personal purposes; we need to avoid that with this data.
No. 2 - How is the data secured? Big data is notoriously difficult to protect—it takes a lot of computing infrastructure to store and work with, and that means a bigger network perimeter to protect. And let’s not forget that simply by storing all this data in one location the NSA has just opened a hugely valuable new target for true black-hat attackers. Imagine what would happen if a team of thieves knew who your friends were and how often you spoke. You could become the target of some incredibly sophisticated phishing attacks. An executive order to take the data offline, so that it could only be accessed in person, or to anonymize it, so that anyone breaching the NSA’s security would only get limited information, would provide a very welcome level of protection.
No. 3 - How long can the NSA retain the data? Can they keep it 30 days? Six months? Indefinitely? The idea that our actions persist for years and years, perhaps decades, in electronic format is a frightening one. Shouldn’t there be a “statute of limitations” on your phone calls and email communications? We’d like to see orders limiting the lifespan of the data retention to a relatively short period.
As citizens, we need the protection from terrorism that intelligence agencies can give us. But we also need to ensure that our rights are being protected just as stringently. We must balance the good that examining this data can do against the dangers that access to it presents (outside attack or opportunities for abuse). In the IT industry, the concepts outlined above are well understood and accepted. All security professionals, for instance, understand that they need to secure access to their data, protect it against intrusion, and limit its lifespan in order to reduce the risk of abuse or outside attack. The current administration and Congress should take this opportunity to make a significant difference in how we as a society view these programs and the data they collect.
Have questions of your own? Opinions? I welcome discussion in the Comments section below.