By now, everyone has heard of Edward Snowden, the NSA (the National Security Agency), and the many (classified) documents that Snowden leaked to the American public about some of the NSA’s secret surveillance programs. Yet another recent article by The Washington Post (“NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say“) portrays how complicated the NSA’s programs actually, and how much data they are indiscriminately monitoring from around the world.
Last October, I had a friend make the following comment: I understand how it’s a clear violation of the 4th, but I’m fuzzy on what exactly they’re doing and how.
In this blog post, I will attempt to address this confusion, explain why this is (legally) possible, but also explain why the facts in this particular Washington Post article are so disturbing.
The NSA has built relationships with governments and organizations worldwide that allow them to place internet monitoring equipment worldwide, outside of US territory.
So how does this allow the NSA to monitor emails and other internet data coming from the States? As explained in the Washington Post article, giant tech companies like Google and Facebook process massive amounts of data throughout their numerous data centers. They routinely backup this data to other data centers, sometimes to ones that are located outside of the US.
Even companies the size of Google and Facebook don’t maintain 100% of their own network connections – the physical cables connecting their data centers on different continents – and so they rely on the huge telecommunication and ISP companies that provide those services.
If the NSA is able to control (or at least monitor) the internet hardware operated by these ISPs that provide the corporations’ ability to exchange data between their data centers, then this constitutes as a classic attempt at a “man-in-the-middle” attack. The only problem left to solve for the NSA, then, would be to break the encryption (something that is often times more easily done than you would think).
The vision of the NSA is “Global Cryptologic Dominance through Responsive Presence and Network Advantage” (C/F http://www.nsa.gov/about/values/index.shtml). The NSA argues that monitoring internet traffic is necessary because it allows them to search for keywords and keep tabs on known terrorists.
On the other hand, millions of Americans’ data is intercepted and automatically processed through filters – without a search warrant, which many argue is a clear violation of the 4th Amendment (search and seizure only with probable cause and with a search warrant).
By monitoring hardware outside of US jurisdiction, the NSA argues, it is legal for them to monitor all of the internet traffic that flows through those devices – regardless of where that data is coming from. The argument is that there is reasonable doubt the data they are monitoring is tied to an American, because it isn’t on American soil.
Another way the NSA is able to monitor Americans’ internet and phone communications is that often times, technically, they don’t. Instead, they ask their counterparts in different countries (such as the Government Communications Headquarters – GCHQ – in Britain) to do the dirty work. That way, the NSA can argue that they aren’t actually the ones doing the monitoring.
In essence, the NSA has built a massive world-wide surveillance system and maintains close ties with similar organizations from other countries to exchange information and broaden their ability to monitor traffic.
Why is this worrisome? After all, the majority of Americans simply don’t care – or do they?
Very rarely will an American have something to hide, and be negatively affected by the NSA’s monitoring program. However, as an IT professional and security guy, I argue this is worrisome because of two main reasons:
- If the data exists, it is vulnerable.
- If the potential for abuse is present, there is always potential for abuse!
First, if the data exists, it is vulnerable.
The very fact that the NSA is storing huge amounts of data (often times personal data on individuals) raises a security and privacy concern. Perhaps the NSA has the best of intentions, and will always work to keep that data safe. But as I’ve written several times on the Develop CENTS blog, data that is stored on any computer system is never 100% safe. There’s an old saying among IT professionals: A truly secure computer is turned off, unplugged, encased in concrete, buried 5 feet deep, and guarded 24/7. The point? Hackers know this truth, and, now that they know where so much data is stored, they just have to figure out a way to get to the data.
No system is completely secure, and that goes for the NSA’s computer system and network.
Secondly, if the potential for abuse is present, there is the potential for abuse!
No individual, system of government, or entity is infallible, and this is true for achieving one’s own ambitions. The very fact that the NSA stores (and monitors) so much data about American citizens is worrisome, because that data could be used for nefarious ends.
Take the example of Edward Snowden. Here was a dude working for the NSA that obviously had access to a lot of classified information. If he had wanted to, he could have kept quiet and sold the data on the black market or to other countries. He didn’t. Instead, many argue that he has provided a very big, very good, public act of service.
But the question remains: What if he HAD used this data (or other data that hasn’t been released on individuals) for nefarious purposes? The security situation in the United States could have been a lot worse than it is.
Another potential for abuse comes from the U.S. government itself. What if a department, branch of government, the White House administration, or even an individual in the higher ranks of government wanted certain information on an individual – or a group of people? The reasoning could be anything, such as learning business trade secrets or getting ahead in a political campaign.
Remember, if the data exists, it is vulnerable. Someone has access to that data, or could illegally gain access to that data. There is, and always will be, the potential for abuse.
What are your questions? Do you have any comments? Leave them below, or contact me!