Monday, 09 November 2015 16:05

NSA mass data collection to stop in 20 days, but just on paper.

Written by

Reading time is around minutes.

In the post-Snowden era the idea that government agencies are spying on us is no longer the real of Movies/TV or conspiracy theorists. It is fairly well documented that this is happening every day. The question has moved from what if this happens, to what we are going to do to change it. Well one of the biggest hurdles has been trying to find people in power that even want this to change. When you consider the fact that the people with the power to stop the mass spying are likely to be the ones that voted to put it in place. This has meant that the average person must try to prove their case in the courts.

Fortunately there has been some rather solid movement on this over the past year or so. To start with, National Security Letters have been ruled unconstitutional in their current form. This means that sending someone a national security letter to collect mass data without any legal recourse on the part of the subject or the company violates certain provisions in the US Constitution. That does not mean that a reformatting of the existing law or letter would not continue to allow them. Also while this was ruled at the Federal District Court, the US Supreme Court has not made a final ruling on this.

Secondly the bulk metadata and records collection being performed by the NSA will stop in a couple of weeks thanks to the USA FREEDOM Act. This act was written to stop the bulk collection without a proper warrant or tasking. Yes, the NSA will still be able to monitor you and your web browsing habits if there is an active investigation on you and they are officially tasked to do so. There is even a judge that is telling the NSA to stop collecting data on one guy and ruling that the NSA must block any data already collected from being queried. It seems that all is well right? Well not so fast.

As we have previously written the new CISA (Cybersecurity Information Sharing Act) allows this information to be passed along voluntarily with little to no recourse be the average citizen. All the NSA or other government agency has to do is quietly ask a company can hand the data over all in the name of National Security on the “Cyber” front (ASL?). This is not the first time that the US Government has tried to pass a bill like this one, but they finally managed to get one through. The claim is that this will help companies share threat information with each other, but the reality is that the law goes much deeper than that and is not really needed. Companies are already sharing threat data and indications of compromise without any fear of consumer backlash, so this bill really only serves the purpose to protect other data sharing. Russ Spitler, Vice President of Product Strategy at Alien Vault had this to say about CISA.

“The CISA bill really centers around two area: providing technical requirements for the DHS on how to set up a “real-time” cyber indicator sharing network and providing liability protection for organizations when sharing data.  The real questions are, are either of these provisions necessary?  And do we need to tie them together?  

The first area is, frankly, the easiest to dismiss.  Congress has a very poor history of providing technical requirements to other parts of government.  The DNI, DHS, DOD, and DOJ has some very capable technical resources between them and a large number of people who can whip together a process and program for sharing cyber indicators.  Why does congress feel the need to provide explicit direction for these programs?  Is there some insight that congress has learned that they feel these agencies does not understand?  It feels disingenuous to prescribe to a technical organization how to run a technical program of this nature.  If you are to trust it stewardship with these organizations, why not also trust its inception?  For the most part all of the requirements set forth throughout the bill would be ones that would naturally arise while trying to follow existing laws or provide a compelling technical solution.  It simply would not be effective if this information is not disseminated in a timely manner nor would any governmental organization take on the risk of sharing personal information of an innocent bystander without layers of fail-safe precautions.  

The second area - related to the liability protection - is a little more interesting.  Here, the unwritten assumption is that organizations do not share information due to a concern that they will be held liable for some legal violation.  However, that assumption falls flat on two fronts.  First, the same organizations that would benefit from this ‘protection’ are lobbying against this act.  They do not see these protections as a benefit to their organization (and these are companies who take security as a core part of their business).  But the more important issue at hand is that these organizations are already, effectively, sharing cyber indicators.  They share them with each other, and they share (and receive) them with the federal government.  There are long standing organizations such as FS-ISAC (and the 19 other flavors of ‘ISAC’) established explicitly for this purpose.  These organizations have been extraordinarily successful and there has been a recent boom of private companies and open exchanges that has only added to the availability of this data.  Organizations are already sharing cyber indicators without concern of liability and they are doing so effectively.”

To add to the mix the FCC has just blatantly stated that they will not stop companies like Google, Microsoft, YouTube, Netflix and others from tracking you on the internet. Even if you have the Do Not Track option enabled. They are giving the big guys a pass. Despite reclassifying broadband as a utility they are not imposing any of the utility rules: “Recognizing that the existing rules were written for voice services, the Commission held it was 'not persuaded that the Commission's current rules ... necessarily would be well suited to broadband Internet access service” This is odd because the voice communications rules should fit perfectly into this when it comes to private communication like email, chat etc. To try and claim they do not is skating around the issue. It makes the reclassification seem like a sham.

The practical upshot of all of this is that while we are seeing movement on one front, the opposition already has a backup plan in full swing. The big data collection will continue and the US Government will have all the same access they had before, but now they have laws to protect the companies that share this… Just like AT&T and Verizon received after they were caught in the 70s-80s… The more things change…

Read 3568 times Last modified on Monday, 09 November 2015 16:05

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.