Gary McGraw: NSA data collection programs demand discussion, scrutiny

Opinion: Gary McGraw details the various and sundry NSA data collection programs and explains why all its efforts demand new discussion and scrutiny.

Recent revelations first published in The Guardian that (surprise, surprise) the National Security Agency is collecting telephone call metadata from domestic U.S. telephone carriers with sweeping surveillance dragnets may have sparked a firestorm, but Edward Snowden's incredibly brave and simultaneously naïve revelations about Prism have added the real accelerant to the fire.

So what's going on here? What's the effect on the Internet services you and your organization use every day? And what can you -- a presumably innocent citizen -- do to protect your communications?

On tapping phones, or rather, on not tapping phones

Equivocations recently doled out by NSA leadership and various members of Congress aim to assure the American public that the content of their phone calls is not being collected or listened to. That makes it pretty clear to me that the NSA is collecting all the data it can about who calls whom, when, and for how long. This data is known as "pen-register" data and "trap-and-trace" data (or pen/trap data).

The NSA may not have a dossier for every U.S. citizen, but it probably has a dossier on each telephone number and IP address it collects. Is a telephone number enough data to identify an individual? For most of us, the answer is, "yes, obviously."

The NSA's goal with this data collection effort is more about tracking networks of individuals and devices than about particular individuals themselves. Whom do you associate with? The NSA wants to know. (So much for free association, huh?) As long as everyone you ever call, text or email is one of the "good guys," you'll be OK. Just don't dial the wrong number. And if your public actions could lead to future blackmail, consider yourself already compromised by the spooks.

There is a long law enforcement history behind the collection of the who calls whom pen/trap data, beginning way back in 1979. It started with a spectacularly bad Supreme Court decision that year, Smith v. Maryland, that defined pen/trap data as the equivalent to public records (after all, the phone company keeps track of all that information for billing). Fortunately, Congress subsequently enacted some limitations on pen/trap-collection power, requiring law enforcement to get a court order for a 60-day collection. It is not clear how such restrictions apply to the NSA.

Remember, this is about who calls whom, not what they say (though text messages are a special case). The content of your or your organization's telephone conversations is still protected by the Fourth Amendment; the dialing information is not. (If you are a U.S. citizen, that is. Are you a foreigner? Then you're toast.)

When the police want to collect pen/trap data, they have to get a court order. But the bar is pretty low, and the courts grant the right to collect this data all the time. For what it's worth, it is much harder for the police to get wiretap permission and access the content of your calls. But that happens too.

On to the really bad news. The USA PATRIOT Act, signed into law following the events of September 11, 2001, extends the notion of pen/trap data to the Internet. Under the PATRIOT Act, the headers of your email, your IP number and your machine's use of various communications ports and protocols all count as pen/trap data. After all, your ISP needs to know that stuff to route your traffic. Also consider that your mobile phone blabs exactly where it is using a pen/trap flavor of data as well. That is, it has to ping cell towers and check in with your provider's network so that your calls and other IP traffic can be routed properly.

It's sadly safe to assume that the NSA data collection effort is vacuuming up all of the pen/trap data it can and storing it for possible later use. It is possible that this data is not supposed to be widely available to analysts without a court order (when it comes to American citizens, that is), but it is all piled up and indexed and waiting for queries should you or anyone you ever called, texted or emailed come under suspicion. There is more than likely an API to the NoSQL engine exposed to analysts who can invoke a search with the click of a mouse. We may never know what powers have been granted since the Foreign Intelligence Surveillance Court proceeds in secret.

In the future if you fall under government suspicion, your pen/trap data will be pulled and various forms of traffic analysis will occur. The NSA may not care where you are right now, but if they start caring in the future where you were yesterday, they will likely be able to determine your whereabouts for any time, dating back many years.

This can be a good thing. How do you think the Boston Marathon bombers were caught so quickly after they pulled off their despicable, cowardly act? But for all the good these tracking capabilities provide, we are creating a turnkey system for instant oppression that calls out clearly for public discussion and scrutiny. We need to weigh the pros and cons of these capabilities as a society and not have them weighed out for us by Big Brother.

Prism: 'All your clicks belong to us'

On Sunday, June 9, Edward Snowden revealed himself to the media as the NSA whistleblower who provided the information for both the pen/trap story and the Prism story. Regardless of whether you believe Snowden is a traitor or a hero, Snowden's video is worth watching. We've already covered what the Verizon pen/trap talk is all about, but what is Prism?

You can think of Prism as extending eavesdropping capabilities to the Internet, well beyond what we've discussed so far. Let's take a look at a few popular services; in particular, those companies named in one of the leaked slides.

Google knows a bunch about you. It uses what it knows to target ads in your direction. Every day, millions of us use that really cool "free" Web search engine Google provides or its really cool Android operating system on your phone/tablet in exchange for letting Google keep track of what you're looking for, where you are when you're looking for it and what you click on.

Facebook knows even more about you. You tell Mark Zuckerberg & Co. who all of your friends are and what you were doing all weekend -- on purpose. That's how it all works. It automatically tags and indexes your photos too. And then it profits off of all that data in about as many ways as you can count.

Other companies, including Microsoft, Yahoo, PalTalk, YouTube, Skype, AOL and Apple also participate in Prism (some since 2007). It looks like Twitter is among those companies not playing the NSA data collection game (just yet). Thanks, Twitter. I, for one, really appreciate that.

Anyway, you'll notice that the most successful Internet and technology companies collect and profit from your personal data, so it's hardly a surprise that government intelligence agencies (ours and those of other nations) want it too. Imagine how useful it is to keep track of the Facebook accounts of Chinese cyberwarriors (yes, they apparently have them and sometimes slip up with an identity connection that outs them). Al-Qaeda terrorists have been known to use plenty of technology too.

The question is whether Prism data is being piled up about American citizens just like the pen/trap data. I hope not!

Why Facebook may carry more blame for privacy intrusion than the NSA

Here's the thing. Facebook has built dossiers for its users that rival and surpass the wildest dreams of the East German Stasi. The Stasi used its notorious files to oppress East German citizens, mostly through intimidation and implication. That is, it used the supposedly private information in its files to leverage and blackmail East German citizens into silence about the regime and the Communist Party. Did the Stasi care who talked to whom and who met with whom when? Yes.

Let's be clear: Facebook does not want to create a tyrannical oppressive regime. It just wants to sell ads. But it has unintentionally created an incredibly powerful tool for oppression. I think of it as "turnkey tyranny."

I do not for a minute believe that our democratic government in the United States wants to oppress us. But I do believe that it is high time to have some real and serious discussions about privacy in this country. Sure, total information awareness might stop all terrorism, but I am not interested in living in a gilded cage or a "happy bappy" police state.

What you should do about all this

Check out what the EFF has to say about protecting your information from eavesdropping on its website. Here are options that I employ myself and encourage others to adopt:

  1. Don't use Facebook or LinkedIn, ever. This is not practical for many individuals and organizations, but realize that what you post, when you post it, where you post it from, and whom you're posting it for may all end up in the NSA's digital dragnet.
  2. 'Crypt up email you want to keep private with S/MIME. For enterprises, this should be trivial. That said, if you haven't revisited your email encryption strategy in a few years, consider this your invitation to do so.
  3. If you have a real secret, don't write it down or, better yet, don't tell it to anybody. In a business context, that means carefully restricting access to sensitive information -- everything from access restrictions on sensitive intellectual property (IP), to the principle of least privilege (especially for admins), to where and when executives use their cell phones.
  4. Things that may be worth considering in the future include using Tor to anonymize traffic, encrypting text messages, and occasionally taking the battery out of your cell phone when you don't want your whereabouts at any given moment to appear in someone's database down the road.

Finally, remember that you live in a democracy. Participate in it. Tell your representatives what you expect from them.

About the author:
Gary McGraw, Ph.D., is CTO of software security consulting firm Cigital Inc. He is a globally recognized authority on software security and the author of eight best-selling books on this topic. Send comments on his column to feedback@infosecuritymag.com.

This was first published in June 2013