Submitted by Charlton Stanley (aka Otteray Scribe) Guest Blogger
First there was WikiLeaks, then there was Edward Snowden. The drip, drip, drip of information about secretive spy agencies continues. There have been bombshell revelations about the extent to which government agencies like the FBI, CIA, NSA and others are invading our most private communications. Of course, spies do what spies do, and that is to spy on whoever or whatever they can get away with. Few people understood the implications of PRISM when news of the program was leaked. Additionally, I suspect that despite revelations of its existence, the full extent of its capability and reach will never be known by the public.
The NSA reportedly paid tech companies millions of dollars to cover the cost of compliance with their “requests” for back-door access to the software package.
Another program to keep in mind is the FBI Stingray operation that sucks up wireless telephone communications. Last May, in the first litigation where the government admitted having Stingray, Arizona Federal District Judge David Campbell dismissed a motion to suppress. Judge Campbell is a George W. Bush appointee. PDF of his ruling is here. Last July, the ACLU filed a Freedom of Information Act lawsuit in the Northern District of California, in an effort to learn more about Stingray, and if it is scooping up domestic phone calls.
If you are a government employee, this is the time to cover your eyes. Washington Post writer Josh Hicks reports:
“The Department of Homeland Security has warned its employees that the government may penalize them for opening a Washington Post article containing a classified slide that shows how the National Security Agency eavesdrops on international communications.
An internal memo from DHS headquarters told workers on Friday that viewing the document from an “unclassified government workstation” could lead to administrative or legal action. “You may be violating your non-disclosure agreement in which you sign that you will protect classified national security information,” the communication said.”
Let’s see if I have this straight. The DHS, those wizards who are supposed to protect us from sneaky dangerous people, threatens their employees with possible criminal charges or other penalties for looking at pictures published in the newspaper or on a blog? Doesn’t everyone feel a lot safer now?
Some of the latest leaks center around a 41-slide PowerPoint presentation alleged to have come from the NSA. One slide in particular references FAA702. This refers to §702 of the FISA Amendments Act (50 USC § 1881a). I am not going to try to explain the slide here, but there are explanations at this link and this link. At any rate, here is the slide that was leaked.
Which brings us to a discussion of internet security and the security of all our internet activities, including personal, business and financial information. Some of us are required to use encryption as part of our day to day operations. For example, HIPAA requires all files containing patient data be encrypted with an encryption program that meets specific HIPAA guidelines. Non-compliance with HIPAA guidelines can have draconian consequences for any health care service caught in an audit, with both monetary and criminal penalties. Earlier this year, WellPoint was hit with a $1.3 million dollar fine. Cignet fared much worse with a $4.3 million fine. Most health care providers use proprietary software they purchase from vendors, which include some of the biggest names in software.
If there is a secret agreement between proprietary encryption software and the NSA, and a user is obligated to keep data secure, then the legal question becomes one of “knew or should have known.” If we now have reason to believe unknown people at various government agencies can rummage around our computers and digital devices at will, we have a problem. Let’s assume no one reading this is up to no good, but simply conducting day-to-day business as usual. However, file data are sensitive and if it gets into the wrong hands, there could be problems. Hypothetically, let’s say some government employee running a routine scan stumbles across a marriage counselor’s file and discovers his or her spouse is having a torrid affair…with the best friend, the mayor, the parish priest or even their own boss. Then goes home and confronts spouse. Spouse sues the counselor. What then?
We have all seen those ads on the big search engines. If you looked on eBay or Amazon for a widget yesterday, when you opened Google this morning, you see ads for widgets. The big search engines keep track of your browsing habits. That enables them to target you for ads. It also lets you know they are keeping records on you. Those records are subject to both subpoena and data mining by spy software such as PRISM. This has been a boon to the smaller but smarter search engine DuckDuckGo. They do not keep records, and as soon as you close the browser, the search is gone. If subpoenaed, DuckDuckGo has nothing to cough up.
If one suspects proprietary closed-source encryption software is compromised, what to do? There are several solutions. First of all, look at open-source freeware. There are several good freeware encryption programs. Lifehacker has a review of the five top open-source programs. The top-rated one is TrueCrypt. Edward Snowden is said to have used TrueCrypt on the files he took with him. The advantage of open-source is that it is open source. That means it is unlikely to have secret files in it because they would be soon discovered. Open source software is in a constant state of development by experts all over the world. Do spy agencies try to insert malware into it? It is safe to assume they probably try. However, there are many eyes watching, and if something suddenly appeared in the source code that is not supposed to be there, it would be discovered quickly. Security expert and software engineer Bruce Schneier, writing in The Guardian, has a list of five basic things one can do to keep files safe. Here are two of the five suggestions:
3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn’t. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it’s pretty good.
4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It’s prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.
Last Tuesday, the ACLU filed a lawsuit in the US District Court in New York, alleging the National Security Agency’s (NSA) surveillance of vast numbers of Verizon customers is unconstitutional. PDF of the filing is at this link.
Lest they forget, here is a reminder:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.