How to decipher NSA data mining: Examine capabilities and intentions

The news media this week was full of articles describing the U.S. government's role in gathering, mining and analyzing big data from nine leading U.S. Internet companies in order to stop terrorism. Where is this capability going?

by Dan Lohrmann / June 9, 2013

The news media this week was full of articles describing the U.S. Government’s role in gathering, mining and analyzing big data from nine leading U.S. Internet companies in order to stop terrorism.

The reaction from most of my friends and family has been one of shock, confusion and almost disbelief. One colleague commented, “The whole story seems almost Orwellian.” Several relatives contacted me to get my viewpoint, since I am a former NSA employee. 

Many of them are angry. Their questions are all over the map, such as:

- Can the feds really see all that Internet data? Is it even technically possible? (My answer: Yes.)

- Is the government listening to my phone calls? (My answer: No, but they have the capability.)

- Do I believe President Obama’s explanation? (Yes, but more questions must be asked.)

- Is this massive data mining really needed to stop terrorism? (My answer: Probably.)

- Some believe claims that the government wants to destroy privacy worldwide. (I disagree.)

- Am I worried? Couldn’t this power be misused? (My answer: A bit. We need future controls.)

- How can we decipher all of this monitoring? Where is the balance between security and personal privacy? What should we be watching out for? (My answer: Read on.)

Quick News Recap

The Guardian (U.K.) broke the story and The Washington Post quickly followed with this piece. Here’s an excerpt:

“The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, emails, documents, and connection logs that enable analysts to track foreign targets, according to a top-secret document obtained by The Washington Post.”

The article goes on to describe the companies involved, the history of the program (reportedly called PRISM), which goes back to President Bush in 2007, the involvement of the British government, the approval from all branches of government, and more.

The Internet companies named quickly denied many of the claims and urged more government transparency regarding national security programs, with responses like this from Facebook’s founder Mark Zuckerberg:

“Facebook is not and has never been part of any program to give the US or any other government direct access to our servers. ...”

I found these responses from technology companies regarding a lack of involvement to be totally unconvincing. While I believe what they said is likely to be “technically accurate,” I think their responses were very carefully worded. Notice words like “direct access” and “legal.”

OK, was there indirect access? Yes, you may need a court order, but do you provide the data or not? [Saturday update – suspicions confirmed - most companies have now acknowledged participation in the program.]

Expert Perspectives

So how do I view the new revelations? As I look back at the week, I really like the balanced view that New York Times columnist David Brooks provided on PBS on Friday.


Since I don’t have access to specific details of what privacy protections are in place now, I can’t be sure if our civil liberties are being protected under PRISM. Nevertheless, my overall view of the current program is that the data is likely needed for national security reasons and that appropriate privacy controls covering content are (likely) in place, since this is the bipartisan view inside the D.C. Beltway right now.

Perhaps just as important to me as the government’s Internet search for terrorists are the articles describing the breadth and depth of monitoring that is already occurring online by many companies we trust every day.

For example, there were related stories this week that were mostly lost in all of the government monitoring headlines. Bloomberg reported that carriers sell users’ tracking data in a $5.5 billion market. Here’s an excerpt:

“Phone companies already collect data on user location, as well as Web surfing and application use, to adjust their networks to handle traffic better. Two carriers, Verizon Wireless and Sprint Nextel Corp. (S), are just starting to make the data available to third-party companies in hopes of booking millions in sales. Worldwide, revenue from selling mobile-user behavior data may reach $9.6 billion in 2016, up from $5.5 billion last year, Walldorf, Germany-based SAP (SAP) estimated….

  … Privacy advocates say data protections don’t go far enough. ...”

And this tracking data can get very personal and is often shared with business partners. There was even this article describing upcoming versions of the Xbox, which will be watching (via a camera) and reporting on the actions of game console users.

Where is This Story Heading Next?

But I want to close this blog by zooming in on one point that was made by David Brooks. We know that mistakes are made with our data. Inadvertent disclosures that are corrected are inevitable, but they don’t bother me much. However, the potential for deliberate future targeting of innocent Americans with this big data concerns me.

For example, we currently have many unanswered questions in the ongoing IRS scandal. There are also questions regarding the use of reporter phone calls and FBI tracking of the media. All of this comes at the same time as The Guardian story breaks, leading to serious public fear regarding how this data could be used.

We can learn from history. During the military debates of the past, Americans were taught the importance of nuclear deterrence. Here is a relevant quote from the Orlando Sentinel in 1996:

“The late Gen. Lewis Walt, a great Marine, was fond of saying that what counts is capability, not intentions. Intentions can change overnight; capability cannot. The truth of that is evident.”

So what matters most in our new “mining big data” technology is not only current capabilities, policies and intentions. Along with David Brooks, I worry about how this big data will be used in the future as the technical capabilities are enhanced further and intentions may change.

Furthermore, I am equally concerned about private companies collecting and using our data in new ways. It seems that as the pendulum swings more and more toward mining big data 24/7 with new technology, both the public and private sectors want to take advantage of our online surfing habits in more ways than yesterday. Will today’s privacy policy be replaced with a simple letter or perhaps even an email tomorrow?

Important questions on transparency include: What is the current monitoring policy? How will we be told if/when the policy changes? Just as with nuclear weapons, who controls the keys (decision-making)?

Bottom line: Mining big data works, both to stop acts of terrorism and to sell products. Nevertheless, we need an open societal discussion on effective, ongoing controls. This is important to more than just a few groups who champion personal privacy. At stake are American freedoms, our liberty and our way of life.

Dan Lohrmann, Chief Security Officer & Chief Strategist at Security Mentor Inc.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.

Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.

He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.

He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.

Follow Lohrmann on Twitter at: @govcso