The word “MUSCULAR” took on new meaning this week. It now also refers to an NSA project in which data was being intercepted in transmission. We outline five initial takeaways based on this new development.
The day before yesterday, 30 October, the Washington Post in the United States published an article alleging that the US’ National Security Agency (NSA) had been infiltrating links to Yahoo and Google data centers worldwide. According to the publication, the details were revealed by former NSA contractor, Edward Snowden, and “interviews with knowledgeable officials”. In summary, although the NSA can (and is authorised to) compel online service providers (such as Google and Yahoo) to furnish data via its programme known as PRISM, it is alleged that through a project called MUSCULAR, the organisation has also been harvesting large volumes of data during transmission without permission. The image below is reportedly from an NSA presentation and highlights the vulnerability that the NSA allegedly has been exploiting.
As at the time of publication of this post, the NSA has refuted the claims that have been made. However, the affected service providers are reportedly furious about the revelations, stating emphatically that they were unaware of this matter and are demanding answers from the US government. In light of the hot water the US is currently in for spying on its allies, this new allegation may remain unaddressed into the immediate future. However, outlined below are five initial takeaways that might be worth considering.
1. US spying may still be deeper and more pervasive than we think
The earlier revelations, about the NSA collecting metadata from telephone calls in the US and collecting large volumes of information from online service providers via PRISM, pale in comparison to some of the most recent news about the NSA tapping the phones of senior government officials in foreign countries, and now the interception/infiltration allegations. However, we are still learning about the extent of the US’ spying capabilities and actions, and at this time we ought not to be surprised if additional scandals come to light.
2. Private leased lines might not be as safe as we believe
Based on news reports, although the affected online companies had leased dedicated capacity on fibre optic cable networks to carry their data, the NSA was “copying entire data flows across fiber-optic cables that carry information among the data centers of the Silicon Valley giants” (Source: Washington Post). The slide above from an NSA presentation suggests where in the routing the infiltration might have occurred. However, the key takeaway is that any sort of protection or safeguards that private leased lines inherently offer might not be enough to thwart the sophisticated interception/spying technology available to government intelligence agencies.
3. Our fear of having our privacy breached by our service provider might be what we should be worrying about
Over the last few years, and especially among large online properties such as Google and Yahoo that offer free services to the public, there has been a trend away from sharing user information with third-party companies. Generally, those properties use the information internally to further their own business efforts, or for advertising and promotional purposes. However, the details of what purposes user information might be subject to are usually set out in the websites’ Terms of Use and Privacy Policies.
The result of this position by websites is that many users – individuals and organisations alike – are wary about using certain online properties. However, this recent allegation indicates that the interception might have been done unbeknownst to the affected online firms, and as a result we, as users, have no idea how our data is being used; who might be liable; and what recourse we might have.
4. Organisations might become more wary of cloud services and remote storage than they already are
Cloud technology and cloud services have been huge buzzwords in recent years, and in the last two years, they have been gaining traction as cost-effective means of accessing data and a broad range of services over the internet. More importantly, global analyst firms, such as Gartner, have projected that data centres, and cloud technology and services will become increasingly integral to businesses into the future. However, these new allegations might be a setback in the shift to greater take-up of cloud and remote storage services, but may also have the positive effect of prompting persons to ask more questions of their current and prospective service providers.
5. Organisations and countries could benefit from re-examining their data protection policies and tools
Finally, when the above are considered, especially the latitude the US might have (or is prepared to take) regarding electronic data in their jurisdiction, it might be prudent for countries, and even organisations, to re-examine their data protection policies and exactly how they are being implemented and followed. For example, data protection laws in many countries worldwide require that personal data should only be transferred to countries that offer similar or better data protection as the home country.
In light of the US’ aggressive posture on intelligence and spying, which is supported in law, such as via the Patriot Act 2001, companies may need to seriously consider whether or not, or the extent to which, they are okay with having their data accessed or intercepted by the US government, and the alternatives they could consider.
Salvatore Vuono / FreeDigitalPhotos.net
______________
All good points to make, Michelle. It’s not comforting at all, but I say these for context and defy successful contradiction:
1. The argument is about CAPABILITY vs CAPACITY
2. The NSA – and fellow travelers – ALWAYS had the Capability to access ALL traffic and not since this year. In fact this has been the case in your lifetime 🙂
3. Digital storage advances and software defined networks and the very nature of message addressing and routing have granted the NSA – and fellow travelers – increases to both CAPACITY & CAPABILITY. Technology advances will ALWAYS be in their favour.
4. Data protection, encryption all of these initiatives should be viewed as bumps in the road; they simply slow down the action
5. The law and regulatory frameworks actually allow more access than we believe. And in the US instance, the secret FISA Court grants it.
Here’s the closeout. I will quote Diffie – the guy who developed the Diffie-Hellman algorithm on which the public key (security) infrastructure is based. “When you have a secret, you have a vulnerability”.
Period. Just a matter of determining the risk.
-Carlton
Excellent, Carlton. Thanks for this. I really cannot refute any of the points you made :-).
The Diffie quote really struck a chord, and imo, can be broadened from a “secret” per se, to anything we might wish to keep private.
Good points and comments. When the news broke out, I eagerly looked forward to both of these (the points and the comments).
In addition, listening to the NSA Director’s submission to Congress, one is left with no doubt that the US admin see these as necessary to their national security. They will therefore continue, covertly, in one form or the other, regardless of what steps are taken to strengthen privacy protection.
So true, Michael, but I think there is a sense that the NSA has gone too far…
Sadly, taking into account what Carlton has said, I think the NSA will get slapped on the wrist, but the ultimate result is that they will burrow down deep (waaay under the radar) and continue what they have been doing.
Imo, very little is likely to change…