Don’t Listen to Google and Facebook: The Public-Private Surveillance Partnership Is Still Going Strong


Bruce Schneier

And real corporate security is still impossible.

If you’ve been reading the news recently, you might think that corporate America is doing its best to thwart NSA surveillance.

Google just announced that it is encrypting Gmail when you access it from your computer or phone, and between data centers. Last week, Mark Zuckerberg personally called President Obama to complain about the NSA using Facebook as a means to hack computers, and Facebook’s Chief Security Officer explained to reporters that the attack technique has not worked since last summer. Yahoo, Google, Microsoft, and others are now regularly publishing “transparency reports,” listing approximately how many government data requests the companies have received and complied with.

On the government side, last week the NSA’s General Counsel Rajesh De seemed to have thrown those companies under a bus by stating that—despite their denials—they knew all about the NSA’s collection of data under both the PRISM program and some unnamed “upstream” collections on the communications links.

Yes, it may seem like the public/private surveillance partnership has frayed—but, unfortunately, it is alive and well. The main focus of massive Internet companies and government agencies both still largely align: to keep us all under constant surveillance. When they bicker, it’s mostly role-playing designed to keep us blasé about what’s really going on.

Two Surveillance Regimes, Still in Force

The U.S. intelligence community is still playing word games with us. The NSA collects our data based on four different legal authorities: the Foreign Intelligence Surveillance Act (FISA) of 1978, Executive Order 12333 of 1981, modified in 2004 and 2008, Section 215 of the Patriot Act of 2001, and Section 702 of the FISA Amendments Act (FAA) of 2008. Be careful when someone from the intelligence community uses the caveat “not under this program,” or “not under this authority”; almost certainly it means that whatever it is they’re denying is done under some other program or authority. So when De said that companies knew about NSA collection under Section 702, it doesn’t mean they knew about the other collection programs.

The big Internet companies know of PRISM—although not under that code name—because that’s how the program works; the NSA serves them with FISA orders. Those same companies did not know about any of the other surveillance against their users conducted under the far more permissive EO 12333. Google and Yahoo did not know about MUSCULAR, the NSA’s secret program to eavesdrop on their trunk connections between data centers. Facebook did not know about QUANTUMHAND, the NSA’s secret program to attack Facebook users. And none of the target companies knew that the NSA was harvesting their users’ address books and buddy lists.

These companies are certainly pissed that the publicity surrounding the NSA’s actions is undermining their users’ trust in their services, and they’re losing money because of it. Cisco, IBM, cloud service providers, and others have announced that they’re losing billions, mostly in foreign sales.

These companies are doing their best to convince users that their data is secure. But they’re relying on their users not understanding what real security looks like. IBM’s letter to its clients last week (March 2014) is an excellent example. The letter lists five “simple facts” that it hopes will mollify its customers, but the items are so qualified with caveats that they do the exact opposite to anyone who understands the full extent of NSA surveillance. And IBM’s spending $1.2B on data centers outside the U.S. will only reassure customers who don’t realize that National Security Letters require a company to turn over data, regardless of where in the world it is stored.

Why Real Security Is Impossible

Google’s recent actions, and similar actions of many Internet companies, will definitely improve its users’ security against surreptitious government collection programs—both the NSA’s and other governments’—but their assurances deliberately ignore the massive security vulnerability built into its services by design. Google, and by extension, the U.S. government, still has access to your communications on Google’s servers.

Google could change that. It could encrypt your e-mail so only you could decrypt and read it. It could provide for secure voice and video so no one outside the conversations could eavesdrop.

It doesn’t. And neither does Microsoft, Facebook, Yahoo, Apple, or any of the others.

Why not? They don’t partly because they want to keep the ability to eavesdrop on your conversations. Surveillance is still the business model of the Internet, and every one of those companies wants access to your communications and your metadata. Your private thoughts and conversations are the product they sell to their customers. We also have learned that they read your e-mail for their own internal investigations.

But even if this were not true, even if—for example—Google were willing to forgo data mining your e-mail and video conversations in exchange for the marketing advantage it would give it over Microsoft, it still won’t offer you real security. It can’t.

The biggest Internet companies don’t offer real security because the U.S. government won’t permit it.

This isn’t paranoia. We know that the U.S. government ordered the secure e-mail provider Lavabit to turn over its master keys and compromise every one of its users. We know that the U.S. government convinced Microsoft—either through bribery, coercion, threat, or legal compulsion—to make changes in how Skype operates, to make eavesdropping easier.

We don’t know what sort of pressure the U.S. government has put on Google and the others. We don’t know what secret agreements those companies have reached with the NSA. We do know the NSA’s BULLRUN program to subvert Internet cryptography was successful against many common protocols. Did the NSA demand Google’s keys, as it did with Lavabit? Did its Tailored Access Operations group break into Google’s servers and steal the keys?

We just don’t know.

The best we have are caveat-laden pseudo-assurances. At SXSW earlier this month, CEO Eric Schmidt tried to reassure the audience by saying that he was “pretty sure that information within Google is now safe from any government’s prying eyes.” A more accurate statement might be, “Your data is safe from governments, except for the ways we don’t know about and the ways we cannot tell you about. And, of course, we still have complete access to it all, and can sell it at will to whomever we want.” That’s a lousy marketing pitch, but as long as the NSA is allowed to operate using secret court orders based on secret interpretations of secret law, it’ll never be any different.

Google, Facebook, Microsoft, and the others are already on the record as supporting these legislative changes. It would be better if they openly acknowledged their users’ insecurity and increased their pressure on the government to change, rather than trying to fool their users and customers.