How the NSA Sends Your Private Data Overseas
CREDIT: National Security Agency/Adam Hart-Davis
When defense contractor Edward Snowden leaked secret National Security Agency documents to the media on June 6, the initial public outcry focused on how America's communications intelligence service had kept track of the telephone, and possibly the online, activities of its own citizens.
Government officials quickly made clear that the online-activity-monitoring program revealed by Snowden, called PRISM, targeted only foreign nationals.
United States "persons" — citizens and residents protected by the Fourth Amendment — were said to not be part of its scope.
Yet PRISM data was shared with Britain's communications intelligence service, GCHQ, and possibly with a Dutch intelligence service. In fact, the United States and several other countries all regularly see each others' communications intelligence.
That raises a question: If the NSA can't directly spy on Americans, does it get around that rule by letting trusted, allied intelligence services do so? Does the NSA then get that data through an information-sharing agreement? And do allied countries rely on the NSA to spy on their own citizens?
"It is a natural conclusion that we are all being spied upon by all parties, then, isn't it?" said Chester Wisniewski, a senior security analyst with the British anti-virus firm Sophos based in Vancouver, British Columbia.
All in the family
The assumption that NSA intelligence stays within the United States has long been a fallacy, considering the existence of the UKUSA, or "Five Eyes," data-sharing agreement.
UKUSA dates back to the Anglo-American alliance during World War II and was expanded to its current format in the mid-1950s. It guarantees the smooth exchange of communications intelligence, or COMINT — emails, phone calls, video chats, etc. — among the signals-intelligence services of Great Britain, the United States, Canada, Australia and New Zealand.
The declassified 1955 version of the agreement explicitly defines Five Eyes as "(a) the rapid flow of COMINT material from points of interception to the Agencies; (b) the rapid exchange of all types of raw traffic, technical material, end-products, and related material between the Agencies; (c) the efficient control of COMINT collection and production."
On June 7, Britain's GCHQ admitted to having received PRISM-derived intelligence as early as June 2010. Public outrage then forced Foreign Secretary William Hague to deny that GCHQ had been accepting foreign surveillance of British citizens as a means to circumvent domestic eavesdropping restrictions.
On June 11, the Amsterdam newspaper De Telegraaf reported that the Dutch domestic intelligence service AIVD (not part of Five Eyes) not only received access to PRISM but also received detailed information that could be supplied within minutes.
Wisniewski summarized a Canadian Broadcasting Corporation radio program he'd recently heard: "Considering the USA insists it is not spying directly on U.S. citizens, only foreigners, Canada has also said the exact same thing. When asked if Canada was sharing information about foreigners with the USA, they said they were and the U.S. was sharing with them."
Watching the watchers
Does this all mean your online existence is in danger? Maybe not.
"The NSA does nothing without oversight," said Robert David Graham, founder and chief executive officer of Errata Security in Atlanta. "They aren't trying to subvert legal restrictions."
Graham, who has worked with the NSA, but never for it, said his experience indicates that even our closest allies "will learn little from the NSA about American citizens" because shared information will be "sanitized of private information."
Sean Sullivan, a security adviser with Helsinki-based anti-virus firm F-Secure, agreed.
"Using foreign relationships to spy on Americans doesn't provide a legal loophole of any kind," Sullivan said. "If you aren't authorized to collect data at home, you can't then use somebody else to do it."
Graham sees strength in the secret court created by the Foreign Intelligence Surveillance Act of 1978.
Any information on U.S. persons shared by a foreign intelligence service, Graham said in an email message to TechNewsDaily, will most likely "have to be OK'd by the system (often the FISA court) before it can be used."
Despite the very real chance that any number of government agencies, U.S. and otherwise, could have your personal information, Graham still thinks the NSA is attempting to protect Americans.
Blame the lawmakers
"The NSA is not your enemy," Graham said in a recent blog posting. "They carry out the mission that politicians give them, and do not cross the line, with an almost religious fervor. It's the politicians who have moved that line."
Sullivan pointed out that the government's ability to gather intelligence on U.S. residents is dwarfed by the amount of information private companies collect.
"Target and Walmart probably know more about me than the NSA," Sullivan said. PRISM has existed for only seven years, he added, yet "retailers can use credit-card numbers to track customers over years of history."
Whatever transgressions the NSA may have committed, said Graham, the agency can't be changed by focusing on its past actions.
Instead, Graham said, "It's every politician who voted to extend the Patriot Act and empower the FISA court that you have to fight."
To Wisniewski, public disclosure is the most important factor.
"There is nothing wrong with accepting this monitoring," he said, "but it is important to recognize that it is happening and [to] make a personal decision as to whether you think this is appropriate and makes you safer."
How to keep what you do secret
The real lesson from the disclosure of PRISM is that keeping an eye on your own online activities might now be more necessary than ever.
Those who value truly private communications have to protect their messages, Wisniewski said; people "must take personal responsibility and encrypt them, or expect that their governments may be reading them."
Self-preservation efforts such as encrypted email and voice calls, completely random passwords and browser security will quite simply have to increase at the same rate as spying methods.
"Encryption works," Snowden himself said in a question-and-answer session with Guardian readers yesterday (June 17). "Properly implemented strong crypto systems are one of the few things that you can rely on.
"Unfortunately," Snowden added, "endpoint security is so terrifically weak that NSA can frequently find ways around it."