NNSquad - Network Neutrality Squad

NNSquad Home Page

NNSquad Mailing List Information

 


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ NNSquad ] Google (and Lauren) Meet NSA




                     Google (and Lauren) Meet NSA

           http://lauren.vortex.com/archive/000678.html


Greetings.  I woke up this morning to find my inbox flooded with
concerned notes regarding a reported agreement being negotiated
between Google and NSA - the National Security Agency.
( http://bit.ly/cgsbR6 [ New York Times ] )
( http://bit.ly/9sIp0A [ Washington Post ] )

The general trend of the messages, mostly from the same people who
routinely treat me to rather paranoid anti-Google tirades, was largely
along the lines of, "Here's another reason not to trust big, bad
Google with our data."

I have no information beyond what has been published publicly
regarding either this reported agreement or the Chinese-based attacks
that are apparently the direct catalyst for the exploration of such an
arrangement.

But I can explain why I'm not particularly concerned about this
"partnership," so long as Google is being sufficiently careful and
compartmented -- which I strongly suspect they are.

Older generations of NSA operatives are no doubt somewhat bemused by
the openness with which the agency is discussed these days.  Years
ago, the official existence of "No Such Agency" was purposely kept so
publicly nebulous that conference attendees from the agency routinely
wore name tags only identifying their organization as "Department of
Defense."

My first direct contact with NSA occurred many moons ago.  I was
sitting at a rather rickety CRT display in the UCLA ARPANET computer
room, hacking at Unix OS code.  A coworker popped his head into the
noisy room, and announced that "two guys from NSA have shown up and
want to speak to you."

Hmm.  A quick mental review didn't reveal any recent felonies that
might be of particular interest to the pair, so I popped out into the
quiet of the "Boelter Hall" basement hall.

And sure enough, there awaited a couple of polite young men in dark
suits holding notepads.  Fascinating.

As it turned out, they had come to ask for software advice.  At that
point in time, before the widespread availability of terminal
independent programming libraries like "termcap" and "termlib," I was
something of the point man for ports of a particular Unix application
to different terminal environments.

The NSA team wanted to talk about that application and some of the
related porting issues -- and we had a nice chat.  I wondered at the
time why they hadn't just called or sent an e-mail -- I was
LAUREN@UCLA-SECURITY back then and easy enough to reach.  But maybe it
was like the "hovercraft" guy in the current Orbitz commercials, who
flies around hand-delivering refund checks because, what the hell, "We
have a hovercraft!"

Years later, I discovered that NSA had become interested in my
experiments with Unix-based newswire data collection and indexing, but
that's another story.

The above was a long way of saying that NSA is both a premiere R&D
institution and a signals intelligence (SIGINT) data collection and
analysis organization.

That various serious abuses both long past and quite recent (at least
the ones we know about that have come to public light) have occurred
in the latter aspect of NSA is well documented -- James Bamford is the
recommended starting point for interested readers new to the NSA
sagas.

Yet it's undeniable that NSA represents the nation's most concentrated
resource relating to cryptography and what now seems to be popularly
called anti-cyberterrorism.

Controversies associated with NSA's involvements even in these regards
have certainly been recurring facts of life -- NSA roles in the
development of cryptosystems such as DES and AES are well-known
examples.  Recent over-enthusiasm by some members of Congress for
proposals to establish direct NSA involvement in the day to day
aspects of Internet security have justifiably raised significant
privacy and other concerns.

But the fact still remains that the expertise represented by NSA in
the computer security field is unparalleled in key contexts, and it is
utterly reasonable that Google (and other technology firms) would
consider carefully structured associations with NSA in the existing
environment.

The devil is in the details, naturally.  But Google knows that the
continued patronage of their users is integrally associated with those
users feeling confident that their data is safe from abuse.

I cannot visualize a circumstance under which Google would voluntarily
agree to any partnership with NSA that could possibly marginalize or
jeopardize that confidence.  Of course -- and speaking only
theoretically -- if Google were forced by governments to involuntarily
cooperate with privacy-invasive schemes, we'd be faced with a whole
different class of serious problems way outside the scope of the
current discussion, and with far-reaching consequences for our
democracy.  But (based on all available evidence, one hopes) that's
not where we are today.

It would however be extremely useful for Google to make as much
information as possible publicly available regarding any association
with NSA.  At least the outlines of any data sharing arrangements
should be announceable without negatively impacting operational
effectiveness.  A sustained lack of information in this regard tends
to fuel the kinds of conspiracy-focused rumors that just love a
vacuum.

NSA is perhaps a quintessential example of a government agency that
exists as a double-edged sword.  Properly directly and harnessed, its
resources for our positive protection are vast.  But if "running
amok," NSA possesses at least equal potential for civil liberties
abuses on a massive scale.

It makes perfect sense for Google -- like various other firms -- to
work with NSA towards a better understanding and preventing of
cyberattacks, so long as sufficient NSA isolation from Google user
data is guaranteed.

But to use the vernacular, when dancing with Godzilla, it's always a
really good idea to plan out your steps very, very carefully in
advance -- for you never, ever want to find yourself underfoot!

--Lauren--
Lauren Weinstein
lauren@vortex.com
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
   - People For Internet Responsibility - http://www.pfir.org
Co-Founder, NNSquad
   - Network Neutrality Squad - http://www.nnsquad.org
Founder, GCTIP - Global Coalition 
   for Transparent Internet Performance - http://www.gctip.org
Founder, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Twitter: https://twitter.com/laurenweinstein