Our friends at the NSA

Lecture for LIS 644 "Digital Trends, Tools, and Debates." Composed in October 2013; likely to become outdated quickly!

  1. Our friends at the NSA (LIS 644)
  2. Why am I talking about this?
     • Great real-world example bringing together a lot of what we’ve already learned.
     • Law and ethics as well as tech!
     • Because it’s our patrons and potential patrons being spied on.
     • That puts it squarely in the category of “our problem.”
     • The library world needs a strategy on this kind of thing and doesn’t have one.
     • That means you’re not exempt from worrying about it. Libraries tend to look to newer practitioners to react to stuff like this.
  3. How do we know what we know about this?
     • Massive classified-document leak from contractor Edward Snowden.
     • Pretty classic example of security failing from within! Records managers, this is common and you need to be concerned about it!
     • Why did he do it? Because he considered the NSA’s actions an unethical invasion of privacy, and thought the rest of us needed to know.
     • Agree or not, it’s a very librarianly motivation.
     • You need to ask yourself whether you’re that brave. It matters.
  4. So what is the NSA collecting?
     • Domestic phone call records, landline and cellular.
       • This is the oft-mentioned “metadata.” Actual content of calls is not (as far as we know!) collected.
     • As much Internet traffic as they can get their hands on.
       • Including supposedly-private encrypted traffic.
       • Not just “metadata” (that would be logs, I suppose), but the actual content transferred/stored. Email, social media, video, uploaded files, databases, name it.
  5. How did they get it, without anybody realizing?
     • (via Ars Technica, http://arstechnica.com/tech-policy/2013/09/let-us-count-the-wayshow-the-feds-legally-technically-get-our-data/ Categories mine.)
     • Social engineering
       • A company volunteers to help (and gets paid for it)
       • A company complies under legal duress
       • Spies infiltrate a company
       • Spies coerce upstream companies to weaken crypto in their products/install backdoors
     • Actual technology breakage
       • Spies copy the traffic directly off the fiber (sometimes without the owner’s knowledge)
       • Spies brute-force the crypto
       • Spies compromise a digital certificate
       • Spies hack a target computer directly, stealing keys and/or data, sabotage.
  6. Notes on the social engineering factor
     • The Patriot Act and its NSLs and gag orders made a huge difference here.
       • So librarians who protested the Patriot Act weren’t “hysterical!” I like to think of us as early-warning signals...
     • Not just companies compromising crypto
       • Standards bodies, too. The NSA has representatives on crypto-related standards bodies, e.g. at NIST. This is worrisome!
  7. On “metadata”
     • You are your patterns of communication!
       • Who you talk to, when, how often
       • From where (your phone’s location is part of cellular metadata)
     • The NSA’s database ties this directly to you.
       • Even if it didn’t, you might well be identifiable!
       • This is called “reidentification” and we will discuss it in more detail next week.
     • Not just the NSA, not just cell phones!
       • Check out license-plate databases sometime. Am I ever glad I don’t own a car.
     • So if anybody says “it’s just metadata,” don’t buy it. Metadata is a big deal.
  8. Other things we know
     • Judicial oversight of the NSA is... um. Not rigorous, shall we say.
     • The data have been abused by NSA employees. In creepy and gross ways.
     • The NSA has repeatedly lied, including to Congress, about:
       • what data it has collected
       • who has access to the data it has collected
       • what is being done with those data
     • There’s probably lots more we don’t know!
  9. Some principles of security we can derive from this
     • Retained data is vulnerable data.
       • Can’t misuse data you ain’t got!
     • The easiest (sometimes only) way to break a security system is to break the people who implement it.
     • Security is a function of law and norms, not just code.
     • As usual, vulnerable populations get hurt the most.
  10. Meager signs of hope?
     • Dark Email Alliance
       • replacing the totally-insecure SMTP email-sending protocol with something better
       • headed by someone who shut down his secure-communications company rather than let the government have his clients’ encrypted data. Downright librarianly, that man.
     • Very, very angry US allies
       • Go Dilma Rousseff!
     • IETF working on securing Internet infrastructure standards
     • Legislation (currently the “USA Freedom Act”)
  11. What can we do?
     • Don’t miss the elephant for the circus.
       • Lots of faff in the media about Snowden. It doesn’t matter what we think of Snowden! What matters is the NSA!
     • The usual citizen things: stay informed, contact your legislators, vote.
     • Educate. Discuss. Provide a venue for education and discussion.
     • Libraries: protect your employees! Protect your computers and networks! (as best you can)
     • Library organizations: amicus briefs
       • The ACLU has already sued.
  12. Something to think about
     • The Internet was designed and built by engineers, physicists, military people.
     • It therefore exhibits many of their values: e.g. technical elegance.
     • What if librarians and archivists had built it? How would it be different? Would it be better?
     • Can we build that Internet NOW?
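Slide 7 says you are your patterns of communication, and slide 9 says you can’t misuse data you ain’t got. The following is an added worked example, not part of the lecture: a handful of constructed call records for one unnamed subscriber (the peer and tower names are made up) are enough to recover a social graph and a likely home and workplace, and a minimised retention schema removes exactly the fields those inferences need.

```python
from collections import Counter
from datetime import datetime

# Constructed call-detail records for one subscriber: (timestamp, peer, cell tower).
# No name or phone number for the subscriber appears anywhere; only patterns do.
RECORDS = [
    ("2013-10-01 08:05", "peer-A", "tower-downtown"),
    ("2013-10-01 12:30", "peer-B", "tower-downtown"),
    ("2013-10-01 23:10", "peer-A", "tower-westside"),
    ("2013-10-02 07:50", "peer-A", "tower-downtown"),
    ("2013-10-02 19:15", "peer-C", "tower-downtown"),
    ("2013-10-02 23:40", "peer-A", "tower-westside"),
    ("2013-10-03 02:05", "peer-D", "tower-westside"),
    ("2013-10-03 09:00", "peer-B", "tower-downtown"),
    ("2013-10-03 22:30", "peer-A", "tower-westside"),
]


def parse(records):
    """Turn the textual timestamps into datetimes so hours and weekdays can be read."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), peer, tower)
            for ts, peer, tower in records]


def top_contacts(records, n=2):
    """Who the subscriber talks to most: the social graph, no call content needed."""
    return Counter(peer for _, peer, _ in parse(records)).most_common(n)


def likely_home(records):
    """Tower seen most often at night (22:00-06:00): a plausible home location."""
    night = Counter(tower for ts, _, tower in parse(records)
                    if ts.hour >= 22 or ts.hour < 6)
    return night.most_common(1)[0][0] if night else None


def likely_workplace(records):
    """Tower seen most often on weekdays between 08:00 and 18:00: a plausible workplace."""
    day = Counter(tower for ts, _, tower in parse(records)
                  if ts.weekday() < 5 and 8 <= ts.hour < 18)
    return day.most_common(1)[0][0] if day else None


def minimise(records):
    """Retention that keeps only what billing needs: call counts per peer, no time, no place.
    With only this retained, the home and workplace inferences above become impossible."""
    return dict(Counter(peer for _, peer, _ in records))
```

Three days of records suffice here; a real retained dataset covers months, so the inferences only get sharper with time.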