Thursday, October 31, 2013

The NSA is hacking into Google and Yahoo?! If true, this must stop!

The Washington Post reported yesterday that the NSA is hacking into Yahoo and Google's private communications links between data centers. If these revelations are true, then it is time for immediate action from the Legislative and Executive branches of the United States government.




In fact, I call on Dianne Feinstein, our California Senator, to call for an immediate hearing on whether this is in fact true. I am hearing denials from the head of the NSA, but it's hard to "take their word for it". Perhaps the Senate Intelligence Committees are aware of this program, but if our politicians are aware of these programs, then we have a bigger problem.

I spent 8 years of my life at Google and have spent a big portion of the last decade evangelizing the benefits and the security of the cloud - for personal and business use. I continue to believe that cloud-based services from big companies like Google, Yahoo, Amazon, Apple, Microsoft and others are more secure than private data centers and traditional computing. I believe this because these large internet companies have the resources, skill sets and motivation to hire the best security professionals in the world and devote serious capital to building world-class security. But state-sponsored hacking is every bit the equal of these great companies and poses formidable risks.

Today's allegations in the Washington Post are by far the most serious alleged in this year-long saga that started with the revelations from Edward Snowden. Let's review what we know about the US government's continued pursuit of data from major internet providers.

1. Government can make requests of internet service providers for data under the usual subpoena process. If the government suspects someone of committing murder, they can go to a judge and get a subpoena for data. The government serves a subpoena to the internet service provider. The internet service provider reviews whether the subpoena complies with the law, determines if it is overly broad, then decides to comply or negotiates the amount of data it will hand over. The internet service provider will then notify the end user that there has been a request for data. This is perfectly fine, has plenty of judicial oversight and is generally part of the workings of a very strong democracy.

2. There are a series of US laws (and similar laws in other countries) that allow the government to request data under secret subpoenas. These are subpoenas that are served and compel the data holder to hand over data, but require the data holder to NOT notify the end user that there has been a request and investigation. The Patriot Act and RICO laws (for investigating organized crime) are the most notable laws that allow secret subpoenas in the United States. These requests in my mind are more troubling, but until recently they were used less frequently and we had been assured that there was vigilant judicial oversight.

3. In May of this year, it became known that the NSA had developed a powerful system called PRISM. The PRISM program collects stored Internet communications based on demands made to Internet companies under Section 702 of the FISA Amendments Act of 2008. The NSA can use these PRISM requests to target communications that were encrypted when they traveled across the Internet backbone, to focus on stored data that telecommunication filtering systems discarded earlier, and to get data that is easier to handle, among other things. This was even more troubling. While on the surface this program may have been a simple extension of what we thought was happening under the Patriot Act, it has become apparent that this program is larger and more systematic, and there appears to be some fast-track judicial review that lacks the rigor that we felt was in place under RICO or the Patriot Act. The Snowden allegations caused a great deal of controversy, but the government defended the program as targeted and effective. They argued that it was stopping terrorism and that they should be trusted with this program and the systematic data request system. There has been little meaningful debate about whether this program should be allowed to stand as is. I am not willing to say that this program should not stand, but I believe more transparency is needed here.

4. Yesterday's allegations go much further. The NSA is apparently just hacking into systems, looking at unencrypted data streams and doing whatever they want with the data. There is no request to internet service providers, no judicial oversight and certainly no notification to end users. IF TRUE, THIS IS OUTRAGEOUS. THIS IS NOT AN EXTENSION OF EXISTING LAWS. IT IS BROAD-BASED SPYING ON EVERY INDIVIDUAL USING INTERNET SERVICES.

We cannot stand by and allow this to happen. We cannot debate the privacy versus security balance. This is WAY OVER the line. 

It's time for some answers. If this is true, it is time for some serious policy change.