Businesses have the ability to push back on law enforcement's secret demands for large swaths of user data, or they risk opening costly weaknesses that could give terrorists and other criminals a way to cause serious damage, according to a group of expert panelists studying the issue of privacy and civil liberties.
The secret demands are in the form of National Security Letters, which can require businesses to provide access to large amounts of data pertaining to an investigation. The letters come with a gag order, limiting the ability of businesses to seek help and fight back, said Brewster Kahle, founder and digital librarian of the Internet Archive, an organization that successfully pushed back against an FBI National Security Letter in 2007 requesting personal information on a user. The lawsuit was settled and the FBI withdrew its request, Kahle said.
"By keeping things secret, the government is causing a level of distrust," Kahle said. "They are not trusting us, and being less trustworthy has created a dangerous period in our history and a need for us to do something about it."
The NSLs are believed to have been used hundreds of thousands of times. They are only one tool the government is using as part of its data collection efforts. The National Security Agency, which has come under fire due to leaked documents provided to the media by NSA whistleblower Edward Snowden, is believed to be collecting massive amounts of data on U.S. citizens, including phone records, credit card data and internet browsing habits.
At the Black Hat security conference, owned and operated by CRN's parent company UBM, a panel of privacy and policy experts urged information security professionals to get engaged with public officials to inform them about the risks created by broad requests made by federal officials for large swaths of data from providers. Businesses are required to respond to the demands relatively quickly, and little is known about secret surveillance infrastructure or technical interfaces used to collect the information requested, said Matt Blaze, a privacy and surveillance expert and professor at the University of Pennsylvania where he directs the Distributed Systems Lab. For example, Microsoft reportedly worked closely with law enforcement to provide a workaround to view information before it was encrypted by the company's services. Software used to cull data and hardware connections to various systems are rarely tested thoroughly for weaknesses, and the complexity they introduce could result in dangerous consequences, Blaze said.
"The only real weapon we have is engagement," he said. "No one is asking whether the implementation of this crime solving technology creates the opportunity for new crime that wasn't there by weakening our infrastructure."
Both Google and Microsoft have challenged government surveillance gag orders, and the secret court, which was created to oversee NSL requests, conducts its rulings cloaked in a veil of secrecy, said Alan Davidson, a visiting scholar at MIT’s Sloan School of Management and a research affiliate at the MIT Computer Science and Artificial Intelligence Laboratory (CSAIL). Both technology firms have also recently released reports outlining National Security Letter demands. Davidson, who was formerly the director of public policy for Google in the Americas, said the search engine giant successfully pushed back on a request for data that would have resulted in Google having to assemble billions of records. A judge found in favor of the company, ordering it to provide the government with 5,000 random search queries to comply with its demand, Davidson said.
"The data shows that people do care a bit about their privacy, and in the context of the discussion we are having now, there could be a real impact on businesses," Davidson said.
Davidson said there is a legislative movement in Washington, D.C., for more transparency and a discussion on how surveillance activities are treading on civil liberties. He urged security professionals to get involved with the Digital Due Process Coalition, which is helping modernize surveillance laws.
PUBLISHED August 1, 2013