Google, CloudFlare Supporting FISA Change Prohibiting NSA Back Doors


Google and CloudFlare are among a variety of groups supporting a widely expected amendment to the Defense Appropriations bill aimed at ending a back-door search loophole that gives the NSA and other intelligence agencies the ability to conduct warrantless surveillance on U.S. citizens.

The amendment, expected from Thomas Massie (R-KY) and Zoe Lofgren (D-CA), would alter the defense spending bill to prohibit funding that enables government agencies to collect and search the communications of U.S. citizens without a warrant, and prevent the nation's intelligence agencies from using funding to coax technology providers to build hidden back doors into products or services for government surveillance.

A letter supporting the measure was signed by the technology firms as well as a variety of organizations representing privacy advocates and technology firms, including the Computer & Communications Industry Association, the Internet Infrastructure Coalition, the Electronic Frontier Foundation and the Center for Democracy & Technology.

"This is a sensible limitation that not only improves transparency of surveillance practices, but also promotes security by avoiding the creation of potential vulnerabilities that can later be exploited by criminals and other bad actors," according to the group's letter (.PDF), made available by The New America Foundation, a nonprofit organization chaired by Google executive chairman Eric Schmidt. "Both of these measures would make appreciable changes that would advance government surveillance reform and help rebuild lost trust among Internet users and businesses, while also preserving national security and intelligence authorities."

The Guardian reported last year on a secret loophole giving the NSA the ability to search for U.S. citizens' email and phone call data without a warrant. The details were uncovered in a top secret document leaked by former NSA contractor Edward Snowden.

Other documents leaked by Snowden also exposed secret funding used by the NSA to get technology providers in the U.S. to build hidden access into their products for surveillance. The leaked documents suggested Microsoft helped the NSA circumvent encryption in Outlook.com messages and RSA was paid $10 million to intentionally support a controversial encryption algorithm in a tool for developers. Both vendors deny aiding government surveillance activities.

FISA was established in 1978 to set guidelines on electronic and physical surveillance activities following the uncovering of broad surveillance activity conducted by the Nixon administration against political and activist groups in the U.S. It has been updated following terrorist incidents to broaden the ability of the government's intelligence agencies to search through telephone records, email messages and other Internet communications when investigating foreigners suspected of terrorist activity.

Section 702 was added in 2008, further extending the scope of warrantless surveillance. Privacy advocates call it a "back-door search loophole," because it doesn't restrict searches if data on U.S. citizens was inadvertently caught in the government's broad surveillance dragnet.

Despite denials of any complicit role in helping U.S. intelligence agencies, U.S. technology providers say the negative impact is coming from business abroad, where there is a perception that the firms play a big role in providing access.

Business owners are more aware of the data practices of their cloud service providers but aren't taking any additional measures like replacing gear, said Eldon Sprickerhoff, founder and chief security strategist at Cambridge, Ontario-based managed security services provider eSentire.

"There's broader understanding of what governments are capable of and there's some question as to where the data is kept when we are doing analysis," Sprickerhoff said.

The attention has put an emphasis on better data security and authentication measures, such as multifactor authentication, digital certificates and encryption, said Skip Gould, CEO of BrightPlanIT, a Buffalo, N.Y.-based systems integrator whose data center is in a former NSA facility.

"There are more questions being asked about data handling than ever before," Gould said. 

PUBLISHED JUNE 18, 2014