BreachExchange mailing list archives

Looking Through the Cloudy PRISM

From: Erica Absetz <erica () riskbasedsecurity com>
Date: Tue, 11 Jun 2013 14:03:53 -0500

http://www.datalossdb.org/incident_highlights/59-looking-through-the-cloudy-prism

As you have no doubt heard, a lot of fuss has been made over the past
couple of days involving the NSA, Verizon, and Facebook, as well as
several other companies and governments. Here, we want to provide a
concise overview of the information available at this point, along
with some links to additional reading about the program that is known
as “PRISM”.

On June 6, 2013, the Guardian published an article that suggested a
classified order was issued on April 25, 2013 that allowed the United
States government to collect data until July 19, 2013 and then hand it
over to the NSA. This order was issued to Verizon, and its existence
was not allowed to be spoken of. Currently, the documents revealed
only cover Verizon, but there may have been similar orders involving
other companies, not just ones that provide phone service. PRISM, a
program allowing the NSA access to company data, was originally
enabled in December of 2007 by President Bush under a U.S.
surveillance law and then renewed by President Obama in December of
2012. This program was started to aid anti-terrorism efforts and there
are claims by the government that it has already prevented a terrorist
plot in Colorado.

These documents reveal that the NSA is performing massive data mining
covering millions of U.S. citizens. Wired reported the collected data
includes phone numbers of both parties involved in the phone call, the
time and duration of the call, the calling card numbers used in the
call, and the International Mobile Subscriber Identity (IMSI) number
which applies to mobile callers. The location of the calls may have
been recorded using cell tower data. Data that was NOT collected
includes names, addresses, account information, and recordings of call
content. There is heated debate whether this metadata is sensitive or
not. On the one hand, no names or call content suggests that your
fundamental privacy is intact. On the other hand, consider that the
government knows you “spoke with an HIV testing service, then your
doctor, then your health insurance company in the same hour. But they
don't know what was discussed.”

Edward Snowden has been identified as the whistleblower who released
the documents that exposed this classified order. He had access to
these documents as an employee for the NSA, for which he had been
working over the last four years as a contractor from outside
organizations, including Booz Allen and Dell. When Snowden released the documents he
stated, “I can’t allow the US to destroy privacy and Internet
freedom.”

This article by the Guardian highlights multiple comments made by
President Obama about the issue. He called this a “very limited issue”
when discussing these disclosures of the NSA accessing phone data. In
an attempt to deflect criticism, the President also stated that he had
privacy concerns regarding private corporations as they collect more
data than the government.

Both Facebook and Google denied any previous knowledge of the PRISM
surveillance program after concerns they may have been part of the
program. Many other technology companies thought to be part of PRISM
issued similar statements saying that they did not allow the
government “direct access” to their systems. However, the NY Times
reports that Google, Microsoft, Apple, Facebook, Yahoo, AOL, and
Paltalk all negotiated with the government and were required to share
information due to the Foreign Intelligence Surveillance Act (FISA).
The Guardian also states that Microsoft has been a part of this
information sharing program since the beginning in December of 2007
and was joined by Yahoo in 2008, Google, Facebook and PalTalk in 2009,
YouTube in 2010, Skype and AOL in 2011, and Apple in 2012. At this
point, it is a game of "who do you trust?" The government who finds
such data incredibly valuable, or the corporations that sometimes rely
on such data for their business model (e.g. Facebook).

In an article by Mark Jaquith, he mentions how important the details
are in this situation. There are two different reports on how PRISM
actually works; one says the government can directly and unilaterally
access company servers to take data and the other is just an easier
way to transfer data requested by court orders. The majority of
reports are pointing toward the second method describing the way that
PRISM works. If this is true, the transfer of data is moderated and
indirect making it basically a lock box to securely pass information
through. Now that this has been brought to light, we hope more details
will continue to come to the surface to provide clarity.

As with many big information leaks, the emotions and politics quickly
take hold and begin to dominate the argument. Veterans of the Internet
are largely not surprised by the PRISM news, due to fleeting memory of
ECHELON, Carnivore, and likely other initiatives that never came to
light. Regardless, the PRISM program represents a serious threat to
individual privacy and every citizen should be concerned.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss