Educause Security Discussion mailing list archives

Re: Reactions to reported NSA PRISM program


From: Emery Rudolph <erudolph () UMD EDU>
Date: Fri, 7 Jun 2013 13:41:34 +0000

I too am extremely interested in the responses from those who are embedded in the IT industry and responsible for the 
security of data. To this point, the NSA's access to this data has been characterized as direct connection to the 
servers within the various vendors' data centers. To me, that means they have the ability to tap off the primary data 
feeds and thus do not require any intermediate authorization mechanism. I would like more details on the actual 
connection details, but I would argue that if they have access within the data center, then by default, they and the 
ISP, vendors are one and the same in their access. 

Given the nature of this program, it does not seem that there is any "real" option for an institution or corporation to 
protect the privacy of their data, except to bring it all back in house and isolate it from the network, which is 
impractical for many environments and programs. 

Although the goal of the NSA program is to mine data in an unidentifiable manner, the agency is comprised of humans and 
we will always overreach when presented with the opportunity. 

Interested to read more on this and hear others' responses. 


Very Best Regards,

Emery Rudolph, MS
Manager
IT-ETI-PS Enterprise UNIX Services
University of Maryland
(301) 405-9379
http://www.umd.edu




-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tim Doty
Sent: Friday, June 07, 2013 9:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Reactions to reported NSA PRISM program

On 06/07/2013 08:02 AM, Kevin Halgren wrote:
> For those of you already using Google or Microsoft cloud e-mail
> solutions, I'll be curious to hear the reactions on your campuses to
> this news.
>
> I believe the tech companies are telling the truth when they say they
> don't provide direct backdoor access into their systems and that the
> PRISM presentation may overstate the cooperation and capabilities of the
> system, however that doesn't preclude the government from abusing
> existing systems and capabilities e.g. those under CALEA lawful
> intercept capabilities.

My reading of the statements is they carefully skirt ever stating that 
they aren't participating in PRISM -- in effect what they say is that 
they only provide information pursuant to legal requests. The 
arrangement outlined by PRISM would, AFAICT, be currently interpreted as 
legal no matter how abhorrent one might find it.

James Clapper (Director of National Intelligence) confirms the program's 
existence, only differing on the accuracy of unspecified details.

If you provide a narrow interpretation, such as "direct backdoor", then 
sure it is likely to not be technically accurate. But there appears to 
be sufficient evidence to support assertions that they have query access 
to the data sets in question only constrained by unspecified keywords 
that may, or may not, limit a query to foreigners. And a policy to move 
out from the target by two degrees which is likely to result in 
collection on US citizens.

In "the good old days" an investigation had to get approval to collect 
data on contacts made by the target (excepting only a very limited scope 
of data collection and actions such as would permit such a request). 
That policy applied to physical investigations -- apparently digital is 
somehow different.

Tim Doty

