How Does Prism Change the Way We See Things?


The extraordinary revelations about the NSA's global spying programme Prism have only just started – was it really just last Thursday that things began? So it would be extremely rash to attempt any kind of definitive statement about what is going on. But that doesn't preclude a few preliminary comments, as well as initial thoughts on what action those of us in Europe might take in response.

Things began with the news that one of the largest telecoms companies in the US, Verizon, was handing over on an "ongoing, daily basis" an entire class of data about its customers:

The order directs Verizon to "continue production on an ongoing daily basis thereafter for the duration of this order". It specifies that the records to be produced include "session identifying information", such as "originating and terminating number", the duration of each call, telephone calling card numbers, trunk identifiers, International Mobile Subscriber Identity (IMSI) number, and "comprehensive communication routing information".

What's interesting about that, of course, is that it is precisely this kind of metadata that the UK government wants to slurp up as part of the Snooper's Charter.

The next day, we discovered that leading Internet companies were also compromised – Microsoft, Yahoo, Google, Facebook, PalTalk, YouTube, Skype, AOL and Apple, given in order of joining:

The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants, according to a top secret document obtained by the Guardian.

The NSA access is part of a previously undisclosed program called Prism, which allows officials to collect material including search history, the content of emails, file transfers and live chats, the document says.

The Guardian has verified the authenticity of the document, a 41-slide PowerPoint presentation – classified as top secret with no distribution to foreign allies – which was apparently used to train intelligence operatives on the capabilities of the program. The document claims "collection directly from the servers" of major US service providers.

It's worth noting that the word "direct" is both key and contested. Soon afterwards, we had outraged denials that any of this was happening from the companies concerned. Striking, though, was the fact that the language used was rather similar; all of them specifically denied the "direct" part, but admitted that they did pass information, as required by the US government.

And then we had the hilariously-named Boundless Informant:

An NSA factsheet about the program, acquired by the Guardian, says: "The tool allows users to select a country on a map and view the metadata volume and select details about the collections against that country."

Under the heading "Sample use cases", the factsheet also states the tool shows information including: "How many records (and what type) are collected against a particular country."

That may sound pretty boring, but what's noteworthy about it is that the NSA specifically said it couldn't do what Boundless Informant does boundlessly. In other words, they lied, which may have some serious consequences in the US. But far more interesting for the readers of this blog is the following little fact, buried at the bottom of one of the slides obtained by the Guardian:

BoundlessInformant leverages FOSS technology (i.e. available to all NSA developers)

I suppose that goes to show that every cloud has a silver lining: yet again, we have the ultimate accolade for free software – that it is used by people for whom money is no problem, and who could therefore buy any software they wanted. Instead, they choose open source – and even note it as one of the strong points of their approach. In fact, I'd be surprised if that weren't true for practically everything the NSA does. Free software is not only the best, it is naturally open, which allows it to be checked for backdoors and suchlike.

Finally – well, until the next revelation – we had the leaker reveal himself:

The individual responsible for one of the most significant leaks in US political history is Edward Snowden, a 29-year-old former technical assistant for the CIA and current employee of the defence contractor Booz Allen Hamilton. Snowden has been working at the National Security Agency for the last four years as an employee of various outside contractors, including Booz Allen and Dell.

Interestingly, Booz Allen has just won an award for open source:

The Department of Defense (DoD) hired technology consulting firm Booz Allen Hamilton to transform its aging and inflexible architecture into one that supports elasticity and flexibility during spikes in user demand. Using Red Hat Enterprise Linux, Red Hat JBoss Middleware, and Red Hat Enterprise Virtualization, Booz Allen Hamilton created a private cloud and elastic infrastructure that is forecast to save over $5 million through fiscal year 2015 and has increased agility and flexibility.

Maybe open source permeates this murky cloak-and-dagger world now...

But returning to the rather more serious matter of what the latest series of leaks means for the future, we need to confront the fact that everyone outside the US is being spied on by the latter on what looks like a massive scale. Although the documents that have been released are vague, Snowden himself is not: he says that technology has got to the point where it is just easier for the NSA to grab everything to store for later use, rather than to attempt to be selective about what is kept.

That is, we are now pretty sure that what I feared back in January has in fact been happening. Not that I can take any credit for that perspicacity: my post was based on the European Parliament report "Fighting cyber crime and protecting privacy in the cloud" [.pdf], still well worth reading. One of the authors of that report was Caspar Bowden, who has been sounding the warning about US surveillance in Europe for some time. He's now put together an even better presentation [.pdf] on the threats that cloud computing represents thanks to Prism and whatever else is being used that we don't (yet) know about. I strongly urge you to read it.

Since the problem of Prism is essentially the same problem that I addressed in January, I naturally think the solution is the same:

That leaves two main alternatives. First, European-controlled cloud computing systems. Fortunately, setting up cloud computing infrastructure isn't hard, not least because a wide range of open source software is available in this area to ease the task. This should lead to a burgeoning of European cloud computing services once companies start realising the dangers of using US-controlled systems.

However, there may still be risks associated with those, since European police forces may also seek powers to access data held on such services. Companies for whom data security and privacy are absolutely crucial need to think about bringing the clouds in house. Again, the availability of low-cost open source solutions that scale effortlessly is hugely helpful here, especially if an enterprise already has experience of implementing free software solutions. Somehow it seems appropriate that software whose origins lie in the preservation of basic freedoms should be deployed in this way to counter toxic cloud computing's threat to them.

Actually, there are a few more actions I think we should take.

First, we should repeal the Safe Harbour status of the US. That essentially says that US companies can self-certify that they will respect our privacy with our data. Prism blows that completely out of the water: our data is going to the NSA – whether "directly" or not is irrelevant – and so the terms of the Safe Harbour agreement have been breached. Moreover, there is no way in the future that they will not be breached. Therefore Safe Harbour must be cancelled for all US companies. Similarly, all the other data transfer schemes such as SWIFT – our financial data – and PNR – our travel information – also fail the privacy test. These schemes too must be cancelled.

That might seem extreme, but what has been revealed in the past few days is just as extreme, and merits a similar response. We're talking about the abolition of privacy, and the near-impossibility of secrecy. We're talking about one country claiming the right to spy on the entire world in a way that is completely unfettered as far as everyone outside the US is concerned – and probably barely constrained within it. We're talking about a subversion and corruption of the Internet so deep as to threaten its usefulness as a means of communication between free individuals.

I won't deign to answer the usual idiots that trot out the "if you have nothing to hide, you have nothing to fear" argument. Instead, I will just urge you to watch the initial video interview with Edward Snowden. It is not just an incredibly calm and dignified explanation of why he did what he did, it also offers one of the best, and most convincing explanations of why even if you have absolutely nothing to hide, you have everything to fear thanks to Prism and its ilk.

Follow me @glynmoody on Twitter and on Google+