Friday, February 5, 2010

Google and the NSA? Really?

When I heard that Google - the world's largest and ever-expanding, privacy-allergic technological empire - had enlisted the National Security Agency (the agency responsible for such privacy violation greatest hits as warrantless wiretapping) for technical assistance to learn more about the computer network attackers who breached the company’s cybersecurity defenses last year, I thought, "what could possibly go wrong with this partnership?"

I'm being facetious of course, and I can't say I believe there's something necessarily nefarious going on here, but I wouldn't go so far as to say I believe the "anonymous sources" version of the story either.

Anyone that has read this blog knows I have written a number of posts about Google's confrontational relationship with privacy, and the variety of ways this can be demonstrated in a host of its products.

I've written about the approaching launch of Google Books, just around the corner, which the ACLU, Electronic Frontier Foundation, and the Samuelson Clinic have even launched a Google Book Search privacy campaign to address. I've written about the loss of "Locational Privacy" and how a host of Google products relate to that growing privacy protection challenge.

And I've posted a lot about other examples demonstrating Google's less than stellar record on privacy in the past, from their lobbying efforts in Congress, to cloud computing, and to its increasing usage and expansion of behavioral marketing techniques.

In a nutshell, as I wrote a few months back, "It's inarguable that Google is rapidly becoming the official technology sponsor of the nation and globe. For the sake of argument, let's just accept this as truth, and assume this company's reach and breadth will only grow. With that in mind, it becomes paramount - and beholden on all those that relish privacy - to keep a close eye on this global leader's attention to privacy as it relates to their technological innovations."

My problems with the NSA are too numerous to detail here for you now, but let's just say they aren't known for their deep respect for privacy or the Fourth Amendment. In other words, we have the largest search engine company in the world teaming up with the federal agency in charge of global electronic surveillance...and what they're doing is confidential. Hmmm....

Noah Shachtman of Wired magazine makes some important points to consider:

The National Security Agency is widely understood to have the government’s biggest and smartest collection of geeks — the guys that are more skilled at network warfare than just about anyone on the planet. So, in a sense, it’s only natural that Google would turn to the NSA after the company was hit by an ultrasophisticated hack attack. After all, the military has basically done the same thing, putting the NSA in charge of its new “Cyber Command.” The Department of Homeland Security is leaning heavily on the NSA to secure .gov networks.

But there’s a problem. The NSA and its predecessors also have a long history of spying on huge numbers of people, both at home and abroad. During the Cold War, the agency worked with companies like Western Union to intercept and read millions of telegrams. During the war on terror years, the NSA teamed up with the telecommunications companies to eavesdrop on customers’ phone calls and internet traffic right from the telcos’ switching stations. And even after the agency pledged to clean up its act — and was given wide new latitude to spy on whom they liked – the NSA was still caught “overcollecting” on U.S. citizens.

According to The New York Times, the agency even “tried to wiretap a member of Congress without a warrant.”

All of which makes the NSA a particularly untrustworthy partner for a company that is almost wholly reliant on its customers’ trust and goodwill. We all know that Google automatically reads our Gmail and scans our Google Calendars and dives into our Google searches, all in an attempt to put the most relevant ads in front of us. But we’ve tolerated the automated intrusions, because Google’s products are so good, and we believed that the company was sincere in its “don’t be evil” mantra.

That’s a lot harder to swallow, when Google starts working cheek-to-jowl with the overcollectors. The company pinkie-swears that its agreement with the NSA won’t violate the company’s privacy policies or compromise user data. Those promises are a little hard to believe, given the NSA’s track record of getting private enterprises to cooperate, and Google’s willingness to take this first step.

So what exactly is the agreement between these two behemoths? That, unfortunately, isn't really clear - unless you believe those oh so trustworthy "anonymous sources". Here's what the New York Times had to say about the deal:

By turning to the N.S.A., which has no statutory authority to investigate domestic criminal acts, instead of the Department of Homeland Security, which does have such authority, Google is clearly seeking to avoid having its search engine, e-mail and other Web services regulated as part of the nation’s “critical infrastructure.”

The United States government has become increasingly concerned about the computer risks confronting energy and water distribution systems and financial and communications networks. Systems designated as critical infrastructure are increasingly being held to tighter regulatory standards.

On Jan. 12, Google announced a “new approach to China,” stating that the attacks were “highly sophisticated” and came from China. At the time, it gave few details about the attacks other than to say that a theft of its intellectual property had occurred and that a primary goal of the attackers had been to gain access to the Gmail accounts of Chinese human rights activists. In reaching out to the N.S.A., which has extensive abilities to monitor global Internet traffic, the company may have been hoping to gain more certainty about the identity of the attackers.

And the Washington Post adds a bit more detail:

Google approached the NSA shortly after the attacks, sources said, but the deal is taking weeks to hammer out, reflecting the sensitivity of the partnership. Any agreement would mark the first time that Google has entered a formal information-sharing relationship with the NSA, sources said. In 2008, the firm stated that it had not cooperated with the NSA in its Terrorist Surveillance Program.

Sources familiar with the new initiative said the focus is not figuring out who was behind the recent cyberattacks -- doing so is a nearly impossible task after the fact -- but building a better defense of Google's networks, or what its technicians call "information assurance."


The NSA would also be able to help the firm understand what methods are being used to penetrate its system, the sources said. Google, for its part, may share information on the types of malicious code seen in the attacks -- without disclosing proprietary data about what was taken, which would concern shareholders, sources said.

In other words, there's a lot still "unknown" here, outside of a few anonymous sources assuring us there will be no disclosures of proprietary data on, say, the tens of millions of Google users. I'd also argue that it brings some perhaps undesired, but needed, attention to the Constitution-subverting ways of the NSA.

As Marc Rotenberg, executive director of the Electronic Privacy Information Center, a Washington-based policy group, noted: “Google and N.S.A. are entering into a secret agreement that could impact the privacy of millions of users of Google’s products and services around the world."

He also believes the agreement covers much more than the Google hack, particularly in light of the fact that the search giant and intelligence agency were in talks prior to Google discovering that it had been hacked, stating, “What they’ve told you is that this is about an investigation of a hack involving China. I think and have good reason to believe that there’s a lot more going on.”

Wired magazine adds some needed depth to the Post and Times stories:

On Thursday, the organization filed a lawsuit against the N.S.A., calling for the release of information about the agency’s role as it was set out in National Security Presidential Directive 54/Homeland Security Presidential Directive 23, a classified 2008 order issued by President George W. Bush dealing with cybersecurity and surveillance.

The FOIA request also seeks NSA communications with Google regarding Google’s failure to encrypt Gmail and cloud computing services. Rotenberg says EPIC wants to know what role the NSA has played in shaping privacy and security standards for Google’s services.

EPIC also filed a lawsuit against the NSA and the National Security Council, seeking a key document governing the government’s broader national cybersecurity policy, which has been shrouded in secrecy.

“We can’t afford to have secret cybersecurity policy that impacts the privacy rights of millions of internet users,” said Rotenberg.


Matthew Aid, NSA historian and author of The Secret Sentry, said the move troubled him. “I’m a little uncomfortable with Google cooperating this closely with the nation’s largest intelligence agency, even if it’s strictly for defensive purposes,” he told the Post.

The NSA has been embroiled since 2005 in allegations that the agency violated federal laws in conducting illegal surveillance of Americans’ phone and internet communications. Giving the agency authority over coordination of the government’s cybersecurity plan — which would include working with telecoms and other critical companies in the private sector — could put the agency in the position of surreptitiously monitoring communications.

Click here to read the rest of the Wired article.

I want to conclude by going back to Noah Shachtman of Wired magazine, and his take on the business angle in all this:

Google may need help in fighting off these hacks. But turning to Ft. Meade could wind up permanently damaging the company’s image — and the foundation of its incredible success. Already, the Russian press are talking about Google’s decision to spy with NSA, for instance. Hackers might be able to compromise some of Google’s services, for a little while. The association with the NSA could permanently cripple the company. The telegram companies and the old-school telcos were virtually monopolies; customers had nowhere to turn, if they wanted private communications. Bing and Yahoo Mail are just a click away.

Needless to say, I'll be watching this story...

1 comment:

sovereignthink said...

Great Article!

They spy and they lie. They know that we are awakening.
They face total exposure in the InfoWar.

Learn to think evil and do good.
Learn to sovereignthink