Friday, September 17, 2010

EPIC Sues To Get More Info About Google/NSA Relationship

This headline in the Los Angeles Times caught my eye today. Now, I wrote about the original story surrounding the shady relationship between notorious privacy villain - Google - and notorious civil liberties violator - the National Security Administration - back in February of this year.

Now, we've got some movement on it, as evidenced by the privacy rights group Electronic Privacy Information Center (EPIC) suing the spy agency because it won't divulge information about its reported agreement to help the Internet company defend itself against foreign cyber attacks.

Before we get to the article, let me refresh your memory on the story, using some of what I wrote back in February:

"It's inarguable that Google is rapidly becoming the official technology sponsor of the nation and globe. For the sake of argument, let's just accept this as truth, and assume this company's reach and breadth will only grow. With that in mind, it becomes paramount - and beholden on all those that relish privacy - to keep a close eye on this global leader's attention to privacy as it relates to their technological innovations."

My problems with the NSA are too numerous to detail here for you now, but let's just say they aren't known for their deep respect for privacy or the fourth amendment. In other words, we have the largest search engine company in the world teaming up with the federal agency in charge of global electronic surveillance...and what they're doing is confidential. Hmmm....

Noah Shachtman of Wired magazine makes some important points to consider:

The NSA and its predecessors also have a long history of spying on huge numbers of people, both at home and abroad. During the Cold War, the agency worked with companies like Western Union to intercept and read millions of telegrams. During the war on terror years, the NSA teamed up with the telecommunications companies to eavesdrop on customers’ phone calls and internet traffic right from the telcos’ switching stations. And even after the agency pledged to clean up its act — and was given wide new latitude to spy on whom they liked – the NSA was still caught “overcollecting” on U.S. citizens.

According to The New York Times, the agency even “tried to wiretap a member of Congress without a warrant.”

All of which makes the NSA a particularly untrustworthy partner for a company that is almost wholly reliant on its customers’ trust and goodwill. We all know that Google automatically reads our Gmail and scans our Google Calendars and dives into our Google searches, all in an attempt to put the most relevant ads in front of us. But we’ve tolerated the automated intrusions, because Google’s products are so good, and we believed that the company was sincere in its “don’t be evil” mantra.

That’s a lot harder to swallow, when Google starts working cheek-to-jowl with the overcollectors. The company pinkie-swears that its agreement with the NSA won’t violate the company’s privacy policies or compromise user data. Those promises are a little hard to believe, given the NSA’s track record of getting private enterprises to cooperate, and Google’s willingness to take this first step.

So what exactly is the agreement between these two behemoths? That, unfortunately, isn't really clear - unless you believe those oh so trustworthy "anonymous sources". Here's what the New York Times had to say about the deal:

By turning to the N.S.A., which has no statutory authority to investigate domestic criminal acts, instead of the Department of Homeland Security, which does have such authority, Google is clearly seeking to avoid having its search engine, e-mail and other Web services regulated as part of the nation’s “critical infrastructure.”


On Jan. 12, Google announced a “new approach to China,” stating that the attacks were “highly sophisticated” and came from China. At the time, it gave few details about the attacks other than to say that a theft of its intellectual property had occurred and that a primary goal of the attackers had been to gain access to the Gmail accounts of Chinese human rights activists. In reaching out to the N.S.A., which has extensive abilities to monitor global Internet traffic, the company may have been hoping to gain more certainty about the identity of the attackers.

In other words, there's a lot still "unknown" here, outside of a few anonymous sources assuring us there will be no disclosures of proprietary data, on say, the tens of millions of google users. I'd also argue that it brings some perhaps some undesired, but needed attention on the Constitution subverting ways of the NSA.

As Marc Rotenberg, executive director of the Electronic Privacy Information Center, a Washington-based policy group, noted: “Google and N.S.A. are entering into a secret agreement that could impact the privacy of millions of users of Google’s products and services around the world."

He also believes the agreement covers much more than the Google hack, particularly in light of the fact that the search giant and intelligence agency were in talks prior to Google discovering that it had been hacked, stating, “What they’ve told you is that this is about an investigation of a hack involving China. I think and have good reason to believe that there’s a lot more going on.”

Wired magazine adds some needed depth to the Post and Times stories:

On Thursday, the organization filed a lawsuit against the N.S.A., calling for the release of information about the agency’s role as it was set out in National Security Presidential Directive 54/Homeland Security Presidential Directive 23 , a classified 2008 order issued by President George W. Bush dealing with cybersecurity and surveillance.

The FOIA request also seeks NSA communications with Google regarding Google’s failure to encrypt Gmail and cloud computing services. Rotenberg says EPIC wants to know what role the NSA has played in shaping privacy and security standards for Google’s services.
EPIC also filed a lawsuit against the NSA and the National Security Council, seeking a key document governing the government’s broader national cybersecurity policy, which has been shrouded in secrecy.

“We can’t afford to have secret cybersecurity policy that impacts the privacy rights of millions of internet users,” said Rotenberg.


Matthew Aid, NSA historian and author of The Secret Sentry, said the move troubled him. “I’m a little uncomfortable with Google cooperating this closely with the nation’s largest intelligence agency, even if it’s strictly for defensive purposes,” he told the Post.

The NSA has been embroiled since 2005 in allegations that the agency violated federal laws in conducting illegal surveillance of Americans’ phone and internet communications. Giving the agency authority over coordination of the government’s cybersecurity plan — which would include working with telecoms and other critical companies in the private sector — could put the agency in the position of surreptitiously monitoring communications.

I want to conclude by going back to Noah Shachtman of Wired magazine, and his take on the business angle in all this:

Google may need help in fighting off these hacks. But turning to Ft. Meade could wind up permanently damaging the company’s image — and the foundation of its incredible success. Already, the Russian press are talking about Google’s decision to spy with NSA, for instance. Hackers might be able to compromise some of Google’s services, for a little while. The association with the NSA could permanently cripple the company. The telegram companies and the old-school telcos were virtually monopolies; customers had nowhere to turn, if they wanted private communications. Bing and Yahoo Mail are just a click away. we're ready to look at the new developments. The Los Angeles Times reports:

The ad hoc and secretive nature of Google's arrangement with the federal spy agency also spotlights what some experts said was the lack of a clear federal plan to deal with the growing vulnerability of U.S. computer infrastructure to cyber intrusions launched from foreign countries. At risk are power grids, banks and other crucial public services.


The nonprofit Electronic Privacy Information Center, which has tangled with Google in the past over the security of its Gmail e-mail system, filed a request under the Freedom of Information Act for documents related to any agreement between Google and the NSA. The NSA denied the request, and on Monday the privacy group took the agency to court, seeking to force it to hand over records.

"As of 2009, Gmail had roughly 146 million monthly users, all of whom would be affected by any relationship between the NSA and Google," the privacy group's request said. "In order for the public to make meaningful decisions regarding their personal data and e-mail, it must be aware of the details of that relationship. Neither Google nor the NSA has provided information regarding their relationship."

There probably isn't a significant privacy concern in the NSA's dealings with Google, said Richard Clarke, a top national security official in the Clinton and Bush administrations and author of "Cyber War: The Next Threat to National Security and What to Do About It." "But the easy way for Google and NSA to prove that is by letting an outside group come in and find out," Clarke said.


In a statement, NSA declined to confirm or deny its relationship with Google. "NSA works with a broad range of commercial partners and research associates to ensure the availability of secure, tailored solutions," the statement said.

A Google spokesman declined to comment Monday, but in January, the company issued a statement saying it was "working with the relevant U.S. authorities" in response to the cyber attack.

Click here for the article in its entirety.

I don't think I need to add much to all this...I don't know what may, or may not be going on between these two Goliaths. But I do know that WE should know. So cheers to EPIC for keeping on will I here...

No comments: