Six years have passed since Edward Snowden’s bombshell revelations, and the news broke through The Guardian:
“The UK’s electronic eavesdropping and security agency, GCHQ, has been secretly gathering intelligence from the world’s biggest internet companies through a covertly run operation set up by America’s top spy agency, documents obtained by the Guardian reveal.
The documents show that GCHQ, based in Cheltenham, has had access to the system since at least June 2010, and generated 197 intelligence reports from it last year.
The US-run programme, called Prism, would appear to allow GCHQ to circumvent the formal legal process required to seek personal material such as emails, photos and videos from an internet company based outside the UK.”
So everyone who understands the implications of Prism should be outraged. Why should government agencies have access to the love letters I email my boyfriend? Why should they know about the drug my doctor prescribed, that I discussed with my friend in a private message on Twitter? Why should they read my text messages about which movie to see at the cinema, and which restaurant we’ll be eating at afterwards? Why do they need to know that stuff? And if they’re collecting that sort of data on billions of people worldwide, don’t they get overwhelmed? How is this protecting ordinary citizens?
But intelligence agencies and other sorts of government agencies haven’t given up their quest to have access to our data without our consent. To the best of my knowledge, Prism still exists. Then there are more recent developments.
Last year, the Australian Department of Home Affairs’ website published a controversial memo, which has since gone offline. The memo was from the Five Eyes, the intelligence alliance between the United States, the United Kingdom, Canada, Australia, and New Zealand. The memo requested that tech companies “create customized solutions, tailored to their individual system architectures that are capable of meeting lawful access requirements (to our data.)” Then it adds, “should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.”
The use of the word “lawful,” in this context, is rather deceptive. They’re the governments! They write the laws! I think the word “lawful” is being used to suggest that what they want is fair and reasonable. But as they write the laws, “lawful” is anything they think is good. I’m of the chaotic good alignment, and I think something being legal doesn’t make it moral. Sending people to prison for marijuana possession was “lawful” here in Canada until cannabis was legalized last year. Government laws are arbitrary. “Constant monitoring of citizens is lawful. Lawful means we approve of it!”
If tech companies cooperate with the government’s desire to implement backdoors into our software and hardware, that’d facilitate even more mass data collection on us. Even if I was to assume that their intentions are purely good (which I don’t), why should we grant governments all of that extra data if they can’t even protect the data they already have from cyber attackers? What if government backdoors in our PCs, phones, tablets, servers, applications, and online platforms put our sensitive data at greater risk of external cyber attack?
Government databases are a prime target for cyberwarfare, advanced persistent threats, and run-of-the-mill cyber attackers alike. They have all kinds of sensitive data on us, our government ID numbers, our street addresses, our financial and medical data, our taxes. And that data, in the wrong hands, can lead to identity theft, spear phishing, and a loss of privacy offline as well. Experience indicates that governments have done a lousy job of protecting the data they have on us.
Take this fine example into consideration. Bulgaria isn’t a member of the Five Eyes, but I would assume that the security measures that the Bulgarian government implements in their data is comparable to what a Five Eyes government does. Bulgaria has a population of about 7 million people, and about 5 million of them have had their data breached in a cyber attack on their National Revenue Agency. I would assume that the number of victims includes pretty much all of Bulgaria’s adults.
On July 24th, Reuters reported that Bulgarian police have a suspect who might be behind the crime.
“Police investigating Bulgaria’s biggest-ever data breach have detained a manager of a cybersecurity company, raided its offices and seized computers, they said on Wednesday.
The company, Tad Group, has become a focus of the investigation. Another of its employees, Kristian Boykov, is the only person so far charged with involvement in last month’s cyber attack on the tax agency, in which nearly every Bulgarian adult’s financial records were compromised.
Boykov, 20, has denied wrongdoing. He has been released from custody but banned from leaving the country.
Police and prosecutors searched Tad Group’s premises on Tuesday. ‘One senior manager has been taken in for questioning. He is being detained for 24 hours,’ an interior ministry spokeswoman said. She did not identify the person detained.
Prosecutors have said they believe Boykov did not act alone and were now looking for instigators of the attack and contractors they used.”
At least one of the roughly 5 million victims is understandably angry about the data breach. As per CNN:
“Asen Genov is pretty furious. His personal data was made public this week after records of more than 5 million Bulgarians got stolen by hackers from the country's tax revenue office.
In a country of just 7 million people, the scale of the hack means that just about every working adult has been affected.
‘We should all be angry. ... The information is now freely available to anyone. Many, many people in Bulgaria already have this file, and I believe that it's not only in Bulgaria,’ said Genov, a blogger and political analyst. He knows his data was compromised because, though he's not an IT expert, he managed to find the stolen files online.”
Government data systems can be a nightmare to security harden. Insiders cite the proliferation of legacy tech, often described as out-of-date systems which are difficult to patch, as a major factor. Another major factor is the amount of data government agencies share with third-party contractors, creating a vast scope which can be difficult to inventory and maintain.
So government data storage can be rather vulnerable to cyber attack. Also government backdoors can be just as vulnerable to cyber attack. Each and every backdoor weakens encryption in general. Once again, I’ll quote Bruce Schneier: “The FBI wants the ability to bypass encryption in the course of criminal investigations. This is known as a ‘backdoor,’ because it's a way to access the encrypted information that bypasses the normal encryption mechanisms. I am sympathetic to such claims, but as a technologist I can tell you that there is no way to give the FBI that capability without weakening the encryption against all adversaries as well. This is critical to understand. I can't build an access technology that only works with proper legal authorization, or only for people with a particular citizenship or the proper morality. The technology just doesn't work that way.
If a backdoor exists, then anyone can exploit it. All it takes is knowledge of the backdoor and the capability to exploit it. And while it might temporarily be a secret, it's a fragile secret. Backdoors are one of the primary ways to attack computer systems.”