Our friends at the NSA
Post on 21-Oct-2014
Lecture for LIS 644 "Digital Trends, Tools, and Debates." Composed in October 2013; likely to become outdated quickly!

Our friends at the NSA
LIS 644

Why am I talking about this?
•Great real-world example bringing together a lot of what we’ve already learned.
  •Law and ethics as well as tech!
•Because it’s our patrons and potential patrons being spied on.
  •That puts it squarely in the category of “our problem.”
•The library world needs a strategy on this kind of thing and doesn’t have one.
  •That means you’re not exempt from worrying about it. Libraries tend to look to newer practitioners to react to stuff like this.

How do we know what we know about this?
•Massive classified-document leak from contractor Edward Snowden.
  •Pretty classic example of security failing from within! Records managers, this is common and you need to be concerned about it!
•Why did he do it? Because he considered the NSA’s actions an unethical invasion of privacy, and thought the rest of us needed to know.
  •Agree or not, it’s a very librarianly motivation.
  •You need to ask yourself whether you’re that brave. It matters.

So what is the NSA collecting?
•Domestic phone call records, landline and cellular.
  •This is the oft-mentioned “metadata.” Actual content of calls is not (as far as we know!) collected.
•As much Internet traffic as they can get their hands on.
  •Including supposedly-private encrypted traffic.
  •Not just “metadata” (that would be logs, I suppose), but the actual content transferred/stored. Email, social media, video, uploaded files, databases, name it.

How did they get it, without anybody realizing?
•(Categories mine; via Ars Technica, http://arstechnica.com/tech-policy/2013/09/let-us-count-the-ways-how-the-feds-legally-technically-get-our-data/)
•Social engineering
  •A company volunteers to help (and gets paid for it)
  •A company complies under legal duress
  •Spies infiltrate a company
  •Spies coerce upstream companies to weaken crypto in their products/install backdoors
•Actual technology breakage
  •Spies copy the traffic directly off the fiber (sometimes without owner’s knowledge)
  •Spies brute force the crypto
  •Spies compromise a digital certificate
  •Spies hack a target computer directly, stealing keys and/or data, sabotage.

Notes on the social engineering factor
•The Patriot Act and its NSLs and gag orders made a huge difference here.
  •So librarians who protested the Patriot Act weren’t “hysterical!” I like to think of us as early-warning signals...
•Not just companies compromising crypto
  •Standards bodies, too. NSA has representatives on crypto-related standards bodies, e.g. at NIST. This is worrisome!

On “metadata”
•You are your patterns of communication!
  •Who you talk to, when, how often
  •From where (your phone’s location is part of cellular metadata)
•The NSA’s database ties this directly to you.
  •Even if it didn’t, you might well be identifiable!
    •This is called “reidentification” and we will discuss it in more detail next week.
•Not just the NSA, not just cell phones!
  •Check out license-plate databases sometime. Am I ever glad I don’t own a car.
•So if anybody says “it’s just metadata,” don’t buy it. Metadata is a big deal.

Other things we know
•Judicial oversight of the NSA is... um. Not rigorous, shall we say.
•The data have been abused by NSA employees. In creepy and gross ways.
•The NSA has repeatedly lied, including to Congress, about:
  •what data it has collected
  •who has access to the data it has collected
  •what is being done with those data
•There’s probably lots more we don’t know!

Some principles of security we can derive from this
•Retained data is vulnerable data.
  •Can’t misuse data you ain’t got!
•The easiest (sometimes only) way to break a security system is to break the people who implement it.
•Security is a function of law and norms, not just code.
•As usual, vulnerable populations get hurt the most.

Meager signs of hope?
•Dark Email Alliance
  •replacing totally-insecure SMTP email-sending protocol with something better
  •headed by someone who shut down his secure-communications company rather than let the government have his clients’ encrypted data. Downright librarianly, that man.
•Very, very angry US allies
  •Go Dilma Rousseff!
•IETF working on securing Internet infrastructure standards
•Legislation (currently “USA Freedom Act”)

What can we do?
•Don’t miss the elephant for the circus.
  •Lots of faff in the media about Snowden. It doesn’t matter what we think of Snowden! What matters is the NSA!
•The usual citizen things: stay informed, contact your legislators, vote.
•Educate. Discuss. Provide a venue for education and discussion.
•Libraries: protect your employees! protect your computers and networks! (as best you can)
•Library organizations: amicus briefs
  •The ACLU has already sued.

Something to think about
•The Internet was designed and built by engineers, physicists, military people.
  •It therefore exhibits many of their values: e.g. technical elegance.
•What if librarians and archivists had built it? How would it be different? Would it be better?
•Can we build that Internet NOW?