The news that Google has turned to the NSA for help in the aftermath of the attack on their systems has earned mixed reactions both on and offline. Pundits have come out on both sides of the fence, but the ultimate question is, should the average consumer worry about this team-up?
Ellen Nakashima, a reporter for the Washington Post, broke the Google/NSA story on page one of Thursday’s edition of the paper. Anonymous sources reported to the Post that while details need to be finalized, Google and the NSA will be working together and developing an information assurance program.
The Post story makes it clear that Google will not begin sharing information with the NSA unless Google’s policies concerning user privacy are adhered to. The story also said that the team-up will work to safeguard privacy laws that protect American citizens.
The plan is not to locate those behind the attacks on Google and other businesses in China, now officially called Operation Aurora, but to strengthen Google against future attacks. While it is big news that Google turned to the NSA for help, they are not alone, as other top tech companies have done so as well. The Information Assurance program from the NSA is widely known and used by several major companies.
The only problem, a major one that cannot be ignored, is that the NSA has a shifty track record with privacy. USA Today reporter Leslie Cauley broke a story in 2006 that ultimately led to a series of investigations into the NSA and government policy where private citizens are concerned.
Cauley broke a story that is now infamous when it comes to the NSA and privacy. The report centered on how every one of the major telecoms, including AT&T and Verizon, was handing over domestic call information to the agency. The only telecom that did not hand out detailed call information to the NSA was Qwest. Even then, Qwest felt a lot of pressure from the government to cooperate.
The NSA defended the program, shortly after it was launched in 2001, by pointing out that the calls monitored may have one end of the communication outside of the United States.
However, in response to the 2006 allegations, the NSA said that, “…it is important to note that NSA takes its legal responsibilities seriously and operates within the law.” The Bush Administration added to that by saying that there “…is no domestic surveillance without court approval.”
The NSA stated that they will operate within the law and privacy will be protected. They said so in 2001 and 2006 on the record. The recent news concerning the NSA and Google has no statements for the record, only the insider’s assurance when speaking to the Post that privacy will be protected. However, the two cases pose similar risks and offer the same assurances. Because of this, the fear over what the NSA could access and what Google can turn over is instant in some circles.
"The critical question is: At what level will the American public be comfortable with Google sharing information with NSA?" said Ellen McCarthy, president of the Intelligence and National Security Alliance, to the Post.
ESET researcher Randy Abrams, who often looks at the threats online from a user perspective, spoke to the Tech Herald about the Google/NSA announcement. We asked him if people should be worried about the NSA working with Google, and if the public should worry about privacy issues.
“I think the NSA gets access to whatever they want. Google knows that Congress will grant them immunity if they violate privacy laws,” Abrams said.
He added that this could also be a PR campaign. He explained it in the context of the telecom scandal, where the domestic monitoring was dropped on the public at large. However, since it is now an established fact that Google is working with the NSA, if anything damaging comes to light, the public will already have been well aware of the possibility.
There is a potential upside, Abrams noted, which could offer some privacy protection from the start. The sheer volume of data that Google can collect means that the NSA won’t have the manpower or technical resources to sort through everything. They will most likely be accessing a subset of data.
“The problem is that there are too many trees in the forest. There is so much data that most of us will simply be noise, not the signal they are looking for.”
The privacy issue is a major concern. It cannot be written off simply because of the Information Assurance program the NSA offers.
While the plan for Google is to understand whether they have the proper defenses in place, using the NSA’s help to evaluate the infrastructure (hardware and software) Google uses to limit attack surfaces, the fact remains that the NSA has access to an impressive set of information.
However, until there is some solid proof that the NSA turns Google’s data into another telecom fiasco, it’s more likely that Google is only interested in the Information Assurance program.
So should the public panic? Is there a need to be concerned? Abrams addressed this succinctly when he offered his opinion.
“I think the public at large should be concerned in general with privacy violations, but I don’t think that this specific instance is particularly alarming.”