Protecting your data in the age of the NSA and PRISM

Soon after Edward Snowden released a cache of top-secret documents detailing the far-ranging data collection activities of the U.S. National Security Agency (NSA) in the summer of 2013, the Federal Bureau of Investigation (FBI) approached the secure email provider Lavabit with a demand to turn over the encryption keys to its communications. Their target was, allegedly, none other than Snowden himself, who had been posting his address and inviting human rights activists around the world to contact him. Ladar Levison, the owner of Lavabit, refused the Bureau’s request. Levison was concerned that turning over his private encryption key would allow the government to decrypt not only Snowden’s communications but also those of all of Lavabit’s nearly 400,000 customers, many of whom are activists and had chosen Lavabit for its security. Facing a contempt of court charge, Levison eventually turned over the encryption key. However, he simultaneously shut down his service, thus preventing the authorities from gaining access to his customers’ communications.

Few companies have the ability to act like Lavabit and shut down in the face of such a demand. Lavabit was a very small organization with no shareholders and few employees to answer to for their actions. As organizations become more decentralized and their employees more mobile, they naturally need to share more information, raising concerns about how to adequately protect that information from NSA-like government actors. Most organizations have no plan in place for reacting to a government request for data. How should companies prepare to deal with this issue? What steps can be taken to protect data? We’ll explore these questions in this report, place the NSA threat in perspective, and suggest steps most companies can take to preserve data privacy.


The NSA in Perspective
The NSA is not unique in its use of the Internet for intelligence gathering. Most other major industrialized nations contribute to or have some surveillance footprint on the Internet. Some of these nations even engage in economic espionage and sabotage
efforts, a serious concern for businesses worried about intellectual property and their global competitiveness.1 However, because of the NSA’s aggressiveness and scope, organizations should consider to what degree they need to protect against such an agency and other only slightly less capable state actors. The NSA can be thwarted, as their frustration with breaking2 the Tor network3 demonstrates. Though, as is often the case, hardening one security weakness inevitably leads to the aversary exploiting that weakness.

Risk assessments by corporations and individuals are critical in this context. To perform a risk assessment, one has to understand the capabilities of those who are trying to infi ltrate their information systems, and place these risks in context. Many organizations face security and data privacy threats from many sources – malicious hackers, insiders, or weak security systems and process. In reality, the most dangerous threat for most organizations is unintended mistakes and errors by employees – losing a laptop, or sending a confi dential fi le to the wrong people. An analysis of recently revealed NSA strategy and techniques can help provide perspective as well as give insights into the methodologies of other state actors. Many of the NSA’s techniques involve accessing metadata, so we’ll explore that distinction fi rst. Next, we’ll identity the major NSA programs revealed as of today, and some suggested countermeasures.

Author: John Conley III

I am a technology and business consultant who provides state of the art software design services to rapidly growing and mature organizations using cutting edge technologies. Information Technology Professional with over 20 years of industry experience as a Software Architect/Lead Developer and Project Management Coach using service oriented (SOA/EIB) view of the software development process (Use Case/Story View, Class Design View, Database Design View, and Infrastructure View) and software design (Model-View-Controller based (MVC pattern/framework)). Coached PMs on various aspects of task and resource management and requirements tracking and tracing, and even filled in for PMs. Led teams of varying sizes mainly from the architect viewpoint: translating non-technical requirements into concrete, technical components and work units, identifying and creating reusable frameworks and design patterns, creating skeletal IDE projects with MVC wiring and config files, assigning app tiers or horizontal components to developers, making sure test team members have use cases and other work unit inputs to create an executable test/quality assurance plan, organizing meetings, ensuring enterprise standards and practices are adhered to, enforcing any regulatory and security compliance traceable from requirements/Solution Architecture Documents (SADs) all the way down to core classes in code, and so on Expertise includes designing and developing object-oriented, service/component-based software systems that are robust, high-performance and flexible for multiple platforms. Areas of specialization include Internet (business-to-business and business-to-consumer) e-commerce and workflow using Microsoft.NET technologies (up to current Visual Studio 2010/.Net Framework 4.0, MVC3/Razor View Engine, LINQ), TFS, Sharepoint 2007 (Task Mgmt, Build Script), Commerce Server 2007/2002 (basket and order pipeline), ASP.NET, ADO.NET, C#, Visual C++, Visual Basic.NET) and Java EE/J2EE, service oriented architecture (SOA) and messaging (MSMQ, MQSeries, SAP message handling) and more abstract enterprise service bus (ESB) designs, best patterns and practices, telecommunications and the offline processes of the enterprise. Provide detail estimates on budgets, guided design and development tasks with offshore teams, technical assessments of third party software tools and vendor selections, project/iteration planning and spring product backlogs, and level of effort for statements of work (including for offshore based development teams), including executive summary presentations as needed.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s