Soon after Edward Snowden released a cache of top-secret documents detailing the far-ranging data collection activities of the U.S. National Security Agency (NSA) in the summer of 2013, the Federal Bureau of Investigation (FBI) approached the secure email provider Lavabit with a demand to turn over the encryption keys to its communications. Their target was, allegedly, none other than Snowden himself, who had been posting his @lavabit.com address and inviting human rights activists around the world to contact him. Ladar Levison, the owner of Lavabit, refused the Bureau’s request. Levison was concerned that turning over his private encryption key would allow the government to decrypt not only Snowden’s communications but also those of all of Lavabit’s nearly 400,000 customers, many of whom are activists and had chosen Lavabit for its security. Facing a contempt of court charge, Levison eventually turned over the encryption key. However, he simultaneously shut down his service, thus preventing the authorities from gaining access to his customers’ communications.
Few companies have the ability to act like Lavabit and shut down in the face of such a demand. Lavabit was a very small organization with no shareholders and few employees to answer to for their actions. As organizations become more decentralized and their employees more mobile, they naturally need to share more information, raising concerns about how to adequately protect that information from NSA-like government actors. Most organizations have no plan in place for reacting to a government request for data. How should companies prepare to deal with this issue? What steps can be taken to protect data? We’ll explore these questions in this report, place the NSA threat in perspective, and suggest steps most companies can take to preserve data privacy.
The NSA in Perspective
The NSA is not unique in its use of the Internet for intelligence gathering. Most other major industrialized nations contribute to or have some surveillance footprint on the Internet. Some of these nations even engage in economic espionage and sabotage efforts, a serious concern for businesses worried about intellectual property and their global competitiveness.[1] However, because of the NSA’s aggressiveness and scope, organizations should consider to what degree they need to protect against such an agency and other only slightly less capable state actors. The NSA can be thwarted, as their frustration with breaking[2] the Tor network[3] demonstrates. Though, as is often the case, hardening one security weakness inevitably leads to the adversary exploiting that weakness.
Risk assessments by corporations and individuals are critical in this context. To perform a risk assessment, one has to understand the capabilities of those who are trying to infiltrate their information systems, and place these risks in context. Many organizations face security and data privacy threats from many sources – malicious hackers, insiders, or weak security systems and processes. In reality, the most dangerous threat for most organizations is unintended mistakes and errors by employees – losing a laptop, or sending a confidential file to the wrong people. An analysis of recently revealed NSA strategy and techniques can help provide perspective as well as give insights into the methodologies of other state actors. Many of the NSA’s techniques involve accessing metadata, so we’ll explore that distinction first. Next, we’ll identify the major NSA programs revealed as of today, and some suggested countermeasures.