February 04, 2010

Google (and Lauren) Meet NSA

Greetings. I woke up this morning to find my inbox flooded with concerned notes regarding a reported agreement being negotiated between Google and NSA - the National Security Agency ([1] and [2]).

The general trend of the messages, mostly from the same people who routinely treat me to rather paranoid anti-Google tirades, was largely along the lines of, "Here's another reason not to trust big, bad Google with our data."

I have no information beyond what has been published publicly regarding either this reported agreement or the Chinese-based attacks that are apparently the direct catalyst for the exploration of such an arrangement.

But I can explain why I'm not particularly concerned about this "partnership," so long as Google is being sufficiently careful and compartmented -- which I strongly suspect they are.

Older generations of NSA operatives are no doubt somewhat bemused by the openness with which the agency is discussed these days. Years ago, the official existence of "No Such Agency" was purposely kept so publicly nebulous that conference attendees from the agency routinely wore name tags only identifying their organization as "Department of Defense."

My first direct contact with NSA occurred many moons ago. I was sitting at a rather rickety CRT display in the UCLA ARPANET computer room, hacking at Unix OS code. A coworker popped his head into the noisy room, and announced that "two guys from NSA have shown up and want to speak to you."

Hmm. A quick mental review didn't reveal any recent felonies that might be of particular interest to the pair, so I popped out into the quiet of the "Boelter Hall" basement hall.

And sure enough, there awaited a couple of polite young men in dark suits holding notepads. Fascinating.

As it turned out, they had come to ask for software advice. At that point in time, before the widespread availability of terminal-independent programming libraries like "termcap" and "termlib," I was something of the point man for ports of a particular Unix application to different terminal environments.

The NSA team wanted to talk about that application and some of the related porting issues -- and we had a nice chat. I wondered at the time why they hadn't just called or sent an e-mail -- I was LAUREN@UCLA-SECURITY back then and easy enough to reach. But maybe it was like the "hovercraft" guy in the current Orbitz commercials, who flies around hand-delivering refund checks because, what the hell, "We have a hovercraft!"

Years later, I discovered that NSA had become interested in my experiments with Unix-based newswire data collection and indexing, but that's another story.

The above was a long way of saying that NSA is both a premier R&D institution and a signals intelligence (SIGINT) data collection and analysis organization.

That various serious abuses both long past and quite recent (at least the ones we know about that have come to public light) have occurred in the latter aspect of NSA is well documented -- James Bamford is the recommended starting point for interested readers new to the NSA sagas.

Yet it's undeniable that NSA represents the nation's most concentrated resource relating to cryptography and what now seems to be popularly called anti-cyberterrorism.

Controversies associated with NSA's involvements even in these regards have certainly been recurring facts of life -- NSA roles in the development of cryptosystems such as DES and AES are well-known examples. Recent over-enthusiasm by some members of Congress for proposals to establish direct NSA involvement in the day-to-day aspects of Internet security has justifiably raised significant privacy and other concerns.

But the fact still remains that the expertise represented by NSA in the computer security field is unparalleled in key contexts, and it is utterly reasonable that Google (and other technology firms) would consider carefully structured associations with NSA in the existing environment.

The devil is in the details, naturally. But Google knows that the continued patronage of their users is integrally associated with those users feeling confident that their data is safe from abuse.

I cannot visualize a circumstance under which Google would voluntarily agree to any partnership with NSA that could possibly marginalize or jeopardize that confidence. Of course -- and speaking only theoretically -- if Google were forced by governments to involuntarily cooperate with privacy-invasive schemes, we'd be faced with a whole different class of serious problems way outside the scope of the current discussion, and with far-reaching consequences for our democracy. But (based on all available evidence, one hopes) that's not where we are today.

It would however be extremely useful for Google to make as much information as possible publicly available regarding any association with NSA. At least the outlines of any data sharing arrangements should be announceable without negatively impacting operational effectiveness. A sustained lack of information in this regard tends to fuel the kinds of conspiracy-focused rumors that just love a vacuum.

NSA is perhaps a quintessential example of a government agency that exists as a double-edged sword. Properly directed and harnessed, its resources for our positive protection are vast. But if "running amok," NSA possesses at least equal potential for civil liberties abuses on a massive scale.

It makes perfect sense for Google -- like various other firms -- to work with NSA towards better understanding and prevention of cyberattacks, so long as sufficient NSA isolation from Google user data is guaranteed.

But to use the vernacular, when dancing with Godzilla, it's always a really good idea to plan out your steps very, very carefully in advance -- for you never, ever want to find yourself underfoot!


Posted by Lauren at February 4, 2010 10:42 PM