What is PRISM? - All about the beginning of NSA scandal

What is PRISM? - All about the beginning of NSA scandal

In June, a private contractor working for Booz Allen Hamilton, Edward Snowden, leaked classified presentation slides that detailed the existence and the operations of PRISM. PRISM is a surveillance program launched by the US National Security Agency (NSA), with the purpose to capture the private data of citizens who are not suspected of any connection to terrorism or any crime. The Washington Post and The Guardian obtain a leaked 41-slide security presentation. Both publications say that according to the slides, PRISM is considered a highly classified program that allows the National Security Agency and Federal Bureau of Investigation to retrieve data directly from Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple, along with the widely used cloud service Dropbox.

On September 7th, the Der Spiegel has reported that it has obtained NSA documents in which the agency states it accessed data from Apple iPhones, BlackBerry devices, and phones that use Google’s Android operating system. The documents state that it is possible for the NSA to tap most sensitive data held on these smart phones, including contact lists, SMS traffic, notes and location information about where a user has been. Also we can read some news about the NSA  ”breaking” attempts against the SSL and IPSEC internet security protocols, standards. In fact, as it turned out later (or at most we believe) that NSA did not really break these standards they only get around some implementation error.

The NY times, based on the leaked information, wrote that since 2000 the NSA invested billions of dollars in a clandestine campaign to preserve its abіlіty of eaveѕdropping. The agency uѕed іtѕ іnfluence, that aѕ the world’ѕ moѕt experіenced code maker covertly іntroduce weaknesses into the encryption standards. We can also read that U.S. government usually pay huge money for security exploits.

Why should YOU care about PRISM and protect your privacy?

They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” ― Benjamin Franklin, Memoirs of the life & writings of Benjamin Franklin

The above mentioned quote from Benjamin Franklin provides a strong resolution on the  security vs. privacy topic. You can raise a question, why should I care about PRISM? The government collects information about us to protect, they only use this information to catch the bad guys. So I don’t mind. There can be two answers to this question:

First, what is the guarantee that the collected information about us will not be obtained by someone else? Are there any guarantees that these stored databases will not get broken by some hackers who will sell all of your sensitive data to some crime organization or some other country? Finally, there can always be an insider, someone like Edward Snowden who leaks information about you. Basically, as some security expert say: we’re bad at privacy because the consequences of privacy disclosures are separated by a lot of time and space from the disclosures themselves. Almost all our privacy disclosures do no harm, and some of them cause grotesque harm, but when this happens, it happens so far away from the disclosure that we can’t learn from it. Additionally, what is more worrisome is that the audits made at NSA are cursory, incomplete, and easily fooled by fake justifications, with numerous self-granted exceptions, and that NSA policies encourage staff to assume the benefit of the doubt in cases of uncertainty. This means that there can be a large number of false alarms, and anyone can suddenly become a dangerous suspect.

Second, the current data collection activity of the US government is not the most effective solution. According to many security experts, the information are over-collected, and the investigation are not focused at all. In the debate about privacy vs. security, the security expert Bruce Schneier says: “There’s plenty of examples of security that doesn’t infringe on privacy. They are all around. The government feels like they need all this information in order to do their job, that there can’t be security without them having access to everything. Well, that’s a lazy or shortsighted way of seeing things,” he says. “The idea I reject is that you need to violate everyone’s privacy rather than be better at your job of identifying specific (targets).’ The point is that security and privacy are not mutually exclusive ideas.

Has the NSA broken everything?

Based on the leaked information, we believe that, they have not broke the security protocols (SSL, Ipsec, etc), and other solutions, but only exploited the implementation weaknesses in many applications. As Bruce Schneier argues,  “The math is good, but math has no agency. Code has agency, and the code has been subverted”. The NSA has been accused with weakening the security standards, which has been denied by The US National Institute of Standards and Technology (NIST).

The Brave new world – How can we deal with PRISM?

According to security experts the re-engineering the internet to prevent this kind of wholesale spying has to be figured out. We need new techniques to prevent communications intermediaries from leaking private information. We can make surveillance expensive agaіn. Іn partіcular, we need open protocolѕ, open іmplementatіonѕ, open ѕyѕtemѕ – these will be harder for the NSA to subvert. Bruce Schneier also said that “we built the internet, and some of us have helped to subvert it. Now, those of us who love liberty have to fix it”.

I think all of these suggestions sound great but at the same time they are very hard to implement, because the internet is more or less controlled by the US based companies and government agencies have great influence on them. It is highly unlikely that this situation would change, because giving up power and strategy is not easy for any governments.

Instead, we need immediate (and temporary) solutions: the strength of crypto primitives, should be improved and we encourage the use of AES-256, SHA-512, RSA-4096. Some companies started to use RSA-4096, after the outbreak of the PRISM scandal.
Individually, we can protect our privacy and sensitive data by using more open source programs or services, and we can try security services that do not belong to a company from US. Of course, these solutions also do not provide 100% guarantee, because as usual, the security is highly based on how the security standards are implemented, but at least we cannot worry much about the fact that they are under the strong influence by government.

We always knew that our personal data is very valuable for different purposes, and companies, agencies and governments made serious attempts to collect them. The outbreak of the PRISM scandal should strengthen our awareness and increase our willingness to protect our sensitive data, and privacy.
To achieve our goal and to force a radical change in this field, the most important thing is that everyone has to fight for its privacy.  People should not give up their privacy for convenience. This is similar to the situation of protecting the environment, where to make it feasible we need to strive for it, and we need to cooperate with each other.

Our guest blogger Ta Vinh Thong is working at the Laboratory of Cryptography and System Security (CrySyS) as a PhD student. His main interests are Automated and formal security verification of protocols, firewalls, APIs, and systems.