Security expert on gov't hacking tech giants: "Same chance as winning the power ball"
In the wake of news that the U.S. government is mining data from nine Internet companies, some questions are left unanswered -- chief among them: Are tech companies providing direct access to its servers or is the National Security Agency (NSA) the world's greatest hacker?
The Washington Post reported on Thursday that the NSA and FBI have a direct line to the central servers of Microsoft, Yahoo, Google, Facebook, Paltalk, AOL, Skype, YouTube and Apple.
According to the Post, the program, called PRISM, was established in 2007 and collects data, like email, voice or video chat, photos, voice over Internet Protocol (VoIP) and file transfers from its partners. Everything from a Facebook status update to a late-night chat on AIM is alleged to be collected and stored by the NSA.
All of the companies involved have issued statements denying participation in any government program and saying they only give over information when required by law. But doubts have been raised about what the companies have said, as so many could not have breaches of the size described without knowing it.
"I don't see the government hacking into the nine largest tech companies," Chester Wisniewski, senior security advisor at security firm Sophos, told CBSNews.com, "I would put it at the same chance as winning the Powerball."
Earlier this week, British newspaper The Guardian reported that Verizon was ordered to hand over its customer' phone records to the NSA. The newspaper published an alleged leaked Foreign Intelligence Surveillance Act (FISA) court order, showing that Verizon is barred from acknowledging the court order exists or disclosing to the public the existence of the FBI's request.
Apple, Facebook, Microsoft, Google, AOL and Paltalk say in their statements that the government does not have direct access to their servers, but they note that they would hand over information in accordance with the law. Wisniewski says there is a chance these companies could be in the same situation as Verizon.
"Even if Google had complied, they might be barred from saying," Wisniewski says.
Google has posted data of how many subpoenas and search warrants the company has received from 2009-2012 in its transparency report, but, as the Electronic Frontier Foundation points out, there is no data on FISA court orders.
The Post suggests a possible explanation for the discrepancy between what's come to light and the companies' official statements as "imprecision" on part of an NSA author whose work has been part of the published reports. In one of the documents obtained by the newspaper, the arrangement is described as a collection manager having access to equipment installed at a company-controlled location, not having direct access to servers.
- NSA secretly mining user data from U.S. Internet giants
- Obama: "Nobody is listening to your telephone calls"
- Tech companies issue statements of denial in NSA data mining
Wisniewski believes we should take these reports with a grain of salt. And he points out that it's not just the government that can gather data from computers. It's widely known that hackers can gain access to a computer on an open Wi-Fi connection.
"If I was sitting at a Starbucks with a computer, much of what the NSA is getting, I could get because people don't take security seriously," Wisniewski says. When it comes to the balance of national security and personal privacy, he says: "Maybe this is a good opportunity for us as a nation, society and culture to talk about this."
