Intelligence Surveillance & Privacy

Band-Aids Can’t Fix Bullet Holes: Silicon Valley and the NSA

Nicholas Weaver
Wednesday, September 30, 2015, 3:55 PM

There is a lot of bad blood between Silicon Valley companies and the intelligence community. It should not be surprising with what the NSA did to understand why Silicon Valley is pushing back so strongly, with encryption, with lawyers, and with any other tool at their disposal.

Published by The Lawfare Institute
in Cooperation With

There is a lot of bad blood between Silicon Valley companies and the intelligence community. It should not be surprising with what the NSA did to understand why Silicon Valley is pushing back so strongly, with encryption, with lawyers, and with any other tool at their disposal.

The NSA committed at least three major acts: the battle over FISA orders against Yahoo, sabotaging US products in transit, and the bulk surveillance of Yahoo and Google’s internal networks, that all represent not just attacks on Silicon Valley companies, but attacks on the very business models these companies operate on. For Silicon Valley, beyond anything else, needs a reputation for trust, a reputation directly attacked by the NSA.

Beginning in 2007, Yahoo challenged surveillance orders in the FISA court over a fairly narrow question: could a government declaration that “this surveillance is for foreign intelligence purposes against a not-in-country US person”, without any court order, suffice to compel Yahoo to produce the desired data. Even the fact that Yahoo challenged this order remained secret until after the Snowden disclosures, and it was a year further before even redacted versions of the orders and arguments became publicly available.

It is practically an article of faith in some circles that secret law, especially opinions of constitutional law marked TOP SECRET//COMINT//ORCON,NOFORN//X1, is not law. If you can not discuss the case you make nor the case against you, and if you can not even see all the arguments made by the government, this is not law. What would we call this if it was any other country?

Yet even if Yahoo won, it would be academic. It would not provide any protection to non-US persons, and for US targets the government would just get a seemingly inevitable FISC court approval. Quietly, Microsoft admitted that data stored in Europe is not protected from US Government action. We also know that data compelled from US companies is not just about fighting terrorists, but is specifically used by the NSA to target trade issues in Japan, oil in Venezuela, and energy in Mexico.

But at least the FISA system has a patina of law and the companies are aware of the NSA’s actions. NSA’s interdiction program offers no such protection. The NSA will intercept routers or media in transit, open the boxes, and sabotage the device. The photo of unknown NSA personnel opening the underside of a Cisco box to install an implant probably did more for Huawei sales than anything else in the past three years.

Large US government research programs have focused on preventing and countering lifecycle attacks, how to protect against such sabotage in the supply chain. Some in Congress have insinuated that Huawei and ZTE can’t be trusted due to their strong ties to the Chinese government enabling Chinese sabotage. And during this time, the NSA was directly attacking Cisco in the same way.

But this is not the worst the NSA did to Silicon Valley. Interdicting routers only targets individual (and in the one known case, a particularly deserving) Cisco customers while the FISA process also limits the number of targets. The companies would refuse a request for “everybody’s contact list”. Since the NSA really does want everybody’s contact list, they simply stole this information from Yahoo and Google.

Google, Yahoo, and other big cloud services have large data centers full of computers all around the planet, with private network connections between them. Through these private connections, the computers backup information into other data centers and migrate data around. The NSA tapped these links, in bulk, complete with an associated PowerPoint diagram of “SSL added and removed here J”.

Silicon Valley lives in fear that the rest of the world realizes the truth: many of Silicon Valley’s products and services are unusable for almost anyone who is even remotely interesting to the NSA, be it government, trade, telecommunications, or industry. Namely, anyone who’s economically prosperous enough to be a good customer. The NSA can compel the companies to provide the data they want and, when the companies don’t cooperate, the NSA will attempt to sabotage the products or steal the data anyway. Silicon Valley’s greatest asset is trust, and the NSA attacked that.

The ability to work in a post-Snowden world strongly depends on the company. Apple, which sells commodity devices, resists interdiction and can provide services that protect user privacy since they don’t gain significant revenue from advertising. Cisco and server vendors like HP and Dell, who sell interdictable devices to individual customers, now must go through great lengths to retain business including shipping to fake addresses.

Perhaps the worst off are cloud service providers, both those offering services like Amazon and those, like Google and Yahoo, who survive on advertising. Nobody living outside the 5-eyes countries can trust these providers, because their business model relies on the provider having access. And if the provider has access, the NSA can have access too.

Silicon Valley can’t operate without the trust of their customers, and trust, once lost, is hard to regain. The bad blood will remain for years.

Nicholas Weaver is a senior staff researcher focusing on computer security at the International Computer Science Institute in Berkeley, California, and Chief Mad Scientist/CEO/Janitor of Skerry Technologies, a developer of low cost autonomous drones. All opinions are his own.

Subscribe to Lawfare