The Public Eye with Eric Chabrow

NSA's Prism: Balancing Security, Privacy

Program Reflects the New Reality

The U.S. federal government has the ability to store in its vast database the fact that you're now reading this blog. That could - perhaps should - be disturbing. But the reality is that tracking what we do electronically has been happening for years - and it's not just the government doing the tracking.


Lots of attention is being given to the collection of metadata - data about data - with the revelation this past week of a previously unknown and highly classified National Security Agency program known as Prism. Prism allows the government to tap into the central servers of nine leading U.S. Internet companies and collect the metadata - not the content itself - of audio and video chats, photographs, e-mails, documents and connection logs, according to top-secret documents obtained by the Washington Post. That enables analysts to track foreign targets.


Over the weekend, the Guardian, the British newspaper that first broke the story, and the Post revealed that they received the classified information about NSA programs from Edward Snowden, a 29-year-old former technical assistant for the CIA and current employee of the business and IT security adviser Booz Allen Hamilton. Snowden has been working at the NSA for the last four years as an employee of various outside contractors, including Booz Allen and Dell, according to the two newspapers.

Although Prism is aimed at rooting out foreign terrorists, the information culled by the NSA includes data on Americans. But the data mining tools used to identify suspects are designed to target foreigners only. This blog isn't going to address whether it's ethical for the government to amass so much data on individuals, but if you want, you can weigh in on this topic in the comments box below.

Prism doesn't allow the government to access content, whether phone conversations or e-mail messages; that would require a search warrant. But the metadata collected can tell much about individuals and their movements. Metadata can reveal with whom suspected terrorists are communicating and where they are physically located. NSA analysts might not see who's pictured in a photograph taken by a terror suspect, but they could tell where and when the photo was taken by the timestamp and GPS data encoded with the image.

Clues Hidden in Metadata

It's a matter of connecting the dots. "By sifting through this so-called metadata, they may identify potential leads with respect to folks who might engage in terrorism," President Obama said.

Rob Lee, a digital forensics expert who teaches at the SANS Institute, wasn't surprised to learn of the government's Prism effort. He says he's more concerned about the mass of information private companies, such as Google and Amazon, collect, access, analyze and utilize on individuals than he is with a government program such as Prism.

"When I talk to people about this, I routinely ask, 'What's the difference between Amazon and the U.S. government in this regard?' They're both watching what you're doing, what you're buying, how you're spending your money. They're gathering the way you're using Facebook, and the way you Skype. They're not targeting you, they're not watching your content - they're just monitoring your habits. Why is it more eerie when it's the government instead of Amazon? Everyone says they don't like Amazon doing it, but then they're completely comfortable with it when you go out to the website, and [say] 'Wow, there's every item I wanted to purchase right there on the webpage. How do they know?' Computer programs allow you to do that these days."

Technology Outpaces the Law

Civil libertarians and privacy advocates are justified in their concern about the federal government amassing so much data on citizens. Perhaps legislation should be enacted to place limits on such activities. But we live in an age when technology advances more rapidly than our laws. Regardless of the steps we take to restrict the government from collecting information on individuals, more information about us will get out in the open, much of it coming from ourselves.

Obama summed up the situation our society faces in this über-information age when he defended the government program that secretly surveils individuals' phone records and Internet activities: "You can't have 100 percent security and also then have 100 percent privacy and zero inconvenience. We're going to have to make some choices as a society. ... On balance, we have established a process and a procedure that the American people should feel comfortable about."

It's not quite Orwellian, but it's an environment we might have to learn to live with.

* * *

How comfortable do you feel about this über-information age? Let us know below.



About the Author

Eric Chabrow


Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.



