The NSA’s Tall Order
The Protect America Act (PAA) was passed in August of 2007. In effect, this ill-considered law re-purposes an existing NSA data collection and surveillance framework to observe domestic conversations. In a succinct article (“Risking Communications Security: Potential Hazards of the Protect America Act”) in the next issue of IEEE Security & Privacy magazine, Steve Bellovin, Matt Blaze, Whitfield Diffie, Susan Landau, Peter G. Neumann, and Jennifer Rexford write about the security aspects (as opposed to the civil liberties concerns) involved in permitting the NSA to spy on US persons. A preprint is available on Steve’s website and from Matt Blaze’s blog entry. The authors are pretty adamant about making sure such a powerful capability is just as powerfully justified and protected: “If security cannot be assured, then any surveillance performed using that system will be inherently fraught with risks that are fundamentally unacceptable.” Note that “fundamentally unacceptable” is pretty direct language (for example, they did not say the system was “unreasonable”, “ill-advised”, or merely “risky”); this type of phrase is as close to harsh criticism that an academic might come in a professional publication.
The ball on this topic got rolling when Susan wrote an op-ed piece for the Washington Post in August 2008 on why it was a bad idea to re-purpose a system built to spy on external entities to begin spying on domestic entities.
The bottom line: the unintended consequence is that such a system is now a really juicy target for foreign entities to spy on domestic entities. It is also ripe for abuse by insiders. The underlying problem is that domestic data will be captured; it is simply too hard to filter out domestic data given the limits of current networking technology. The IEEE S&P article also has a pointer to a very well-written article about the Greek cell phone system compromise; these threats are not theoretical. Asking the NSA to do something that it has no experience (presumably) doing is a bad technical policy, especially since the technology cannot simultaneously meet the demands of the new law and the expectation of privacy derived from, among other things, the 4th Amendment. I suspect that many in the NSA rank & file might agree; this seems to be a situation where everything looks like a nail when all you have is a hammer.
