PRISM-as-a-Service: Not subject to American Law (Lynn Root)

X-as-a-Service products are integral to the U.S. tech industry: they take the pain out of server configuration, maintenance, provisioning, data storage and the other chores of running a server. With the recent exposure of PRISM, a clandestine national security electronic surveillance program, the next desirable IT feature is "not subject to American law." How can we leverage cloud-based software while maintaining privacy?

This talk is a look at what exactly PRISM is, how PRISM affects cloud services, and how best to approach securing data and preserving privacy within the cloud.

PyCon Canada

August 10, 2013

Transcript

  1. None
  2. PRISM-as-a-Service Not Subject to American Law • Lynn Root | @roguelynn | roguelynn.com

  3. rogue.ly/prism • Write-up and references

  4. Who am I? • Software Engineer at Red Hat • PyLadies of San Francisco • PSF Board Member

  5. Why am I here? • What is PRISM? • Unanswered Questions • How does it affect cloud services? • What can we do now?

  6. Disclaimer • I am not a lawyer! • I have no three-letter-agency or PRISM-cooperative-company insight • Thoughts & opinions are my own

  7. PRISM Overview

  8. Planning tool for Resource Integration, Synchronization, and Management

  9. What is it? • Electronic data mining tool • Purpose is mass surveillance • Collects intelligence that passes through US servers • Supposedly only metadata

  10. Who does it affect? • Targets foreigners’ communication • Cannot specifically or intentionally target US citizens

  11. Who’s involved? • 98% of PRISM data comes from Google, Microsoft, and Yahoo • Other companies: Apple, AOL, Facebook, PalTalk, Skype, & YouTube

  12–17. How does it work? (flow diagram built up over six slides, with boxes labelled FBI, Company, and NSA; the slides carry no further text)

  18. Mass Surveillance Timeline

  19. Five Eyes Group (timeline axis: 1946, 1952, 1973, 1978, 2000, 2001) • USA, UK, Australia, Canada & New Zealand • Purpose: to share intelligence, concentrating on signals intelligence

  20. CSEC formed • Responsible for foreign signals intelligence • Canada’s national cryptologic agency

  21. NSA Established • Purpose: collecting, processing, and disseminating intelligence information from foreign electronic signals for national foreign intelligence and counterintelligence purposes and to support military operations.

  22. Warrants needed • Supreme Court rules that warrants are now required for domestic intelligence surveillance.

  23. FISA signed into law • Foreign Intelligence Surveillance Act, to protect against widespread abuse of wiretaps.

  24. “live on the network” • NSA transitions into the 21st century by expressing a desire to “live on the network” to perform its offensive and defensive missions.

  25. 9/11 WTC Attacks • Culture against spying begins to shift at the NSA.

  26. NSA resurfaces spying plan from 1999 (timeline axis: Fall ’01, Winter ’01/02, Summer ’02, Winter ’02) • Originally deemed illegal in 1999 under FISA, the NSA resurfaces its plan to perform contact chaining on the metadata it collected.

  27. Telecoms + domestic spying • US administration gains access to the large telecom switches carrying the bulk of the US’s phone calls. There seems to be no obstacle to prevent the NSA from eavesdropping.

  28. Total Information Awareness • Program to record and analyze all digital information generated by all US citizens. Defunded, but continued to run under different names.

  29. Room 641A • AT&T employees discover NSA officials on an undisclosed mission; they also discover secret rooms being built within AT&T offices.

  30. Telecoms enter formal agreement to give data • Major telecommunication companies enter into a voluntary formal agreement to give the NSA metadata of calling information.

  31. NYT reveals companies gave backdoor access (timeline axis: 2005, 2007, 2008, 2011, 2012) • NSA gained the cooperation of US telecoms to obtain backdoor access to streams of domestic and international communication.

  32. Canada follows • Canadian defense minister Bill Graham signs a decree to collect communications metadata on Canadian citizens; renewed in 2011.

  33. Protect America Act • President Bush signs a bill giving the NSA the right to collect communications without a warrant and without court oversight.

  34. PRISM data collection • September 2007: PRISM data collection began with Microsoft, the first of the PRISM-cooperative companies.

  35. FISA Amendments • July 9th: Congress passes amendments to FISA that give legal immunity to the telecoms that cooperated with the NSA’s wiretapping.

  36. UK’s turn • Estimated launch of GCHQ’s Tempora program, a clandestine electronic surveillance program first trialled in 2008.

  37. NSA Datacenter • The NSA starts building its biggest spy center, in Utah, for the purpose of intercepting, deciphering, analyzing, and storing vast swaths of the world’s communications.

  38. Wiretap-ready sites • FBI pushing for wiretap-friendly websites.

  39. PRISM revealed (2013) • June 6th: the Washington Post reveals the PRISM program, 6 years after data collection started.

  40. Unanswered Questions

  41. • How is “foreignness” determined? • What if foreigners and US citizens communicate? • What do words like “backdoor”, “direct”, and “intentional” mean? • How is the PRISM-collected data handled? • What analysis is being done on collected data?

  42. What about... • US citizens abroad? • US citizens using services abroad? • Are US permanent residents considered foreigners? • Foreign persons/companies using services from US-based companies incorporated abroad?

  43. Effects on the Cloud

  44. Recognized effects • 56% less likely to use US-based services • 10% cancelled US contracts • Germany forbids future data transfers to non-EU clouds • US economy stands to lose $22–35 billion

  45. Recognized effects • Silent Mail’s voluntary shutdown • Lavabit suspends operations

  46–48. Which is it? • Is security compromised? • Or lack of government oversight? • Does it matter? (slide 47 carries no text)

  49. What can we do?

  50. What can we do? • As professionals • As nerds ourselves

  51. As professionals • Limit foreign gov’t exposure • The enemy you know is better than the one you don’t

  52. As professionals • Use services that are within your company’s jurisdiction • DIY clouds

  53. As nerds ourselves • Location Tracking • Behavior Profiles • Encryption

  54. Location Tracking • Cell Phone • Internet/Computer

  55. Behavior Profiles • Can we accomplish complete anonymity? • What about protecting our privacy?

  56. Encryption • SSL attacks • Certificate Authorities • Perfect Forward Secrecy

  57. Outlook

  58. Outlook • How much can we still trust SSL? • Do we need to reevaluate the CA system? • Reboot our encryption protocols and habits entirely?
  59. None
  60. Then they came for me

  61. fin rogue.ly/prism Lynn Root | @roguelynn | roguelynn.com
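Slide 56 names Perfect Forward Secrecy as one of the encryption answers to the kind of record-everything collection the timeline describes (Room 641A, Tempora), and slide 58 asks how much SSL can still be trusted. The example below is added here and is not from the talk or its write-up; it is a constructed toy in standard-library Python (no network, no TLS) that shows concretely what PFS buys against a passive recorder who obtains the long-term key later. Assumptions, all mine: the client and server share a long-term secret as a stand-in for the server's private key (pre-shared-key style authentication, chosen so the file is self-contained; real TLS authenticates the ephemeral share with a certificate and signature), the KDF is a toy, the Diffie-Hellman group is RFC 3526 group 14, and the function and variable names are hypothetical. It runs one "static" handshake whose session key derives from the long-term secret, one ephemeral Diffie-Hellman handshake, records everything that crossed the wire, then leaks the long-term secret and reports which past session keys the recorder can rebuild.

```python
"""Added example: Perfect Forward Secrecy versus a passive bulk collector.
Constructed toy, not TLS and not code from the talk; do not reuse as a protocol.
Client and server share a long-term secret (stand-in for the server's private
key). A recorder keeps every handshake; later the long-term secret leaks."""
import hashlib
import hmac
import secrets

# RFC 3526 2048-bit MODP group 14 (public prime P, generator G).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
SHARE_LEN = 256  # bytes needed to encode one group element


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin, used to sanity-check the group prime above."""
    if n < 4 or any(n % s == 0 and n != s for s in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def kdf(*parts: bytes) -> bytes:
    """Toy KDF: SHA-256 over length-prefixed inputs (hypothetical, not HKDF)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def static_handshake(long_term: bytes, wire: list) -> bytes:
    """No PFS: session key = KDF(long-term secret, two nonces); the nonces go on the wire."""
    client_nonce, server_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    wire.append(("static", client_nonce, server_nonce))
    return kdf(b"static", long_term, client_nonce, server_nonce)


def ephemeral_handshake(long_term: bytes, wire: list) -> tuple:
    """PFS: fresh DH exponents per session, dropped on return. The server
    authenticates its share with an HMAC under the long-term secret."""
    a = secrets.randbelow(P - 3) + 2  # client exponent, never transmitted
    b = secrets.randbelow(P - 3) + 2  # server exponent, never transmitted
    A, B = pow(G, a, P), pow(G, b, P)
    transcript = A.to_bytes(SHARE_LEN, "big") + B.to_bytes(SHARE_LEN, "big")
    tag = hmac.new(long_term, transcript, hashlib.sha256).digest()
    wire.append(("ephemeral", A, B, tag))  # all of this is public
    # Client side: reject the server's share unless the tag verifies.
    if not hmac.compare_digest(tag, hmac.new(long_term, transcript, hashlib.sha256).digest()):
        raise ValueError("server DH share failed authentication")
    client_key = kdf(b"ephemeral", pow(B, a, P).to_bytes(SHARE_LEN, "big"), transcript)
    server_key = kdf(b"ephemeral", pow(A, b, P).to_bytes(SHARE_LEN, "big"), transcript)
    return client_key, server_key


def recorder_recovers(wire: list, leaked_long_term: bytes) -> list:
    """Per recorded handshake: the session key a passive recorder can rebuild
    after the long-term secret leaks, or None where PFS blocks it."""
    recovered = []
    for entry in wire:
        if entry[0] == "static":
            recovered.append(kdf(b"static", leaked_long_term, entry[1], entry[2]))
        else:  # A, B, tag are public; g^(ab) needs a or b (otherwise a 2048-bit DLP)
            recovered.append(None)
    return recovered


def demo() -> dict:
    """One handshake of each kind, then the leak, then what the tap gets."""
    long_term = secrets.token_bytes(32)
    wire = []  # everything a Room 641A style splitter would have captured
    static_key = static_handshake(long_term, wire)
    eph_client, eph_server = ephemeral_handshake(long_term, wire)
    recovered = recorder_recovers(wire, long_term)  # the leak happens afterwards
    return {"ephemeral_sides_agree": eph_client == eph_server,
            "static_key_recovered": recovered[0] == static_key,
            "ephemeral_key_recovered": recovered[1] == eph_client}
```

Calling `demo()` returns `ephemeral_sides_agree` True, `static_key_recovered` True and `ephemeral_key_recovered` False: the recorder captured the identical bytes in both cases and later held the long-term secret in both cases, yet only the static session falls, because the ephemeral exponents existed solely in process memory during the handshake. In TLS terms this is the gap between RSA key transport and the (EC)DHE cipher suites; the practical check on a live server is to look at the cipher `openssl s_client -connect host:443` reports and confirm it starts with ECDHE or DHE.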