PRISM-as-a-Service: Not subject to American Law

Lynn Root
August 10, 2013

Presented at PyCon Canada 2013:

X-as-a-Service products are integral to the U.S. tech industry because they take the pain out of server configuration, maintenance, provisioning, data storage and other aspects of running a server. With the recent outing of PRISM, a clandestine national security electronic surveillance program, the next desirable IT feature is "not subject to American law." How can we leverage cloud-based software while maintaining privacy?

This talk is a look at what exactly PRISM is, how PRISM affects cloud services, and how best to approach securing data and preserving privacy within the cloud.

Transcript

  @roguelynn

  Slide 4. Who am I?
    • Software Engineer at Red Hat
    • PyLadies of San Francisco
    • PSF Board Member

  Slide 5. Why am I here?
    • What is PRISM?
    • Unanswered questions
    • How does it affect cloud services?
    • What can we do now?

  Slide 6. Disclaimer
    • I am not a lawyer!
    • I have no three-letter-agency or PRISM-cooperative-company insight
    • Thoughts & opinions are my own

  Slide 9. What is it?
    • Electronic data mining tool
    • Purpose is mass surveillance
    • Collects intelligence that passes through US servers
    • Supposedly only metadata

  Slide 10. Who does it affect?
    • Targets foreigners’ communication
    • Cannot specifically or intentionally target US citizens

  Slide 11. Who’s involved?
    • 98% of PRISM data comes from Google, Microsoft, and Yahoo
    • Other companies: Apple, AOL, Facebook, PalTalk, Skype, & YouTube

  Slides 19 to 25 share a timeline graphic with the axis labels 1946, 1952, 1973, 1978, 2000, 2001.

  Slide 19. Five Eyes Group
    • USA, UK, Australia, Canada & New Zealand
    • Purpose: to share intelligence, concentrating on signal intelligence

  Slide 20. CSEC formed
    • Responsible for foreign signal intelligence
    • Canada’s national cryptologic agency

  Slide 21. NSA established
    Purpose: collecting, processing, and disseminating intelligence information from foreign electronic signals for national foreign intelligence and counterintelligence purposes and to support military operations.

  Slide 22. Warrants needed
    Supreme Court rules that warrants are now required for domestic intelligence surveillance.

  Slide 23. FISA signed into law
    Foreign Intelligence Surveillance Act, to protect against widespread abuse of wiretaps.

  Slide 24. “live on the network”
    NSA transitions into the 21st century by expressing a desire to “live on the network” to perform its offensive and defensive missions.

  Slide 25. 9/11 WTC attacks
    Culture against spying begins to shift at the NSA.

  Slides 26 to 30 share a timeline graphic with the axis labels Fall ’01, Winter ’01/02, Summer ’02, Winter ’02.

  Slide 26. NSA resurfaces spying plan from 1999
    Originally deemed illegal in 1999 under FISA, the NSA resurfaces its plan to perform contact chaining on metadata it collected.

  Slide 27. Telecoms + domestic spying
    US administration gains access to large telecom switches carrying the bulk of the US’s phone calls. There seems to be no obstacle preventing the NSA from eavesdropping.

  Slide 28. Total Information Awareness
    Program to record and analyze all digital information generated by all US citizens. Defunded, but continued to run under different names.

  Slide 29. Room 641a
    AT&T employees discover NSA officials on an undisclosed mission; they also discover secret rooms being built within AT&T offices.

  Slide 30. Telecoms enter formal agreement to give data
    Major telecommunication companies enter into a voluntary formal agreement to give metadata of calling information to the NSA.

  Slides 31 to 37 share a timeline graphic with the axis labels 2005, 2007, 2008, 2011, 2012.

  Slide 31. NYT reveals companies gave backdoor access
    NSA gained cooperation with US telecoms to obtain backdoor access to streams of domestic and international communication.

  Slide 32. Canada follows
    Canadian defense minister Bill Graham signs a decree to collect communications metadata on its citizens, renewed in 2011.

  Slide 33. Protect America Act
    President Bush signs a bill giving the NSA the right to collect communications without warrant and without court oversight.

  Slide 34. PRISM data collection
    September 2007: PRISM data collection began with Microsoft, the first of the PRISM-cooperative companies.

  Slide 35. FISA Amendments
    July 9th: Congress passes amendments to FISA that give legal immunity to the telecoms that cooperated with the NSA’s wiretapping.

  Slide 36. UK’s turn
    Estimated launch of GCHQ’s Tempora program, a clandestine electronic surveillance program, after first being trialled in 2008.

  Slide 37. NSA datacenter
    The NSA starts building its biggest spy center in Utah for the purpose of intercepting, deciphering, analyzing, and storing vast swaths of the world’s communications.

  Slide 39. PRISM revealed (timeline axis: ?, ?, ?, ?, 2013)
    June 6th: the Washington Post reveals the PRISM program, 6 years after data collection started.

  Slide 41.
    • How is “foreignness” determined?
    • What if foreigners and US citizens communicate?
    • What do words like “backdoor”, “direct”, “intentional” mean?
    • How is the PRISM-collected data handled?
    • What analysis is being done on collected data?

  Slide 42. What about...
    • US citizens abroad?
    • US citizens using services abroad?
    • Are US permanent residents considered foreigners?
    • Foreign persons/companies using services from US-based companies incorporated abroad?

  Slide 44. Recognized effects
    • 56% less likely to use US-based services
    • 10% cancelled US contracts
    • Germany forbids future data transfers to non-EU clouds
    • US economy stands to lose $22-35 billion

  Slide 48. Which is it?
    • Is security compromised?
    • Or lack of government oversight?
    • Does it matter?

  Slide 58. Outlook
    • How much can we still trust SSL?
    • Do we need to reevaluate the CA system?
    • Reboot our encryption protocols and habits entirely?