AFP Photo / Paul
J. Richards
The National
Security Agency has been hit with several lawsuits since leaks began to expose
its spy programs last year. Now the latest legal challenge, filed this week,
finds fault with the NSA for its unwillingness to explain its use of certain
exploits.
On Tuesday, the
Electronic Frontier Foundation filed a
complaint for injunctive relief against the NSA because
the agency has failed to answer Freedom of Information Act requests filed by
the digital advocacy group concerning the United States intelligence
community’s use of so-called “zero day exploits,” or computer vulnerabilities
that are unknown to its respective developers and therefore un-patched and easy
to exploit.
Any person with
intimate knowledge of zero days, or 0-days, may choose to use that information
to their advantage and exploit any which vulnerability that is otherwise
unknown. Previously, RT has reported that the NSA has indeed entered into an
agreement with a French 0-day vendor, and the Obama
administration has not hid the fact that the US government sees advantages in
using these types of exploits.
When US President
Barack Obama ordered a review of the NSA’s policies in the wake of last year’s
unauthorized disclosures, an administration-appointed panel wrote that “US
policy should generally move to ensure that Zero Days are quickly blocked, so
that the underlying vulnerabilities are patched on US Government and other
networks.”
“In rare
instances,” the group continued, “US policy may
briefly authorize using a Zero Day for high priority intelligence collection,
following senior, inter-agency review involving all appropriate departments.”
When reports
surfaced a few months later suggesting that US spies were long aware of the
Heartbleed vulnerability that impacted the OpenSSL cryptographic library, the
Office of the Director of National Intelligence responded in the negative and
claimed that it had “reviewed its policies in this area and
reinvigorated an interagency process for deciding when to share
vulnerabilities” in the wake of the review group’s findings. That
process, the ODNI added, was officially named the “Vulnerabilities Equities
Process,” and was established following “a disciplined, rigorous and
high-level decision-making process for vulnerability disclosure.”
Hoping to learn
more, the EFF responded right away by filing a FOIA request seeking electronic
records concerning “the development or implementation of the ‘Vulnerabilities
Equity Process’ and . . . the ‘principles’ that guide the agency
‘decision-making process for vulnerability disclosure.’”
The EFF’s request,
dated May 6, has yet to garner a response from the NSA. Now in an attempt to
force the agency to produce the requested documents, the EFF filed a complaint
this week in the US District Court for the Northern District of California
asking the Justice Department to intervene.
"This FOIA
suit seeks transparency on one of the least understood elements of the US
intelligence community's toolset: security vulnerabilities," EFF legal
fellow Andrew Crocker said in a statement released by the group this week. "These
documents are important to the kind of informed debate that the public and the
administration agree needs to happen in our country."
"Since these
vulnerabilities potentially affect the security of users all over the world,
the public has a strong interest in knowing how these agencies are weighing the
risks and benefits of using zero days instead of disclosing them to
vendors," added Eva Galperin, a global policy analyst for
the EFF.
Previously, the
EFF filed suit against the NSA regarding the agency’s spy operations, both
before and after Edward Snowden, a former intelligence contractor, began
leaking secret documents to the media last year.
No comments:
Post a Comment