5 Things PRISM Teaches CIOs About Doing Business in Today's World
Revelations that the United States government is monitoring Internet data from tech giants such as Facebook, Google and Microsoft should make your company reconsider where and how it stores data, all while realizing that, at the end of the day, surveillance practices (usually) stay a secret for a reason.
Tue, August 06, 2013
CIO — It's been about two months since the sweeping allegations of United States government surveillance, mainly through the National Security Agency, hit the airwaves. It seems like we get a new taste of how deeply the NSA works with various companies to enable that monitoring every couple of weeks, too.
We may never know the full extent of this program, and some details are still in dispute, but it has been long enough for the general public to start forming conclusions about the program. Considering what we now know—or at least what we think we know—here are five considerations for CIOs and technical staff at all companies in the wake of the PRISM monitoring scandal.
1. Everything—Yes, Everything—Leaves a Trail.
Essentially, every service you touch generates metadata: information about you and the transaction (who communicated with whom, when, from where, for how long, using which software) as distinct from the content itself. That metadata is stored and can be accessed at a later date. Understanding this is a crucial step to fully appreciating the implications of a surveillance program like PRISM.
Internally, reviewing your data retention policies, and shortening retention where the business does not need the data, should move up your priority list. Externally, asking your vendors what metadata your use of their services generates, where it is stored, who can access it and when it is deleted takes on added importance.
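To make "everything leaves a trail" concrete, the Go program below is an added example (not code from the article) that parses a constructed e-mail and reports what its headers alone reveal: the parties, the relay path with the source address and timestamp of each hop, how long delivery took, the host name the sender's mail client put in the Message-ID, and the client software. Every address, host name and IP in the sample is invented for the example; the body is never read, because every relay and mailbox provider along the way keeps exactly this kind of record whether or not it ever looks at the content.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
	"time"
)

// sampleMessage is a constructed e-mail: every address, host and IP below is
// invented for this example. Only the headers matter; the body is a placeholder.
const sampleMessage = `Received: from mx2.example-provider.test (mx2.example-provider.test [198.51.100.7])
	by inbound.example-corp.test with ESMTPS id abc123
	for <cfo@example-corp.test>; Tue, 06 Aug 2013 14:03:17 -0400
Received: from [203.0.113.42] (unknown [203.0.113.42])
	by mx2.example-provider.test with ESMTPSA id def456;
	Tue, 06 Aug 2013 18:03:09 +0000
From: Alice Vendor <alice@example-provider.test>
To: cfo@example-corp.test
Cc: legal@example-corp.test
Subject: Q3 pricing
Date: Tue, 06 Aug 2013 18:03:05 +0000
Message-ID: <20130806180305.1234@laptop.alice.home>
User-Agent: Mozilla/5.0 (X11; Linux x86_64) Thunderbird/17.0.7

(body deliberately ignored)
`

// hop is one relay in the delivery path: the address it received from and when.
type hop struct {
	IP   string
	When time.Time
}

// trail is what the headers reveal without any access to the message body.
type trail struct {
	Participants []string      // every address in From, To and Cc
	Hops         []hop         // relay path, oldest hop first
	Duration     time.Duration // time between the first and last relay stamps
	OriginHost   string        // host name the sending client put in Message-ID
	Client       string        // mail software fingerprint
}

var ipRe = regexp.MustCompile(`\[(\d{1,3}(?:\.\d{1,3}){3})\]`)
var msgIDHostRe = regexp.MustCompile(`@([^>\s]+)>?\s*$`)

// parseHop pulls the first bracketed IPv4 address and the trailing RFC 5322
// date out of one (already unfolded) Received header.
func parseHop(received string) (hop, bool) {
	m := ipRe.FindStringSubmatch(received)
	semi := strings.LastIndex(received, ";")
	if m == nil || semi < 0 {
		return hop{}, false
	}
	when, err := mail.ParseDate(strings.TrimSpace(received[semi+1:]))
	if err != nil {
		return hop{}, false
	}
	return hop{IP: m[1], When: when}, true
}

// extractTrail parses the message and summarises its metadata.
func extractTrail(raw string) (trail, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return trail{}, err
	}
	var t trail
	for _, h := range []string{"From", "To", "Cc"} {
		addrs, err := msg.Header.AddressList(h)
		if err != nil {
			continue // header absent or unparsable; not fatal
		}
		for _, a := range addrs {
			t.Participants = append(t.Participants, a.Address)
		}
	}
	// Each relay prepends its own Received header, so the last one is the oldest.
	recv := msg.Header["Received"]
	for i := len(recv) - 1; i >= 0; i-- {
		if h, ok := parseHop(recv[i]); ok {
			t.Hops = append(t.Hops, h)
		}
	}
	if n := len(t.Hops); n >= 2 {
		t.Duration = t.Hops[n-1].When.Sub(t.Hops[0].When)
	}
	if m := msgIDHostRe.FindStringSubmatch(msg.Header.Get("Message-ID")); m != nil {
		t.OriginHost = m[1]
	}
	t.Client = msg.Header.Get("User-Agent")
	if t.Client == "" {
		t.Client = msg.Header.Get("X-Mailer")
	}
	return t, nil
}

func main() {
	t, err := extractTrail(sampleMessage)
	if err != nil {
		panic(err)
	}
	fmt.Println("participants:", strings.Join(t.Participants, ", "))
	for _, h := range t.Hops {
		fmt.Printf("hop from %-15s at %s\n", h.IP, h.When.UTC().Format(time.RFC3339))
	}
	fmt.Println("transit:", t.Duration, " origin host:", t.OriginHost, " client:", t.Client)
}
```

The oldest hop's address is the sender's own connection, which is usually enough to place a person geographically; the Message-ID host name and User-Agent identify the machine and software. None of this requires the body, and all of it sits in your provider's logs and your counterparties' mailboxes for as long as their retention policy says.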
2. Assume That Most PRISM Press Is Wrong.
Or, to be charitable, assume that it is at least moderately inaccurate from a technical perspective. As is always the case when a technical operation is made understandable and digestible for an average reader who is not an Internet communications professional, a significant portion of the media coverage of the PRISM monitoring contains inaccuracies.
For example, there's still much debate about what initial reports from The Guardian on NSA "direct access" to servers at Microsoft, Google and so on actually means in practice. The Guardian later reported that Microsoft had provided methods of decrypting communications stored in the company's Outlook.com and Hotmail e-mail services—specifically, that "Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept Web chats on the new Outlook.com portal."
It's unclear whether this means that Microsoft helped the NSA defeat the SSL/TLS encryption that protects chats in transit, or that Microsoft stores chat records encrypted at rest and gave the NSA the keys (or decrypted the records itself), or something else entirely. For a CIO the distinction is secondary: transport encryption ends at the provider's servers, so the provider sees plaintext regardless, and encryption at rest protects data only from parties who do not hold the key. Whoever holds the key can produce the plaintext, to you, to a court or to an intelligence agency.
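The Go program below is an added example, not code from the article or from any provider, that makes the key-custody point above testable. It models a hosted chat service whose TLS session ends at the service, so the service receives exactly what the user transmitted, encrypts the record at rest under its own key, and can strip that layer when asked to produce the record. It runs the same message twice: once as the service normally handles it, and once after the user has encrypted the line under a key the service never sees. The message and key handling are constructed for the example; AES-256-GCM from the Go standard library stands in for whatever a real provider uses.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newKey returns a fresh random 256-bit AES key; a failing CSPRNG is fatal here.
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptRecord seals plaintext with AES-256-GCM and prefixes the random nonce.
func encryptRecord(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptRecord reverses encryptRecord; a wrong key fails authentication.
func decryptRecord(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// outcome records who can read the message once the provider has produced it.
type outcome struct {
	RequesterReads bool // a party holding only what the provider could hand over
	RecipientReads bool // the user, who also holds any client-side key
}

// runScenario models a hosted chat/mail service (constructed for this example).
// The user's TLS session ends at the service, so the service receives exactly
// what the user transmitted, stores it encrypted under its own storageKey, and
// can strip that layer when asked to produce the record. With endToEnd=false
// the body is the plaintext; with endToEnd=true the user first encrypts it
// under a key the service never sees.
func runScenario(endToEnd bool, msg []byte) (outcome, error) {
	storageKey, clientKey := newKey(), newKey()

	body := msg // what arrives at the service after TLS decryption
	if endToEnd {
		var err error
		if body, err = encryptRecord(clientKey, msg); err != nil {
			return outcome{}, err
		}
	}
	stored, err := encryptRecord(storageKey, body) // encryption at rest
	if err != nil {
		return outcome{}, err
	}
	produced, err := decryptRecord(storageKey, stored) // service answers a request
	if err != nil {
		return outcome{}, err
	}

	o := outcome{RequesterReads: bytes.Equal(produced, msg)}
	if !endToEnd {
		o.RecipientReads = o.RequesterReads
		return o, nil
	}
	pt, err := decryptRecord(clientKey, produced) // only the user holds clientKey
	o.RecipientReads = err == nil && bytes.Equal(pt, msg)
	return o, nil
}

func main() {
	for _, e2e := range []bool{false, true} {
		o, err := runScenario(e2e, []byte("constructed sample chat line"))
		if err != nil {
			panic(err)
		}
		fmt.Printf("client-held key=%-5v  produced plaintext=%-5v  recipient reads=%v\n",
			e2e, o.RequesterReads, o.RecipientReads)
	}
}
```

In the first run the provider's own at-rest encryption is irrelevant to a records request, because the provider holds the key and simply removes it. In the second run the provider can still produce the record, but what it produces is ciphertext it cannot open; only the user can. Which of these describes your vendor is the question to put to them, regardless of which reading of the press reports turns out to be right.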