Internet experts around the world have begun to unravel the truth about how the US National Security Agency’s Prism and associated eavesdropping systems work, says Daniel Ayers, director of Auckland IT security company Special Tactics. Their research indicates Google, Facebook and others are genuine in saying they had no knowledge of Prism - but that the NSA is tapping their servers regardless.
One such expert, Mr Steve Gibson, has published a detailed explanation of the workings of Prism in his respected security podcast (Security Now!, Episode 408).
Mr Gibson refers to a telecommunications interception facility that was discovered at the AT&T office at Room 614A, 611 Folsom St, San Francisco in 2006. The facility worked by tapping into fibre optic cables that carried internet traffic as light signals. Some of the light was split off using a prism so that it could be intercepted.
“This interception was the focus of a class action brought by the Electronic Frontier Foundation against AT&T – the case was eventually shut down by the US government taking the rare step of passing retrospective legislation to grant immunity.” Mr Ayers says.
Mr Gibson argues that the Prism programme involves using this same technology to tap into all telecommunications links connecting the targeted companies (Google, Facebook, etc) to the Internet. “This could be done without the companies’ knowledge, meaning their recent denials are genuine,” says Mr Ayers.
“It would give access to all Internet traffic into and out of the companies – all unencrypted email messages, chat messages, photos, Internet searches would be available and it appears they are all being stored for future search and review”.
“This means that if you have a Gmail, Yahoo or Outlook.com email account, all your inbound and outbound emails are being stored by the US Government,” Mr Ayers says. “If you use iMessage to send text messages between iPhones they are also being stored by the US Government – and the encryption status of those is unclear.”
“I consider this to be the scariest and most significant development affecting the Internet in the 24 years since I began using it,” says Mr Ayers.
“Prism is what we security consultants call a ‘man in the middle’ attack. In the past we would advise clients on how to defend against a theoretical attack. Now we have a real long term man in the middle attack affecting the world’s largest Internet companies”.
“New Zealand organisations now have to consider their obligations under the Privacy Act 1993 or contractual responsibilities (such as confidentiality agreements) when they communicate with people using the affected Internet companies. That is because we now know for sure that the traffic is being intercepted and that a third party (the US Government) might read it. That may make it illegal for people to communicate with users of those internet services” says Mr Ayers.
“Because of the potential damage to the reputation and business of the largest internet companies in the world I would be very surprised if this did not lead to a lengthy court battle between those companies and the US government” Mr Ayers says.
Facebook, Google, Microsoft, Apple, Yahoo and others revealed on a leaked NSA Prism PowerPoint have categorically denied cooperating with the mass electronic surveillance initiative, but all say they will share specific information when a court order requires it.
NBR staff
Fri, 14 Jun 2013