Wow, what a year 2014 was. Most people write a “year in review” at the end of the year. I decided to beat the rush and write my 2014 privacy and security year in review now. So, what a year. Some pretty interesting developments.
Well, this was the year that Congress finally got around to debating a comprehensive policy on cybersecurity. Again. You know, setting the overall agenda for the United States government, and committing resources and personnel to making sure that the U.S. was the most secure country in the world. In fact, in 2014, Congress and its various committees debated over a dozen different cybersecurity bills, but unfortunately were unable to pass a single one. The President, through Executive Order, implemented some minor changes to staffing and policy, but that’s about it.
More NSA Fallout
In the wake of the NSA revelations by Edward Snowden, three other intelligence analysts with government agencies have added to the revelations. It was revealed, of course, that the government had deliberately weakened all security, and had worked with the cell phone manufacturers to install secret chips within cell phones to allow hardware-based remote access to any phone on the planet.
It was also revealed that the NSA had installed similar hardware-based vulnerabilities, with the cooperation of PC and router manufacturers, on all laptop and desktop computers, routers, hubs, switches, etc.
In addition, the NSA also installed backdoor and Trojan horse programs within the Windows, Mac and Linux operating systems, and had been routinely collecting data on computers worldwide.
It was also revealed that the NSA had been responsible for developing the most sophisticated encryption and obscuring software (such as TOR routers) each of which had low-level vulnerabilities built-in, which were being exploited.
Other NSA revelations included the fact that the NSA had secret agreements with GCHQ in the United Kingdom and other intelligence agencies, as well as with the FBI and domestic law enforcement agencies to collect and share information about U.S. persons within the United States.
Because the NSA was prohibited from “targeting” U.S. persons (particularly in the U.S.) it was revealed that the NSA provided tools, hardware, software, training and facilities to GCHQ, and compulsory process from the US FISA Court to allow GCHQ and US law enforcement to obtain records on U.S. persons, which would not be prohibited under U.S. law.
This information was technically not in the custody of the NSA but was analyzed for the NSA, which had a pipeline directly into the database. The operation, codenamed ENEMY ASSISTANCE or ENEMA, collected both the content and metadata as well as location data on all US persons, and created an indexable and searchable database of these records, stored in a remote facility near the North Pole called the “Fortress of [No] Solitude.”
General Alexander defended the program as being “lawful” and “approved” by the FISA court. He also stated that the program kept Americans safe. It was also revealed that the NSA had installed back door programs into all social networking sites like Facebook, Twitter, etc., and was collecting all photographs posted online into a massive biometric database of facial recognition. Congress promised to hold hearings.
It was also revealed that the NSA was conducting Deep Packet Inspection of all communications, not only internationally but within the U.S., searching for content that met a specified profile. General Alexander noted that the program was narrowly tailored to use specified key words to search only for evidence related to terrorism, espionage, foreign intelligence gathering, and other matters related to national security.
The FBI revealed a similar program examining the contents of files for obscenity, child pornography, or other “contraband.” FBI Director James Comey likened the program to the use of “dog sniffs” at airports, stating that the program only looked for evidence of crimes and noting, “if you aren’t using the Internet to commit a crime, you have nothing to worry about.”
2014 was the year of the breach. At least 60 major retailers and hospitals suffered massive data breaches, which together compromised the account numbers of every man, woman and child on the planet.
In addition, Congressional hearings revealed that the government’s Affordable Care database and health care exchanges were repeatedly breached. The good news was that the black market for such personal information had just about disappeared because the prices had dropped precipitously with supply for personal information far outstripping demand. Retailers promised to do better next year.
Speaking of retail, retailers developed new technologies to aid in the buying process, both online and off.
Piggybacking off Apple’s biometric device, retailers now created a single sign-on system where they captured the entire browsing history and purchasing history (including sizes, styles, etc.) of every shopper. So shoppers entering a brick-and-mortar store had their faces recognized and fingerprints scanned and were assigned “personal shopping profiles” to assist them.
Japanese retailer Daimaru announced plans for a robotic personal shopper which would guide the high-end shopper through the store, pull appropriate styles and sizes from the shelves, and even price the items based upon income and purchasing history. The NSA indicated that it was interested in exploring the technology.
The cyber attack at the Sochi Olympics shut down operations for 3 days, but was attributed to a “software glitch.”
The Supreme Court agreed to hear a number of cases involving privacy and security. In a landmark 5-4 decision written by Justice Scalia, the Court ruled that the government did not need probable cause or a warrant to search a person’s cell phone, computer or other electronic device “incident to a lawful arrest.”
The Court also extended to the electronic arena the “stop and frisk” doctrine, which allowed the police to stop individuals on the street who they thought might be doing something suspicious and pat them down for weapons or contraband. Thus, the Court now permits the police to stop anyone randomly, demand their cell phone, tablet, or other electronic device, and “pat it down” for evidence of criminality or contraband.
Justice Scalia noted that “computers are the weapons of the 21st Century” and that people should not assume that they have a reasonable expectation of privacy in the contents of devices they carry with them outside the home.
The Court, in a 5-4 decision, also extended to cloud providers the so-called “third party” doctrine, which permits the government to gather information from third parties like banks, phone companies and ISPs without a warrant.
Amazon and Google both revealed that they had received subpoenas for entire cloud databases, passwords, and other access to cloud services. Justice Clarence Thomas’ opinion noted that, by sharing the data with others in the cloud, this was “no different than the police observing what one would do in Grand Central Terminal, or on the U.S. Mall. People should not expect data voluntarily shared to be private.”
The public reacted to the murder of a famous actress, whose murder was facilitated by a hack into Apple’s “Find my iPhone” software. It was revealed that hackers had been able to track the movements of every iPhone on the planet.
A similar vulnerability existed on Android, Windows and other smartphone platforms. It was introduced through a subroutine in a game program downloaded tens of millions of times. A class action lawsuit was dismissed when the Court ruled that people should not expect privacy in their location when they were outdoors. It was later revealed that the NSA introduced the vulnerability.
Not much on this front. Worldwide military and political representatives meeting in Geneva attempted to develop “Laws of Armed Cyber Conflict” but were unable to make any progress when the lights, power, phones and water to the conference were shut down. Attendees promised to do better next year.
So that was the year 2014. But NEXT year, we will make progress. I promise.