As if there wasn't already enough NSA mass surveillance to worry about, last week we got a peek at the agency's arsenal of tools for exploiting the hardware and software of its targets. They're best described as a veritable SpyMall catalog of sophisticated concealed gadgets and surreptitious software "implants", each sneakier than the last in its ability to compromise and extract private data from the computers and phones on which they're installed. If you still thought there was anywhere in the electronic world to hide after you're in their sights, this should be enough to disabuse you of that notion once and for all.
This lies atop six months of news of the myriad ways our metadata and, in some cases, our content, are being routinely collected and analyzed, cloud services and communications providers being compromised, and security standards that should be protecting us being sabotaged. The sane reaction seems to lie somewhere between paranoia and despair.
So we have to take small comforts where we can find them. And, paradoxically as it may seem, at least two of the most egregious revelations might actually hold out a glimmer of hope for privacy going forward.
First, we now have evidence, albeit indirect, that the NSA might not have the cryptologic superpowers that some feared they might. In particular, they have had to resort to outright sabotage of a range of security standards and systems that give them trouble. This suggests that a more robust (and un-sabotaged) infrastructure – secured by proper cryptography and without hidden backdoors or so-called "lawful intercept" interfaces – can make mass surveillance genuinely difficult. (And not just more difficult for the NSA. More difficult for other, perhaps less benevolent, nations' intelligence services as well.) So perhaps we stand a chance after all, at least if we're not being individually targeted.
Which brings us to the second encouraging bit of news, which is that if you are being individually targeted, you really don't stand a chance. The NSA's tools are very sharp indeed, even in the presence of communications networks that are well hardened against eavesdropping. How can this be good news? It isn't if you're a target, to be sure. But it means that there is no good reason to give in to demands that we weaken cryptography, put backdoors in communications networks, or otherwise make the infrastructure we depend on more "wiretap friendly". The NSA will still be able to do its job, and the sun need not set on targeted intelligence gathering.
Don't get me wrong: as a security specialist, the NSA's Tailored Access Operations (TAO) scare the daylights out of me. I would never want these capabilities used against me or any other innocent person. But these tools, as frightening and abusable as they are, represent far less of a threat to our privacy and security than almost anything else we've learned recently about what the NSA has been doing.
TAO is retail rather than wholesale.
That is, as well as TAO works (and it appears to work quite well indeed), the NSA can't deploy it against all of us – or even most of us. Its tools must be installed on each individual target's own equipment, sometimes remotely but sometimes through "supply chain interdiction" or "black bag jobs". By their nature, targeted exploits must be used selectively. Of course, "selectively" at the scale of the NSA might still be quite large, but it is still a tiny fraction of what the agency sweeps up through bulk collection.
For over a decade now, the NSA has been drowning in a sea of irrelevant data collected almost entirely about innocent people who would never be selected as targets or comprise part of any useful analysis. The implicit assumption has been that spying on everyone is the price we pay to be able to spy on the real bad guys. But the success of TAO demonstrates a viable alternative. And if the NSA has any legitimate role in intelligence gathering, targeted operations like TAO have the significant advantage that they leave the rest of us – and the systems we rely on – alone.
Which is not to say that TAO is a silver bullet against abuse.
First, of course, spying on, say, political opponents is as much a temptation with TAO as it is with the NSA's bulk collection programs. There's no technological solution to this; it requires meaningful oversight, of a kind that's been sorely lacking from US policymakers. And while we're at it, we should ask whether NSA really needs the 85,000 "implants" it reportedly already has.
A more subtle issue is the ecosystem of software security. When the NSA exploits flaws, it enters into a fundamental conflict between its mission to gather intelligence and its mission to protect citizens from hostile entities seeking to take advantage of the very same problems. Even though software flaws exist whether the NSA exploits them or not, the agency should ultimately be in the business of reporting and helping to fix any vulnerabilities it finds. This is a point made strongly by the recent NSA review panel report. It's possible to reconcile reporting and exploiting, but again, it requires vigilant, meaningful oversight and clear rules.
The intelligence community no doubt regards targeted collection methods like TAO as a method of last resort, to be used only when mass surveillance fails. We urgently need to reverse this. Yes, we can expect resistance from the NSA and its "five eyes" partners at any suggestion that they scale back mass collection in favor of targeted methods. It means doing things differently, not to mention that carefully focused targeting is likely more expensive than drinking from the fire hose to which they've become accustomed.
But if TAO is a bit more expensive, it also demonstrates that we have a real choice here. We can safely curtail mass collection, shore up needlessly "wiretap friendly" infrastructure and generally protect ourselves against mass surveillance, all without shutting down legitimate intelligence gathering. In a free society, this should be an easy choice to make.