Obama is right: privatizing metadata storage would be a nightmare

By Yasha Levine, written on January 21, 2014

From The News Desk

On December 12, 2013, the President’s Review Group on Intelligence and Communications Technologies issued a report on domestic NSA surveillance, and offered a list of 46 recommendations for reform. Perhaps the most controversial was recommendation #5, proposing that the NSA and other government intelligence agencies outsource the storage of metadata to private third parties:

We recommend that legislation should be enacted that terminates the storage of bulk telephony meta-data by the government under section 215, and transitions as soon as reasonably possible to a system in which such meta-data is held instead either by private providers or by a private third party. Access to such data should be permitted only with a section 215 order from the Foreign Intellience [sic] Surveillance Court that meets the requirements set forth in Recommendation 1.

In last week's address to the nation, President Barack Obama promised to act on the reforms suggested by the NSA review panel, but he wavered on recommendation #5.

At first Obama said that he wanted intel agencies to transition to a system where the government no longer had to hold metadata, but he quickly walked back his statement, and said instead that moving metadata from government to private third-party servers would "pose difficult problems" and "raise new privacy concerns."

Here's how he explained his worries:

...any third party maintaining a single consolidated database would be carrying out what’s essentially a government function, but with more expense, more legal ambiguity, potentially less accountability, all of which would have a doubtful impact on increasing public confidence that their privacy is being protected.

Now, I know it's totally uncool to agree with anything President Obama says these days — and anyone who does must either be a paid Obamabot and/or a Big Brother groupie. But the fact is, on this point, Obama couldn't be more right.

The notion that privatizing metadata storage will protect our privacy and civil liberties is insane, dangerous and just plain ol' wrong.

It would make our private data less secure, offer fewer legal protections and be a huge giveaway to private security contractors like Booz Allen, opening the door to all sorts of other corrupt privatization schemes and unaccountable illegal activity. No matter how much it may abuse its mandate, our government is still legally required to protect our constitutional rights — something that corporations are not obligated to do.

In short: mandating the privatization of intel storage would be a clusterfuck in just about every possible way.

Let's start with data security — because the for-profit intelligence industry has a notoriously atrocious track record when it comes to keeping our most sensitive and private data safe. Security analysts have been warning for years that the biggest data intelligence companies have gaping holes in their security architecture, allowing scammers and hackers to waltz in and out with our private data whenever they feel like it. As one expert recently told me, “A sophisticated criminal can pretty much get anything they want now.”

Even the biggest private intel/defense contractors aren't immune from embarrassing hacks. In 2011, defense contractor (and former Edward Snowden employer) Booz Allen Hamilton, whose $6 billion in annual revenues comes almost exclusively from federal contracts, was breached by kiddie hackers from Anonymous, who were able to plunder 90,000 military email logins and other sensitive data, and upload them to Pirate Bay.

But we don't need to go back that far. In many of the biggest breaches that occurred over the past year, big data companies took a frighteningly long time to realize that their systems had been compromised — sometimes they had no clue they had been broken into until the Secret Service showed up on their doorstep.

That's what happened with the recent Christmas time breach of Target's customer database and payment system. The company was targeted by sophisticated scammer-hackers, who found a massive security hole in the company's cash register system. They dialed in unimpeded, deposited a bug-bot that intercepted credit card and customer data and then had the data sent back to the scammer mothership.

The breach exposed the personal information of over 100 million people. Analysts quoted by the New York Times estimate that the breach will impact not only Target and banks, but will also saddle Target's customers with $4 billion in "uncovered losses" due to identity theft.

Target might be a retailer, but it also dedicates considerable resources to collecting private customer data and using it to predict behavior — including a program that allows Target to out a pregnant woman shopper “even if she didn’t want us to know.” In short: Target runs a very effective private surveillance operation.

And yet, despite the size of the breach, the company had no clue it had been bugged. Target only found out when the federal government began investigating a sudden surge in credit card fraud and found out that much of the activity came from cards that had been recently used at Target...

A similar thing happened in early 2013, with the breach of Lexis Nexis, Altegrity and Dun & Bradstreet, multibillion-dollar for-profit intelligence companies that are deeply involved with government agencies and law enforcement, and maintain files on hundreds of millions of people around the world.

All three companies were hacked by a scam-hacker ring run out of Russia or Ukraine. Bugs were planted deep inside the companies' servers, and sat there for weeks and maybe even months, piping out sensitive data undetected.

That data eventually found its way to a scammer data hub called SSNDOB, where it was sold to identity thieves, scammers and other shady Internet lurkers at rock-bottom prices. The intel for sale included names, social security numbers, addresses, mothers' maiden names, credit card info, background reports and other personally identifiable information on millions of Americans.

Brian Krebs, who broke the story last year, explains:

Earlier this summer, SSNDOB was compromised by multiple attackers, its own database plundered. A copy of the SSNDOB database was exhaustively reviewed by The database shows that the site’s 1,300 customers have spent hundreds of thousands of dollars looking up SSNs, birthdays, drivers license records, and obtaining unauthorized credit and background reports on more than four million Americans.

The source of ssndob's data would have remained a mystery if Brian Krebs hadn't tracked down and analyzed the contents of its database, which had been plundered by rival hacker-scammers and posted online. Only after he published his report did the three affected companies grudgingly acknowledge that they indeed had been hacked. Of course they gave as little information as possible about the nature and extent of the data breach...

The thing to remember is that Lexis Nexis, Altegrity and Dun & Bradstreet are not tiny boutique data firms, but massive multibillion-dollar for-profit intelligence companies that provide all sorts of services to law enforcement and government agencies.

Take Altegrity, a parent company that owns several major for-profit intelligence businesses:

With 10,500 employees in 30 countries, Altegrity is the world’s leading risk consultancy company, the largest commercial provider of background investigations for the government; the trusted supplier of on-demand employment background screening to more than one-third of the Fortune 500; and a leading provider of investigative, analytic, consulting and security services to organizations around the world.

Altegrity owns US Investigations Services (USIS), a company contracted by the federal government to conduct background checks and clear people for security clearance. NSA leaker Edward Snowden was positively cleared by USIS. So was Aaron Alexis, a private contractor who killed 12 people at the Washington Navy Yard last September, despite the fact that Alexis had a number of run-ins with the law, and was arrested for shooting out his coworker's tires a few years before the background check.

A recent government investigation revealed that USIS lied about the thoroughness of its background checks. The company systematically cut corners and did shoddy work, purposefully failing to fully investigate at least half of the people it ran background checks on — all for the sake of profits.

In 2011, the company had won federal contracts totaling $2.7 billion to run background checks. According to the Wall Street Journal, USIS' "management had gradually built a corporate culture that made revenue top priority. A previous CEO, in 2006, chided managers at a meeting to 'get off your ass to make a buck.'"

The funny thing here is that USIS began as a government agency that was privatized in 1996 as part of Vice President Al Gore's effort to "reinvent government" and make it more efficient. Back then, WaPo columnist David Broder praised Gore's privatization effort, writing that a government-run bureaucracy is "no longer acceptable to the citizen-customers of democracy."

The fact that a private security/defense contractor would cut costs and churn out an inferior product in pursuit of fatter profit margins probably doesn't come as a surprise. That's what outsourcing is all about.

The question is: why the hell would we trust them to protect our civil liberties?
