The Electronic Frontier Foundation (EFF) has filed a Freedom of Information Act (FOIA) lawsuit against the NSA and the Office of the Director of National Intelligence (ODNI).
The lawsuit is an effort to gain access to documents showing how intelligence agencies choose whether to disclose zero-day flaws. The move comes a year after Edward Snowden’s revelations, and marks a time when online freedom advocates are taking their fight to the courts.
In this case, the EFF has filed an FOIA request for records related to these processes, but said that since it was filed on May 6th it has not yet received any documents. “This FOIA suit seeks transparency on one of the least understood elements of the U.S. intelligence community’s toolset: security vulnerabilities,” EFF Legal Fellow Andrew Crocker said. “These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country.”
Commenting, Toyin Adelakun, VP at Sestus, said that were the EFF’s lawsuit to succeed, the NSA and other agencies might be compelled to divulge their decision-making processes in respect of zero-day disclosures to vendors and the public — in other words, to explain the workings of the Vulnerabilities Equities Process.
“Let us assume that the public can, crudely speaking, be classed into three groups: those who believe the Government and its agencies constitute a bunch of malevolent connivers; those who believe the Government and its agencies are benevolent strivers for the common good; and those who have no strong beliefs on the matter (i.e. are apathetic, ignorant and/or neutral),” he said.
“Disclosure of the decision-making process might shift some ‘neutrals’ into the ‘Government-is-malevolent’ end of the spectrum, and will obviously entrench in their beliefs those already in that area — but may also shift some opinions in the other direction.”
Will Semple, VP of research and intelligence for Alert Logic, said: “While this certainly is a tricky subject, my personal position is controlled disclosure with a right to exclude if you’re in the national security business. This is more from an ‘I’ve seen what can happen’ position than a freedom of information one.
“It’s how we structure our thoughts on what a vulnerability can achieve in the wrong hands, rather than if it should be made available to the public. There will be a lot of maturity in this topic over the next year or so.”
He said that the use of security vulnerabilities by intelligence agencies, not just in the US, introduces a different type of ethical question, and questions should be asked on why agencies such as the NSA have a program to discover zero-day vulnerabilities and what they use them for.
He said: “As with all modern espionage or security agencies, they are a tool in an evolved set of tradecraft. They introduce a mechanism or avenue for information gathering that was not previously available. Spy satellites in the ’80s and ’90s introduced a way to track physical assets that was not available in the ’60s and ’70s. In a world where the physical assets leave a digital footprint, it is natural for agencies such as the NSA to develop tools and techniques to track these assets.”