EFF Sues NSA Again Over Failure To Release Procedures For Dealing With Zero Days

from the eff-may-need-a-whole-floor-devoted-to-nsa-lawsuits dept

Another day, another lawsuit filed by the EFF against the NSA. As you may recall, back in April there was some discussion about how the NSA deals with zero day exploits it discovers, and (specifically) whether it reveals them to the relevant parties or keeps them to itself so it can exploit them. The NY Times revealed that President Obama had put in place an official rule that said the NSA should have a “bias” towards revealing the flaws, but left open a gaping loophole in saying the NSA could exploit those zero days for “a clear national security or law enforcement need.” That’s a pretty big loophole — especially when you consider how law enforcement has been abusing every opportunity of late.

EFF filed a FOIA request to find out about the NSA’s process for determining whether to exploit or reveal a zero day… and hasn’t received a response, despite a promise by the government to “expedite” the request. Hence: the new lawsuit.

“This FOIA suit seeks transparency on one of the least understood elements of the U.S. intelligence community’s toolset: security vulnerabilities,” EFF Legal Fellow Andrew Crocker said. “These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country.”

Over the last year, U.S. intelligence-gathering techniques have come under great public scrutiny. One controversial element has been how agencies such as the NSA have undermined encryption protocols and used zero days. While an intelligence agency may use a zero day it has discovered or purchased to infiltrate targeted computers or devices, disclosing its existence may result in a patch that will help defend the public against other online adversaries, including identity thieves and foreign governments that may also be aware of the zero day.

“Since these vulnerabilities potentially affect the security of users all over the world, the public has a strong interest in knowing how these agencies are weighing the risks and benefits of using zero days instead of disclosing them to vendors,” Global Policy Analyst Eva Galperin said.

These days, it really does seem that the only way to get the government to cough up these kinds of documents is to file a lawsuit, which really defeats the purpose of the whole FOIA process. Perhaps the government should just admit it’s a charade and let people go straight to the lawsuit filing process instead.
