The US National Security Agency (NSA) has created a boatload of buzz over the past few days with these two headline-makers:
First, a senior Republican congressional aide suggested over the weekend that the agency might be shuttering its phone metadata slurping program instead of renewing it in December (suppress your glee: the news is less encouraging for surveillance-averse citizenry than it appears at first blush) and…
…Second, by releasing Ghidra, a free software reverse engineering tool that the agency had been using internally for well over a decade.
First, the political cat-and-mouse game:
Will the USA Patriot Act really die?
News of the NSA potentially killing off its mass phone-spying program – exposed by whistleblower Edward Snowden in 2013 – came on Saturday in the form of a Lawfare podcast interview with Luke Murry, national security advisor to House minority leader Kevin McCarthy.
At 5 minutes in, Murry said that the NSA hasn’t been using its metadata collecting system for spying on US citizens for the past six months, due to “problems with the way in which that information was collected, and possibly collecting on US citizens.” The program is due for Congressional reauthorization in December 2019, but Murry suggested that the administration might not bother:
I’m not actually certain that the administration will want to start that back up given where they’ve been in the last six months.
News outlets jumped on the notion that the NSA might end a widely disliked spying program: one that courts have dubbed illegal, that privacy advocates have protested, and which legislators have filibustered against, given that it indiscriminately snoops on America’s own citizens.
If you’re wondering which spying program Murry was talking about, join the club. Was it the USA Patriot Act, whose Section 215 supported the NSA’s bulk collection of telephone records, which resulted in the agency having collected the phone records of millions of US persons not suspected of any crime? Or was it the USA Freedom Act, signed into law in 2015 as what was supposed to be a way to clip the NSA’s powers?
Section 215 expired at the end of May 2015 but was re-enabled through to the end of 2019 via the USA Freedom Act, which passed the following month, as well as being extended via various other legal maneuvers.
In the interview with Lawfare, Murry muddled the two laws. When asked about national security topics coming up this year, he said:
One which may be must-pass, may actually not be must-pass, is Section 215 of USA Freedom Act, where you have this bulk collection of, basically metadata on telephone conversations – not the actual content of the conversations but we’re talking about length of call, time of call, who’s calling – and that expires at the end of this year.
Again, Section 215 is actually from the Patriot Act. But whatever law Murry referred to, we shouldn’t be too excited by the notion that it will go away, because if history is any guide, it won’t. Rather, it will likely be reinterpreted and spring up in a new form. The Register has done a thorough rundown of how the NSA manages that, and it’s well worth a read.
For example, Section 215 goes far beyond authorizing the collection of phone metadata, but the truth is that the secretive NSA hasn’t told us about the other 97% of data collection it authorizes. From the Register:
In 2014, for example, there were 180 orders authorized by the US government’s special FISA Court under Section 215, but only five of them related to metadata; the rest cover, well, the truth is that we don’t know what they cover because it remains secret.
It could be that Section 215 covers collection of emails and instant messages, search engine searches, and video uploads, for example. The law says that the NSA can collect “tangible things”, which could mean just about anything.
After the blanket surveillance program was reauthorized in 2015, the Office of the Director of National Intelligence (ODNI) issued an official statement that sure did sound good: the NSA would stop analyzing old bulk telephony metadata and start deleting it. What it would shift to, the DNI said, was the Freedom Act’s new, “targeted production” of records.
It turns out that the phone data collection didn’t stop, however. In a June 2018 statement, the ODNI said that the NSA had begun deleting all the call detail records that it had gotten its hands on – after that new, “targeted” approach.
The NSA blamed “technical irregularities in some data received from telecommunications service providers” for the junking of the phone records – problems that, it promised, had been resolved, clearing the way for yet more future records collection.
Murry said the program never got rebooted, though, and that he doesn’t believe it will. This undoubtedly has something to do with strenuous efforts by two US senators, Ron Wyden and Rand Paul, who’ve both been waging war against the NSA’s spying.
During their wrangling, which has gone on for over a year and has focused on getting more control of Section 702 of the Foreign Intelligence Surveillance Act (FISA), the NSA has avoided answering Rand’s questions (PDF), such as whether the NSA is collecting domestic communications. It’s also gotten creative in coming up with secret interpretations of the law.
The Register suggests that the fact that the public only knows about the telephone metadata aspects of the far broader Section 215 could be an advantage to the NSA, as it continues to find ways to keep getting the data it wants. From the Register:
If the NSA offers to give up its phone metadata collection voluntarily, it opens up several opportunities for the agency. For one, it doesn’t have to explain what its secret legal interpretations of the law are and so can continue to use them. Second, it can repeat the same feat as in 2015 – give Congress the illusion of bringing the security services to heel. And third, it can continue to do exactly what it was doing while looking to everyone else that it has scaled back.
On a far more security-crowd-pleasing note, there’s the NSA’s release of Ghidra:
The NSA released Ghidra, a software reverse engineering tool, at the RSA security conference on Wednesday. It marked the first public demonstration of the tool, which the agency has been using internally and which helps to analyze malicious code and malware and to track down potential vulnerabilities in networks and systems.
ZDNet, reporting from the conference, said that the NSA’s plan is to get security researchers comfortable working with the tool before they apply for government cybersecurity positions, be those jobs at the NSA or at the other government intelligence agencies with which the NSA has privately shared Ghidra.
The initial reviews have been, overall, positive, in large measure because “free” is a lot cheaper than the alternative tool, IDA Pro. The commercial license for IDA Pro costs thousands of US dollars per year. Here are some early reviews from well-known security pros:
Yes, I'm going to start using it for all new projects. So far, it looks like it can replace enough of my workflow in IDA that I can switch, phew!
— Tavis Ormandy (@taviso) March 6, 2019
The good things:
- The decompiler is fucking awesome.
- The decompiler supports anything that you can disassemble.
- Everything is fully integrated.
- Multi-binaries projects with version control.
— Joxean Koret (@matalaz) March 6, 2019