The latest revelations from exiled former National Security Agency contractor Edward Snowden highlight security weaknesses in some of the world’s most popular Internet networks.
According to the Washington Post, the NSA and its British counterpart have tapped into links between Google and Yahoo data centers and collected text, audio, video and vast amounts of other data.
“Technologists and people who work on privacy in general have known that this can be done and may have been going on for a long time,” said Lance Hoffman, head of the George Washington University Cyberspace Security Policy and Research Institute.
Hoffman says that while the companies store data in secure facilities around the world, and even have some of their own fiber optic networks, at certain points they travel through the same cables as the rest of the Internet’s data.
“Whenever you’re moving things from point A to point B, there’s a possibility of an intercept,” he added.
NSA says its data collection is legal and is used solely to look for clues that would prevent terrorist attacks and other security threats.
While little is known about how the spy agencies made those intercepts, the routers that direct Internet traffic are one possibility, said Jeff Tjiputra, computer scientist at the University of Maryland-University College.
“I have known hackers that can hack into routers that change the code that will make it a device that transmits traffic to a third party,” he said.
“At this point,” he added, “it goes back to what we always thought: that if you send anything on the Internet, it’s the same as if you’re sending a postcard. Anybody that handles that mail can see it.”
A Yahoo spokesperson said the company has “strict controls in place to protect the security of our data centers.”
Google said it is extending encryption across more of its services.
But as more and more information goes to distributed “cloud” computing networks, computer experts see both risks and benefits.
“I think many folks in the security community look at cloud computing as inherently more risky,” Syracuse University computer engineering professor Shiu-Kai Chin.
“Does that mean we shouldn’t use it? No. If I want to store my videos and my music up there, I’m really delighted to do that. Would I want to store the nuclear launch codes for the United States and the keys to the U.S. treasury? Probably not.”
Hoffman said he was not surprised that security agencies were able to crack into Google and Yahoo. “The surprise to me is that it’s taken so long to galvanize the public to have the conversation, to put in place the proper controls,” he said.
He says technology has gotten ahead of us. But he adds, “The technology always gets out ahead of us. People don’t generally write laws until they see something that needs to be organized or controlled in some way.”
“Basically, it’s time to have this discussion, to do it fast, to get agreement on controls that guarantee civil liberties” and address the privacy concerns raised by the NSA revelations.
“In some sense, privacy is a precursor to freedom. If you don’t have privacy, you don’t have freedom.”