While you have probably been busy during the past couple weeks with work, vacation, and/or celebrating the July 4th Independence Day holiday, there have been some interesting developments regarding government surveillance programs and familiar high-tech firms. BusinessWeek reported on July 3 that:
"Google spokeswoman Gina Scigliano confirms that the company has already inserted some of the NSA’s programming in Android OS... Through its open-source Android project, Google has agreed to incorporate code, first developed by the agency in 2011, into future versions of its mobile operating system, which according to market researcher IDC runs on three-quarters of the smartphones shipped globally in the first quarter. NSA officials say their code, known as Security Enhancements for Android, isolates apps to prevent hackers and marketers from gaining access to personal or corporate data stored on a device."
The explanation the NSA gave for its code in the Android operating system (OS):
"Improve our understanding of Android security."
Experts say the NSA code has been reviewed by peers and is not devious in any manner. Is this accurate? There don't seem to be any rules that the code will remain unchanged, or that Android device users will be notified of any changes.
Really? That's all? Nothing else? Are we to believe the NSA at its word? I find this explanation difficult to believe given some less than truthful statements recently by an NSA representative to the U.S. Congress. When they lie, they break trust with the public. If they will lie to the U.S. Congress, they will definitely lie to journalists and to citizens. I expect the NSA will continue to do what it does: spy. As a wise person once said, "a leopard does not change his spots."
Like any other consumer (who is not a computer programmer), I am trying to make sense of these revelations and understand what is happening. New disclosures and revelations about government spying seem to happen weekly, like peeling layers off an onion. Perhaps some programming experts will weigh in on this blog post about the technical aspects. I found it very interesting, for several reasons, that Google decided to do business with the NSA and include NSA code in the operating system software for its mobile devices:
1. Back in June, we learned that the NSA PRISM program taps into the computing and network systems of several high-tech companies, including Google. At that time, Google said in a statement:
"Google cares deeply about the security of our users' data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government 'back door' into our systems, but Google does not have a back door for the government to access private user data."
I guess one could argue about what a "back door" is. They seem to have another back door now.
2. As the article highlights, any devices running the Android operating system (OS) will include this NSA code: smartphones, tablets, televisions, automobiles, and other mobile devices. I assume the NSA code is in the new Google Glass devices too, although that device has a customized OS. So, that shiny new mobile device you just bought -- the HTC One, the Samsung Galaxy S4, and others -- all include programming code written by the National Security Agency (NSA). I didn't know that. Did you?
3. So, the NSA decided to "enhance the security" of Android mobile devices (that is what the NSA labeled its own code). And, since the NSA gets its funding from your tax dollars and mine, it is using public money to enhance the security of devices made by a private manufacturer. Is this how you want your hard-earned tax dollars spent?
It was really nice of the NSA to donate programming code without asking for any payments or royalties in return. Given the huge federal government deficits and debt, some payments would have been great, but I guess we'll just have to look elsewhere for financial solutions.
4. Vermont Senator Sanders asked what else the government is doing that they haven't told us. Well, we now know that, besides spying, the NSA is also in the mobile device software development business. Is this NSA code in any other companies' mobile devices? And if not, why only Google Android?
"Microsoft operating systems have a backdoor entrance for the National Security Agency, a cryptography expert said Friday, but the software giant denied the report and other experts differed on it. The chief scientist at an Internet security company said Microsoft built in a 'key' for the nation's most powerful intelligence agency to the cryptographic standard used in Microsoft Windows 95, Windows 98, Windows NT4 and Windows 2000."
Reportedly, Microsoft assisted the NSA and the FBI with breaking encryption codes, and with collecting data from cloud storage servers and Skype phone calls. So, the NSA has been in the commercial software development business for a while.
5. Let's take the NSA at its word, that the code in Android devices is benign and it will help the agency better understand the security of those mobile devices. What exactly might the NSA want to better understand or learn? They could easily buy (if they haven't already) usage reports about Android users from Google, or from any number of market research firms.
In my business experience, I reviewed, managed, and executed data licensing agreements -- contracts -- with other organizations to share data. Companies enter into these types of contracts to generate revenues and/or to learn more about an industry or groups of users. In some instances, other companies wanted to learn more about my prior employer's industry. Those contracts specified usage reports with a certain frequency (e.g., monthly, quarterly, daily) and certain data elements (e.g., customer name, location, amounts purchased, items purchased, etc.). I must assume that the folks at the NSA are smart and have already purchased usage reports about mobile users directly from market research firms and/or directly from Google. For whatever reasons, the NSA has decided to go the next step beyond usage reports and modify OS code to obtain more data directly.
And that data includes everyone who uses Android mobile devices, not just foreign people communicating with U.S. citizens whom the NSA is supposed to target. Readers who are unclear on the scope of geolocation data collected about you by your mobile devices should read this blog post.
In my business experience, that initial contract (e.g., often 5 to 7 years in duration) is usually followed by a more detailed and extensive contract. Simply put, after you learn more, you can execute a better contract with more data reporting. So, one could conclude that the NSA has even bigger, more extensive plans for Google Android OS mobile devices and other high-tech firms.
6. Given the BYOD ("Bring Your Own Device") trend during the past few years, I'll bet that plenty of CIOs, CTOs, and C-suite executives in companies worldwide are now wondering what to do next. Both their companies' servers (e.g., NSA code is embedded in Linux servers, too) and their employees' mobile devices are embedded with NSA programming code. As the BusinessWeek article reported:
"... an information technology consultant in Dublin, says his clients in European governments and multinational corporations are worried about how vulnerable their data are when dealing with U.S. companies. The information security world had been preoccupied with Chinese hacking until recently... With Prism, the same accusations can be laid against the U.S. government..."
One wonders what the unintended consequences will be. How much revenue will Google lose as a result of corporations (and/or governments) rejecting or limiting Android OS usage in their countries? How much revenue will the online and high-tech industries lose because foreign governments and corporations conclude that the NSA has compromised the products and services produced by those industries? Along with the revenue loss, what might other consequences be, such as employment cutbacks and fewer jobs?
And, it no longer seems so surprising that Android smartphones sold in China include a stripped-down OS without several Google services (e.g., search, maps, Gmail). The Chinese did this partly to promote the growth of the mobile app development and online industries in their country, but you still have to wonder, given all of the claims and denials flying back and forth about hacking and spying.
The limitations on Google services with Android OS in China limit Google's revenues. Given the NSA code revelations, what other countries will place tighter controls or bans? Where else might there be negative effects on Google's revenues?
7. There have been plenty of articles in the news media about the really smart, innovative engineers at Google. But maybe Google really does need beefed-up security given its (poor) history of data breaches, privacy incursions, and reported vulnerabilities:
- March 2009 data breach: Google Docs. An undisclosed number of records
- April 2007 data breach: Google Ads. Malware affecting an undisclosed number of records
- September 2010: unauthorized access by a Google employee of consumers' personal information
- June 2011 data breach: Gmail
- June 2013: after an investigation, Google was found to have breached privacy law in France
- June 2013: an investigation in Spain for alleged privacy breaches
- July 2012: Google breached UK privacy rules by not deleting personal data collected by Street View
- July 2013: vulnerability discovered by Bluebox Labs affecting 99% of mobile devices running the Android OS
Overall, there seem to be two over-arching issues:
- 4th Amendment of the U.S. Constitution
Lies break the public's trust. Lies break customers' trust. When a government forces corporations to lie, it breaks the public's trust with both. Perhaps more importantly, a government can't simply ignore or walk away from the Fourth Amendment of the U.S. Constitution:
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
Do you trust the NSA? Do you trust Google? Do you trust your government? And, is this NSA code okay with you? Really?