Privacy advocacy group Electronic Privacy Information Center (EPIC) has filed a Freedom of Information Act (FOIA) request with the National Security Agency (NSA) asking for details on the agency's purported partnership with Google Inc. on cybersecurity issues.
In a separate action that was also taken today, EPIC filed a lawsuit against the NSA and the National Security Council, seeking more information on the NSA's authority over the security of U.S. computer networks.
The Post reported that the NSA and Google are in the process of finalizing an agreement under which the NSA will help Google better defend itself against cyberattacks.
The report said Google approached the NSA shortly after the recent cyberattacks, which it said originated in China.
The deal does not involve the NSA gaining access to Google users' search information or e-mail accounts, and neither will Google be sharing any proprietary data, the Post said, quoting anonymous sources.
Neither Google nor the NSA confirmed the reporting about the partnership. But the Post quoted an NSA spokeswoman as saying the agency, as part of its "information assurance mission," has been working with a broad range of commercial partners and research associates.
News of the purported agreement is already stirring up a storm in the privacy community. In its FOIA request today, EPIC asked the NSA for all records concerning any agreement between Google and NSA whether in draft or final form.
EPIC also asked the NSA for any communications the agency might have had with Google on the issue of Google's not encrypting Gmail messages prior to the cyberattacks from China but then deciding to implement encryption immediately after the attacks.
"There is particular urgency for the public to obtain information about the relationship between the NSA and Google," EPIC said in its FOIA request. "As of 2009, Gmail had roughly 146 million monthly users, all of whom would be affected by any relationship between the NSA and Google."
However, James Lewis, director and senior fellow at the Center for Strategic and International Studies (CSIS), cautioned against overstating the privacy concerns. Without all the details, it's hard to know what information exactly Google will share with the NSA, he said.
And he said it's highly unlikely that Google will share personal data with the NSA. All it wants is for the NSA to look at its networks and help them figure out how to protect it against similar attacks, he said. "It has nothing to do with intelligence. That point appears to have been missed," Lewis said.
Meanwhile, EPIC's lawsuit against NSA was filed today in U.S. District Court for the District of Columbia. It seeks the court's intervention in getting the NSA to divulge details on the authority it has been granted on domestic cybersecurity matters under National Security Presidential Directive 54 (NPSD54). The classified directive, which is also known as Homeland Security Presidential Directive 21, was issued during the Bush Administration.
The directive was used to set up a highly classified, multi-billion dollar cybersecurity program called the Comprehensive National Cybersecurity Initiative (CNCI), which is designed to bolster the ability of federal networks to detect and respond to cyber-intrusions.
Lawmakers, industry executives and privacy advocacy groups including EPIC have urged the government to release more information on CNCI and the NSA's role. EPIC has previously filed FOIA requests with the NSA asking for the information. Its lawsuit stems from what EPIC claims has been the NSA's failure to comply with statutory deadlines for providing the information.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.