EFF sues the NSA to disclose use of software security flaws
The EFF filed suit against the NSA and ODNI Tuesday, seeking information about zero-day flaws
IDG News Service - The Electronic Frontier Foundation, a prominent digital privacy rights group, has filed a lawsuit against the U.S. National Security Agency to get it to specify the extent to which it might exploit software security flaws.
The EFF said Tuesday it had filed a Freedom of Information Act lawsuit against the NSA and the Office of the Director of National Intelligence to gain access to documents showing how intelligence agencies choose whether to disclose software security flaws known as "zero days." These early-stage flaws are typically discovered by researchers but are not yet patched by developers or the company. A market has even sprung up around the flaws, in which governments will purchase the vulnerabilities to gain access to people's computers, EFF said.
Not disclosing zero-day flaws jeopardizes people's data and communications, the EFF has argued.
The suit comes amid concerns and accusations that government agencies, including but not limited to the NSA, may be exploiting these vulnerabilities for intelligence-gathering processes without the public's awareness.
In April, Bloomberg News reported that the NSA had used the then-recently disclosed "Heartbleed" security bug to gather intelligence for at least two years before it was discovered by others. The NSA said the report was incorrect.
The EFF had filed a Freedom of Information Act request in May related to these processes, but still has not received any documents, despite Intelligence Director James Clapper's office agreeing to expedite the request, the group said Tuesday.
"This [suit] seeks transparency on one of the least understood elements of the U.S. intelligence community's toolset: security vulnerabilities," said Andrew Crocker, EFF legal fellow, in a statement. "These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country."
A spokeswoman for the NSA declined to comment. The intelligence director's office did not immediately respond to a request for comment.
Following disclosures made last year by former NSA contractor Edward Snowden, intelligence agencies' techniques have come under much scrutiny. In addition to their possible exploitation of software vulnerabilities, whether agencies can exploit weaknesses in encryption has also sparked concern.
As a result, many large companies like Google and Microsoft have bolstered their use of encryption technology in recent months.