EFF Sues NSA Again Over Failure To Release Procedures For Dealing With Zero Days

from the eff-may-need-a-whole-floor-devoted-to-nsa-lawsuits dept

Another day, another lawsuit filed by the EFF against the NSA. As you may recall, back in April there was some discussion about how the NSA deals with zero day exploits it discovers, and (specifically) whether or not it reveals them to relevant parties or keeps them for its own ability to exploit them. The NY Times revealed that President Obama had put in place an official rule that said the NSA should have a "bias" towards revealing the flaws, but left open a gaping loophole in saying the NSA could exploit those zero days for "a clear national security or law enforcement need." That's a pretty big loophole -- especially when you consider how law enforcement has been abusing every opportunity of late.

EFF filed a FOIA request to find out about the NSA's process for determining whether to exploit or reveal a zero day... and hasn't received a response, despite a promise by the government to "expedite" the request. Hence: the new lawsuit.

"This FOIA suit seeks transparency on one of the least understood elements of the U.S. intelligence community's toolset: security vulnerabilities," EFF Legal Fellow Andrew Crocker said. "These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country."

Over the last year, U.S. intelligence-gathering techniques have come under great public scrutiny. One controversial element has been how agencies such as the NSA have undermined encryption protocols and used zero days. While an intelligence agency may use a zero day it has discovered or purchased to infiltrate targeted computers or devices, disclosing its existence may result in a patch that will help defend the public against other online adversaries, including identity thieves and foreign governments that may also be aware of the zero day.

"Since these vulnerabilities potentially affect the security of users all over the world, the public has a strong interest in knowing how these agencies are weighing the risks and benefits of using zero days instead of disclosing them to vendors," Global Policy Analyst Eva Galperin said.

These days, it really does seem that the only way to get the government to cough up these kinds of documents is to file a lawsuit, which really defeats the purpose of the whole FOIA process. Perhaps the government should just admit it's a charade and let people go straight to the lawsuit filing process instead.

Filed Under: cybersecurity, exploit, foia, james clapper, nsa, odni, surveillance, zero days
Companies: eff


Reader Comments

  • Anonymous Anonymous Coward, 2 Jul 2014 @ 3:54pm

    Better Solution

    "Perhaps the government should just admit it's a charade and let people go straight to the lawsuit filing process instead."

    Perhaps we should stick an amendment in the constitution to allow the recall of any government official for cause, including obstructing existing law, failure to uphold the oath of office, lying (including by omission) maybe a few more; to include all three branches, including the supreme court, and initiated by any citizen that thinks they probably have probable cause.

    Whatever legal standard is used, it should be no different than that used for the common person.

    • GEMont (profile), 3 Jul 2014 @ 6:54pm

      Re: Better Solution

      "Whatever legal standard is used, it should be no different than that used for the common person."

      Err.... would that not take some access to government?

      I mean, who would write these new rules into law?

      I'd think the current members of the Federal Government would simply say a unanimous "no", and then laugh their collective asses off at the audacity of some peasant telling them to restrict their activities in such a manner.

      First, methinks, it might behoove us to figure out some way to gain control of this runaway federal government before we try and get it to do something diametrically opposed to its members' current practices, habits and desires - none of which has anything remotely to do with honesty, obedience or disclosures to the public.

      Unless of course, you think the Federal Government is simply "confused" and "unguided", and not at all being purposely obtuse, deceptive, or secretive, and a simple wrist slap will bring them all back in line....

      Good luck with that then.

  • Anonymous Coward, 2 Jul 2014 @ 4:06pm

    Personally, I am terrified that somebody will sue me because I don't really have any money. What's another lawsuit to the NSA? A moral victory is very hollow when I don't see any reform out of it. When I don't see anybody getting fired. When I don't see anybody serving time for willful disregard of the constitution. As an ordinary citizen, I'm really tired of being disrespected by my own government. What else can I do? I want to start a revolution but that's what Aaron S. did. Nobody had his back. They can get to you no matter what. Unless, we all stand together. I just don't know how.

    • Anonymous Coward, 3 Jul 2014 @ 7:08pm

      Re:

      "Personally, I am terrified that somebody will sue me because I don't really have any money."

      While having no money will exclude you from membership in the Ownership Society and eliminate any "rights" that must be shored up via lawyers, and make you pretty much a voiceless member of the peasant class in modern America, I'm pretty sure that nobody can actually sue you for the crime of having no money.

  • Anonymous Coward, 2 Jul 2014 @ 5:45pm

    Here we see on display the total lack of need to follow the laws. Obama has pretty much deemed in his power he is a king with no need to follow those laws and to do any damn thing he can figure out a way to word justification on.

    We have laws on the books about illegal access to computers. We have laws on the books about FOIA and when they are to be responded to. Yet we have a government willing to take to court anyone that does what they do and their employees are unaccountable to the same laws. What's wrong with this picture?

    I can't but believe there is an end to this. Either the government changes its ways (which it won't do voluntarily) or a revolt is coming. If it is a revolt, then it is a matter of when the trigger event comes.

    Today it is easy to see as long as the bread and circuses keep coming that it will be a while. But I think too many things are coming down the pipes all at once and that trigger will be on our doorsteps far sooner than we anticipate.

    You take the roof over people's heads, the ability to pay for food, medicine, take their possessions for taxes they can't pay due to the economy, and suddenly you have a whole different thing staring you in the face.

    • alternatives(), 3 Jul 2014 @ 7:00am

      Re:

      Obama has pretty much deemed in his power he is a king with no need to follow those laws and to do any damn thing he can figure out a way to word justification on.

      And that has never happened before with any other president ever.

      • David, 3 Jul 2014 @ 7:08am

        Re: Re:

        "And that has never happened before with any other president ever."

        While true, there have been many other media outlets (besides just TechDirt) that have pointed out that this lack of transparency has happened much more now than with any other President. And it is still no excuse for it happening now, or to be tolerated any less.

    • David, 3 Jul 2014 @ 12:07pm

      Re:

      Obama has pretty much deemed in his power he is a king with no need to follow those laws and to do any damn thing he can figure out a way to word justification on.

      A king would likely prefer walking around with less egg on his face.

      Obama rather is a pawn, and the laws he needs to follow are not the laws and constitution of the U.S.A. Whether or not he is able to word-smith a justification for the things the government agencies are doing, they will carry on.

  • Ninja (profile), 3 Jul 2014 @ 4:16am

    Perhaps the government should just admit it's a charade and let people go straight to the lawsuit filing process instead.

    This could shorten the time between the beginning of the process and the time when they have to reveal something. The FOIA process allows them to delay ad eternum, present heavily redacted stuff and the likes thus dragging it for months or even years before the people decide to go for a lawsuit that will then last a few more months/years.

    This is on purpose.

  • Whatever (profile), 3 Jul 2014 @ 5:43am

    I was trying to figure out... where exactly is the law that details how you should handle 0 day exploits? I searched, I can't find anything on the books that obliges anyone to disclose in any manner, be it a government agency or an individual.

    • Ninja (profile), 3 Jul 2014 @ 6:27am

      Re:

      Again you show your totalitarianism.

      While there may not be specific laws there are serious implications when such flaws are withheld from the public since they might not be fixed before crooks start using them for real crimes.

      Ordinary people would be prosecuted and jailed for exploiting those flaws. Now when the Government does it for surveillance and without warrants then it's way worse.

    • Michael, 3 Jul 2014 @ 9:26am

      Re:

      It is highly likely that any high-profile exploits of 0 day exploits would result in CFAA charges to start with.

    • Lars (profile), 3 Jul 2014 @ 10:27am

      Re:

      I can't seem to find a law or an executive order on that. However there seems to be a "policy" in place, according to the ODNI. See this ars technica article for a quoted reference to it. I believe that policy, and the documents one presumes exist that state it, is what the EFF is trying to have released.

    • Mike Masnick (profile), 3 Jul 2014 @ 3:00pm

      Re:

      I was trying to figure out... where exactly is the law that details how you should handle 0 day exploits? I searched, I can't find anything on the books that obliges anyone to disclose in any manner, be it a government agency or an individual.

      There isn't any law. But the gov't has stated that it has a policy on that, and EFF has properly asked for it under a FOIA.

  • Whatever (profile), 3 Jul 2014 @ 8:02am

    Totalitarianism? All I asked was exactly where is the law? If there is no specific law, is the EFF basically trying to sue them for bad taste? Not being "nice"?

    "Ordinary people would be prosecuted and jailed for exploiting those flaws."

    No, ordinary people would be prosecuted and jailed for what they do in exploiting those flaws. You rarely see someone prosecuted for injecting a "hello your machine is infected" message on someone's computer, but they sure would get in trouble for adding in a key logger and stealing their credit card numbers and bank information.

    So it's back to the start: Show that the "surveillance" is specifically illegal, and perhaps you have a case. Otherwise it's a legal dead end - the type of space the EFF seems to enjoy playing in.

    • Michael, 3 Jul 2014 @ 9:32am

      Re:

      If someone were to hack into your PC and monitor your communications, they could be charged with stalking and computer fraud (CFAA) and possibly breaking wire tapping laws (depending on the state).

      "Surveillance" is NOT illegal in public places, but once you have moved into any form of hacking into communications, a private citizen would have broken the law.

    • Ninja (profile), 3 Jul 2014 @ 11:51am

      Re:

      You rarely see someone prosecuted for injecting a "hello your machine is infected" message on someone's computer

      Indeed. Which is not as simple as what the NSA does. Let us not forget that it engaged even in industrial espionage.

      Otherwise it's a legal dead end - the type of space the EFF seems to enjoy playing in.

      Ah the ignorance. Keep throwing it. EFF has scored more victories last year than you in your entire life probably.

    • David, 3 Jul 2014 @ 12:48pm

      Re:

      You seem to be confused. The EFF is not suing because of what the government does regarding exploits.

      It is suing because the government does not tell what they are doing regarding exploits.

      This is a republic, not a monarchy. The people are the overseeing authority, and they cannot control the government unless the government tells the people what it is doing.

    • Mike Masnick (profile), 3 Jul 2014 @ 3:01pm

      Re:

      Totalitarianism? All I asked was exactly where is the law? If there is no specific law, is the EFF basically trying to sue them for bad taste? Not being "nice"?

      No, as is pretty clearly stated in the article and the filings, they are suing over a failure of the gov't to properly respond to a FOIA filing.

  • GEMont (profile), 3 Jul 2014 @ 6:40pm

    ...ask me no questions...

    "Perhaps the government should just admit it's a charade and let people go straight to the lawsuit filing process instead."

    Well, they might do that if it were not for the Standard Government Policy laid down by the Bush administration - known as the "Rules", that states - tell them a lie first, then tell another if that one does not work, then make them ask for proof, then, after they've asked (roll a 6 sided die and multiply by 2 and add 3) times, make them get a court order, then blackmail the judge to deny the order, and make them go through the whole process again from the beginning, and then lose the documents in question, through a. storeroom fire, b. computer malfunction, c. dog ate them, d. tornado damage, e. flood damage, f. termites, or g. make something up.

    You see, they can't ever admit to you that the FOIA is a charade, because, well, that would be telling the public something it simply does not need to know.

    And telling the public something it does not need to know is against the Rules.

    • T (profile), 3 Jul 2014 @ 8:54pm

      Re: ...ask me no questions...

      Now even internal executive branch policies were simply inherited from Bush!

      • GEMont (profile), 4 Jul 2014 @ 11:42am

        Re: Re: ...ask me no questions...

        !!!!!!Rant Warning!!!!!!

        The Never To Be Written Secret History of the USA.

        Bush Junior was the first fully effective corporate POTUS, placed into office through vote fixing, bribery, blackmail and coercion.

        His job was to rewrite as many laws as possible, in order to remove the restrictions faced by Banks, Wall Street and the Top 500 MAFIA controlled corporations, due to regulations that prevented them from doing such things as cheating, lying, stealing, racketeering, forming monopolies, etc..

        Since he was not fully successful - he had to do a lot of other things like end a ton of law suits against various supporter institutions like the tobacco industry and bury all the records of his family's support of Hitler prior to and during WW2 - they needed to place a new corporate POTUS in power to finish the task.

        Since placing a Known Republican back in the Oval Office was impossible after Bush, it was necessary to create a ringer - a Republican sympathizer who could masquerade as a Democrat.

        9/11 allowed the forces of Wall Street and the MAFIA to almost entirely eliminate the Democratic Party through a combination of blackmail, bribery and coercion, made possible by the new War Time Laws secretly enacted after 9/11 due to the manufactured Terrorist Problem.

        This made it easy to foist the ringer on the public without exposure by other democrats.

        Obama was the perfect choice for the New Republican POTUS, because, due to his being black and a silver-tongued con-artist, the public could be easily fooled into believing he was a democrat and trust-worthy.

        Because everyone expected all the American Blacks to vote for Obama, the vote was easily fixed and the election was a cake walk.

        Naturally, the nutcase Republican Pundits publicly poo pooed the Ringer endlessly in order to insure the public's continued belief in his Democrat-hood, in the face of his republican friendly activities and corporate administration members.

        Obama has since finished off all the work that was started by Bush and added a few new twists that his handlers have always wanted, such as reverse copyright reform and the beginnings of the end of the internet.

        Wall Street is now fully in control of the Federal Government, as can be seen easily by the way the NSA, FBI, IRS, CIA and every other branch of the Federal Government has been behaving since 9/11, not to mention Hollywood, the RIAA and MPAA law creation, or the Trade Agreement Group's secrecy.

        If it were not for Snowden, almost none of this would have been known by the few Americans who have been able to see through the smoke screen put up by the Truth-Free Press.

        Sadly, the vast majority of American citizens continue to ignore reality, due mainly to embarrassment at being made fools of, and their misguided patriotism.

  • Anonymous Coward, 3 Jul 2014 @ 8:05pm

    Perhaps the government should just admit it's a charade.
    FTFY

    It was a run-on sentence.

  • Anonymous Coward, 4 Jul 2014 @ 1:03pm

    Donate to EFF.
