President Obama has said he is reforming the NSA practice of acquiring and storing telephone call metadata, and the NSA will no longer collect and store bulk data. Forgive me if I find that both doubtful and frankly unhelpful. You don't put this cat back in the bag. Once these practices have begun and the infrastructure has been built to facilitate this data gathering, it doesn't simply stop.
Some may say it has stopped, they might even order it stopped, but there's no possible way to verify it has in fact stopped. Remember, not even Congress knew about many of the data-gathering practices of the NSA. I think it's a guarantee that nobody knows the full range of what the NSA has built, much less what it can capture and view.
As I discussed last week, we've entered into a post-security world. From this day forward, we must assume that all of our computing systems are compromised. We can never certify that anything is completely secure, not even airgapped systems. We cannot trust any hardware or hardware vendor, nor can we trust any proprietary software or software vendor.
It's not necessarily because the vendor itself is knowingly providing backdoors, though that has clearly happened in many cases. Rather, it's proven far too easy for certain domestic and foreign agencies to slip backdoors into just about anything or to have already compromised encryption standards and security certificates. It's all gone, and it's never coming back.
While the president might promise that these programs are being "transitioned" or even mothballed, it's impossible to trust that it's so. The specific practice of bulk collecting data on millions of Americans' phone calls is a small part of what we now know the NSA has been doing. We haven't heard anything about the NSA ceasing the practice of siphoning data between Google data centers, for instance, or no longer collecting massive amounts of general Internet traffic and storing it for later perusal. It would be basically pointless for those claims to be made, even if they were actually true. There is no way to verify it.
Anyone can point to an empty room and say all the gear used to store, say, every piece of email from Yahoo's servers is now gone, and the data has been destroyed. Beyond that empty room may be dozens more with storage arrays humming away, containing that very data. No audit could ever be conducted to completely verify that claim. The scope and scale of the NSA's actions have permanently destroyed security and privacy across the globe.