The story that landed in the Guardian on Wednesday evening, the Verizon FISA order, is the kind of disclosure that I have been writing about as theoretical for two years. The PRISM story that the Guardian and Washington Post broke jointly on Thursday — alleging direct NSA collection from the production systems of Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple — is the kind of disclosure I have been writing about as theoretical for ten years. And the Snowden video interview that the Guardian put up this morning is, for once, the kind of source-revelation that lets us calibrate how to read the rest. I have spent the past four days reading every primary document I can find, and the operational implications for the engagement work I do are the part I want to write down before the news cycle overwrites them.

The Verizon order is the cleaner of the two stories, because the document is in the public record. The order from the Foreign Intelligence Surveillance Court, dated 25 April and running to 19 July, requires Verizon Business Network Services to provide the NSA "on an ongoing daily basis ... an electronic copy of the following tangible things: all call detail records ... created by Verizon for communications between the United States and abroad and wholly within the United States, including local telephone calls". Every domestic call detail record, every international call detail record: all telephony metadata, content excluded. The legal authority cited is Section 215 of the USA PATRIOT Act. The interpretation that "tangible things" includes the entire daily call-detail-record output of a major US carrier is, on the face of the order, what the FISA court has authorised.

The PRISM story is harder to read because the primary document is a forty-one-slide PowerPoint deck of the kind NSA internal presentations tend to be: heavy on internal jargon, with claims that may be straightforward, may be aspirational, and may be the kind of internal-marketing hyperbole that staff slide decks sometimes contain. The slides show a list of companies, dates of "joining" PRISM (Microsoft 2007, Yahoo 2008, Google 2009, Facebook 2009, PalTalk 2009, YouTube 2010, Skype 2011, AOL 2011, Apple 2012), and language describing collection of "stored communications, real-time communications, transactional data". The companies have all denied the "direct access to servers" interpretation that the Guardian put on the slides; the more measured reading is that PRISM is the codename for Section 702 collection, in which the companies receive FISA-court-authorised requests and provide responsive material through a defined process. The exact technical interpretation will be argued out over the coming months. The structural implication does not depend on how that question resolves: US-headquartered platforms are subject to FISA-court authorities that the user does not see, that the platform cannot disclose, and that compel production of user data under conditions the platforms publicly disagree with but operationally comply with.

For the engagements I run, this changes some of the conversations. The question that I have been asking clients for two years — "where is your sensitive data, and who can compel its production" — has had a theoretically clean answer along the lines of "your cloud provider, but only through normal legal process". The Snowden material makes the second clause much harder to defend. The legal process at issue is FISA-court process, which is secret, non-adversarial, and (on present evidence) substantially more permissive than the legal-process protections that boards have historically assumed. The clients with sensitive customer data on US cloud platforms — most of the secondment portfolio, several Hedgehog clients — are now in a different threat position than they thought they were on Wednesday morning. I have been having that conversation in person with several of them through the past two days.

The narrower technical question is what to do about it. The honest answer is that there is no quick fix. The structural answer is the privacy-and-encryption methodology I have been writing for the past several months: end-to-end encryption of sensitive content under keys the platform never holds (which makes platform-level access useless for content, even though metadata such as identifiers, sizes and timing is still collectable), data residency in jurisdictions whose legal frameworks are at least nominally adversarial to US compulsion, and a sharp distinction between data that has to be encrypted at rest under tenant-held keys and data that is operationally treated as "we do not need to encrypt this because we trust the platform". The third point is the part that is structurally changing. The trust-the-platform default is not defensible after this week. It may have been defensible in the post-DigiNotar landscape with caveats; it is no longer defensible at all.
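What "encrypt the content, accept that the metadata leaks" looks like in practice, as an added example rather than the methodology document's own code: content is sealed on the tenant side with a per-object AES-256-GCM key, that key is wrapped under a key-encryption key (KEK) the platform never receives, and the record the platform stores is everything except the KEK. The object id, the sample plaintext and the in-memory KEK are all constructed for the example (in a real deployment the KEK would sit in a tenant-controlled HSM or KMS). `PlatformView` shows what a compelled production of the stored record still yields: the identifier and the exact plaintext length, because GCM adds a fixed 16-byte tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedObject is the record handed to the platform. Content travels as
// AES-256-GCM ciphertext under a per-object data-encryption key (DEK); the
// DEK is wrapped under a key-encryption key (KEK) that stays on the tenant
// side. The platform stores all of this and can read none of the content.
type SealedObject struct {
	ObjectID   string // clear: the platform needs it to store and route the blob
	Nonce      []byte // GCM nonce for the content
	Ciphertext []byte // content ciphertext plus the 16-byte GCM tag
	WrapNonce  []byte // GCM nonce for the key wrap
	WrappedDEK []byte // DEK encrypted under the tenant KEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// Seal encrypts plaintext on the client before upload. The object id is bound
// in as associated data so a ciphertext cannot be silently moved to another id.
func Seal(kek []byte, objectID string, plaintext []byte) (*SealedObject, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	contentAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(contentAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	wrapNonce, err := randomBytes(kekAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	aad := []byte(objectID)
	return &SealedObject{
		ObjectID:   objectID,
		Nonce:      nonce,
		Ciphertext: contentAEAD.Seal(nil, nonce, plaintext, aad),
		WrapNonce:  wrapNonce,
		WrappedDEK: kekAEAD.Seal(nil, wrapNonce, dek, aad),
	}, nil
}

// Open reverses Seal. Without the KEK the DEK cannot be recovered, so a copy
// of the stored record alone, however obtained, yields no content.
func Open(kek []byte, obj *SealedObject) ([]byte, error) {
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	aad := []byte(obj.ObjectID)
	dek, err := kekAEAD.Open(nil, obj.WrapNonce, obj.WrappedDEK, aad)
	if err != nil {
		return nil, errors.New("cannot unwrap DEK: wrong KEK or tampered record")
	}
	contentAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	pt, err := contentAEAD.Open(nil, obj.Nonce, obj.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("content authentication failed: tampered ciphertext or wrong object id")
	}
	return pt, nil
}

// PlatformView is what the platform, and anyone who can compel the platform,
// learns from the stored record without the KEK: the identifier and the exact
// plaintext length (ciphertext minus the 16-byte tag). Content is opaque;
// metadata is not.
func PlatformView(obj *SealedObject) map[string]string {
	return map[string]string{
		"object_id":                obj.ObjectID,
		"plaintext_bytes_inferred": fmt.Sprint(len(obj.Ciphertext) - 16),
	}
}

func main() {
	kek, _ := randomBytes(32) // constructed: in practice a tenant-side HSM or KMS key
	obj, err := Seal(kek, "customer-records/2013-06.csv", []byte("name,phone\nA,123"))
	if err != nil {
		panic(err)
	}
	fmt.Println("platform sees:", PlatformView(obj))
	pt, err := Open(kek, obj)
	fmt.Printf("tenant recovers: %q (err=%v)\n", pt, err)
	_, err = Open(make([]byte, 32), obj)
	fmt.Println("platform without KEK:", err)
}
```

The design choice worth noting is the associated data: binding the object id into both the content and the key wrap means a stored record cannot be re-homed under a different identifier without failing authentication, which closes one avenue for a party who controls the store but not the keys. What it does not close is the metadata channel, which is exactly why the methodology separates the content question from the residency question.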

The wider question that I am thinking about is what this does to the long-running conversation about commercial security infrastructure and state-level surveillance infrastructure. I have been arguing — through the Petraeus-metadata piece most recently and at various points before — that the relationship between the two is closer than the security industry has been willing to publicly acknowledge. Snowden is the public confirmation. The defensive engineering case for treating the major platform vendors as inside the threat model rather than outside it is now the case that has been made, in public, by a primary-source disclosure with documentary backing. Bruce Schneier's running commentary is the right place for the daily-updated analysis as the documents continue to land.

For the Hedgehog SOC, the post-Snowden detection-content updates are limited to what we can credibly detect with our visibility — anomalous patterns at the SaaS-platform integration layer, unusual administrative-API usage patterns, and continued credential-monitoring at the authentication layer. The structural problem (the platform vendors can be compelled to do things that bypass our detection) is not something the SOC can solve from outside; the answer is at the data-architecture layer, not the monitoring layer. I have been adapting the engagement-team material to reflect that distinction.
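The admin-API piece of that detection content, as an added example and not the Hedgehog SOC's own rules: a baseline of which principals have used which administrative actions, then a window scan that flags first-time admin actions per principal, a short list of bulk actions whose legitimate volume is near zero, and unusually large object counts. The audit-log schema, the action names and the log lines are all constructed for the example; real platforms each have their own. The structural point from the paragraph above is visible in what is absent: a production compelled on the provider's side runs on the provider's infrastructure and never writes to the tenant audit log, so nothing here would ever see it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuditEvent is one line of a tenant-side SaaS audit log (constructed schema).
type AuditEvent struct {
	Time      string `json:"time"`
	Principal string `json:"principal"`
	Action    string `json:"action"`
	Objects   int    `json:"objects"`
	Source    string `json:"source"`
}

// Finding is one flagged event with every reason it tripped.
type Finding struct {
	Time, Principal, Action, Reason string
}

// bulkActions are administrative calls whose legitimate volume is near zero,
// so any occurrence deserves an analyst's eyes (hypothetical action names).
var bulkActions = map[string]bool{
	"admin.export_all_users":     true,
	"admin.mailbox_delegate_add": true,
	"admin.api_key_create":       true,
}

const largeObjectCount = 1000

func parseEvents(log string) ([]AuditEvent, error) {
	var events []AuditEvent
	for _, line := range strings.Split(log, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad audit line %q: %w", line, err)
		}
		events = append(events, ev)
	}
	return events, nil
}

// Detect learns which (principal, action) pairs occurred during the baseline
// period, then scans the window for admin actions a principal has never used,
// any bulk action, and any event touching an unusually large number of objects.
func Detect(baseline, window string) ([]Finding, error) {
	base, err := parseEvents(baseline)
	if err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	for _, ev := range base {
		seen[ev.Principal+"|"+ev.Action] = true
	}
	win, err := parseEvents(window)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, ev := range win {
		var reasons []string
		if strings.HasPrefix(ev.Action, "admin.") && !seen[ev.Principal+"|"+ev.Action] {
			reasons = append(reasons, "first use of this admin action by this principal")
		}
		if bulkActions[ev.Action] {
			reasons = append(reasons, "bulk administrative action")
		}
		if ev.Objects >= largeObjectCount {
			reasons = append(reasons, fmt.Sprintf("%d objects touched", ev.Objects))
		}
		if len(reasons) > 0 {
			findings = append(findings, Finding{ev.Time, ev.Principal, ev.Action, strings.Join(reasons, "; ")})
		}
	}
	return findings, nil
}

// Constructed sample logs: a quiet baseline week, then a window in which an
// integration service account appears on the admin API at 02:00 and exports.
const sampleBaseline = `
{"time":"2013-06-03T09:12:00Z","principal":"ops-admin@example.com","action":"admin.user_create","objects":1,"source":"console"}
{"time":"2013-06-04T10:00:00Z","principal":"ops-admin@example.com","action":"admin.user_suspend","objects":1,"source":"console"}
{"time":"2013-06-05T11:30:00Z","principal":"alice@example.com","action":"mail.read","objects":40,"source":"client"}
`

const sampleWindow = `
{"time":"2013-06-10T02:14:00Z","principal":"ops-admin@example.com","action":"admin.user_create","objects":1,"source":"console"}
{"time":"2013-06-10T02:15:00Z","principal":"svc-integration@example.com","action":"admin.mailbox_delegate_add","objects":1,"source":"api"}
{"time":"2013-06-10T02:16:00Z","principal":"svc-integration@example.com","action":"admin.export_all_users","objects":4200,"source":"api"}
`

func main() {
	findings, err := Detect(sampleBaseline, sampleWindow)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s %s: %s\n", f.Time, f.Principal, f.Action, f.Reason)
	}
}
```

Run against the sample, the routine flags the two service-account events and nothing else; the `ops-admin` event at the same hour is quiet because that pair is in the baseline, which is the usual trade-off of a pairing baseline (it tolerates odd hours to keep the alert volume down). This is the ceiling of what the monitoring layer can see; anything that never enters the tenant log is, as the paragraph above says, a data-architecture problem.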

The next post is probably whatever Snowden material lands next — the Guardian and Washington Post are signalling additional documents that they are working through, and the GCHQ angle that has been hinted at in the Snowden reporting may surface within weeks. Or possibly the Microsoft-NSA-relationship material that Glenn Greenwald has been signalling on his Twitter timeline. The pace of disclosure is, on present evidence, going to remain high for some time.

