Could 'Tailored Access Operations' Be An Alternative To 'Collect It All'?
from the easy-choices dept
One of the most contentious aspects of the NSA’s surveillance is the central belief by General Alexander and presumably many others at the agency that it must “collect it all” in order to protect the public. To stand a chance of overturning that policy, those against this dragnet approach need to come up with a realistic alternative. An interesting article by Matt Blaze in the Guardian offers a suggestion in this regard that takes as its starting point the recent leaks in Der Spiegel about the extensive spying capabilities of the NSA’s Tailored Access Operations (TAO). As Blaze points out:
if you are being individually targeted, you really don’t stand a chance. The NSA’s tools are very sharp indeed, even in the presence of communications networks that are well hardened against eavesdropping. How can this be good news? It isn’t if you’re a target, to be sure. But it means that there is no good reason to give in to demands that we weaken cryptography, put backdoors in communications networks, or otherwise make the infrastructure we depend on be more “wiretap friendly”. The NSA will still be able to do its job, and the sun need not set on targeted intelligence gathering.
The key word there is “targeted”: instead of building in to the Internet general weaknesses that allow everyone to be spied upon (and that can also be exploited by criminals or hostile nations), the NSA could use its elite TAO squad to gain access to the systems of particular individuals. This has several huge advantages over dragnet collection.
First, it avoids the whole problem of searching for possible needles in an enormous haystack — the favorite metaphor of the NSA. Instead, it puts the emphasis on investigating just the needles. Secondly, it can’t be applied indiscriminately:
as well as TAO works (and it appears to work quite well indeed), they can’t deploy it against all of us — or even most of us. They must be installed on each individual target’s own equipment, sometimes remotely but sometimes through “supply chain interdiction” or “black bag jobs”. By their nature, targeted exploits must be used selectively.
The final advantage is that because of the more limited scale of the surveillance, it is possible to require individual approval from a judge for every single operation before it is carried out. By scaling things back, meaningful oversight can be introduced in a way that is simply not possible when the crude “collect it all” approach is employed.
As Blaze concludes:
The intelligence community no doubt regards targeted collection methods like TAO as a method of last resort, to be used only when mass surveillance fails. We urgently need to reverse this. Yes, we can expect resistance from the NSA and its “five eyes” partners at any suggestion that they scale back mass collection in favor of targeted methods. It means doing things differently, not to mention that carefully focused targeting is likely more expensive than drinking from the fire hose to which they’ve become accustomed.
But if TAO is a bit more expensive, it also demonstrates that we have a real choice here. We can safely curtail mass collection, shore up needlessly “wiretap friendly” infrastructure and generally protect ourselves against mass surveillance, all without shutting down legitimate intelligence gathering. In a free society, this should be an easy choice to make.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: bulk data collection, collect it all, nsa, surveillance, tailored access operations
Comments on “Could 'Tailored Access Operations' Be An Alternative To 'Collect It All'?”
Sound reasoning, and it seems to be a reasonable compromise of security vs. privacy, the biggest problem is the various spy agencies all appear to be flat out addicted to their mass surveillance, and weaning them off of that is going to be quite the hurdle, considering they haven’t even managed the first step of dealing with addictions, that of admitting that there is a problem.
Re: Re:
Sadly they won’t go Amy Winehouse on their addiction and I suspect rehab attempts will be just as effective.
It’ll have to be cut down the hard way.
Re: Re:
Reasonable compromise? TAO and other NSA programs are not about security, its espionage. The security theater is only for getting the funding from US taxpayers. How about starting a mind-your-own-fucking-business program, which will ensure that foreigners don’t eye services and equipment from US companies with suspicion, and can have some privacy?
“realistic alternatives” is a useless ideology because you are dealing with a mindset here that believe that “protecting the public” is only possible by controlling the public.
No amount of alternatives are going to change that.
At best you manage to curtail such activities and behaviors only as long as the public is willing to maintain constant vigilance on their government activities. The minute that diligence wavers in even the slightest, the people running things now will go right back to what their mindset dictates.
The *only* way to ensure realistic change is to replace the people in charge with people who have a different mindset. Anything less is just blowing smoke in the wind and a waste of time.
A realistic alternative? How about “don’t collect it all”. Fire the people who have based the organization’s operations on this failed policy of “collect it all” and hire people who can run the NSA in a manner that doesn’t do massive harm to U.S. technology companies, doesn’t subvert the efficacy and reputations of cybersecurity standards bodies, doesn’t embarrass the U.S. government in the eyes of foreign leaders, and doesn’t violate the U.S. Constitution.
Re: Re:
Well, those people thought they were playing a Japanese game about pocket monsters, so…
Re: Re:
Must of missed the section in the constitution that authorizes the creation of the nsa………apart from that, SPOT ON my friend
'Tailored Access Operations' or 'Collect It All'
The fear this will be Governments only response…
http://i.imgur.com/nPoiPCA.jpg
Are we sure they are selective?
they can’t deploy it against all of us — or even most of us. They must be installed on each individual target’s own equipment, sometimes remotely but sometimes through “supply chain interdiction” or “black bag jobs”. By their nature, targeted exploits must be used selectively.
I’m not sure that I buy that TAO are being selective. Schneier has been highlighting items from TAO’s catalog of tricks. The one’s he’s shown so far are exploits for dell and HP server machines and juniper network devices. These are not items you’d find in someone’s home. They’re items you’d find in a commercial company’s data center.
Re: Are we sure they are selective?
Though the stuff in peoples homes is probably an awful lot easier to crack. Security on ISP routers is close to nil.
You have to stop looking
at this as a program to stop “terrorists.” It is not about stopping terrorism… it’s about control.
The problem is that they have become so fixated on the haystack, and obtaining every possible view of it, that they aren’t really looking for the needles. I’d also question whether TAO would be more expensive. You’d save massively on obtaining, storing and sifting the haystacks – a task that that appears to be totally valueless. If you just retasked the haystack money to TAO you’d be better off by exactly that amount.
They aren’t trying to actually stop terrorism. If they were, they’d have specifically targeted terrorists from the very beginning, instead of just spying on everyone.
We’ve seen any number of studies proving that the NSA’s actions are doing nothing to actually fight terrorism. You think the NSA were completely unaware of the likely outcome of their actions? It’s by design.
If terrorism was actually stopped, they wouldn’t be able to justify everything they do by shouting “9/11!”. They welcome terrorist attacks; they always have intel warning them about the likes of the Boston Bombing, but they would never do anything to stop them, because then they wouldn’t be able to keep seizing more and more power in the name of “fighting terrorism”.
My friend the
Octopus will help you know who “Tailored access” will be tailored to:
http://niqnaq.files.wordpress.com/2013/12/bawnccdceaeekoi-jpglarge.jpeg
ummm...
Didn’t we get into this whole situation by people coming up with “reasonable alternatives” to the Constitution?
How come ...
… every time I read “five eyes” I think “ten rings”?
I’ve done some serious thinking about this (and posted a reply to reddit’s /r/privacy a few days ago). I don’t think this is a good idea.
For one, I don’t think it’s logistically possible to add reasonable and meaningful oversight. For another, the potential for accidentally spying on innocent people seems too high. The difference between TAO and a traditional (gagged or not) search warrant is that a search warrant is limited to a specific time; once the warrant is “done” the search stops. TAO however breaks the security of a device for its entire lifetime, no matter who that device is owned/operated by in the future. Finally, my trust in my government, and any reasonably realistic future government, has been shattered in this respect. This is a powerful tool and I do not think we as a species are ready to handle it responsibly.
unless someone is a known member of an organisation, destined to do harm to others for no particular reason other than they want to, their should be no surveillance at all!!
If a warrant and probable cause come back into the equation. Then I’ll support it, but I will never support bulk, unconstitutional dragnet spying. Never!
Too many brave American patriots fought and gave their lives to make sure the American people would never have to live under that kind of unconstitutional tyranny and oppression.