US Government Has Apparently Demanded, And Obtained, Tech Companies' Source Code In The Past

from the ask-(FISC_)-and-ye-shall-receive dept

From Zack Whittaker at ZDNet comes the alarming revelation that it's not just Apple looking at possibly having to turn over its source code and/or encryption keys to the government, much like what happened to Lavabit. Many other companies have done this previously as the result of orders granted by the nation's most opaque, non-adversarial court.

The US government has made numerous attempts to obtain source code from tech companies in an effort to find security flaws that could be used for surveillance or investigations.

The government has demanded source code in civil cases filed under seal but also by seeking clandestine rulings authorized under the secretive Foreign Intelligence Surveillance Act (FISA), a person with direct knowledge of these demands told ZDNet. We're not naming the person as they relayed information that is likely classified.

With these hearings held in secret and away from the public gaze, the person said that the tech companies hit by these demands are losing "most of the time."
That's hardly heartening. The DOJ would only go so far as to confirm this has happened before, likely because there's no way to deny it. The documents from the Lavabit case have been made public -- with the DOJ using a formerly-sealed document to hint at what could be in store for Apple if it refuses to write FBiOS for it.

Unfortunately, because of the secrecy surrounding the government's requests for source code -- and the court where those requests have been made -- it's extremely difficult to obtain outside confirmation. Whittaker contacted more than a dozen Fortune 500 companies about the unnamed official's claims and received zero comments.

A few, however, flatly denied ever having handed over source code to the US government.
Cisco said in an emailed statement: "We have not and we will not hand over source code to any customers, especially governments."

IBM referred to a 2014 statement saying that the company does not provide "software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data." A spokesperson confirmed that the statement is still valid, but did not comment further on whether source code had been handed over to a government agency for any other reason.
Cisco is likely still stinging from leaked documents showing its unwitting participation in an NSA unboxing photo shoot and has undoubtedly decided to take a stronger stance against government meddling since that point. As for IBM, its statement is a couple of years old and contains a major qualifying statement.

Previously-leaked documents somewhat confirm the existence of court orders allowing the NSA to perform its own hardware/software surgery. Presumably, the introduction of backdoors and exploits is made much easier with access to source code. Whittaker points to a Kaspersky Lab's apparent discovery of evidence pointing to the NSA being in possession of "several hard drive manufacturers'" source code -- another indication that the government's history of demanding source code from manufacturers and software creators didn't begin (or end) with Lavabit.

The government may be able to talk the FISA court into granting these requests, given that its purview generally only covers foreign surveillance (except for all the domestic dragnets and "inadvertent" collections) and national security issues. The FBI's open air battle with Apple has already proceeded far past the point that any quasi-hearing in front of the FISC would have. That's the sort of thing an actually adversarial system -- unlike the mostly-closed loop of the FISA court -- tends to result in: a give-and-take played out (mostly) in public, rather than one party saying "we need this" and the other applying ink to the stamp.

Filed Under: doj, fbi, fisa, fisa court, fisc, privacy, security, signing keys, software, source code, tech companies

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. identicon
    Michael W. Perry, 20 Mar 2016 @ 6:32am

    Best case scenario.

    Join with me for a moment is extreme cynicism. What is the best possible outcome for widespread NSA/FBI surveillance?

    No, it's not the NSA/FBI succeeding in forcing Apple to insert backdoors and discover pass codes for law enforcement. It's for Apple to give every appearance of having won this dispute, while secretly cooperating with those agencies, actively or passively, for any of a number of reasons.

    Why? Because a NSA/FBI win sends a message to terrorists and other wrongdoers (including corrupt corporations) that Apple platform is unsafe and requires that they take additional measures. A seeming win by Apple, accompanied by enormous publicity, would make them slack off in their precautions, thus making the work of NSA/FBI easier.

    Indeed the very publicity given to this dispute and Apple's seemingly hard stand could just as easily be taken as an indication that the company's public opposition to NSA/FBI spying is accompanied by private cooperation. It is, after all, just the behavior one would expect if that were the case.

    How might the NSA/FBI best reward Apple? By giving the company's executives a stack of "get out of jail free" cards for corporate wrongdoing. Nothing could be more valuable not even money.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.