No one paying attention should be shocked that the NSA has placed “backdoors” in the firmware of hard drives and networking equipment. For those with less technical savvy, firmware is the low-level software that mechanically operates equipment: spin this fast, move the needle this way, and so on. It does point emphasize something the US government has long known: a government must maintain total control over its own supply chain for secure hardware. From the circuit boards all the way up to the high-level operating systems, everything must be totally secure from foreign intrusion. For the US and China, this is all well and good, and has been practiced for decades.
But what to do if you’re Canada or Taiwan? Both are active internationally, with modern militaries and hopes for regional influence. Neither has the infrastructure to affordably be maintaining an entire supply chain for secure hardware. That’s really difficult. Canada doesn’t have huge microchip fabs; Taiwan does, but they were founded by foreigners. Neither has the resources of an NSA to develop completely secure software for government use. The US and China have a hard time keeping secrets from each other; the Canadians and Taiwanese, and for that matter the Dutch and Vietnamese and Koreans should have approximately zero confidence in their secrecy. Only a few powers have the intellectual and infrastructural capacity for mostly-secure computing: the US, China, Japan, Russia and possibly the Europeans.
A hypothesis: the nature of electronic surveillance is a force tending towards tight power blocs. If you are Canada, you could try to start up and maintain a secure hardware environment no matter the cost and risks. But if you could guarantee your safety by using the NSA-approved gear…well, it might better to know the Americans are listening than merely suspecting the Chinese. If you’re a poor country relying on Chinese development aid, the choice is even clearer – take whatever the Chinese are giving you with open hands. You may have to toe the Party line, but at least the CIA won’t know about your plan to invade North Trashcanistan.
The electronic umbrella is similar to the Cold War’s nuclear umbrella, but more interesting. Nuclear weapons usage is drastic, infrequent, and incontrovertible. Electronic surveillance is commonplace, continuous, and deniable. In particular, targets tend not to know when they’ve been hacked. A known quantity of surveillance from friends might be much better than an unknown quantity from an enemy. As the implications sink in for the second-tier powers of the world, the borders of hardware and OS could end up just as clearly drawn as that of economic systems a generation ago.
Today the Washington Post ran a story that should (but won’t) finally make government spying a household issue. Under the name PRISM, the NSA has had a direct line into the servers of leading internet companies – Google, Facebook, Skype, and others. For years, they have been able to tap into virtually all the information that these companies have collected about people, using cross-connections and logins to track people across the entire internet. The Post is somewhat unclear on whether the actual content is being collected, or metadata – for example, an email’s timestamp and destination is metadata, whereas the actual subject line and text are the content itself.
This is not only unconstitutional, but very obviously and blatantly unconstitutional. The Fourth Amendment to the US Constitution reads in full as such:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Emails and Facebook data very clearly count as “papers and effects”, reading their data without their consent is obviously a “search”, and pulling indiscriminately from all web traffic is an extremely unreasonable search. Somehow I doubt that the NSA got warrants either. Their justification is that certain statistical signifiers are used to indicate at least 51% certainty that a target isn’t American – though of course even when they’re spying on foreigners they end up pulling tons of data on Americans as well (e.g., emails sent from Americans to the targets).
To state the obvious: this is illegal behavior from the NSA and horrifyingly shameful behavior from Silicon Valley. With all their self-righteous talk of privacy and user protection, this is craven and disgusting behavior from companies that aspire to be trusted partners for all Americans. As for the NSA, those responsible should be fired and preferably jailed.
On the bright side, it’s kind of funny that it turns out all the conspiracy theories about the NSA have turned out to be correct. For many years, kooky nuts have insisted that the NSA has been watching every electronic communication in America. It generally focuses on the ECHELON system (the NSA sure seems to be fond of all-caps names, incidentally) but it turned out to be called PRISM. Responsible adults generally respond by pointing out that such a vast conspiracy would be impossible to keep secret, and furthermore would be so obviously illegal that the NSA’s lawyers would steer clear. Well, the responsible adults were wrong and the kooks were right.