The virus of U.S. surveillance

Eddie Keogh, Reuters
Graffiti on a wall near the headquarters of Britain's eavesdropping agency, known as GCHQ, in Cheltenham.


April 17, 2014
A story is developing around the "Heartbleed" computer bug that's rather rich in irony. Apparently, a few technology companies - including Google - uncovered the bug in March, weeks before it threw the Internet into disarray.


Google was then able to patch most of its services, and to notify a few other companies about the bug, before making the information public April 7. (Major services often wait to disclose such bugs to the public until they can patch them, in an effort to keep user information out of criminals' hands.)
Among those who say they did not know about Heartbleed until April 7 is the federal government. The White House has said that it knew nothing about the problem until companies disclosed it.
The irony lies in the fact that the federal government might have kept knowledge of the bug from the public, too - if it had known about it.
The Heartbleed turmoil has exposed the fact that the National Security Agency has retained the power to exploit software holes it uncovers, rather than disclosing them to vendors for fixes.
Such a hole is called a "zero day vulnerability" - a vulnerability that's unknown to the software vendor, and therefore unpatched.
Even after President Obama decided in January that the NSA must disclose any Internet security vulnerabilities it uncovers to major companies for fixes, he left a loophole that allows the NSA to keep secret any flaws with "a clear national security or law enforcement" use. The idea is to allow the NSA to exploit these flaws for these purposes.
It's a terrible idea for many reasons.
The language is much too broad, for starters. National security or law enforcement could mean just about anything the NSA decides it should be.
With no checks on the NSA's use of zero days, who's to say they won't stretch into 10 or 20 days - or longer? Meanwhile, Americans' computers could be getting infected, their businesses disrupted and their identities stolen.
In addition, the national-security value of this loophole is questionable at best.
"We don't have much evidence that these zero days are useful for preventing terrorism," said Yan Zhu, a staff technologist at the Electronic Frontier Foundation. "And if the NSA knows about a bug, there's a good chance other hackers do too. So the public is going unprotected."
Heartbleed is a reminder that when these bugs happen, they must be fixed as quickly and comprehensively as possible. Allowing bugs to persist so the NSA can probe them - for no specific reason - is dangerous for a different kind of national security.