President Obama decided earlier this month that when the National Security Agency discovers Internet security issues such as the recent Heartbleed, it should make the flaws public. However, he left some wiggle room for "national security and law enforcement need."
This exception is cause for concern, according to Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology."Each security flaw that the government does not disclose, but holds back for later use, is a flaw that could be fixed and make people and their data safer," he said. "It's not as if the NSA or FBI are the only ones looking for flaws like this. Other government intelligence services as well as organized criminals also spend a good deal of time and money finding flaws."
It's also unclear how much this policy will change things, given the broadness of the exception.
"This loophole is so enormous that the previous program would seem to meet it," Hall explained. "So, without further disclosure from the administration about the technical details, in writing, of this plan, it is not clear it is any different from the last one."
The current lack of disclosure was also highlighted by Rebecca Jeschke, Digital Rights Analyst for the Electronic Frontier Foundation.
"We should know the basics of policies and procedures so we can make sure that any program is fair and lawful," she said. "You can have that kind of transparency and still fulfill national security goals."
So what can Internet users do to protect their information? Hall suggested taking the following steps to stay safe while browsing:
- Always keep software up to date. No matter how much you hate updating software, it's crucial that you do so on a regular basis, lest the government or criminals use old unfixed flaws against you.
- Use a password manager. A password manager stores passwords, but also creates secure, random passwords.
- If you work in airports and cafes a lot, realize that the connection between your computer and the hotspot that is giving you Internet is not secure. So, if you're surfing to a non-encrypted site -- it will be http:// instead of https://... the "s" is for secure -- all the information you send to that site is viewable by the people around you if they know what they're doing (it's illegal, but that doesn't stop folks from snooping). You should us a Virtual Private Network (VPN) which is a piece of software you fire up in one of these "unsafe" network places. The software makes sure that anything you send on the unsafe network is encrypted and sent from a location other than where you're actually sitting.
- Finally, learn about and download the Tor Browser. Tor Browser is a web browser, built off of the popular Mozilla Firefox browser, that allows you to communicate anonymously online. It does this by 1) encrypting all your communications; but, also by 2) bouncing your traffic all over the world before sending it on to your destination -- like a pinball machine. This means that it's a bit slow, but it also means that unless you type "Hi, I'm Joe Hall!!1!" into a search engine, it's very difficult for people to identify you.
Jeschke suggested that to protect against bugs like Heartbleed, more website operators should use something called "perfect forward secrecy." While perfect forward secrecy can protect users in situations when a third party is monitoring their data, many browsers and servers still do not support it.
"All security breaches are different, and require different fixes," she said. "Transparency about security vulnerabilities is extremely important, so people can protect themselves adequately."
And while the government may pass this kind of snooping off as necessary for security and law enforcement, it could be counterproductive in the long run, as Hall pointed out.
"The first step in having a safe digital society is making sure that the underlying infrastructure is as strong as it can be, and these unreported flaws are evidence that it is not yet strong enough," he said.
Photo Credit: NBC News