Google and NSA: Friends with benefits?

For all those denials of carrying out governance surveillance, Google's relationship with the National Security Agency (NSA) is reportedly closer than first thought.

NSA surveillance reportedly hits offline PCs
NSA surveillance reportedly hits offline PCs

 

That was the picture put across by the Al Jazeera news network, which yesterday published a batch of emails between the two, highlighting not only the friendly communication but also the growing collaboration.


After submitting a Freedom of Information (FOI) request, the news network obtained two groups of emails from 2012 - a year before the leaks from former CIA contractor Edward Snowden, and these appear to indicate that senior executives from the Silicon Valley search giant conversed with NSA officials on a regular basis.


NSA Director General Keith Alexander emailed Google co-founder Sergey Brin and executive chairman Eric Schmidt about a secret government program known as the Enduring Security Framework (ESF). The initiative seems innocuous enough, inviting companies and the government to work together on security issues.


As one example, an email from Alexander on 28 June 2012 requested Schmidt to attend a half-day “classified threat briefing” a month later at a secure facility near the San Jose, California airport. The meeting was to be focused on “mobility threats and security”, although Schmidt was unable to attend and politely declined.


This would likely put paid to the idea then that the NSA could, perhaps, have met with Google in a bid to secretly capture data about Google service users, even if chairman Schmidt is widely-reported to support government surveillance


Crytography guru Bruce Schneier, formerly of BT but now at Co3 Systems, told SCMagazineUK.com that it's hard to tell if the NSA and Google are more than friends.


“I think the Al Jazeera headline is slightly hyperbole,” said Schneier, who added that there was ‘no smoking gun' in the documentation. “It's hard to tell if they're really close or if they're just talking to each other.”


Schneier - who spoke for the need for encryption in light of government surveillance at the recent RSA conference - added that it's “troubling” that Google didn't detail this publicly (he admitted though that they may have been sworn to secrecy) and urged companies to be more transparent.


“The more transparent you can be, the better,” said Schneier, who claimed that we're now in a world of ‘extraordinary mistrust'.


Caspar Bowden, an independent security researcher who predicted PRISM in a report to the European Parliament back in 2012 - added that the implication of devious activity would hurt Google the most.


“The NSA has tried to tighten their embrace of strategic technology companies under a 'cyber-security' banner since 2008,” he told SCMagazineUK.com.


“These emails reveal no smoking gun, but the larger strategy carries the 'enduring' implication that NSA will have access to a perpetual pipeline of exploitable vulnerabilities, before they are fixed and disclosed.”


Bowden added that while cloud companies have not yet been asked to trawl data under the law underlying PRISM (FISA 702), that could change.


“So far it appears cloud companies have not been asked to trawl through all their account data looking for keywords, but that same power has been extensively used on data carried by telcos,” he added.


“This is a critical point in determining whether PRISM can be used in future for far more extensive direct mass-surveillance of cloud data. The public should know what discussions have taken place.”

 

Regular meetings


In Google's defence, meetings like these appear to be a fairly regular occurrence, as the NSA often has intimate relationships with companies to build awareness on the latest security threats.


In the email sent to Brin and Schmidt, Alexander detailed how Google, Apple and Microsoft worked together with the NSA to develop a ‘set of core security principles'.


“A group (primarily Google, Apple and Microsoft) recently came to agreement on a set of core security principles,” reads the email, which goes onto ask for CEO briefings on ‘specific threats we believe can be mitigated'.


Citing six people who have been involved with these discussions, The Information newswire said that the companies would often meet to discuss state-sponsored cyber threats, data breaches and how they would assist the government in the event of a cyber war. Indeed, one of the emails obtained by Al Jazeera suggests that Intel, AMD, HP, Dell and Microsoft worked with the NSA to foil a BIOS threat from China.


“In recent years, top executives from U.S. technology giants such as Google, Microsoft and Intel routinely filed into a secured room deep inside the bowels of the National Security Agency's headquarters in Fort Meade, Md,” reads the The Information article.


“During the visits, which continue today, the NSA and other U.S. government agencies provide classified, “top secret” intelligence about existing and potential cyber threats to company systems from foreign government attackers, such as China, Russia and Iran.”


David Lacey, futurologist at IOActive, agrees that this meeting is likely a regular occurrence, misconstrued as something more sinister.


“It's essential for government security authorities to brief major vendors on security threats. I'd be worried if there was no such communication. And why the convoluted cover story? If NSA had a secret dialogue I doubt they would regularly email the CEO,” he told SCMagazineUK.com.


Google has, officially, emphasised numerous times that it does not collaborate with the NSA's PRISM program.


In fact, the search giant last year filed a legal form to complain about the media regularly linking the two parties.


"Google's reputation and business has been harmed by the false or misleading reports in the media, and Google's users are concerned by the allegations," read the filing. "Google must respond to such claims with more than generalities.”