
7/15/2013
08:16 PM
Thomas Claburn
Commentary

NSA Surveillance: IT Pro Survey Says What?

To understand the relationship between security and privacy, we should pay more attention to IT professionals and spend less time asking loaded questions.

A majority of Americans who don't understand security find the National Security Agency's use of secret court orders to collect phone and email data acceptable. IT professionals, however, see things differently.

When the Washington Post published the results of a Pew Research poll on the subject last month, it concluded that most Americans (56%) accept NSA data collection, even at the expense of privacy, as a defense against terrorism. But it didn't characterize its 1,004 survey respondents as ignorant about computer security.

Stu Sjowerman, CEO of security training firm KnowBe4.com, did so indirectly. He posed the same survey questions, via SurveyMonkey, to more than 1,500 IT professionals — people who do understand computer security — and came to the opposite conclusion. In Sjowerman's survey, some 70% said the NSA's actions were unacceptable, compared to 41% in the Washington Post-Pew survey.

Sjowerman, in a phone interview, said he decided to replicate the Post-Pew survey because he "didn't think that people really understand the implications [of the NSA's data gathering], especially long term."

There are two major issues. "One, if you do this kind of dragnet long-term," said Sjowerman, "you're creating a profile of everyone in the U.S. That is totally, as far as I'm concerned, violating the Fourth Amendment. Two, the U.S. government doesn't have a very good record of keeping everything secure. There will be data breaches."

Some 654 respondents offered a written explanation of their thoughts on the matter. Their answers for the most part echo Sjowerman's views.

"Too many law enforcement agencies have demonstrated they cannot be trusted and often put themselves above the law to achieve their goals," said respondent #4. "Those goals are not always in the best interests of citizens, but more often seem to favour large corporations or the rich and powerful."

Respondent #231 wrote, "Law enforcement officials do have a legitimate need to access some private information and communication, but such access must always be authorized beforehand by a properly executed warrant, limited to a very specific scope and duration, conducted under the oversight of the judge who issued that warrant, and cannot be done off record under a veil of secrecy. The rights of the people must not be trampled under a stampede towards security."

There are other viewpoints too: some respondents gladly surrender their privacy for what they perceive as security, and others see negligence in the intelligence community and its contractors for allowing Edward Snowden, the 29-year-old fugitive whistleblower responsible for exposing the scope of the NSA's activities, access to so much information.

But the takeaway here is that all surveys are not created equal. It's doubtful anyone would seek surgical advice from bar patrons, parachuting instruction from preschoolers or nautical knowledge from those who shun the sea. Asking average Americans their views on NSA data collection just isn't good enough. Some domain experience is necessary to reach an informed conclusion.

And not all questions are created equal. Consider this question, posed both by Pew and Sjowerman: "As you may know, it has been reported that the National Security Agency has been getting secret court orders to track telephone call records of MILLIONS of Americans in an effort to investigate terrorism. Would you consider this access to telephone call records an acceptable or unacceptable way for the federal government to investigate terrorism?"

The problem is that once you throw "terrorism" into the mix, the discussion ends. Only terrorists support terrorism, right? But as others have noted, the chance of being killed in a terrorist attack is extremely low. Reason in 2011 put it at one in 20 million, noting that in the past five years a person would be four to five times more likely to be killed by lightning than by a terrorist. (The recent Boston bombing may have shifted the odds a tiny bit.)

Would the average American be as accepting of the NSA's data gathering if the stated reason were to protect people from a bolt from above? Or imagine a much more hostile U.S. administration. Recall that President Nixon kept an enemies list. With the data squirreled away on NSA servers, imagine what one could do.

Then again, imagination is the real problem here. We imagine a fearful world. We might be better served if we imagined less and listened more to people with real-world privacy experience. To understand the relationship between security and privacy, we should pay more attention to IT professionals and spend less time asking loaded questions. We can find a balance without throwing away the Constitution.

 

Comments
JuanV770,
User Rank: Apprentice
7/16/2013 | 9:19:38 PM
re: NSA Surveillance: IT Pro Survey Says What?
cbabcock,
User Rank: Apprentice
7/17/2013 | 12:50:27 AM
re: NSA Surveillance: IT Pro Survey Says What?
Very good point. Let knowledgeable people in on the operational detail of NSA systems and see what critique, what feedback they can give us. Law enforcement without public watchfulness tends to go outside the law. With public watchfulness, it's much more accountable. I also agree the chances of being killed in a terrorist act are infinitesimal. On the other hand, note the difference in the second attack on the World Trade Center from the first, where the intent of setting off a van loaded with conventional explosives in the parking garage was to topple the building. The first try failed. What followed was plan B. Soon we'll be at plan C. I regret the circumstance, but at some point, we will want to know everything we can about the plan.

Charlie Babcock
OtherJimDonahue,
User Rank: Apprentice
7/17/2013 | 1:41:05 PM
re: NSA Surveillance: IT Pro Survey Says What?
Interesting. And this is a very good point: "And not all questions are created equal."

Jim Donahue
Managing Editor
InformationWeek
moarsauce123,
User Rank: Ninja
7/18/2013 | 11:12:59 AM
re: NSA Surveillance: IT Pro Survey Says What?
56% of the people agree? That is the same 56% that also are in favor of banning gay marriage, banning abortion (because it kills life), extending the death penalty to petty crimes, having a right-wing extremist Republican as president, and making gun ownership mandatory. Who did the Washington Post ask? The same 1,001 cleverly selected people to get a good headline? Or is the majority of people really that dumb and uninformed?
Thankfully, folks in IT see it differently and hopefully they have the guts to object when ordered to provide data to organizations outside of the company. If data doesn't even leave the premises in the first place we do not need heroes like Snowden.
immadmacs,
User Rank: Apprentice
7/19/2013 | 9:50:49 PM
re: NSA Surveillance: IT Pro Survey Says What?
I think you will find the people that agree are more likely to be the ones that voted for the current administration. I haven't seen a lot of Democrats leading the charge to stop this abuse of power. Barring that, your salivating divisive rhetoric is shameful. Every American from all political leanings should unite to resist this attack of our constitutional rights. I will stand with any man or woman, without regard for their politics, to stop this totalitarian policy. That includes you.
Cara Latham,
User Rank: Apprentice
7/18/2013 | 1:03:21 PM
re: NSA Surveillance: IT Pro Survey Says What?
Respondent #231 hit the nail on the head. There is a need for law enforcement to obtain some data as a matter of public security, but I would agree that there needs to be a legitimate reason for that access. Collecting a treasure trove of information about citizens -- even those who are not a threat -- does violate constitutional rights, and the laws must be adjusted so as to not allow the government to overstep its boundaries in the name of security. More oversight is definitely needed.
anon9697038972,
User Rank: Apprentice
7/18/2013 | 4:50:58 PM
re: NSA Surveillance: IT Pro Survey Says What?
Some cybersecurity tips government agencies can benefit from http://themodernnetwork.com/se...