NSA sued for hoarding details on use of ‘zero day' exploits
The National Security Agency has been hit with several lawsuits since leaks began to expose its spy programs last year. Now the latest legal challenge, filed this week, finds fault with the NSA for its unwillingness to explain its use of certain exploits.
On Tuesday, the Electronic Frontier Foundation filed a complaint for injunctive relief against the NSA because the agency has failed to answer Freedom of Information Act requests filed by the digital advocacy group concerning the United States intelligence community’s use of so-called “zero day exploits,” or computer vulnerabilities that are unknown to its respective developers and therefore un-patched and easy to exploit.
Any person with intimate knowledge of zero days, or 0-days, may choose to use that information to their advantage and exploit any which vulnerability that is otherwise unknown. Previously, RT has reported that the NSA has indeed entered into an agreement with a French 0-day vendor, and the Obama administration has not hid the fact that the US government sees advantages in using these types of exploits.
When US President Barack Obama ordered a review of the NSA’s policies in the wake of last year’s unauthorized disclosures, an administration-appointed panel wrote that “US policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks.”
“In rare instances,” the group continued, “US policy may briefly authorize using a Zero Day for high priority intelligence collection, following senior, inter-agency review involving all appropriate departments.”
When reports surfaced a few months later suggesting that US spies were long aware of the Heartbleed vulnerability that impacted the OpenSSL cryptographic library, the Office of the Director of National Intelligence responded in the negative and claimed that it had “reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities” in the wake of the review group’s findings. That process, the ODNI added, was officially named the “Vulnerabilities Equities Process,” and was established following “a disciplined, rigorous and high-level decision-making process for vulnerability disclosure.”
Hoping to learn more, the EFF responded right away by filing a FOIA request seeking electronic records concerning “the development or implementation of the ‘Vulnerabilities Equity Process’ and . . . the ‘principles’ that guide the agency ‘decision-making process for vulnerability disclosure.’”
The EFF’s request, dated May 6, has yet to garner a response from the NSA. Now in an attempt to force the agency to produce the requested documents, the EFF filed a complaint this week in the US District Court for the Northern District of California asking the Justice Department to intervene.
"This FOIA suit seeks transparency on one of the least understood elements of the US intelligence community's toolset: security vulnerabilities," EFF legal fellow Andrew Crocker said in a statement released by the group this week. "These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country."
"Since these vulnerabilities potentially affect the security of users all over the world, the public has a strong interest in knowing how these agencies are weighing the risks and benefits of using zero days instead of disclosing them to vendors," added Eva Galperin, a global policy analyst for the EFF.
Previously, the EFF filed suit against the NSA regarding the agency’s spy operations, both before and after Edward Snowden, a former intelligence contractor, began leaking secret documents to the media last year.