IE 11 is not supported. For an optimal experience visit our site on another browser.

US crypto researchers to NSA: If you must track, track responsibly

Image: A Maryland State Trooper sits in an unmarked SUV outside the grounds of the NSA
A Maryland State Trooper sits in an unmarked SUV outside the grounds of the National Security Administration just north of Washington, in Fort Meade, Md.Jim Lo Scalzo / EPA, file

A group of cryptography researchers from universities around the country is condemning the weakening of security infrastructure by the U.S. government and NSA, and warning against storing mass amounts of sensitive data.

In the open letter published Friday, the researchers write that data collection activities uncovered in the last 10 months stand to "chill free speech and invite many types of abuse, ranging from mission creep to identity theft." 

The group hopes to improve the knowledge of privacy-preserving technology that already exists, that could aid legal surveillance proceed in a targeted manner. Should the NSA choose to use them, the cryptographic research community has and is developing tools and projects that can "protect civil liberties while enabling legit government searches," Amit Sahai, a crypto researcher at UCLA who signed the letter, told NBC News. Though, "the exact ways in which they would fit together would very much depend on the precise questions that need to be addressed."

For example, Sahai noted that a kind of secure communication protocol would let phone companies — rather than the government — hold onto cell phone data, while allowing government entities to selectively search for information on a suspect. In this setup, the phone companies would not be privy to the exact searches, and the government would not have access to all available data.

In 2010, the FBI followed digital crumbs to track down a bank-robbing duo who’d been involved in a spate of teller heists across Arizona and Colorado. After getting the greenlight from a judge, feds analyzed data from four Verizon cell towers near affected banks, and found one number that had accessed three of those towers on the days each of the banks was robbed.

This turned up the suspects, but according to Ars Technica's report of the event, data from 150,000 cell phones were recovered along the way. In the last year, law enforcement has filed more than 9,000 requests for similar “tower dumps,” according to the Washington Post, rattling civil rights advocates as well as security researchers.

Today, there are "privacy preserving ways of doing these kinds of computations" like looking through mass cell phone records, Bryan Ford, a cryptography researcher at Yale and co-writer of a new letter from the crypto community to the government, told NBC News. "Should 149,998 innocent users necessarily get scooped up into this moderately targeted dragnet in order to identify the one criminal? That's not the case."

The data already collected is also a cause for concern. "The very act of collecting and storing this unprecedentedly massive amounts of sensitive information invites disaster," Joan Feigenbaum, professor of computer science at Yale University, one of the letter's co-authors told NBC News. "They’re just asking for some kind of leak or some kind of break in or some kind of corruption of these databases."

Encrypting data is one way to secure that information, but encrypted data is notoriously hard to access. Under come circumstances, there are ways to efficiently access it. For example, "secure multiparty computation" allows for search and calculation on encrypted data, Steven Bellovin, a security researcher at Columbia University wrote to NBC News in an email. But, he added that "putting everyone’s phone calls into an encrypted database doesn’t protect privacy; we really need limits on what goes in."

Feigenbaum said that members of the security community would be willing to help the government use or craft technologies that could collect information in targeted manner, and store that data safely. 

"A lot of the [current] debate is about a false tradeoff, that we can have either national security or privacy and I think that’s not true," Ford said. Informing the public and policy makers about technology that already exists could go a long way towards "actual solutions that serve national security interests and serve privacy and freedom interests."

As next steps towards patching some of the vulnerabilities, the group points to the "Global Government Surveillance Reform" manifesto published by companies like Apple, Google and Microsoft.

Nidhi Subbaraman writes about technology and science. You can follow her on FacebookTwitter and Google+