Google-NSA partnership should be more public, less private
Google has raised some eyebrows lately, first by going public in January with the news that it had been hacked and blaming the Chinese government for illegally accessing some Chinese Gmail accounts. This kind of openness in the area of cybersecurity is as unusual as it is welcome.
Less welcome is the recent news that Google and the National Security Agency are negotiating an agreement for sharing information, apparently with an eye toward unraveling the attack itself and creating effective defenses against future attacks.
New evidence in Google attack points East
NSA to partner with Google to investigate cyber attacks
The plea for better public-private cooperation in cybersecurity has been made by both government and industry for more than 15 years, and it should be good news that Google and NSA are practicing what has been preached for so long. But if it is to serve the public interest, any public-private partnership needs to be as public as it is private. So far, this relationship does not seem to fit that description.
Neither Google nor the NSA has commented publicly on the agreement. Absent any openness, there is no way for Google customers to know what information the company is giving NSA and no way for U.S. citizens to know what NSA is doing for Google in return.
EPIC, the Electronic Privacy Information Center, last week filed a Freedom of Information Act request with NSA seeking records regarding the partnership. The request seeks, “All records concerning an agreement or similar basis for collaboration, final or draft, between the NSA and Google regarding cybersecurity; all records of communication between NSA and Google concerning Gmail, including but not limited to Google's decision to fail to routinely encrypt Gmail messages prior to Jan. 13, 2010; and all records of communications regarding NSA's role in Google’s decision regarding the failure to routinely deploy encryption for cloud-based computing service, such as Google Docs.”
This is the nightmare of every company that collaborates with government. FOIA is the bugaboo cited to justify reluctance in sharing information with agencies because they fear proprietary information will be leaked to the public. But when a company has access to the volume and kinds of information that Google has, it has strong obligations to respect and protect the privacy of customers.
It is not enough for Google to say it is not sharing anything inappropriate. The people whose privacy is at stake must be able to verify this and have a mechanism for enforcing it if necessary. It also is not enough to say they are only sharing it with the government. Disclosure of information to the government is just as much a breach of privacy as disclosure to any other party. To the individual, it makes precious little difference whether personal information is taken without permission by the Chinese government, or given without permission to the U.S. government.
On the other hand, NSA has no business working privately for Google or any other company. Information uncovered in the investigation of the attack should be available to all those who can use it, and any NSA techniques or tools for detecting, preventing or mitigating an attack should be made publicly available.
The ways to ensure these conditions are met are through a transparent process of negotiating any agreement and an open, enforceable agreement that protects the rights of the public as well as business and government.
A likely objection to this approach is that that it is an awkward, inefficient way to ensure public cybersecurity and national cyber defense. This is probably true, but it makes no difference. Both government and industry have obligations they must meet whether or not it is convenient. Ensuring our privacy and our security are among them.