THE ELECTRONIC FRONTIER FOUNDATION (EFF) has launched a lawsuit against the US National Security Agency (NSA) and the Office of the Director of National Intelligence (ODNI) over the right to access information about zero-day software flaws.
The suit alleges that the NSA chooses when and where it will inform the community on the discovery of zero-day flaws and asks it to be more transparent. We asked the NSA to comment, but it has declined.
The EFF refers to a shadowy system in which the authorities might exploit vulnerabilities - Heartbleed is a quoted example - for their own purposes.
The NSA has already denied pre-knowledge of Heartbleed, releasing a glib denial in a statement on Facebook in which it said, "NSA was not aware of the recently identified Heartbleed vulnerability until it was made public."
The government also announced this in a statement released at the same time, but two weeks later it told anyone who was still listening that it would only disclose vulnerabilities when it felt that it was appropriate. Then it said that it had policies in place to cover such decisions.
"There are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences," said White House cybersecurity coordinator Michael Daniel.
"Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks."
The EFF wasn't buying it then, and it isn't buying it now. It said that it has already sent a number of freedom of information requests, but is yet to get a response. Now it is looking to force the agency to disclose its policies with its Freedom of Information lawsuit.
"This FOIA suit seeks transparency on one of the least understood elements of the US intelligence community's toolset: security vulnerabilities," said EFF legal fellow Andrew Crocker. "These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country."
Security firm Sophos has expressed support for the EFF case, and has posted its own report on the lawsuit.
"Wouldn't it be nice to know just how, exactly, the spy agency determines when to let vendors, and the vulnerable users of their products, know about new flaws?" it asked.
"Wouldn't it be nice to know how long the NSA silently sits on those zero days, leaving businesses and individuals with their bellies exposed, as it exploits vulnerabilities for spying purposes?"