As online providers thrive on offering free products and services in exchange for marketing data, government has started piggybacking on these surveillance mechanisms.

nsa heartbleed NSA has piggybacked on corporate surveillance efforts

The adage goes that if something is free, the users are probably the product. With an increasing smartphone penetration rate, we Internet users are practically carrying surveillance devices in our pockets all day, and have become unwitting participants in government spying activity, security expert Bruce Schneier argued during a talk at the recently-concluded SOURCE Boston conference.

“Surveillance is the business model of the Internet,” Schneier told attendees in his keynote. “We build systems that spy on people in exchange for services. Corporations call it marketing.”

But what’s even more concerning is how this massive data collection effort by businesses has made it easier for governments to do their surveillance on citizens. “The NSA woke up and said ‘Corporations are spying on the Internet, let’s get ourselves a copy,’” Schneier said.

He explained how the Internet is built around the data economy, in which corporations have thrived on offering free services in exchange for learning more and more about users’ lives. In exchange for “free or convenience,” users have become goldmines for companies like Google and Facebook, which want to get even more data from users in order to better sell targeted advertising. “I like to think of this as a feudal model. At a most fundamental model, we are tenant farming for companies like Google. We are on their land producing data,” he said.

“Metadata is us,” Schneier said, referring to the tidbits of information attached to the content we exchange online and through other connected networks. This means that it’s not just the content that is important, but the connections in between: what time you sent a message, where you are, who the recipient is, and how often you correspond, among others.

Surveillance made easier

The fact that society today is so enthralled with social media and mobile devices makes it easier for agents to do their surveillance work. Surveillance work is no longer just “follow that car,” Schneier says, referring to the traditional way of keeping track of a person by following his whereabouts. It is now “tell me everywhere the car has been for the past month.” Meta data leaves a trail, after all, and we are all unwitting participants to this widespread surveillance effort with all the breadcrumbs we leave behind.

This is compounded even more by the recent Heartbleed bug in OpenSSL, which enables an attacker to draw out chunks of data from a server’s memory, including passwords, encryption keys and other information. The bug reportedly affects about half a million websites, leaving about 66 percent of the web vulnerable to attacks. Notably, portals like Yahoo were reported to have been vulnerable. Other services — Gmail, Dropbox and the like — have taken steps to patch or update their servers to address Heartbleed.

Traditionally, client-side security is considered to be a bigger risk. “The main threat is between the cracks, which sometime is caused by poor management of client side security, namely passwords or secured keys,” shared Amit Cohen, co-founder and CEO of Amazon EC2 cloud security firm FortyCloud. “Users need to pay close attention to how they manage their passwords,” he told VR Zone. But with Heartbleed, even the strongest of passwords and the strongest of encryption protocols will prove no match, as the server itself can be fooled to give out data to third parties.

Beyond server attacks, however, clients can also be vulnerable to man-in-the-middle attacks, assuming a hacker has already obtained encryption keys from the server. “Anything that speaks TLS using OpenSSL is potentially vulnerable,” according to the developers at Meldium. This is essentially “reverse Hearbleed,” which can affect clients like web browsers, apps and routers. This could also affect open agents that accept URLs, such as popular social networking sites, file sharing services, and the like.

Has the NSA known all along?

What can be disconcerting here is that the National Security Agency has reportedly known about the bug for two years now, according to two sources “familiar with the matter”, reports Bloomberg. Infopolicy site Falkvinge even cites that “a great deal of funding was going towards meticulously auditing OpenSSL,” and that the NSA has spent “$1.6 billion a year on data processing and exploitation.”

However, the NSA has denied any knowledge, as well as exploiting the vulnerability for its own purposes. “Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong,” said National Security Council spokeswoman Caitlin Hayden said in a media briefing on Friday.

“When Federal agencies discover a new vulnerability in commercial and open source software … it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose,” she added.

It might be easy to take the NSA’s word for granted. However, it’s a fact that in this data economy, users have indeed become too reliant on services that collect our data. In fact, the very devices we carry around all day — our smartphones, and soon wearables like smart watches — have become impromptu tracking devices for the NSA. They didn’t even have to plant the bugs, because we’re willingly buying and using these, anyway.