Bulk data collection doesn't work without trust

In last week’s post I explored government calls for increased internet surveillance in the wake of awful terrorist attacks, and noted how that might not be the best way to boost security.

Only a week later there are now even more justifications being made to grab the data of individuals, businesses, governments and other organisations because 'it’s the best way to collect lots of information'.

According to a report released this week from the US National Research Council:

“There are no technical alternatives that can accomplish the same functions as bulk collection and serve as a complete substitute for it; there is no technological magic."

The report was sponsored by the US Office of the Director of National Intelligence, so its conclusions weren't too surprising.

But bulk data collection only works when there is trust in those doing the collecting.

A few years ago the Chinese embarked on a data siphoning campaign against US defense targets, and really hit the jackpot. [PDF] 

They managed to purloin the radar and engine designs for the F-35 joint strike fighter which Australia's Government has ordered in large numbers.

Not content with obtaining the F-35 data, the Chinese also grabbed missile navigation and tracking systems information from the US Navy, along with designs for nuclear submarines and anti-air missile blueprints, as well as other sensitive data such as records on 30,000 officers.

The US was kind enough to alert its Five Eyes partners (Australia included) of the breach, but the question remains - how on earth were the Chinese able to run riot in US defense networks?

They somehow managed to break into at least 1600 computers and 600,000 user accounts and do away with around 50 terabytes of data - yes, you read that correctly, 50 terabytes.

The networks and sensitive data supposedly guarded by signals intelligence agencies appear to have been pretty much left wide open.

There’s no other explanation for the large number of systems being breached and huge amount of data exfiltrated.

Why they weren’t secured?

The US National Security Agency and its Five Eyes counterparts clearly have plenty of expertise, resources and tools, and at their core are tasked with keeping sensitive data secure.

But they failed to do so, and yet are calling for the ability to collect and store mass amounts of data on individuals and businesses.

The poor record of governments safeguarding their own networks and the data stored on them needs to be considered before any consent is given to collect and retain significant troves of data. Governments should also be subject to public audits of their data security.

National security agencies have lost our trust, and without proving they are up to the task of securing our sensitive information, cannot expect the public to support their surveillance efforts, whether it's for our own safety or not.