EFF sues NSA over hoarding details of zero day flaws


The Electronic Frontier Foundation has filed a complaint against the NSA, alleging it knew about the Heartbleed bug for years before the public learned of its existence.

The internet freedom campaign organisation claimed that the NSA chooses where and when it informs the security community about zero-day flaws and is aiming to get the spy agency to be more transparent.

In April, Bloomberg News reported that the NSA had secretly exploited the Heartbleed bug in OpenSSL for at least two years before the public knew of its existence. The US government denied the report and said it had developed a Vulnerability Equities Process for deciding when to share knowledge of exploits with firms and the public.

In a blog post at the time, the White House explained that this process was intended to disclose flaws and said it had "established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure".

But the same post also said that the process had "no hard and fast rules".

The EFF said it had lodged a Freedom of Information Act request for records related to zero-day flaws with both the NSA and the US Office of the Director of National Intelligence. It made the FOIA request on 6 May but has yet to receive any documentation. The privacy campaigners also want more detail on how intelligence agencies choose whether to disclose exploits.

"This FOIA suit seeks transparency on one of the least understood elements of the US intelligence community's toolset: security vulnerabilities," said EFF Legal Fellow Andrew Crocker. "These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country."

EFF Global Policy Analyst Eva Galperin said that while spy agencies held onto zero-day exploits, the wider community was left defenceless against hackers and cybercriminals as well as unfriendly foreign governments.

"Since these vulnerabilities potentially affect the security of users all over the world, the public has a strong interest in knowing how these agencies are weighing the risks and benefits of using zero days instead of disclosing them to vendors," she said.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.