Now We Know a Little Bit More About How the NSA Uses Software Vulnerabilities

Activists protesting NSA surveillance on July 27, 2013 in Berlin.

Photo by Sean Gallup/Getty Images

It seems pretty reasonable to assume that the NSA has some type of secret access into many (probably most) mainstream digital communication services. Some are more resistant than others, but the NSA’s bag of tricks is extensive and includes a roster of software vulnerabilities that the agency is hoping no one else will find and patch. Except if the NSA intentionally withholds information about “zero day” vulnerabilities (that are unknown to software makers), it exposes users not just to its own surveillance, but to any bad actors who know about the hole and are also exploiting it.

Now we know more about what’s going on: On Friday, the Electronic Frontier Foundation announced that it had obtained the National Security Agency’s Vulnerabilities Equities Process (or VEP) through a Freedom of Information Act suit. The documents provide some context for how the NSA decides which software vulnerabilities to disclose. But specific information about individual vulnerabilities and the NSA’s decision-making process are redacted, so this doesn’t clarify everything.

The VEP documents obtained by EFF show that the NSA keeps records of its known vulnerabilities and releases an (internal) annual report about them. A section on the “Threshold for Entering VEP” notes, “to enter the process a vulnerability must be both newly discovered and not publicly known.” Because of redactions, it’s still not totally clear from the documents how the NSA decides which vulnerabilities to disclose and which to keep secret for itself. But learning about the context and government partners helps fill out the picture.

EFF says it is contemplating challenging some of the redactions. “We [still] don’t know how this process squares with the government’s claims that in the vast majority of cases it discloses vulnerabilities to the public rather than holding on to them for intelligence or law enforcement purposes,” EFF wrote.

The NSA has lost some bulk data collection authority, but don’t think it’s not still working and growing in other areas of surveillance.