EFF sues NSA over hoarding details of zero day flaws

Alleges spy agency knew about Heartbleed and other flaws but kept quiet

The Electronic Frontier Foundation has filed a complaint against the NSA, alleging it knew about the Heartbleed bug for years before the public learned of its existence.

The internet freedom campaign organisation claimed that the NSA chooses where and when it informs the security community about zero-day flaws and is aiming to get the spy agency to be more transparent.

In April, Bloomberg News revealed that the NSA had secretly exploited the Heartbleed bug in OpenSSL for at least two years before the public knew of its existence. The US government denied the report and said it had developed a Vulnerability Equities Process for deciding when to share knowledge of exploits with firms and the public.

The White House explained in a blog post at the time that this process was meant to govern the disclosure of flaws, and said it had "established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure".

But the same post also said that the process had "no hard and fast rules".

The EFF said it had lodged a Freedom of Information request for records related to zero-day flaws with both the NSA and the US Office of the Director of National Intelligence. It made the FOIA request on 6 May but has yet to receive any documentation. The privacy campaigners also want more detail on how intelligence agencies decide whether to disclose exploits.

"This FOIA suit seeks transparency on one of the least understood elements of the US intelligence community's toolset: security vulnerabilities," said EFF Legal Fellow Andrew Crocker. "These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country."

EFF Global Policy Analyst Eva Galperin said that while spy agencies held onto zero-day exploits, the wider community was left defenceless against hackers and cybercriminals, as well as unfriendly foreign governments.

"Since these vulnerabilities potentially affect the security of users all over the world, the public has a strong interest in knowing how these agencies are weighing the risks and benefits of using zero days instead of disclosing them to vendors," she said.
