United States (US)-based digital rights group the Electronic Frontier Foundation (EFF) has filed a Freedom of Information Act (FOIA) lawsuit against the National Security Agency (NSA) and the Office of the Director of National Intelligence.
The group hopes to gain access to documents showing how American intelligence agencies made use of “zero day attacks” to gain access to a target’s computer.
Zero days are vulnerabilities that have been discovered by researchers but have not yet been patched by developers, and exploiting them can provide backdoor access into a user’s computer.
“A thriving market has emerged for these zero days; in some cases governments – including the United States – will purchase these vulnerabilities, which they can use to gain access to targets’ computers,” the EFF said.
One such devastating zero day vulnerability was discovered by researchers earlier this year. The bug, known as Heartbleed, was found in numerous versions of the OpenSSL cryptographic library and was thought to have made two-thirds of websites vulnerable to hackers.
The NSA was accused of knowing about and exploiting the Heartbleed bug prior to its discovery, an accusation that was later denied.
A White House cyber security officer said the government had “established principles to guide agency decision-making” including “a disciplined, rigorous and high-level decision-making process for vulnerability disclosure.”
On May 6, 2014, the EFF filed a FOIA request for the documents detailing government protocols for disclosing information about vulnerabilities to the public, but it has not yet received any.
“This FOIA suit seeks transparency on one of the least understood elements of the U.S. intelligence community’s toolset: security vulnerabilities,” EFF legal fellow Andrew Crocker said.
“These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country.”
The organisation said disclosing vulnerabilities the government exploits would result in patches, protecting the public from identity thieves and foreign governments.
“Since these vulnerabilities potentially affect the security of users all over the world, the public has a strong interest in knowing how these agencies are weighing the risks and benefits of using zero days instead of disclosing them to vendors,” said global policy analyst Eva Galperin.