Classified Data Leaks Tough to Stop, Sure to Continue, Experts Say

With global citizens and governments dealing with cyber-surveillance and its impact on personal freedom, classified document leaks will continue and that's not a bad thing, say security and law experts.

LAS VEGAS—The leak of secret U.S. documents describing the expansion of the government's Terrorist Screening Database has reopened the debate over whether whistleblowers should be prosecuted and how agencies and companies can prevent leaks of sensitive information.

At the Black Hat security conference here, noted security expert Mikko Hypponen argued that many breaches—Edward Snowden's leaks of National Security Agency documents among them—shed light on the opaque operations of government and so serve a public good. Because of the penchant for over-classification and the restriction of information about government operations, information relevant to personal freedoms and human rights is rarely released by the government on its own initiative.

"I hope that we get more people like Snowden, but in other countries, not just the United States," said Hypponen, the chief research officer at F-Secure. "We have learned a lot because of Snowden, but the rest of the world continues to be opaque."

On Aug. 5, The Intercept, the publication co-founded by journalist Glenn Greenwald, released documents leaked by a source "in the intelligence community" other than Snowden. The documents reveal that 680,000 people are in the Terrorist Screening Database, frequently referred to as a "terrorism watchlist," and that 40 percent of those people are not affiliated with any known terrorist organization.

The leak represents a third major source of classified information on U.S. government operations in the last two years, according to Bruce Schneier, chief technology officer for incident-response toolmaker Co3 Systems. In addition to Snowden, another source has leaked information from Germany on the NSA's TAO group and on the targeting of German chancellor Angela Merkel, he told eWEEK at the Black Hat security conference.

Companies do not have much defense against such leaks, but can harden their businesses using a variety of processes and technologies. They should hire trusted people who share their mission. In addition, companies can use technology and policies to make it difficult for employees to steal information. Finally, employees can be trained to watch each other for signs that they are turning rogue.

"An organization is made up of people, who by definition can hurt you," he said. "So fundamentally, you can't stop the leaks."

Other experts agree. It's likely that such leaks will continue, at least in the United States, because a leaky government serves both the needs of the executive branch and the needs of the populace, David E. Pozen, associate professor of law at Columbia Law School, argued in a December 2013 paper published in the Harvard Law Review and cited by Schneier.

"The great secret about the U.S. government's notorious leakiness is that it is a highly adaptive mechanism of information control, which has been refined through a nuanced system of social norms," Pozen concluded in the article. "The great secret about the laws against leaking is that they have never been used in a manner designed to stop leaking—and that their implementation threatens not just gauzy democratic ideals but practical bureaucratic imperatives, not just individual whistleblowers but the institution of the presidency."

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...