Analysis: NSA's data grab ought to boost privacy concerns
by Byron Acohido
SEATTLE — The latest revelation of how government spies tap into the personal data that U.S. consumers so blithely place into the control of the Internet's advertising giants is the most profound yet.
The Washington Post today outed a National Security Agency data snooping program, code-named MUSCULAR, that copies all traffic flowing between two of the largest online advertising giants: Google and Yahoo.
In the latest installment of revelations from Edward Snowden, the Post is reporting that NSA partnered with its British counterpart, GCHQ, to carry out MUSCULAR.
"This is the first real evidence of deep intrusions by NSA and GCHQ into the internal networks of major Internet companies," says Dave Jevans, chief technology officer of mobile security firm Marble Security. "By essentially copying all traffic that flows through these networks, the intelligence agencies can see everything that happens at these companies."
CyberTruth video: Cybersecurity experts react to the NSA's surveillance rationale
MUSCULAR appears to give government snoops access to not just contact lists and address books — last week's Snowden revelation — but all e-mail and business documents, including Google docs which is used by hundreds of thousands of companies.
It's unlikely the government does any data mining beyond the narrow parameters of ferreting out terror plots; NSA chief, Gen. Keith Alexander, has said the surveillance programs that tap in commercial Internet traffic has helped curtail 54 terrorists attacks.
"Consider what the NSA is trying to do — detect and monitor terrorist organizations," says Dave Frymier, chief information security officer at IT supplier Unisys, "They are looking for a proverbial needle in the haystack — and to find that needle, you need access to the haystack."
Yet the steady flow of revelations from the Snowden documents may be having the effect of keeping convenience-minded consumers more attuned to the intensive harvesting of their every online move by Google, Yahoo, Facebook, Instagram, LinkedIn, Microsoft, AOL and other major and minor players treating consumer privacy as a free profit-making resource.
Tanuj Gulati, chief technology officer at security intelligence firm Seuronix, says raising the privacy consciousness of consumers and businesses could alter the course of how we use mobile devices and Internet cloud services.
"In the last few years, many businesses have increased their reliance on cloud providers for essential service," says Gulati. "If NSA is able to get their hands on this data, there may be others that may be tapping into the same data. All cloud providers need to act quickly to regain customer confidence."
Consumers and companies should not take this lightly. "We can assume a whole new level of threat," Jevans says. "The NSA and GCHQ must have insiders either working at Google and Yahoo, or in the data centers where their servers are housed."
Global companies could be susceptible to similar government snooping and should assess the security of data transfers between various data centers. "This is going to add significant cost to the operation of these data centers," Jevans says.
The large-scale collection of data that is happening through the MUSCULAR program would be illegal in the United States, but the operations take place overseas, where the NSA is allowed to presume that anyone using a foreign data link is a foreigner, The Washington Post explained.
"The scope of MUSCULAR program and the fact that it blatantly leverages loopholes in the legal system is particularly concerning," says Michael Sutton, a researcher at network security firm Zscaler. "MUSCULAR is fundamentally different than PRISM, which is subject to oversight from U.S. courts. MUSCULAR is intentionally focused overseas where the same U.S. laws don't apply and the NSA has far greater freedom with data collection practices."
Even so, many security and military experts and law enforcement officials strongly support in principal the NSA's antiterrorism efforts.
Says Sutton: "We shouldn't blame the NSA — they're performing exactly what they've been tasked to do — use every legal means necessary to collect intelligence. Blame for programs such as PRISM and MUSCULAR rests squarely with the politicians that have implemented a system riddled with loopholes and such loose oversight that the rules are meaningless."
J.J. Thompson, founder and CEO of the security consultancy firm Rook Consulting, agrees. "The leading intelligence agencies are doing what they need to do to detect and prevent threats. In this case, fiber optic taps appear to be used on international Internet connections and in insecure locations within the trusted network space in the Google and Yahoo data centers."
Bike share programs — a new public safety hazard?
by Micheline Maynard
The US bike-sharing fleet has doubled but helmet use is low, prompting concern among health care experts
The streets of big cities such as New York, Chicago and San Francisco have gotten a little more crowded lately — not with automobiles but with bicycles.
Since spring, all three have launched bike-sharing programs, joining a raft of other cities in the United States and around the world that allow people to rent bikes by the hour or day.
Thanks to the newcomers, the U.S. bike-sharing fleet has doubled since the beginning of 2013, and it is expected to double again by the end of 2014, according to the Earth Policy Institute .
Public-health officials see just one problem with this: Bike sharers, for the most part, are not wearing helmets when they ride. And officials are worried how many riders will show up in emergency rooms.
According to the American Association of Neurological Surgeons (AANS), cycling represented the highest number of head injuries requiring emergency room visits of any recreational sport in 2009, the latest year for which information is available. Cycling-related head injuries were almost twice those for football and dwarfed those for baseball and softball, basketball, water sports and motor-powered recreational vehicles such as go-carts and all-terrain vehicles.
About 600 people die each year from cycling injuries, with two-thirds of those involving brain injuries. The AANS says the use of helmets while bicycling can reduce the risk of head injury by 85 percent, and the risk of severe brain injury by 88 percent.
In 2012, emergency medical physician Christopher Fischer released a study of the Hubway in Boston and Capital Bike Share in Washington, D.C., that estimated that 80 percent of the systems' riders were not wearing helmets.
Now that the new systems have opened, Fischer, who is affiliated with the Harvard Medical School, believes helmet use is up slightly, to 20 to 30 percent of bike sharers.
But, he says, “that number is too low. It should be higher.”
Are helmets a must?
Researchers at McGill University in Montreal found a big difference in helmet use between people riding their own bicycles and those hopping on shared bikes, which are widely available in the Canadian city.
About 59 percent of cyclists said they always wear a helmet when using their own bikes, according to the study. But among people using Montreal's bike-sharing program, Bixi, only 45 percent always wore a helmet. And even the cyclists who always wear a helmet while riding their own bikes get lax when it comes to shared bikes.
Only 22% of the cyclists who said they always wear a helmet on their own bikes put one on while using Bixi, said Ahmed El-Geneidy, an associate professor at McGill's School of Urban Planning. “It is bike-sharing itself that makes people not wear one, since they are always wearing one with their personal bicycle,” he said.
The helmetless bike-sharing cyclists are adding to the discussion of whether helmets are a must for casual cyclists or whether they're safe enough on short trips without them.
Greg Kagay, an avid cyclist from Fredericksburg, has been riding bikes since he was 6 and used to maintain a website on folding bikes. He doesn't ride anywhere without a helmet, he said. But he didn't always wear one. During his senior year of high school in 1984, “I had a bad accident that gave me a concussion and left me disoriented for about a week,” he said.
He began using a hard plastic helmet for training and races, even though cycling organizations did not then require them. Because of his recent interest in folding bikes, Kagay said he's eager to try out big-city bike-sharing programs. “But only if I had a helmet,” he said.
Car vs. bike
Jana Kinsman toting beehives in Chicago as part of her community beekeeping project. Although she's wearing a helmet in this photo, she said she often rides without one. Steven Vance
In Chicago, Jana Kinsman, an equally fervent cyclist, says she often rides without a helmet. That's despite being attacked in August while she was plying the streets of Chicago looking after the beehives that are part of her Bike-a-Bee project.
Kinsman said the issue is not whether cycling is safe; it's the constant tension between bicyclists and cars on U.S. roads. “In other countries, it's much more an acknowledged part of transportation,” she said of cycling.
Fischer sees “an overall reluctance to even having a thoughtful discussion about it, which is too bad.
“There's a thought that you want to encourage bicycle use for lots of reasons. If you start talking about safety and helmet use, you give the impression that bicycling isn't safe.”
Beyond that discussion, there is the question of mechanics. How do you connect bike-sharing users with helmets? Most travelers can't afford to give up space in their suitcases and carry-on bags to pack a bike helmet on the off chance that they might need it.
Some cities have tried to make rental helmets available near bike-sharing kiosks, with varying degrees of success. In New York, Citi Bike has partnered with Bike and Roll, a bike-rental company, to offer helmets for rent at 12 locations in Brooklyn and Manhattan. Helmets rent for $3 a day or $15 per week.
In Boston, Hubway was supposed to team up with a start-up company called HelmetHub. It planned to offer helmets at kiosks near Hubway docks. But HelmetHub scrapped its planned launch this summer, and no new date has been set for the system to go live.
Puget Sound Bike Share, a Seattle system set to open in May, plans to offer bikes and helmets for rent. Some Seattle residents have raised questions about whether the helmets, which the system says will be collected and disinfected each night, will actually be sanitary.
Fischer isn't worried as much about that as he is about the kind of injuries that bicyclists can suffer — “everything from ‘I laid down my bike and skinned my knee' to ‘I got hit by a bus,'” he said.
He said head injuries account for one-third of all bicycle injuries and about three-quarters of bicycle-related deaths, which is why he is particularly worried about the lack of helmet use by bike sharers. Many may be visiting cities for the first time and aren't familiar with roads or traffic, increasing the chances they could be hurt.
With bike-sharing systems coming on line so quickly across the United States, Fischer said, there are “lots of options to increasing helmet use, from just talking about it all the way up to mandating it.”
Kinsman thinks that would be going way too far. She was not wearing a helmet the day two men in an SUV pulled up next to her bike and a backseat passenger grabbed her messenger bag, dragging her with the vehicle, letting go only when she crashed into a parked car.
She was treated at a hospital for contusions, road rash and cuts to her legs, arms and hips. She said she was mentally shaken for a week afterward, and it took about a month for her injuries to heal. But the incident did not make her into a firm helmet convert.
“It wouldn't have mattered,” she said. “I could have been wearing a bubble suit” and the passing motorist still could have grabbed her.
Kinsman said she feels safe riding without a helmet because of her cycling expertise. “I feel confident in my ability as a rider. I also feel I know the roads and the path that I travel,” she said. “I think that the approach of ‘We need to get helmets for people on bike-sharing' is a very Western-medicine way.”
But she thinks cycling safety is “a good thing to talk about.” Kinsman said all cyclists, whether on their own bikes or ones from bike-sharing systems, can benefit from improvements like the dedicated bike lanes that have been installed in Chicago and other cities.
“The ideal is that there's bike sharing in Chicago means more cyclists are on the road, people start slowing down, and the roads are safe for everybody,” she said.