NSA sued over online security flaws

Privacy advocates have filed a lawsuit against U.S. spy agencies for documents that detail how the government takes advantage of glitches in Internet code.

The Electronic Frontier Foundation (EFF) on Tuesday sued the National Security Agency (NSA) and the Office of the Director of National Intelligence under the Freedom of Information Act (FOIA), more than a month after first filing a request for the documents.


"This FOIA suit seeks transparency on one of the least understood elements of the U.S. intelligence community's toolset: security vulnerabilities," EFF legal fellow Andrew Crocker said in a statement. "These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country."

Agencies such as the NSA use the coding flaws, which can be the equivalent of a typo, to sneak into some computer networks and grab information about suspected terrorists and other targets. According to documents released by former contractor Edward Snowden, the NSA spent more than $25 million to buy up information about the vulnerabilities last year. 

Privacy and digital rights advocates worry that the practice undermines security of the Internet, as the flaws could make it easier for online terrorists or agents in China or Russia to break into U.S. systems.

Since details about the NSA’s use of the glitches first emerged last year, the Obama administration has made a number of moves to limit spies’ use of the glitches.

Privacy groups have said the new policy is riddled with loopholes, however, and has never been formally explained. 

Instead, the White House revealed the changes in denying a report that the NSA took advantage of the massive “Heartbleed” bug, which forced Web users to change passwords at sites across the Internet. 

The new policy is “biased” to disclosing the vulnerabilities, a White House spokesperson explained at the time, unless “there is a clear national security or law enforcement need” to hold onto them.

The vulnerabilities are known as “zero days,” because the developer has zero days to develop a code before they can be taken advantage of.  

The EFF filed a FOIA request for the documents on May 6 but has not yet received any, it said.