​US government demands for vendors' source code are nothing new

Whether you think the push to get source code is overreach or not, governments around the world have done it for years. Often, they just have to ask -- or steal it.
Written by Stilgherrian , Contributor

News that the US government has made numerous attempts to obtain source code from tech vendors highlights the fundamental tensions between civil liberties and national security -- but such attempts are a normal part of how intelligence and law enforcement agencies operate.

In the post-Snowden world, however, some vendors are far less comfortable talking about it than they used to be.

Take Microsoft, for example.

Microsoft's Shared Source Initiative makes source code available to "qualified customers, enterprises, governments, and partners for debugging and reference purposes". There's almost no information on the company's website about their Government Security Program (GSP). Just two sentences. But the first of those sentences notes that requests might come from "local, state, provincial, or national governments or agencies".

When the GSP was launched back in 2003, however, Microsoft was happy to tell the media that Windows source code was made available to a number of governments and international organistions, including Russia, NATO, the UK, and China. Another report said that Australia, Austria, Finland, Norway, Taiwan, and Turkey were also on the list.

Governments that sign up for a GSP licence aren't allowed to modify Microsoft's code and recompile it, but would anyone know if they did? That'd be harder in these days of cryptographic code-signing, but probably not impossible for some agencies.

Here in Australia, the Australian Signals Directorate (ASD) -- our equivalent to and partner with the US National Security Agency (NSA) -- routinely asks for source code.

Vendors hoping to sell secure products to Australian government agencies must submit to an ASD Cryptographic Evaluation. New Zealand government agencies also rely on the ASD's processes.

Even the processes of close allies, such as the UK's CAPS scheme, the USA's FIPS-140, and the USA and Canadian Cryptographic Module Validation Program (CMVP), according to the ASD, are not a replacement for an ASD Cryptographic Evaluation.

And to pass an ASD Cryptographic Evaluation, vendors usually have to provide the source code.

"To achieve a higher level of confidence in the implementation and architecture of the cryptographic security, greater scrutiny must be applied through an independent review of the source code. The provision of source code usually expedites the cryptographic evaluation as fewer assumptions are made about the ICT product, given that evaluators can view the full implementation as they require it," says the ASD website.

Australia is a member of the Five Eyes alliance, so equivalent rules apply in the US, the UK, Canada, and New Zealand.

Apple doesn't provide its iOS source code to agencies, as ZDNet reported on Thursday, but the company uses open source cryptographic code, such as OpenSSH, which can be evaluated separately.

Given that Microsoft, Apple, and other vendors also have to sell their products, there's also nothing to stop agencies from just buying them, disassembling them, and reverse engineering the code. They have smart people, remember, and lots of them. Or they can infiltrate the supply chain, or just do spooky stuff and steal the code from someone who's already got it.

None of this is exactly a secret.

Nor is it a secret -- at least not any more -- that Microsoft effectively operated as an NSA branch office, giving the agency direct access to email flowing through Outlook.com at a "pre-encryption stage", helping the NSA circumvent Skype's video encryption, and much more.

When I visited Microsoft's Redmond campus in 2010, they even boasted how every single image uploaded to their servers, even those in email, were run through their algorithms to detect child abuse material, in a joint project with the FBI.

Do you imagine that all of these things no longer happen?

Given that everything I've described so far is routine, and has been routine for years, why is this week's news significant? Because communications security isn't about operating system vendors any more. It's about apps that provide end-to-end encryption, where the vendor is in a "zero knowledge" situation, and can't decrypt communications even if they wanted to.

The top-end spook agencies could still just reverse engineer everything, but it's a lot easier if you've got the source code.

Most vendors don't talk about this stuff, for good reasons. For most vendors, their revenue growth isn't in the US any more, but in Europe, and in the so-called BRICS countries -- Brazil, Russia, India, China, and South Africa.

American products are rather less attractive to non-US customers when their data isn't being protected from the US government. Perception is everything.

From governments' point of view, the new push is a logical extension of what they've always done. Whether you agree with that is a separate question, of course -- and one you'll need to take up with your political leaders.

Editorial standards