US government pushed tech firms to hand over source code

Obtaining a company's source code makes it radically easier to find security flaws and vulnerabilities for surveillance and intelligence-gathering operations.
Written by Zack Whittaker, Contributor

The US courthouse in Washington DC which houses the secret Foreign Intelligence Surveillance Court, which authorizes the government's surveillance operations. (Image: AP Photo/Cliff Owen)

NEW YORK -- The US government has made numerous attempts to obtain source code from tech companies in an effort to find security flaws that could be used for surveillance or investigations.

The government has demanded source code in civil cases filed under seal but also by seeking clandestine rulings authorized under the secretive Foreign Intelligence Surveillance Act (FISA), a person with direct knowledge of these demands told ZDNet. We're not naming the person as they relayed information that is likely classified.

With these hearings held in secret and away from the public gaze, the person said that the tech companies hit by these demands are losing "most of the time."

When asked, a spokesperson for the Justice Dept. acknowledged that the department has demanded source code and private encryption keys before. In a recent filing against Apple, the government cited a 2013 case where it won a court order demanding that Lavabit, an encrypted email provider said to have been used by whistleblower Edward Snowden, must turn over its source code and private keys. The Justice Dept. used that same filing to imply it would, in a similar effort, demand Apple's source code and private keys in its ongoing case in an effort to compel the company's help by unlocking an iPhone used by the San Bernardino shooter.

Asked whether the Justice Dept. would demand source code in the future, the spokesperson declined to comment.

It's not uncommon for tech companies to refer to their source code as the "crown jewel" of their business. The highly sensitive code can reveal future products and services. Source code can also be used to find security vulnerabilities and weaknesses that government agencies could use to conduct surveillance or collect evidence as part of ongoing investigations.

Given to a rival or an unauthorized source, the damage can be incalculable.

We contacted more than a dozen tech companies in the Fortune 500. Unsurprisingly, none would say on the record if they had ever received such a request or demand from the government.

Cisco said in an emailed statement: "We have not and we will not hand over source code to any customers, especially governments."

IBM referred to a 2014 statement saying that the company does not provide "software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data." A spokesperson confirmed that the statement is still valid, but did not comment further on whether source code had been handed over to a government agency for any other reason.

Microsoft, Juniper Networks, and Seagate declined to comment.


The NSA had acquired source code from a number of major hard drive makers to quietly install software used to eavesdrop on computers around the world. (Image: file photo)

Dell and EMC did not comment at the time of publication. Lenovo, Micron, Oracle, Texas Instruments, and Western Digital did not respond to requests for comment. (If this changes, we will provide updates.)

Apple's software chief Craig Federighi said in a sworn court declaration this week, alongside the company's latest bid to dismiss the government's claims in the San Bernardino case, that Apple has never revealed its source code to any government.

"Apple has also not provided any government with its proprietary iOS source code," wrote Federighi.

"While governmental agencies in various countries, including the United States, perform regulatory reviews of new iPhone releases, all that Apple provides in those circumstances is an unmodified iPhone device," he said.

The declaration was in part to allay fears (and the US government's claims) that Apple had modified iPhone software to agree to China's security checks, which include turning over source code to its inspectors.

But even senior tech executives may not know if their source code or proprietary technology had been turned over to the government, particularly if the order came from the Foreign Intelligence Surveillance Court (FISC).

The secretive Washington DC-based court, created in 1979 to oversee the government's surveillance warrants, has authorized more than 99 percent of all surveillance requests. The court has broad-sweeping powers to force companies to turn over customer data via clandestine surveillance programs and authorize US intelligence agencies to record an entire foreign country's phone calls, as well as conduct tailored hacking operations on high-value targets.

FISA orders are generally served to a company's general counsel, or a "custodian of records" within the legal department. (Smaller companies that can't afford their own legal departments often outsource their compliance to third-party companies.) These orders are understood to be typically for records or customer data.

These orders are so highly classified that simply acknowledging an order's existence is illegal; even a company's chief executive or members of the board may not be told. Only those who are necessary to execute the order would know, and they would be subject to the same secrecy provisions.

Given that Federighi heads the division, it would be almost impossible to keep from him the existence of a FISA order demanding the company's source code.

It would not be the first time that the US government has reportedly used proprietary code and technology from American companies to further its surveillance efforts.

Top secret NSA documents leaked by whistleblower Edward Snowden, reported in German magazine Der Spiegel in late 2013, have suggested some hardware and software makers were compelled to hand over source code to assist in government surveillance.

The NSA's catalog of implants and software backdoors suggests that some companies, including Dell, Huawei, and Juniper -- which was publicly linked to an "unauthorized" backdoor -- had their servers and firewall products targeted and attacked through various exploits. Other exploits were able to infiltrate firmware of hard drives manufactured by Western Digital, Seagate, Maxtor, and Samsung.

Last year, antivirus maker and security firm Kaspersky found evidence that the NSA had obtained source code from a number of prominent hard drive makers -- a claim the NSA denied -- to quietly install software used to eavesdrop on the majority of the world's computers.

"There is zero chance that someone could rewrite the [hard drive] operating system using public information," said one of the researchers.
