EFF Sues NSA, Director of National Intelligence for Zero Day Disclosure Process

Government Needs to Reveal Decision-Making Process for Publicizing Vulnerabilities

PRESS RELEASE
July 1, 2014

San Francisco - The Electronic Frontier Foundation (EFF) today filed a Freedom of Information Act (FOIA) lawsuit against the NSA and the Office of the Director of National Intelligence (ODNI) to gain access to documents showing how intelligence agencies choose whether to disclose software security
flaws known as "zero days."

A zero day is a previously unknown security vulnerability in software or online services that a researcher has discovered, but the developers have not yet had a chance to patch. A thriving market has emerged for these zero days; in some cases governments—including the United States—will purchase these vulnerabilities, which they can use to gain access to targets' computers.

In April 2014, Bloomberg News published a story alleging that the NSA had secretly exploited the "Heartbleed" bug in the OpenSSL cryptographic library for at least two years before the public learned of the devastating vulnerability. The government strongly denied the report, claiming it had developed a new "Vulnerability Equities Process" for deciding when to share vulnerabilities with companies and the public. The White House's cybersecurity coordinator further described in a blog post that the government had "established principles to guide agency decision-making" including "a disciplined, rigorous and high-level decision-making process for vulnerability disclosure." But the substance of those principles has not been shared with the public.

EFF filed a FOIA request for records related to these processes on May 6 but has not yet received any documents, despite ODNI agreeing to expedite the request.

"This FOIA suit seeks transparency on one of the least understood elements of the U.S. intelligence community's toolset: security vulnerabilities," EFF Legal Fellow Andrew Crocker said. "These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country."

Over the last year, U.S. intelligence-gathering techniques have come under great public scrutiny. One controversial element has been how agencies such as the NSA have undermined encryption protocols and used zero days.
While an intelligence agency may use a zero day it has discovered or purchased to infiltrate targeted computers or devices, disclosing its existence may result in a patch that will help defend the public against other online adversaries, including identity thieves and foreign governments that may also be aware of the zero day.

"Since these vulnerabilities potentially affect the security of users all over the world, the public has a strong interest in knowing how these agencies are weighing the risks and benefits of using zero days instead of disclosing them to vendors," Global Policy Analyst Eva Galperin said.

For the complaint: https://www.eff.org/document/eff-v-nsa-odni-complaint

Contacts:

Andrew Crocker
Legal Fellow
Electronic Frontier Foundation
andrew@eff.org

Eva Galperin
Global Policy Analyst
Electronic Frontier Foundation
eva@eff.org

Related Issues: NSA Spying
Related Cases: EFF v. NSA, ODNI - Vulnerabilities FOIA