The EFF’s action for disclosure of government use of “zero day” vulnerabilities

EFF v. NSA, Office of the Director of National Intelligence, Case 3:014-cv-03010 (N.D. Cal. filed July 1, 2014)

“Zero day” vulnerabilities are previously unknown security flaws in software or on line services that a researcher has discovered, but the developer has not yet patched. In its report of December 12, 2013, “Liberty and Security in a Changing World,” the President’s Review Group on Intelligence and Communications Technology recommended that there be regular interagency review, chaired by the staff of the National Security Council, of US government attacks exploiting zero day vulnerabilities. While recommending that “US policy generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks,” the Review Group allowed that Zero Days might be briefly authorized “in rare instances“for high priority intelligence collection.”

This injunctive action seeks government compliance with the EFF’s FOIA request, made on May 6, 2014, for the principles and policies governing the government’s exploitation of “zero day” software flaws and vulnerabilities to “gain access to computer systems, compromise security, intercept sensitive information, or otherwise exploit the software’s weakness.”

The documents released by the government are available at https://www.eff.org/cases/eff-v-nsa-odni-vulnerabilities-foia. EFF’s discussion of the meagerness of and heavy redactions in the documents it has received from the government is available at https://www.eff.org/deeplinks/2015/03/government-says-it-has-policy-disclosing-zero-days-where-are-documents-prove-it.

Leave a Reply