EFF sues NSA in bid for records related to Heartbleed disclosure

The Electronic Frontier Foundation (EFF) has filed a lawsuit against the National Security Agency (NSA), accusing the agency of knowing about and exploiting the Heartbleed bug for many years before it was revealed to businesses and the public.

The Office of the Director of National Intelligence has previously denied knowledge — and exploitation — of the zero-day vulnerability, a claim that the EFF takes issue with in its suit, citing published news reports to the contrary.

In April, a White House blog gave a murky explanation as to how the government chooses to disclose vulnerabilities, citing reliance on a Vulnerabilities Equity Process that it calls “a disciplined, rigorous and high-level decision-making process for vulnerability disclosure,” albeit one with “no hard and fast rules.”

The suit, filed in a U.S. District Court in San Francisco, stems from a May Freedom of Information Act (FOIA) request in which the EFF asked the NSA to provide records on “the development or implementation of the ‘Vulnerabilities Equity Process.’” The organization asked the agency to expedite the request due to the “urgency to inform the public concerning actual or alleged federal government activity.”

The NSA agreed to turn over the records (though the EFF still awaits the information), but the agency denied the request for expedition. Noting the vast number of FOIA requests that agencies must fulfill, EFF Legal Fellow Andrew Crocker said in email correspondence that he didn't "think the government is intentionally dragging its feet." But the privacy advocacy group noted in its suit that the NSA has exceeded the standard 20-day deadline for processing FOIA requests, and that the EFF had exhausted all administrative avenues.

"It's important to get these criteria because the decisions that the government makes on whether to disclose vulnerabilities can have a large impact on the individual users' security," said Crocker. Despite reports in the press, "there has been very little transparency from the government itself," he said. "As with other areas of the ongoing debate, the public needs greater insight into this process in order to form an opinion — one of the core purposes of FOIA."

The suit asks the Court to order the NSA to produce the requested documents quickly and in their entirety, as well as to pick up the legal fees incurred by the action.

[Update: This article has been updated to include additional comments from Andrew Crocker from the EFF.]
