
The article confusingly conflates several very different things:

1. Reverse engineering popular antivirus software so the agencies can see what data it sends home.

2. Monitoring the emails of cybersecurity companies.

The first of those is totally fine. It's the agencies' whole mission. The question is not whether they're allowed to reverse engineer software, but who/what they start spying on using the things they learn. If they're spying on Al Qaeda, I don't care if they're using antivirus vulnerabilities, OS zero-days, or a wiretap at the ISP. Seems OK. The choice of technology doesn't seem relevant. And if they're spying on teenagers sending naughty pics to each other, it's equally as not OK no matter which of those technologies is being used.

The second set of behavior is far more worrying though. Our government shouldn't be spying on the internal communications of law-abiding companies.



Eh? Both of them are just as "bad" or "good" depending on who exactly they've been tracking, and what capabilities one thinks an intelligence organization in the 21st century should have.

From reading the published slides it was actually a pretty nifty operation. They've tracked data from security vendors to learn if their tools are being detected and, more importantly, to get information about operations which are being run by other organizations and nations.

For the past decade or so, security vendors, mostly non-US ones, have detected and published research about operations that were run by the US, possibly by the NSA; a smart move would be to gather information about those companies to understand what and how they discover such operations.

Also, since the NSA and similar organizations have better knowledge of how such operations work in the first place, they most likely have a better chance of detecting new malware which might not be picked up or properly classified by your average security vendor/solution.

So again, not really a surprise: if you are going to invest hundreds of millions of dollars in developing an entire operational tradecraft consisting of specialized software and its entire supportive ecosystem, you would monitor organizations that can blow your operation apart, and already have done so in the past.

When Kaspersky finds the latest version of some RAT used by the NSA or the Israeli NSU or by whoever, they blow a huge operation, and again nothing in this is to say that Kaspersky is bad or that they support terrorism, or that they shouldn't release such information, but you can't expect the organizations on the other side of that story to not do anything about it.


How many exploits has Kaspersky found from the Russian FSB? Zero. How many exploits have the FSB used or created? More than zero. Interesting, huh?


The first bit still needs oversight rather than the security agency having carte blanche.

To some extent it's a positive thing that it was a warrant asking a court for continued permission that was leaked. It suggests that, at least to some extent, GCHQ are trying to be above board.

Whether or not the court is acting in a way that balances privacy and security is another matter. I don't know enough to have a firm view.


> 1. Reverse engineering popular antivirus software so the agencies can see what data it sends home.

How is this totally fine? The DMCA in the USA prevents this sort of thing. Look at Russian programmer Dmitry Sklyarov: he was jailed for several weeks and detained for five months in the United States. I'm not a big believer in "intellectual property", but if the act of invention is sacred, and confers property rights on the inventor, then spy agencies need to respect that. Otherwise, either (a) the DMCA is an instrument of oppression or (b) the spy agencies are instruments of oppression, or (c) both (a) and (b).


Most of what spy agencies do would be illegal if we didn't make exceptions for spying.


I'm not sure how to interpret your remark. Generally, we want people to obey the law for a number of reasons, like their own safety, safety of others, morality, protecting rights of minorities (or even majorities), the ability to speak out about wrongs or injustices. Generally, we have laws that we hope encourage us to do good things, and discourage us from doing bad things.

Shouldn't spy agencies do good things, and avoid doing bad things? Letting spy agencies not be accountable for bad behavior seems like a policy that won't work out too well, that will lead to contradictions like eating meat, but hating the butcher for killing animals.

That is, if freedom from being spied on is a good policy for US citizens, it seems like it's a good policy for everyone, regardless of citizenship. The opposite policy (no spying on citizens, but spying on everyone else) ends up making the lack of surveillance a temporary privilege, to be revoked by someone if and when the policy becomes inconvenient.


It wasn't a normative statement. Rather, it was intended to point out what you just did: if you want spy agencies to follow the same laws everyone else does, you're effectively arguing that there should be no spy agencies.


The DMCA outlaws bypassing copy protection schemes and access controls. It explicitly _exempts_ (i.e., does not make illegal) bypassing copy protection for legal reverse engineering activity, including security research.

Read the DMCA. It's surprisingly readable. It does not outlaw reverse engineering.



