At this time the Internet is filled with news, posts, and queries about the "Heartbleed" vulnerability, which was discovered two days ago by the security firm Codenomicon along with Neel Mehta, a Google security engineer.
This vulnerability is one of the biggest security issues in Internet security history, simply because roughly two-thirds to three-fourths of all websites were vulnerable to this bug. Internet giants like Google, Facebook, Yahoo, and so on were affected by this security loophole.
Following this, a new report from Bloomberg claims that the US National Security Agency had been exploiting Heartbleed for at least two years.
Initially, an NSA spokesman declined to comment on the Bloomberg report, but some time later NSA Public Affairs posted a tweet on the issue, denying any exploitation of the Heartbleed bug.
Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.
— NSA/CSS (@NSA_PAO) April 11, 2014
Additionally, there is no evidence proving that the NSA was aware of this vulnerability, although OpenSSL would have been one of the agency's primary targets because of its broad reach and the sensitive information it protects. Intelligence agencies have been reported to hunt for, and even purchase, software bugs that can be used in their operations.
Moreover, the National Security Council has also issued a denial, which states the following:
Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.
When Federal agencies discover a new vulnerability in commercial and open source software – a so-called “Zero day” vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.
In response to the recommendations of the President’s Review Group on Intelligence and Communications Technologies, the White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.
If it turns out to be true that the NSA was aware of this major Internet vulnerability, then you can imagine how much data they could have collected.
In response to government surveillance programs, in December 2013 Facebook, Google, and other industry firms launched Reform Government Surveillance, which set out principles advocating more transparency and reform of surveillance laws and practices around the world.