Schneier on Security
A blog covering security and security technology.
June 15, 2006
NSA Combing Through MySpace
New Scientist has discovered that Pentagon's National Security Agency, which specialises in eavesdropping and code-breaking, is funding research into the mass harvesting of the information that people post about themselves on social networks. And it could harness advances in internet technology - specifically the forthcoming "semantic web" championed by the web standards organisation W3C - to combine data from social networking websites with details such as banking, retail and property records, allowing the NSA to build extensive, all-embracing personal profiles of individuals.
Posted on June 15, 2006 at 6:13 AM
• 43 Comments
We must admit. NSA guys are amazing hackers. It's impressive the number of ways of getting what they want that they invent. :-)
In a similar manner to the "facts" written into Wikipedia, people could write up their version of the truth in a blog or social network profile so it could then be harvested. It's also well known that people like to live out their fantasies and have alter egos on such sites. Surely this could lead to the pollution of the database and could lead to dangerous conclusions... I shall now retire to my wood panelled library.
I don't have any problem with them collecting information that people freely put into a public forum. It's just when they eavesdrop on (theoretically private) phone calls and emails without a warrant that it's a problem.
Plus there should always be a time limit on how long the govt can retain dossiers on people who are not suspected of a specific crime.
And of course severe punishment for employees of these agencies who use the information for non-professional purposes or take it home on laptops and have it stolen...
... and what a prize all that data will be for identity thieves.
The data brokers don't have a time limit on their dossiers -- why should the government (especially if the government can subpoena data broker records)?
The NSA guys have unlimited funds and total freedom to do whatever they want without regard for law... I would say they are just hacks.
By having all their exploits make it to the public the "NSA Guys" are alerting the bad guys that they are being watched and studied.
Over time this will backfire and key information will be tainted or hidden from them.
The NSA Guys in my mind should be like ghosts in the machine... you should never even know they were there.
Instead they are in the news more than Paris Hilton. Hacks.
WHY, though, is it necessary for me to fund this?
How does society benefit?
I don't need a Big Brother, thanks.
You don't think we should live in an open society?
Otherwise, I think it may be time to revoke the NSA's charter.
Oh come on - what would make anybody think that what people post about themselves on MySpace etc has anything to do with the truth? Aficionado is quite right; if the NSA wants to do this it will end up with a seriously weird database.
Unless, of course, they have ways of applying a virtual polygraph to all of that stuff....
All my bank accounts just went to Zero, the IRS is knocking on the door to audit, I got drafted, deported, and evicted all in the five minutes after I posted my comments on the NSA!?!
Sounds like more movie-plot "security" - just the sort of thing the kiddies at NSA would think up - but how real is it? How would they know that the "Libby Miller" who has a blog on LiveJournal is the same Libby Miller who is a terrorist suspect (because she visits a friend whose apartment is in the same block as Yusuf Ali's, whose third cousin, one Friday, was one of 200 people who happened to attend the same mosque as Khalid Sheikh Mohammed)? There's no way that they can link all this information automatically until people who post on websites are obliged to identify themselves unambiguously. Of course, if the NSA kids spend endless man-hours (women have more sense) actually *reading* all that trash they might discover inter-references - which might or might not be accurate, but they wouldn't care about that.
Who exactly is the NSA going to catch with this sort of data? At best only the stupidest of terrorists or child pornographers. You know...the ones that aren't terribly effective, anyway, because everybody knows they are nut cases.
But I don't believe any of the recently publicized widespread surveillance is about catching terrorists or child pornographers. It is about stifling dissent. The point is to have a chilling effect on people expressing dissent and/or to identify dissenters to harass. I believe more peace activists have been investigated than actual terrorists, and it is precisely such people who can be effectively identified through things like MySpace and telephone call traffic analysis.
Anonymous is right: "But I don't believe any of the recently publicized widespread surveillance is about catching terrorists or child pornographers. It is about stifling dissent." But did he just catch on to this?
Historically the foremost users of terror have been police agencies out to get increased control of "their side."
If Al Qaeda has a MySpace, we want to know about it!
You all seem a bit paranoid to me. From the article (you did read it, right?):
"The research ARDA funded was designed to see if the semantic web could be easily used to connect people. The research team chose to address a subject close to their academic hearts: detecting conflicts of interest in scientific peer review. [...] So the team developed software that combined data from the RDF tags of online social network Friend of a Friend (www.foaf-project.org), where people simply outline who is in their circle of friends, and a semantically tagged commercial bibliographic database called DBLP, which lists the authors of computer science papers."
It's quite a leap from peer-review conflicts based on volunteered FOAF data to "extensive, all-embracing personal profiles of individuals." Besides, if you put it on the web it's public--that means even the NSA can read it.
Makes you wonder what the NSA has been up to on the web before now. I doubt they've been averting their eyes from all that juicy data all this time.
I've wondered in the past about NSA web-spiders. With computing resources that are presumably in the KiloGoogle range, it seems reasonable to suppose that the NSA has been constructing its own private dynamic web index, customized for its own notion of relevance (presumably not identical to Google's).
Not being a webmaster, I don't have logs to peruse for robot activity, and I don't know that much about what I would look for. Presumably Yahoo, Google, MSN and the rest spider away from known subnets. If those subnets are filtered out, it seems to me that one could reverse-datamine the NSA, by checking web logs for discrete spider activity from government subnets, or from IP addresses assigned to beltway bandits not otherwise associated with web search, but known to contract with the government.
Could be an interesting distributed computing project.
@JakeS: How do you know so much about "Libby Miller" and who do you work for?
Hmm... Wonder what Al Qaeda uses to communicate.... Gotta be the smileys.
Frankly if it's out there, it's out there.
What's more distressing is whether what is done with this info is legal. Last Sunday the NYTimes had an article that talked about employers digging through MySpace to pry into their prospect's private lives. In many places they could not, in a job interview, ask an applicant if they were gay, or ask if they were a religious fundamentalist. But when they seek and find this stuff on the web they open themselves to subtle bias and blatant discrimination that may be against their company's policies and their local government's laws.
My question is, what kinds of mis-uses could the NSA have for this stuff? Disruption or subversion of legal protest activities that are part of real democracy is one, but nothing new. Are there others?
This reminds me of an old program called "Racter". Racter was an Eliza-like program, except it was insane. But by speaking insanely to it, you could cause it to go off into some very weird verbal gibberish that had no resemblance to sentience at all. That is the fun part of these "data mining" programs. If you throw enough lies and insane babble at them, they get very confused. I expect that "gaming the data mining bots" will become a new game, similar to what is done to Google or Amazon recommendations on occasion.
Yet another place to put "spook" strings to attract the attention of "nosy-neighbor" programs.
counter intelligence Noriega BCCI Europol Reno Lon Horiuchi e-bomb pink noise SDI UOP clones CDMA digicash corporate security crypto anarchy
@Lou: the name comes from the foaf project that's mentioned in the New Scientist story (see http://www.libbymiller.com/) - the rest is just the kind of fantasy that passes for intelligence these days. ;-)
The NSA is an agency in search of a mission. Sadly, it appears to believe that its future lies in providing political and social intelligence to corporations rather than operational intelligence in defense of the national interest.
I am comforted by the idea that somewhere out there, there is an operations center with skilled, highly dedicated people who keep tabs on the Internet and watch carefully for signs of terrorist activity.
Too bad their native language is Chinese.
Another reason why I NEVER post personal information anywhere; it's not just about the NSA but anyone. What can I say, I am definitely paranoid.
If there's ever an NSA-built link into SemWeb, then I'm sure "Libby Miller" is going to be _the_ most well-documented person alive.
What's the FOAF markup for "My friend went to Guantanamo Bay and all I got is this lousy orange boilersuit" ?
So all I have to do is write up a nice MySpace account for the next President of the United States and the government will suddenly believe that he/she is a pedophile? Somehow I think the government is, or should be, a tad smarter than that.
OTOH, there are stupid people in the world, and rounding up the ones using MySpace for creating high school Al Qaeda-like cells might work. The problem is still the fact that what's presented doesn't always correlate to reality. It's not like anyone blogging or using FaceBook has to take a polygraph to verify the truth of their posting.
In the article:
"...whose blogs they might follow. People often list other facets of their personality including political preferences too..."
Well, since I come here (Schneier's blog) I've seen some strange information logs on my server. Things like: usdoj.gov and such. Am I suspect? :-)
They use Gestapo methods, scary people from NSA. Well they can put it on my resume, see if I care.
"Public agencies are very keen on amassing statistics - they collect them, add them, raise them to the nth power, take the cube root and prepare wonderful diagrams. But what you must never forget is that every one of those figures comes in the first instance from the village watchman, who just puts down what he damn pleases."
- Sir Josiah Stamp
I was about to say "look, I think you're going a bit too far with your Gestapo comparison", but then I was reminded again of abductions, secret jails, torture, and people incarcerated without any access to the legal process... so yes, these are getting close to Gestapo methods. Wonder when we're going to hear the government celebrating the first child that turned their parents in.
But all this is really nothing compared to the "signing statements". What is particularly amazing to me is that there is ANY congressional support for the bold statement of the Bush administration that "Oh yeah, we fought hard to get the Patriot Act through, and had to make some concessions, but, psst, you know what? We don't really give a damn anyway. The President has the right to do whatever he thinks is necessary." Ever heard of balance of powers?
The sheer magnitude on which they are operating all this really scares me. Every time it starts to fade in my mind, Bruce pops another article about the NSA, and I'm back :D
Your headline is a misleading representation of the story. NSA-funded academics writing a report on the possibility of combing through social networking sites does not equal "NSA Combing through MySpace."
My analysis of the story, written a few days ago, is here:
Ha, it's not just the NSA looking at MySpace. Read a story in the last week somewhere to the effect that smart corporations also look into Google & postings on social networks before hiring people. The story related how some kids had lost good job opportunities because of what they had posted or what was found out about them online.
Also a lot of people who post their resumes online are giving away useful info to data gatherers and identity thieves.
My ROT is never use my real name and never post my resume, real email address, photo or basically, any identifiable info online. I've Googled myself and thankfully, there is nothing to be found, despite many thousands of posts I have made in a variety of places over the years.
It should be interesting what shows up in the future when today's young people decide to run for political office!
Will the REAL Libby Miller Please Stand Up? Sorry - I couldn't resist!
I agree with the many posting that any form of data farming through the "social networks" can create highly skewed results. My concern is the idea of purposeful skewing on the part of the "bad guys" by strategically posting skewed information to send the NSA and others considered to be "do-gooders" off on wild goose chases (WGC's).
Seriously Now... Aside from all of this - the people who really NEED / WANT to communicate privately can encrypt their communications. If done properly even the NSA can not read it. By "properly" I'm not talking about any form of SSL or Public Key Encryption... I'm talking True One Time Pad stuff. As long as the protocols are followed it is unbreakable.
I for one, welcome our new ubergeeks.
But more seriously, I like to piggy-back my pizza orders through Al Qaeda channels. I'd like to know what they're gonna do about that.
Oh and I'll have a margherita/pepperoni supreme, with a can of Coke.
@bg "I was reminded again of abductions, secret jails, torture, and people incarcerated without any access to the legal process... so yes, these are getting close to Gestapo methods."
Let me know when we are there.
No surprise is exactly right.
Private investigators use information sources readily available to them...heck, profit and even non-profit orgs do investigations with data from sites like MySpace. Public investigators are just following suit. I wouldn't expect anything different. However, even if you say the public investigators should not be allowed to behave like this or that, the bigger/new question is whether they will exploit the loophole of using private or foreign orgs as a proxy.
I'm sure they produce vectors of potential threat containing people, and are doing a good job by that. You can do it yourself by googling someone and connecting the dots and trails they have made in the past. But having this info is trivial and low risk because smart people will not talk about attacks or plans to bomb things, they are not capable of this by the latter if they do not take in consideration what to say on a global net.
I can imagine that they scan foreign blogs, like Arabic blogs and personal sites, trying to link them to organizations and build vectors of group structure. But if John Doe talks about how he grows pot on his private blog, who cares, waste of time.
So if they are doing this on MySpace and e-friends and the like, they have other intentions. Being big brother like, and vectorizing people on the net.
Which is the same thing by tagging or barcoding people in real-life.
There are definitely some ingenious hackers in certain places; my main computer isn't even connected to the net and doesn't have wireless. Yet after researching areas such as semiotics, binaural sound, global 3, and mind control, someone got into the computer, proving signals can reach the computer and be transmitted in ways we cannot stop. My G3 cellular phone received some kind of virus which communicates with my computer and heaps of trust certificates from verisign and others which I cannot erase. But hack away, what started out as research into sound production has seeded a quest to free the soul from mind control.
The fact is that the NSA does not care about protecting Americans. They want to develop an all inclusive database to completely control them. It seems most of their time is spent investigating Americans...the only ones that can shut them down. Now there is NSA, FBI, CIA, Homeland Security, DEA, FDA.....Soon America will be a police state. Already the USA has 25% of the world's prison population with only 5% of the world's population. So...you are 5 times more likely to be incarcerated in the land of the free. Go ahead and give up your liberty for freedom and wake up someday as a serf!