Schneier on Security
A blog covering security and security technology.
October 8, 2013
Me on Surveillance
This is a video of me talking about surveillance and privacy, both relating to the NSA and more generally.
EDITED TO ADD (10/13): YouTube link is more reliable.
Posted on October 8, 2013 at 1:05 PM
• 36 Comments
I just watched the whole video, liked it.
About searching instead of sorting and data going into clouds: No, that is not a given. One of the first things I did recently to gain more privacy was to download Wikipedia. That way I can search inside Wikipedia and more or less read what I want when I want without anybody knowing it. Storage is cheap and getting cheaper, so I can store in principle the parts of the internet that interest me at some point in time and look at it and search through it later on, whenever I want. Of course, at the moment, searching is less convenient and downloading also, but technologically that would not be very difficult. I could imagine, for example, to download various news sites and pick the news that interest me later in private, and so on. That would of course, harm some businesses but also open new business opportunities.
For me there is and always will be a hard line between what I produce at home, electronically or otherwise, and what I export out of my home. If companies stop offering that possibility, I simply choose alternatives. Adobe may be deciding in the future no longer to offer Photoshop as a standalone product but only via the cloud, so no business for them with me. Apple may be deciding in the future to close Mac OS in similar ways as iOS (which they have already started), so hello Linux. And maybe a Jolla phone, and so on.
Privacy has that kind of value for me and it does translate to $$$. :)
By the way, so far I have not even used my offline Wikipedia once (except for trying it out), but already having the option makes me feel more comfortable.
Freedom is a strange beast... :)
Maybe the limited privacy for Europeans is allowed only because Europe instantly transfers most of its data covertly to the NSA (like bank transfers which are done by Swift).
no phone as evidence to not wanting to be tracked
Maybe the limited privacy for Europeans is allowed only because Europe instantly transfers most of its data covertly to the NSA (like bank transfers which are done by Swift).
What I would like to know more about is how much of this work is coordinated between the countries. For example, there is already some evidence that the German secret service gets data from the NSA.
Europeans already volunteer more data to their government than what Americans do, for one thing because they have to inform the government when they move to a different address. This is not the only piece of detail they usually like to gather and the situation is the same in Oz (as anyone who has been asked to fill their ridiculously invasive population census form can tell).
A brief notice I read in a European news article about a decade ago stated that Europol was collecting information on every potential criminal. This could easily be taken to mean everyone and considering what we know today, that is probably what it meant too.
So what I am saying is that the amount of personal details may already be higher on Europeans than Americans.
After all, the European privacy regulations probably do not apply to their governments. Or if they do apply, good luck finding out what Europol et al. are doing. I think those countries need their own Snowden.
@ Bruce Schneier
Speaking of surveillance...
Funny behavior this last week, and I have a number of systems and configurations--the network environment is significant in its design and security. Using a role-based model, each layer adds a level of resistance to attacks in a progressive manner, with instrumented devices and logging from front to back. This kind of acts as an early warning system. This week Adobe began leaking data from a host well back of my outermost layer--I don't have any "systems" on the first hop inside--it's more a honeynet (there is IPS/IDS scanning and filtering on the inside layer). I also updated my version of Adobe right about the time of the disclosed breach. Hmmm...
Systems on the network connect one hop away from the first inside layer for my research systems (iPhone and a Kindle) that have ready access to sites, but the first layer filtering kills most tracking/privacy sites/scripts. The next layer is also a research system and it is locked down with group policy standards (that tells you it is Windows). The next layer is the instrumented layer. This layer is fully logged and alarmed (two logging devices, a management server, etc. IPS/IDS is bidirectional with only specified port service access for devices); the layer below that--is the data and information layer. This is on another abstracted network layer...it is a "white list" only layer--including certificates and certificate authorities...it is tight. The last layer is for all practical purposes an internal-network-only layer--no proxy access or network traversal...basically I can print from it.
I say all this because there have been some anomalies recently--and it could be related to my involvement here...My copy of Liars and Outliers is missing from my Kindle--no reasons logged on the Kindle (I have a shell for the version of Android running on my Kindle and I diff the logs from each start-up). I know, I am one paranoid mother--but I am not without cause. I have even had to retire my tin-foil (aluminum) hat. Anyway, I was also stating some dirs and I had a duplicate file name--I looked five times--and it was still there. But I messed up--before capturing the screen to record the anomaly I issued a set of commands and when I scrolled the frame buffer back, it was gone. I may be a bit paranoid but this is not your typical set of system or application behavior. My reason for sharing goes to the fact that the e-book missing from my Kindle is Bruce's book.
@ unimportant, @ Ulysses Underscore
Maybe the limited privacy for Europeans is allowed only because Europe instantly transfers most of its data covertly to the NSA (like bank transfers which are done by Swift)
It would seem that you are not very informed on the matter. Article 8 of the European Convention on Human Rights (ECHR) provides a right to respect for one's "private and family life, his home and his correspondence". In the US, there is no federal or statutory law granting an explicit right to privacy.
Under EU law, personal data can only be gathered legally under strict conditions and for a legitimate purpose. Furthermore, persons or organisations which collect and manage personal information must protect it from misuse and must respect certain guaranteed rights of the data owners. The EU's Data Protection Directive (DPD; officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data) also foresees specific rules for the transfer of personal data outside the EU. As we speak, there is a new General Data Protection Regulation (GDPR) in the making that will supersede the DPD. Neither the DPD nor the GDPR has a legal counterpart in the US, with the sole exception of some provisions in the 1974 Privacy Act.
The SWIFT information exchange is governed by the 2010 EU-US Agreement on the Processing and Transfer of Financial Messaging Data from the EU to the US for purposes of the EU-US Terrorist Finance Tracking Program. According to Snowden's documents, the NSA however seems to be snooping on SWIFT outside of this agreement too.
After all the European privacy regulations probably do not apply to their governments.
You must be joking. Of course they do, and every EU member state/government has a formal obligation to enforce the provisions of the 1995 Data Protection Directive and the 2002 Electronic Communications Directive (Directive 2002/58 on Privacy and Electronic Communications). Something they were reminded about in the 2009 Madrid Privacy Declaration.
In short: from a strictly legal (and academic) perspective, the EU citizen is much better protected from invasions of his privacy and data than the US citizen is. But since the USG, the NSA and its EU spy partners like GCHQ obviously don't give a rat's *ss about our laws and sovereignty, the reality is that at least in theory - and according to James Clapper - Americans would enjoy better protection.
You stated that you think everything will naturally move to the cloud; I think that's correct for the rest of the decade, but I think that the long term evolution will be towards complete decentralization of our data with massive peer to peer networks. Our private data that we want to access everywhere will be on a giant, redundant, distributed filesystem, encrypted or not, depending on the content. It's probably not feasible today on a large scale, but I do think it will be in the future. The good thing about this is that you have no illusion about what's visible by everyone and what's visible by only the people you want to see it; the only thing worse than a lack of privacy/security is an illusion of privacy/security.
Personally, I would love to see someone come up with a peer to peer social networking app that encrypts your data so only the people you want to see it can see it. I do think that The Silk Road could very likely be replaced by a peer to peer commerce/classified ad system, in which users are anonymous, and each transaction is represented by a public key, in which the buyer holds the private key and signs the comment/seller rating. Not sure how you would do an escrow system with that, so it may be buyer beware. The trick is doing it in a way in which just storing that information is not a crime, e.g. it should be difficult enough to go from the encrypted blocks to the search index so that you can say "Hey, I had no way of knowing what was stored, it could have just as likely been legitimate." Ideally you would advertise the system as an alternative to ebay or craigslist rather than a place to buy drugs.
EU mandatory data retention laws are insanity defined. What we need is Iceland to start massive cloud infrastructure. No EU data laws, very strong free speech laws, very strong privacy laws, and MLAT is only approved for criminals, not whistleblowers or FBI agents trying to break into Wikileaks servers.
Also a good location, central between N. America and Europe. Norway, Iceland and Brazil are basically some of the few countries that can be trusted. Sweden used to be a country that could be trusted then judges were found to be working for copyright cartels, politicians receiving bribes from RIAA/MPAA..
Criminals can still use non MLAT countries like Belarus or Russia. Iceland is just to protect the rest of us from warrantless mass spying and easy political blackmail. Lavabit fought tooth and nail to stop from having their private SSL keys handed over. Google/Apple/MS probably doesn't care, oh you want secret unrestricted access to all traffic ok we won't fight you because we don't want to lose government contracts.
>Personally, I would love to see someone come up with a peer to peer social networking app that encrypts your data so only the people you want to see it can see it. I
That software already exists, called Syndie. Also, GnuNet can do this but it's not ready yet. Nightweb is decentralized but I don't believe it's encrypted. It's written in Clojure, though; it wouldn't be hard to implement.
"But since the USG, the NSA and its EU spy partners like GCHQ obviously don't give a rat's *ss about our laws and sovereignty, the reality is that at least in theory - and according to James Clapper - Americans would enjoy better protection."
On the other hand, all such data is illegally obtained evidence. Parallel construction would void the other evidence and I know that in many countries, judges will throw out cases based on illegal snooping. So, such data can never show up in a court case, or any other halfway official function.
"On the other hand, all such data is illegally obtained evidence. Parallel construction would void the other evidence and I know that in many countries, judges will throw out cases based on illegal snooping. So, such data can never show up in a court case, or any other halfway official function."
Unfortunately it is not that easy. In Germany there are much less strict "poisonous fruits of the tree" regulations compared to the Anglo-Saxon legal system.
Is there any chance you could post a download link for the video please? (... and, where possible, do this in future)
For various good reasons (squid-blocking third-party rubbish, NoScript paranoia, and disabling flash which is buggy and exploitable) I cannot see or play embedded video. Thx.
On the other hand, all such data is illegally obtained evidence... ...So, such data can never show up in a court case, or any other halfway official function.
Sadly not true of the UK any longer. When Tony Blair was Prime Minister, he and his old flatmate Lord Falconer so damaged the UK legal system that not only is hearsay against the defendant(s) allowed as part of the legal process, the defendants are effectively denied not only the same right but, worse, the right to challenge the hearsay...
I've seen this in play by the UK's OfCom where Clive Corrie stood up in court and provided false and misleading evidence against the directors of a company...
Bruce, your hour long talk at the Congress on Privacy & Surveillance was extremely broad and thought provoking. I will just comment and enumerate on a few points.
I agree on these points:
1. Meta equals surveillance (including time, geoposition and individual tagging).
2. The laws are not keeping up with technology.
3. Industry naturally mines data for targeting of said individual for advertising profit.
4. All computers, iPhones and Android phones, Kindles and other digital devices leave digital footprints.
5. The data is not ephemeral like the old phone conversation. It is basically stored on hard drives forever and data mined. And, the data is owned by those who control the hard drives.
6. The military industrial complex is dependent on Google, Facebook and Microsoft and the reverse is also true.
I’ll stop right here.
The ugly problem is that our data is being weaponized at an increasing rate due to so called “National Security” reasons. That weaponized data is now being used against us. Further, we don’t know who will be using the weaponized data and for what reasons (and how far into the future).
The situation is somewhat like the Manhattan Project, where uranium was concentrated by the industrial military complex to produce a horrendously powerful atomic weapon. Worse, that data weapon could be used against the American public or innocents in other locations. This is not a pretty picture.
My short term solution is to recommend that the NSA or related secretive agencies be quickly defunded or their budgets significantly reduced! We have enough budget problems as it is.
Next, I will comment on the enumerated issues:
1] Politicians who claim “meta-data” collection is not surveillance are lying. They need to be held accountable for such lies. This is particularly dangerous when the geoposition of an individual (or a tag leading to an individual) is collected. Stiffer laws regarding the collection of “meta-data” and geoposition must be enacted.
2] It's very clear to me that lawmakers such as Diane Feinstein and others need more than a law degree to make coherent digital laws. They need technological training. That is not going to happen without a struggle.
3] The industrial giants that collect personal data and mine said data should not be allowed to sell that data to the military!
4] The digital footprints are certainly there. But there must be limits and laws to protect the privacy of those digital footprints. This is a complex subject – but one that needs to be debated.
5] There should be an expiration date on data of civilian nature. If civilian data can be held forever you revert back to a militarized data infrastructure – or even a criminal one. Sure, history must go on but we don’t need to record every single American’s phone, text, voice, email, and medical record time stamped; geolocated and stored in a “Lock Box” for five or more years! That granularity of that data is dangerous and violates privacy.
6] There must be a bright line between the civilian and military operations - period. It is very dangerous to allow the military to exploit civilian data! No more civilian to military data transactions or violations of privacy - without Very Stringent Safeguards! And, no more legal “immunity” for large corporations who conduct privacy breaches!
Here is an idea:
Since many gov officials and politicians (e.g. Sen. D. Feinstein) do not want to understand the importance of privacy to the average citizen, we need to teach them a lesson:
Establish a donation fund (possible source - all those who donate now to projects promoting technical solutions to hide one's own digital presence) which will pay for private investigators to collect metadata about targeted officials/politicians, and to post the findings publicly. Since, per the noted Senators, metadata is not surveillance, there is no problem doing so.
I bet that said targets will change their opinion after their cellular metadata, locations, travel itineraries and search terms etc. will be shown to all - especially at times just before elections when dirty deals are rampant.
This may do more good to privacy issues than devising all kind of technical solutions to bypass surveillance.
Can we get you to provide automatic translation of non-English posts so the rest of us who are ignorant of foreign languages can also read those posts? Such posts present the appearance that the blog is being used as a "private" conversation or messaging portal.
If you refer to the Japanese posts, they are all spam and need to be deleted.
Oh, and the posts in Russian are also all spam. Just hover your mouse over the name and see the underline link - they try to push Nike shoes...
"You stated that you think everything will naturally move to the cloud; I think that's correct for the rest of the decade, but I think that the long term evolution will be towards complete decentralization of our data with massive peer to peer networks. Our private data that we want to access everywhere will be on a giant, redundant, distributed filesystem, encrypted or not, depending on the content."
Not so sure. The idea of FreedomBox (see here and here), for example, would be to store your private data inside your house inside your FreedomBox hardware, because laws in most countries typically give you better legal protection there, plus optionally would allow you to store some encrypted backups in some friends' FreedomBoxes in their homes. Of course, the idea would also be to enable social networks between friends resp. their FreedomBoxes using a peer-to-peer system, i.e. bypassing the current CA hierarchy, etc.
By coincidence, I was at the 20th Debian Birthday event this summer, because it was in Switzerland and an ex coworker is a big fan of Debian and attended the debconf13 conference. There I heard the talk about FreedomBox by Bdale Garbee (link to ogv video). Seems like they would want to go all the way with FreedomBox, including in the end using only hardware without NDAs, as he said in the talk.
Incidentally, as he also said, there had been a forest fire this year in early summer that had started very close to his home and completely destroyed it. Otherwise he would have wanted to go forward with FreedomBox this summer and produce a first software release (for Debian).
Quite obviously, that could be the start of a conspiracy theory, but to me personally, this tells me mainly that the project is maybe really hitting a "nerve" of this time, because it could really have a big impact on the balance of "security through privacy" vs. "security through surveillance".
To me personally, something like FreedomBox feels like something I would like to have in my home.
Jacob: I still reckon all spam is full of steganographic orders to sleeper agents. :-)
@Albert, many thanks.
@Jacob - the embedded "Nike" and "brand" words are a clue.
Then again Nike was the g(r)eek goddess of victory. maybe it's Ed S. sending coded messages ... :)
Bookshop man: Who sent you?
Lemming: The lady in the tobacconist's.
Bookshop man: Did she have a hook ... and a duelling scar? ...
Alain: I have something very similar to a 'freedom box' - just an old Pentium that I have installed FreeBSD on. It ensures that the second NIC is firewalled with packet filter so traffic is either transparently put through my anon setup or dropped if it can't be (e.g. UDP, ICMP, etc.) and allows me to have confidence that you just can't have if you are using the Tor client (and/or browser bundle) on a PC (leakage of IP through JS, browser exploits, Flash, etc.). It also runs a torified DNS resolver and also presents SOCKS and HTTP (via Privoxy) interfaces for computers on my normal net (on the primary NIC) that don't require high anonymity (usually just if I want to quickly see if a website is working from outside our network I will go into my Firefox config and tick the proxy to enabled).
My setup involves the box setting up a Tor connection. Through the Tor circuit an SSH connection is established to an intermediate host (an OpenBSD free shell account that was obviously signed up for through an anon proxy so there's no trail). It starts a Tor client and I use SSH port forwarding to bring it back to the BSD box. I also have another free shell account on another system which I can route my traffic to. From that I can terminate traffic on its IP (which isn't known as a Tor exit node) if I want to, which makes it great for sites which block known Tor egress points.
Why? Just for the hell of it. ;-). and it is fun for pen testing (esp as the shell account doesn't block all the ports tor does). Downsides? Latency about 350ms....
@Aspie "@Jacob - the embedded "Nike" and "brand" words are a clue."
At some point in the future, Bruce may want to put in quarantine posts with links outside of a whitelist of hostnames he will have to maintain.
Or, if he does not have that availability, the spam will grow to the point where discussion will no longer be possible, and Bruce will eventually forbid comments.
Bruce, I wish you could be on Coast to Coast AM. Every once in a while they actually have a guest who is a real expert in a field, like Dr. Michio Kaku, and it would be excellent to hear you talk about the NSA and your latest book about trust. You are a really good speaker, and your delivery is great.
Couldn't agree more:
The belief in the United States is [that] more intelligence is better....
I think the rest of the world would agree.
Or we could authenticate ourselves (retina scan I propose) and post that way.
I think Bruce wants this to be an open forum so that comments are not unnecessarily precluded by firewalls or MITMA blockers.
Besides I'm sure he can find a way to trace the source of these spams and ... uh ... deliver a message.
Mike: Yeah, that sounds pretty safe :)
Is there a transcript somewhere? I haven't been able to get the video to play, despite multiple attempts from multiple machines on multiple days.
Disregard my request for a transcript. I see someone posted a YouTube link and that plays just fine.
Can some public-spirited individual post youtube links for the other CoPS talks?
To answer my own question, in the source code of each video web page there is an HTML5 VIDEO element with a data-youtube-id attribute, from which the YouTube URL can be derived, e.g. for the Caspar Bowden video:
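As an added illustration of the derivation this comment describes (example code, not from the blog or from the conference site), the following Python reads a page's `<video>` element, takes its `data-youtube-id` attribute and builds the watch URL. The sample HTML is constructed; the attribute name is the one the comment gives, the 11-character id alphabet is YouTube's convention, and the value is validated before it becomes a URL so that a malformed or injected attribute cannot turn into an arbitrary link.

```python
"""Derive YouTube watch URLs from the data-youtube-id attribute of HTML5
<video> elements. Added example; the sample page below is constructed."""
import re
from html.parser import HTMLParser

# YouTube video ids are 11 characters from this alphabet. Anything else is
# rejected, so a hostile or garbled attribute value cannot become an
# arbitrary URL (assumption: this format check is our own, not the site's).
YOUTUBE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{11}$")


class VideoIdExtractor(HTMLParser):
    """Collect data-youtube-id attribute values from <video> start tags."""

    def __init__(self):
        super().__init__()
        self.ids = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "video":
            return
        for name, value in attrs:
            if name.lower() == "data-youtube-id" and value is not None:
                # html.parser has already decoded entities such as &amp;
                self.ids.append(value.strip())


def youtube_urls_from_html(page_html):
    """Return watch URLs for every well-formed id on the page.

    Ids that fail the format check are dropped rather than passed through.
    """
    parser = VideoIdExtractor()
    parser.feed(page_html)
    parser.close()
    return [
        "https://www.youtube.com/watch?v=" + vid
        for vid in parser.ids
        if YOUTUBE_ID_RE.match(vid)
    ]


# Constructed sample page: one well-formed id (a placeholder, not a real
# video), one hostile value that must be rejected, and a <video> element
# without the attribute at all.
SAMPLE_PAGE = """
<html><body>
<h1>Talk page (constructed sample)</h1>
<video controls data-youtube-id="EXAMPLE1234" poster="/p.jpg"></video>
<video data-youtube-id="abc&amp;redirect=evil"></video>
<video src="/local.webm"></video>
</body></html>
"""

if __name__ == "__main__":
    for url in youtube_urls_from_html(SAMPLE_PAGE):
        print(url)
```

Running it prints only the URL for the placeholder id; the entity-containing value is decoded by the parser, fails the format check and is discarded, which is the behaviour you want before pasting a derived link anywhere.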
Aspie: given the trolls we have had recently I think it's expected that we will soon have them impersonating regulars (Clive, Dirk, etc.) for their own amusement. If this becomes an issue - rather than authenticating users I think it wouldn't be too difficult for an extension to Movable Type that - if a submission is published with the PGP SIGNED header for it to pull it out and, if it's a valid sig, then add an icon (maybe a little tick or something) and put the keyID and fingerprint next to the name. Or we could just have optional registration for those who are victims. Those registered names can't be entered as free text (you'd probably want to strip out everything non-ASCII and ignore spaces and spurious dots so they don't work around it) anymore and those who post as regd users get an icon or color change to signify they are registered. I don't think it is a big deal esp if you maintain the ability for anyone to post without registering and keep it optional. Those who cared could go through proxies anyway...
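Two pieces of the scheme sketched in this comment, as an added example rather than code from the blog or from Movable Type: a name normalizer that strips non-ASCII characters, spaces and dots so a registered handle cannot be imitated by a look-alike spelling, and a splitter that pulls the message and signature armor out of a PGP clearsigned submission so they can be handed to a verifier. The registered handles and the clearsigned text are constructed sample data; the clearsigned layout follows RFC 4880 section 7, and the actual signature check (for instance running `gpg --verify` on the extracted parts) is outside this block.

```python
"""Registered-name normalization and PGP clearsigned-message splitting for a
comment moderation extension. Added example; sample data is constructed."""
import re
import unicodedata

# Constructed list of registered handles (names mentioned in this thread).
REGISTERED = ["Clive", "Dirk", "Mike the goat"]

CLEARSIGN_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"


def normalize_name(name):
    """Reduce a display name to a canonical ASCII key.

    NFKD decomposition turns accented and fullwidth letters into a base
    letter plus marks; the non-ASCII remainder is dropped; then spaces and
    dots are removed and the result lowercased, so 'C l i v e', 'Clive.' and
    a fullwidth 'Ｃlive' all collapse to 'clive'.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = decomposed.encode("ascii", "ignore").decode("ascii")
    return re.sub(r"[\s.]+", "", ascii_only).lower()


def free_text_name_allowed(name, registered):
    """True if an unauthenticated poster may use this display name.

    Any name whose normalized form collides with a registered handle is
    refused, even when the spelling differs: that is the impersonation case.
    """
    taken = {normalize_name(r) for r in registered}
    return normalize_name(name) not in taken


def split_clearsigned(text):
    """Return (message, armored_signature) for a clearsigned submission,
    or None when the text is not in clearsigned form.

    The message begins after the first blank line following the BEGIN line
    (the lines between hold 'Hash:' headers) and ends before the signature
    armor. Dash-escaped lines ('- ' prefix) are unescaped, per RFC 4880.
    """
    lines = text.splitlines()
    try:
        start = lines.index(CLEARSIGN_BEGIN)
        sig_start = lines.index(SIG_BEGIN, start)
        sig_end = lines.index(SIG_END, sig_start)
    except ValueError:
        return None
    body_start = start + 1
    while body_start < sig_start and lines[body_start].strip() != "":
        body_start += 1
    body_start += 1  # skip the blank separator line itself
    if body_start > sig_start:
        return None
    message_lines = [
        line[2:] if line.startswith("- ") else line
        for line in lines[body_start:sig_start]
    ]
    return "\n".join(message_lines), "\n".join(lines[sig_start:sig_end + 1])


# Constructed clearsigned submission; the armor payload is a placeholder,
# not a real signature, so only the structure can be exercised here.
SAMPLE_SUBMISSION = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I think the scheme is workable.
- -- Dirk
-----BEGIN PGP SIGNATURE-----

PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER=
=XXXX
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    for candidate in ["C l i v e", "Clive's fan", "mike the.goat"]:
        print(candidate, "->", free_text_name_allowed(candidate, REGISTERED))
    message, signature = split_clearsigned(SAMPLE_SUBMISSION)
    print(message)
    print(signature.splitlines()[0])
```

The two functions are independent: the name check runs on every unauthenticated post, while the splitter only matters for posts that carry the signed header, whose signature block is then passed to an OpenPGP implementation together with the extracted message text.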
@Mike the goat
That sounds like a workable scheme.
I also thought about Bayesian analysis of postings. Individual writing idiosyncrasies could make our posts more identifiable. If the Bayesian filter became confused/undecided it could request an additional verification step - such as your key idea?
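The confused/undecided outcome is the interesting part of that idea, so here is an added example (not code from the blog) of a multinomial naive Bayes model over word and punctuation tokens that attributes a comment to one of two regulars, and reports "undecided" when the top two log-posteriors are closer than a margin, which is where a second verification step such as a signed comment would be requested. The author handles, their training comments and the margin value are all constructed assumptions.

```python
"""Naive Bayes author attribution with an undecided band that triggers
further verification. Added example; authors and texts are constructed."""
import math
import re
from collections import Counter, defaultdict

# Words, plus runs of punctuation kept as tokens of their own: a habit such
# as trailing "..." is exactly the idiosyncrasy the comment has in mind.
TOKEN_RE = re.compile(r"[a-z']+|[.!?;:,]+")


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


class AuthorModel:
    """Multinomial naive Bayes over tokens with add-one smoothing."""

    def __init__(self):
        self.doc_counts = Counter()
        self.word_counts = defaultdict(Counter)
        self.total_words = Counter()
        self.vocab = set()

    def train(self, author, text):
        toks = tokenize(text)
        self.doc_counts[author] += 1
        self.word_counts[author].update(toks)
        self.total_words[author] += len(toks)
        self.vocab.update(toks)

    def log_posteriors(self, text):
        """Unnormalized log P(author | text) for every known author."""
        toks = tokenize(text)
        n_docs = sum(self.doc_counts.values())
        vocab_size = len(self.vocab)
        scores = {}
        for author in self.doc_counts:
            score = math.log(self.doc_counts[author] / n_docs)  # log prior
            denom = self.total_words[author] + vocab_size
            for tok in toks:
                score += math.log((self.word_counts[author][tok] + 1) / denom)
            scores[author] = score
        return scores

    def attribute(self, text, margin=2.0):
        """Return (best_author, confident).

        confident is False when the best and runner-up log-posteriors differ
        by less than `margin` nats (an assumed tuning value).
        """
        ranked = sorted(self.log_posteriors(text).items(),
                        key=lambda kv: kv[1], reverse=True)
        best_author, best_score = ranked[0]
        runner_up = ranked[1][1] if len(ranked) > 1 else float("-inf")
        return best_author, (best_score - runner_up) >= margin


# Constructed training comments in two deliberately different styles.
TRAINING = [
    ("clive", "The problem is that the law does not understand the "
              "technology... and it gets worse every year..."),
    ("clive", "As I've said before... the real issue is the meta data and "
              "who gets to keep it..."),
    ("clive", "It's the same old story... politicians do not understand the "
              "tech and the techies do not understand the law..."),
    ("dirk", "Under EU law, personal data can only be processed under strict "
             "conditions and for a legitimate purpose."),
    ("dirk", "Article 8 of the ECHR provides a right to respect for private "
             "and family life, home and correspondence."),
    ("dirk", "The Directive also foresees specific rules for the transfer of "
             "personal data outside the EU."),
]


def build_model():
    model = AuthorModel()
    for author, text in TRAINING:
        model.train(author, text)
    return model


def moderate(model, text, margin=2.0):
    """Moderation decision: accept under the attributed name, or ask for
    the extra verification step when the model is undecided."""
    author, confident = model.attribute(text, margin)
    return "accept as " + author if confident else "request verification"


if __name__ == "__main__":
    m = build_model()
    for sample in ["Same old story... the politicians do not understand the "
                   "technology...", "Interesting talk."]:
        print(repr(sample), "->", moderate(m, sample))
```

With so little training text the model is only a demonstration of the decision structure; the point is that a short, style-free comment lands in the undecided band and is routed to verification instead of being attributed on weak evidence.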
During the talk you mentioned that it is not unrealistic to store one user's entire internet trace for a year. Between 40 to 80GB + 5GB for phone conversation / year.
How do you get to those numbers?
Many thanks, M
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.