Dan Geer Explains the Government Surveillance Mentality

This talk by Dan Geer explains the NSA mindset of “collect everything”:

I previously worked for a data protection company. Our product was, and I believe still is, the most thorough on the market. By “thorough” I mean the dictionary definition, “careful about doing something in an accurate and exact way.” To this end, installing our product instrumented every system call on the target machine. Data did not and could not move in any sense of the word “move” without detection. Every data operation was caught and monitored. It was total surveillance data protection. Its customers were companies that don’t accept half-measures. What made this product stick out was that very thoroughness, but here is the point: Unless you fully instrument your data handling, it is not possible for you to say what did not happen. With total surveillance, and total surveillance alone, it is possible to treat the absence of evidence as the evidence of absence. Only when you know everything that *did* happen with your data can you say what did *not* happen with your data.

The alternative to total surveillance of data handling is to answer more narrow questions, questions like “Can the user steal data with a USB stick?” or “Does this outbound e-mail have a Social Security Number in it?” Answering direct questions is exactly what a defensive mindset says you must do, and that is “never make the same mistake twice.” In other words, if someone has lost data because of misuse of some facility on the computer, then you either disable that facility or you wrap it in some kind of perimeter. Lather, rinse, and repeat. This extends all the way to such trivial matters as timer-based screen locking.

The difficulty with the defensive mindset is that it leaves in place the fundamental strategic asymmetry of cybersecurity, namely that while the workfactor for the offender is the price of finding a new method of attack, the workfactor for the defender is the cumulative cost of forever defending against all attack methods yet discovered. Over time, the curve for the cost of finding a new attack and the curve for the cost of defending against all attacks to date cross. Once those curves cross, the offender never has to worry about being out of the money. I believe that that crossing occurred some time ago.

The total surveillance strategy is, to my mind, an offensive strategy used for defensive purposes. It says “I don’t know what the opposition is going to try, so everything is forbidden unless we know it is good.” In that sense, it is like whitelisting applications. Taking either the application whitelisting or the total data surveillance approach is saying “That which is not permitted is forbidden.”

[…]

We all know the truism, that knowledge is power. We all know that there is a subtle yet important distinction between information and knowledge. We all know that a negative declaration like “X did not happen” can only proven true if you have the enumeration of *everything* that did happen and can show that X is not in it. We all know that when a President says “Never again” he is asking for the kind of outcome for which proving a negative, lots of negatives, is categorically essential. Proving a negative requires omniscience. Omniscience requires god-like powers.

The whole essay is well worth reading.

Tags: , , , , ,

Posted on November 11, 2013 at 6:21 AM59 Comments

Comments

Winter November 11, 2013 7:03 AM

“Omniscience requires god-like powers.”

It looks like those defensive data minders will end up with a very small and limited data universe in which they are the gods.

Gweihir November 11, 2013 8:07 AM

It can, of course, not work in the real world. Sure, semi-competent attackers may be caught that way (Have any so far? I only know of incompetent ones…), but competent attacker will always find a new way to do things. Hidden channels, channels not under surveillance, encryption that is hard to break, etc.. The NSA has no chance against anybody competent.

Unless they are terminally incompetent (something which I by now am unwilling to rule out), they know that. Hence I disagree with Geer. I still think this is about getting the maximum possible level of control over ordinary people and attackers only up to the semi-competent level. That again means this is about establishing a surveillance and police state, not about fighting external threats. The economic espionage results may also be critical, as the US would likely be in even worse economic state without them.

Craig November 11, 2013 8:19 AM

So, in other words, the NSA really is dedicated to making Orwell’s 1984 a reality. And they call this defending our freedom. That’s Newspeak for you.

Jeff A. Taylor November 11, 2013 8:29 AM

Let me make explicit what Gweihir is suggesting: The end product of mass surveillance is the creation of informants. We need to wrap our heads around this unpleasant truth.

65535 November 11, 2013 8:50 AM

I will say that with the Utah facility coming on line NSA will come close to “collect everything” and disclose nothing (unless the right customer/politician is in range).

Here are some questions:

  1. When does defensive cross the line and become offensive? When does the defender become the offender?
  2. What happens when your partners in intelligence sharing 5-eyes group take the same “collect everything” mindset? Does this mindset make them the offender?
  3. What happens if other countries use the “collect everything” mindset? Do Americans become the target? Do American companies become the enemy?
  4. Let’s take an example. How does this “collect everything” mindset work on a navy DDG -1000 where everything is interconnected? “Each CDS system can run multiple Linux virtual machines atop LynuxWorx’s LynxSecure, a separation kernel tthat has been implemented in CDS as a hypervisor. This allows the workstation to connect to various networks partitioned by security level and purpose. “Every watch stander station runs out of the same box,” Raytheon’s DDG-1000 developer lead Robert Froncillo told me. “So they can sit at any CDS and bring up their station.” With men and women of all walks of life – some from China – how does this “total collection” work? Can you trust the human element? It seems like you trust a lot of rocket fuel and munitions to a fully interconnected system connected to an outside system with rotating ship personnel; where you would require “total surveillance of data handling.” -arstechnica

http://arstechnica.com/information-technology/2013/10/the-navys-newest-warship-is-powered-by-linux/

Winter November 11, 2013 8:58 AM

@65535
“What happens if other countries use the “collect everything” mindset?”

More directly, what would have happened if it had been found out that the BND (German Secret Service) had eavesdropped on Obama’s phone for years?

You think the USA government would have send a delegation send to Berlin politely asking to stop eavesdropping on Obama?

All the excuses for storing everything as needed to save the world break down when USA politicians, services, and companies are the victim instead of the perpetrator.

65535 November 11, 2013 9:06 AM

What? Is this insider trading? Is this legal?

“In-Q-Tel sold 5,636 shares of Google, worth over $2.2 million, on Nov 15, 2005. The stocks were a result of Google’s acquisition of Keyhole, the CIA funded satellite mapping software now known as Google Earth.”

“As of August 2006, In-Q-Tel had reviewed more than 5,800 business plans, invested some $150 million in more than 90 companies, and delivered more than 130 technology solutions to the intelligence community. In 2005 it was said to be funded with about $37 million a year from the CIA.”

“Former board members include Norman Augustine, William Perry, Anita K. Jones and Gilman Louie.” – Wikipedia

https://en.wikipedia.org/wiki/In-Q-Tel

Christian November 11, 2013 9:20 AM

“Omniscience requires god-like powers.”

The problem is… it doesn’t!

I would call it enought to have for every single human another human that would do the surveillance i.e. standing behind the surveilled one and looking over his shoulder.

If we are ever able to automate that task, i.e. have some AI system for doing this task as well as a human could do, it will be done and we would get a very thorough surveillance system over any human!

Dear NSA if you read this please don’t understand it as manual/instruction, as you did with 1984!

Alan November 11, 2013 9:59 AM

Dan is also the one who brilliantly wrote that “perfect security is neither desirable nor achievable.” Mortal omniscience is an illusion.

Tony November 11, 2013 10:02 AM

So the NSA and by extension the government know who and where all the paedophiles are and have proof that this is so? Surely that is a very good use of total surveillance and justifys its use?

Meh November 11, 2013 10:02 AM

I fail to see how this total monitoring software can prevent data from being copied from a computer screen to a sheet of paper with stylus ink on it.

Nick P November 11, 2013 10:25 AM

I haven’t read the essay just yet but everyone should remember something about Geer: he’s the CISO of In-Q-Tel. In-Q-Tel is a CIA R&D and venture capital company. Their goal is to come up with the tools needed for the job defensively, analytically, and for boots on the ground.

Just might pay to keep that in mind when reading his views about govt operations such as surveillance. He’s a smart guy, though, so I do look forward to reading the full essay later.

Brian M. November 11, 2013 10:30 AM

Bruce is right, it’s a good essay. From the essay:

Howard Brin was the first to suggest that if you lose control over what data is collected on you, the only freedom-preserving alternative is that if everyone else does, too. If the government or the corporation can surveil you without asking, then the balance of power is preserved when you can surveil them without asking.

We have no balance of power. We are surveilled at the will of those who own the datacenters. They collect the data, they store the data, and that’s all there is to it. Our stuff is in their garage. How they use our stuff isn’t what we can manage.

We should be able to surveil both the government and the corporations. We should have free and unfettered access to everything that is gathered on us.

But of course, we don’t. We are not the customers, we are the product. We have been collected and analyzed, all for the benefit of some company gaining an alleged competitive advantage. And of course the NSA comes along, looking to vacuum up data to try and catch terrorists.

But they aren’t catching terrorists. They are just wasting money, and lying.

Some_Guy_In_A_Diner November 11, 2013 11:15 AM

I don’t have time for these old cold war guys. Zero out their budgets, fire them all, yank their clearance, and lock up the criminals. NSA and the rest of them are a security threat. Armies were not allowed in Rome, neither should these guys.

Mailman November 11, 2013 11:20 AM

With today’s technology, collecting data is easy.
Finding meaningful information in the deluge of data is what’s difficult.

At this point collecting more and more data to find something relevant is akin to looking for a needle in a haystack by piling on more and more hay in hope that a second needle might be in there somewhere.

NobodySpecial November 11, 2013 11:26 AM

@Mailman – assuming finding meaningful information is your goal.
It usually comes down the traditional corruption/incompetence/malice explanation.

The are simply in it to keep their funding, increase their slice of the pie and line up a nice directorship on retirement.

They want to collect everything so they can spin some quote about “having been watching” person after they commit the act – so they were doing their job even if they didn’t prevent the act.

They actually are spying on everybody in order to take over the world/country/party

Kurzleg November 11, 2013 11:27 AM

@Gweihir: “I still think this is about getting the maximum possible level of control over ordinary people and attackers only up to the semi-competent level. That again means this is about establishing a surveillance and police state, not about fighting external threats.”

I think that immediately after 9/11 (and for several years after that) it WAS about fighting external and internal (i.e. sleeper cell) threats since the government didn’t seem to know much of anything about possible threats. I don’t question the motives at all even if I don’t agree with the methods. HOWEVER, now that so many resources have been devoted to the project and so much capability has been created, there is substantial risk that a surveillance/police state will develop. And that’s not least because the Supreme Court as it’s currently comprised is quite deferential to the executive branch (and to “authority” generally) when it comes to this sort of thing.

Bob Robertson November 11, 2013 11:32 AM

“Omniscience requires god-like powers.”

Sadly, there are many in government service who believe they have such powers.

Wael November 11, 2013 11:33 AM

@ Christian,

“Omniscience requires god-like powers.” The problem is… it doesn’t!

It actually does. Nevertheless, that’ll not stop creatures from attempting to attain that level of knowledge. Omniscience in general means knowing everything about everything, past, present, and future. Having someone looking over your shoulder will not make them omniscient. They wouldn’t know what you’ll do next year, for example. Because even if they can read your mind, it wouldn’t help them, simply because you don’t know what you’ll do. As Spock once said: “One cannot guarantee the actions of another”. I cannot find a reference for that, so I am quoting from memory. He also said: After a time, you may find that having is not so pleasing a thing, after all, as wanting. It is not logical, but it is often true.
–Spock in ‘Amok Time’
So they want, but if they had it, they wouldn’t be happy, and the logical next stop (or step) would be control — Omnipotence is next. Luckily, they’ll attain neither.

David November 11, 2013 11:36 AM

Brian M.: +1. I’ve been saying this for years. Fighting surveillance is futile; that genie is much too wily to be coaxed back into the bottle.

What we should be spending our energy fighting for is parity and transparency: level the playing field. At this point, I’m not optimistic. When even taking photos of courthouses is now prima facie evidence of evil intent, we’re not likely to ever gain a footing in this regard.

Gweihir November 11, 2013 11:48 AM

@Alan: To that I fully agree. Perfect security would also eliminate all independent though and all ideas. Bruce’s excellent “outliers” show clearly that it would be an unmitigated disaster.

@Meh: From time to time we have customers that think data leakage is a problem that can be solved purely by technology. We use the pen&paper example to illustrate that this is not the case. As to communication, if all else fail, meet clandestinely in person. Leave mobile electronics behind or remove the batteries.

Rob Woodrough November 11, 2013 12:16 PM

@Geeve – Mass surveillance has proved to be a pretty blunt tool for defence against terrorism, and criminality. It would be much more effective to monitor the storage, sale, and movement of the materials needed to commit the terrorist, or criminal acts. Mass surveillance is futile and should be banned.

Someone November 11, 2013 12:57 PM

One thing’s for certain – The stress of being cognizant of being constantly surveilled is going to lead me to an early grave. I can’t cope with this. I have been in constant pain since the leaks started.

I honestly don’t know if I should be thanking Snowden or cursing him. I firmly believe that ignorance is bliss, but I don’t know how much longer the NSA could have been carrying on before the excesses would have been apparent to the common-person. I don’t know if it is too late to combat surveillance. I am living in a state of constant fear and terror…….

Indoctrinated November 11, 2013 1:07 PM

One motivation for mass surveillance that explains why certain parts of the military might support it, is for targeting counter-propaganda.

Let’s say you have increasing cultural exchange with a country that is heavily brainwashed. Then to preserve national ideological integrity, you might feel the need to engage in counter-brainwashing operations.

Naturally, the military can’t point to this reason without calling attention to massive psychological manipulation.

Put another way, the military planners might argue that it is better to fight a psychological way rather than a physical one. By control of the world’s media, they can put the future on a glide path to universal harmony.

But the unspoken premise is that the military has claimed the right to dictate the shape and content of an individual’s mind.

Someone November 11, 2013 1:45 PM

This article refers to some language from the Intel community which does confirm some fears…

http://www.pcworld.com/article/2060660/us-intelligence-officials-nsa-reform-bill-is-flawed.html

Excerpt:

The bill is “flawed” because it presumes intelligence officials often have specific targets when looking for terrorist activity, said Patrick Kelley, acting general counsel of the Federal Bureau of Investigation. “That’s the essence of terrorism prevention—we don’t know who we’re after,” he said.”If we’re limited to seeing numbers from a known [suspect], then we’re not very effective.”

herman November 11, 2013 1:45 PM

The problem is that the NSA is a leaky sieve. They steal all the data and then it leaks out via sharing agreements with other agencies the world over and also people like Snowden. So once they got your banking details, there is no telling where it will end up, or which mafiosi will clean out your account.

Ironically, they complain about Snowden stealing their stolen data. Is stealing a stolen item really stealing?

Joe P. November 11, 2013 1:50 PM

The question is not “is there positive benefit in total surveillance”. There obviously is.

The question we need to be asking are “Do those benefits outweigh the cost to society?” I would say they do not. No one can or should be trusted with that much power.

The other questions we need to be asking are “Did the NSA leadership break the law?” and “Were any members of Congress criminally negligent in their oversight of the NSA?” (Yes and Probably)

Daniel November 11, 2013 2:00 PM

Sorry, not impressed by that essay. It seems to me that it is a lot of hoo ha that is essentially trying to create a technological solution to what is a political problem. And the political problem is actually a cultural-psychological problem which is “never again”. Never again is madness, by any definition.

There are two basic kinds of perceptual data in the world. The first kind is our perception of difference, what Richard Rorty called “contrast effects”. The second kind of data is control data, our understanding of whether or not an object is within our power. Human beings do not normally feel threatened by differences or a lack of control alone but the combination of the two.

Omniscience grapples with differences by bringing everything under control. This is doomed to failure because humans can’t be god-like. If the NSA truly controls the internet history tells us either something will come along to replace it or people will abandon it. So it’s a waste of money long-term, culturally speaking. (It may not be a waste of money in terms of short term political interests, which is to say ass-covering or blame shifting.)

If Geer’s point is that people feel threatened by things which are different and are going to attempt to bring such different things under their control that is not a novel or even interesting idea. If his point is that the NSA will try to take control holistically then the proper response to the NSA is to point and laugh. We have been down that road. We know how the story goes. It doesn’t end well because it is an impossibility.

name.withheld.for.obvious.reasons November 11, 2013 2:55 PM

@Joe P.

“Were any members of Congress criminally negligent in their oversight of the NSA?”

I’d argue a conspiracy–the way the FAA was drafted was deliberate in its attempt to put a number of legal instruments in place that sole purpose was to bury the truth. The truth was reserved for the IC, exclusively. The DoJ and all requests put before the FISC are to contain specific languange that specified both methods and operative facts (the two things that constitute classification as secret). In other words, even the court could translate the requests/orders. IT IS DELIBERATE AND IMMORAL, a conspiracy against the sovereign.

Brian M. November 11, 2013 4:16 PM

@A. Mortal:
Last time I checked, nothing ends well. ^o^

These are the things that do end well:
WELLS <well=v> [v]
WELLY {wellie=n} [n -LIES]
WELLED <well=v> [v]
WELLIE a Wellington boot [n -S]
WELLIES <wellie=n> [n]
WELLING <well=v> [v]
WELLADAY {wellaway=n} [n -DAYS]
WELLAWAY an expression of sorrow [n -WAYS]
WELLBORN of good birth or ancestry [adj]
WELLCURB the stone ring around a well (a hole dug in the ground to obtain water) [n -S]
WELLDOER a doer of good deeds [n -S]
WELLHEAD the source of a spring or stream [n -S]
WELLHOLE the shaft of a well [n -S]
WELLNESS the state of being {healthy=adj} [n -ES]
WELLSITE a mineral [n -S]
WELLADAYS <welladay=n> [n]
WELLAWAYS <wellaway=n> [n]
WELLCURBS <wellcurb=n> [n]
WELLDOERS <welldoer=n> [n]
WELLHEADS <wellhead=n> [n]
WELLHOLES <wellhole=n> [n]
WELLSITES <wellsite=n> [n]
WELLNESSES <wellness=n> [n]

These are the things that begin well:
DWELL to {reside=v} [v DWELT or DWELLED, DWELLING, DWELLS]
SWELL {stylish=adj} [adj SWELLER, SWELLEST] / to increase in size or volume [v SWELLED, SWOLLEN, SWELLING, SWELLS]
UNWELL not well [adj]
UPWELL to well up [v -ED, -ING, -S]
INDWELL to live within [v -DWELT, -DWELLING, -DWELLS]
INKWELL a small container for ink [n -S]
MAXWELL a unit of magnetic flux [n -S]
UPSWELL to swell up [v -SWELLED, -SWOLLEN, -SWELLING, -SWELLS]
FAREWELL to say goodby [v -ED, -ING, -S]
GROMWELL an {herb=n} [n -S]

Now you know! :p

MingoV November 11, 2013 5:13 PM

“… Unless you fully instrument your data handling…”

How does one instrument data handling? Instrument as a verb means equip something with measuring devices. Instrument in the above sentence means nothing but sounds impressive.

Troutwaxer November 11, 2013 6:54 PM

You can’t find a needle by making a virtual copy of the haystack. The approach needs to be subtractive, not additive.

name.withheld.for.obvious.reasons November 11, 2013 6:59 PM

@ herman

The problem is that the NSA is a leaky sieve.

I’m afraid it is already finding its way into legislation. Looks like background checks will be reoccurring…wait for…you can guess…five years. The same period of time as the data retention policy of the N F of S A. Guess who’s not subject to it…

CountryBoy November 11, 2013 7:19 PM

@Troutwaxer

The needle/haystack analogy only works for physical sifting.

For concept formation, there is a natural reduction of many into one through the process of induction.

Having more examples of something provides more precision when forming generalizations.

Muddy Road November 11, 2013 7:28 PM

Perfect surveillance is tyranny.
Perfect surveillance has no place in imperfect democracy.
I read the article.
Frankly it came across and typical agency arrogant b.s. and doubletalk. He tried to spin tyrannical surveillance as some mystical, magical state of perfection.

NO!

Data is Power.
Power is Data.
Tyranny is tyranny and vice versa.

As for one quote, “biometrics as a solution to authentication? At this moment in time, facial recognition ispossible at 500 meters, iris recognition is possible at 50 meters,and heart-beat recognition is possible at 5 meters.”

When I want to be a bad guy, I wear a disguise or maybe simply forget to shave and wear sunglasses.

Tinted glasses and/or contact lenses should take care of a retina scanner and an iPod in my shirt playing loud rock and roll would likely take out a sensitive heart beat microphone.

I think he is saying they are working on these technologies which will be implemented on innocent citizenry to keep the fear levels up and therefore control by the tyrants up too. But, as usual crooks and fools will simply foil the surveillance, pay no attention or buy their way around it.

Frankly, I know gobbledegook when I read it.

Passer By November 11, 2013 7:56 PM

Nobody will ever be able to achieve full control “by control”. True peace comes from love, not from imposing will on others. Suggested reading: The Holy Bible.

Dirk Praet November 11, 2013 8:56 PM

But only rarely do we ask our Legislatures to make mitigation effective. Instead, over and over again we ask our Legislatures to make failure impossible.

Probably a good time to quote Hermann Goering again:

“The people can always be brought to the bidding of the leaders. That’s easy. All you have to do is tell them they are being attacked and denounce the peacemakers for lack of patriotism and exposing the country to danger. It works the same in any country.”

Nobody wants a total surveillance state ruled by a small and powerful elite if you try to sell it in such an obvious way. Not even by claiming that total surveillance is the only way to protect a complex technological society from its own endemic threats. You get the people’s buy-in by scaring the living daylights out of them so they will go along with anything believing it’s for their own good. That’s what we’ve seen happening in the US ever since 9/11. The people have asked their Legislatures nothing. They have just been moulded into compliance by establishment controlled mainstream media and politicians doing the bidding of an out-of-control military-industrial complex.

@ Herman

Ironically, they complain about Snowden stealing their stolen data. Is stealing a stolen item really stealing?

+1

JP November 11, 2013 10:13 PM

Today, we celebrate the 29th glorious anniversary of the Information Purification Directives. We have created, for the first time in all history, a garden of pure ideology. Where each worker may bloom secure from the pests of contradictory and confusing truths. Our Unification of Thoughts is more powerful a weapon than any fleet or army on earth. We are one people, with one will, one resolve, one cause. Our enemies shall talk themselves to death and we will bury them with their own confusion. We shall prevail!

On June 6th The media announced xKeyScore. And you’ve see why 2014 is like 1984.

Figureitout November 11, 2013 10:31 PM

I’d argue a conspiracy…
name.withheld.for.obvious.reasons/Joe P.
–Not to try to bring up a troll topic, but //Dirk Praet\ made mention of it (9/11) as being the start of an unacceptable police state and it was a very important event in history. I don’t remember the police being so burdensome before then. TSA start grabbing balls and I just saw one of their vehicles driving near me; even not flying I can’t keep these idiots away from me.

The reason I bring it up is b/c I think there was “criminal negligence” on the part of our military for conducting a NORAD drill and leaving NYC and Washington DC wide open for air strikes. They were unable to intercept planes after a confirmed strike. Thus we rewarded the incompetence and gave them more money and power…

And let us not forget, did the terrorists not stay at the Valencia Motel, a few miles away from NSA headquarters…

It’s incompetence, they are unable to keep us safe. I tested this for myself and found these agents to be highly obvious and sometimes flat out retarded. They will not catch competent terrorists.

65535 November 11, 2013 11:50 PM

My time is constrained (due to job and family). Most of the commentators have echoed my feelings. I will make some observations (Please excuse my grammar and spelling errors).

First, to Winter: “More directly, what would have happened if it had been found out that the BND (German Secret Service) had eavesdropped on Obama’s phone for years?” “You think the USA government would have send a delegation send to Berlin politely asking to stop eavesdropping on Obama?”

I don’t know the answer. If Obama knew, and that is a big if, I would assume he would apply all the levers of power to extract the method and the information from the Germans. But, we don’t know – too many variables.

Observations:

  1. There seems to confirmation of mass surveillance on US citizens. This would include warehousing of vast amounts of private data.

“…The Intelligence Community has felt the heat of too much information to handle for some time. The business community is feeling it now insofar as it is far cheaper to keep everything than it is to do careful selective deletion…” -Geer, 97% down page

This seems to indicate that indeed the Utah and other NSA facilities do intend to vacuum-up and store US citizen’s and International citizen’s data for the foreseeable future. This mass collection of data appears to violate the Fourth Attendant and various international laws.

[More on mass data retention]

“Data retention for observable data is growing by legislative fiat seemingly everywhere… I proposed at the outset, neither you nor I would be concerned with some entity having access to one of our transmitted messages, but 1000 of them is a different story, and all-of-them forever is a different world.” -Geer, 10% down page

“…[The] intelligence agencies that hoover up everything are reacting rationally to the demand that they ensure “Never again” comes true…” -Geer, 20% down page

All of the above seems to confirm NSA mass surveillance – in contraction of the US Constitution (Which the NSA and its top people are sworn to uphold).

  1. Geer mentions the Administrations “war on leaks” which would seem to be against the First Amendment.

“Leonard Downie, the former executive editor of The Washington Post,wrote in that very paper on October 4th:

‘Many reporters covering national security and government policy in Washington these days are taking precautions to keep their sources from becoming casualties in the Obama administration’s war on leaks. They and their remaining government sources often avoid telephone conversations and e-mail exchanges, arranging furtive one-on-one meetings instead.’” -Geer, about 70% down page

Sure, there needs to be leak prevention but bugging the AP and other news organization phone lines in DC appears too draconian and against the First and Fourth and Fifth Amendments (and other various laws).

  1. Geer alerts us to the dual purpose use of data that was originally meant for advertising revenue – which now is used as a weapon to track our every move.

“I have become convinced that all security tools and all the data that they acquire are, as they say in the military, dual use – the security tools and their data can be used for good or for ill.” and “… John Gilmore famously said, “Never give a government a power you wouldn’t want a despot to have.” –Geer, about 75% down page

“Anything that has “wireless” in its name creates an opportunity for traffic analysis.” and “In tune with my claim that everything is dual use, any entity (such as a government) that can acquire the entirety of all social media transactions learns nearly everything there is to learn, and all in one place, and all courtesy of the participants themselves. The growth of social networks is a surveiller’s dream come true.” –Geer, 85% down page

  1. Geer also points out the hot-button issue of data mining all US citizen’s medical information. This is a serious issue because medical information is very sensitive.

“In medicine, we have well established rules about medical privacy.Those rules are helpful. Those rules also have holes big enough to drive a truck through…” [Discussion of mandatory reporting on leaks of medical information] “…Is that data that you want to share? Sharing it can only harm you. It might help others.” -Geer, 80% down page.

[and]

“How do you feel about public health surveillance done by requiring Google and Bing to report on searches for cold remedies and the like? … Have you or would you install that toilet that does a urinalysis with every use?” –Geer, about 30% down page.

[and]

“The Obama administration’s issuance of a National Strategy for Trusted Identities in Cyberspace is case-in-point; it “calls for the development of interoperable technology standards and policies — an ‘Identity Ecosystem’ — where individuals, organizations, and underlying infrastructure — such as routers and servers — can be authoritatively authenticated.” “…Do you trust those who hold surveillance data on you over the long haul by which I mean the indefinite retention of transactional data between government services and you…” -Geer, about 55% down

Think of a young woman who is pregnant. She then goes to see a doctor and has an MRI. That MRI is digitized and sent to many other insurance companies and other specialists. Next, the baby is born with a slight birth defect (which is not uncommon). That data is then broadcast out to even more specialist and insurance companies and the like. Now, that child has a permanent record which a number of governmental agencies which could include the NSA. Who knows what will happen with that data in future. Will it be used against the child?

  1. After being on the inside of game and profiting from it Geer indicates that he will opt-out of the data mining pit.

“I have amassed all the fortune I am going to amass… I am old enough that I can opt out of many of the corporate data collection schemes and live out the remainder of my days unaffected by what I might be missing out on… That those corporations are agents of government data collection means that for now I am opting out of some of that as well… It is your choice and responsibility to be part of the problem or part of the solution…” –Geer 95% down.

This last portion brings up the brings up ethics, financial disclosure laws, the nexus between huge corporations and the government, and basic privacy laws. Now that the monster is out of the bottle how do we put it back in?

I would guess old fashion economics will play a roll. Someone or some group will start building communication solutions that are void of government/Corporate data mining. Or, some type of auditing of all software and hardware built by big corporations will be audited for government data mining capabilities. Maybe, there will be some responsible politician that will over see and disclose all privacy issues that have come to light regarding the NSA’s spying. Possible, there will be a mixture of the three. I can only hope.

Figureitout November 12, 2013 12:26 AM

Will it be used against the child?
65535
–‘Sigh’, it absolutely will. I’ve noticed just in my short lifespan a horrible trend for younger people. More and more is expected out of them; look back to oh say 100 years ago, basic math was an accomplishment and tech had its roots but was still rather simple.

I have amassed all the fortune I am going to amass… I am old enough that I can opt out of many of the corporate data collection schemes and live out the remainder of my days unaffected by what I might be missing out on.
to: (Dan Geer)
–Yeah just go die already if you’re not going to be part of the solution. Thanks for leaving this monstrosity for us trying to live a little longer.

Me November 12, 2013 12:45 AM

@ Herman and Dick P.

“Ironically, they complain about Snowden stealing their stolen data. Is stealing a stolen item really stealing?”

Yes. It’s no different than if Thief A steals a stereo and sells it to a pawnshop and Thief B steals the item from the pawnshop. Both can be charged with theft. Stealing is defined by taking something that isn’t yours without permission from the owner. Whether it is legally owned by the actual possessor is irrelevant.

Figureitout November 12, 2013 1:09 AM

Me
Dick P
–Lol, well the ‘N’ is kind of far from the ‘D’ on an American keyboard. Don’t see any “Dick P’s” around here nor why you’re addressing what he said lol. Good one though.

Winter November 12, 2013 1:57 AM

@Figureitout
“Will it be used against the child?
65535
–‘Sigh’, it absolutely will. I’ve noticed just in my short lifespan a horrible trend for younger people.”

That is a political question. Where I live, this the privacy rights of a child are absolute. Sharing this information or using it against the child’s consent at any time in her life is a criminal offense.

Doctors have become paranoid about these matters for good reason. Any sharing of data is anonymous, and attempts to deanonymize are a criminal offense too.

Clive Robinson November 12, 2013 2:22 AM

@ Figureitout,

Whilst D&N are further appart on the keyboard than C&H there is a much disliked UK politico named Jerremy Hunt.

For some reason BBC Radio 4’s early morning team got confused and much ammusment was had at Mr Hunt’s expense for a while. Many of his supposed political allies lept to his deffence but even they could not keep straight faces… And so the “ear worm” spread and spread to the point every time Mr Hunt’s name is mentioned a small smile starts on peoples faces 😉

Nick P November 12, 2013 2:40 AM

@ figureitout

“Lol, well the ‘N’ is kind of far from the ‘D’ on an American keyboard. Don’t see any “Dick P’s” around here nor why you’re addressing what he said lol. Good one though.”

LOL

Wesley Parish November 12, 2013 3:34 AM

I’m afraid I prefer to believe Vernor Vinge’s point delivered through his two novels “A Fire upon the Deep” and “A Deepness in the Sky” that universal surveillance leads to “ubiquitous law enforcement” leads to societal collapse.

Facetiously, just read history. Human tolerance of a gap between rhetoric and reality is not very great; it’s frequently fatal for states.

Clive Robinson November 12, 2013 5:10 AM

@ Winter, 65535,

Yes it will be used against the children, without doubt.

My family tend to be in our fourties when we have children, and the difference between four generations is imense.

My great grandfather who fought in WWI and lost half his lungs to gas and was shot by a sniper but survived (because he was on church parade and had a couple of florins and a prayer book in his chest pocket that stopped the bullet) was considered “educated” because he could do accounts and was widly read was transfered from being an infantry (machine) gunner into signals because of it.

My father because he was left handed had his hand repeatedly smashed with the likes of ebony rules because it was “sinister” and thus failed basic exams with the excuse of poor penmanship did manage to get proffessional qualifications and during WWII was eventualy moved into “special communications” in the signals and handled “Ultra” traffic. My mother who remarkably for the time had a degree worked in Radar research during WWII and met several of the leading charecters one of whom she had a very very low opinion of.

I being left handed got similar “sinister” treatment from the old lags in education which my parents dealt with through the use of the legal process. However I was considered a failure not because I did well in exams and was in the top 5% of the English schools, but because I was marked down as being indolent or upperty by the old lags and was not given good refrences because of my father trying to protect me from them. Luckily the people who had worked in industry and were teachers in a technical collage realised I had a very enquiring mind and so I went into engineering not accountancy. Having got the equivalent of a degree I was still in the top 10% of my time and I went onto a Masters top 1% and would have gone on to a PhD but ran up against the problem of “do our research for us” from the readers and I was not interested in what they wanted doing (I wanted to research world spanning but secure distributed databases which at the time were not even considered by academics as a “horizon problem” but as we now know are ultra-critical for nearly all aspects of life).

As for my offspring well the way education is in the UK now you need a degree to be a filing clerk or work in the mail room. So I’m having to push, and it’s homework every night and atleast one day of the weakend…

But are the kids learning anything usefull, outside of science and maths it appears to be mainly “makework” especialy in the likes of IT/Comms they get taught how to use MS-Office packages not anything particularly usefull…

The likes of what they call “programing” has only been introduced as part of the national curriculum this year and to be frank it’s fairly usless.

But when you look carefully at the world of work qualifications are a “P1551ng Contest” for those “not connected” and the youngsters get treated like dogs in a Pony&Cart circus act. For those connected the primary requirment appears to be “how to chant managment speak” and “how to slurp up the crack of seniors” whilst taking rediculous chances but jumping ship to avoid any consequences by “networking” into other organisations.

Little or no real life skills are taught these days which is why “Trades” are getting big money but cann’t manage it thus go broke/bankrupt or have it stolen by banks.

As for “fundementals” forget it most Teachers think I’m some kind of genius (which says more about them than my real abilities) as I can link knowledge from a large array of fields which they appear to not consider… a similar problem exists in higher education and unfortunatly as can be seen with “Proffessional Training” in IT and Comms security it’s much the same in industry.

Now if people agree or disagree with me thats their choice but before they “write me off as an old fart/reactionary” I urge them to think a little bit about just how long their current knowledge base is going to remain current…

65535 November 12, 2013 5:19 AM

@FigureIO

“‘Sigh’, it absolutely will.”

I agree. That is most troubling.

Nice play on words “Dick P’s” haha.

@Winter

The word “absolute” can and probably will change with changing laws/interpretations.

“Any sharing of data is anonymous.” Does that mean the NSA can “anonymously” share medical information with the MI5 or others? If sharing is anonymously than how do you know who is sharing what and for whom?

What procedures are in place to assure no leakage of medical information? Who audits the leakage or non-leakage of medical information? What are the penalties for leaking medical information? How will they be enforced? Can you site a federal statute or an international statute?

name.withheld.for.obvious.reasons November 12, 2013 7:52 AM

With a possible breach of my own protocol (not really, just the loss of a layer that is recoverable), the point is it seems usless to consider the United States Constitution to be relevant, useful, or instructive. I’d proffer that K-12 and higher ed just skip the whole business of a democratic republic. A statest view should be emphasiZed.
Maybe we can purchase from Russia some posters and placards for use in public squares and places “Uncle Sam, I have your back–so watch it or it’s coal in your stocking for you!” Propaganda is so far from the reality, that reality, is so far from history, that is so far from the wisdom of past, and so far from the possibilities for the future.
My own work (irrespective of its relevance to you) has been a waste for the last year–the NSA has flattened the world–now I have to recalibrate my telescopes.
Damage is being done to domestic entities via this unethical, immoral, illegal, and unaccountable set of statutes, agencies, and legislators. This is total BS.

Dirk Praet November 12, 2013 9:38 AM

@ Nick P, @ figureitout, @ 65535, @ Clive

“Lol, well the ‘N’ is kind of far from the ‘D’ on an American keyboard. Don’t see any “Dick P’s” around here nor why you’re addressing what he said lol. Good one though.”

I think @Me was probably referring to yours truely since I gave a thumbs up to @Herman’s comment. As I said before, I’ve gotten used to having my first name massacred to Dick, Dork, Kirk, Turk, Jerk and so on. Dick P. is somewhat novel, though. Guess @Me somehow (con)fused Nick P. and Dirk Praet.

Corwin November 12, 2013 10:53 AM

Some comments indicate that their posters are understanding that all the surveillance data absolutely needs to be completely public. I am frankly surprised by the celerity of that outbreak of common sense.

plank November 12, 2013 11:30 AM

@Indoctrinated

By control of the world’s media, they can put the future on a glide path to universal harmony.

I remember reading something similar in Bernays’ works…

name.withheld.for.obvious.reasons November 12, 2013 12:25 PM

@ Clive Robinson

Having got the equivalent of a degree I was still in the top 10% of my time and I went onto a Masters top 1% and would have gone on to a PhD but ran up against the problem of “do our research for us” from the readers and I was not interested in what they wanted doing (I wanted to research world spanning but secure distributed databases which at the time were not even considered by academics as a “horizon problem” but as we now know are ultra-critical for nearly all aspects of life).

In the early 80’s I was running Xenix/Ultrix/VMS/MPM systems at home and for
servicing consultancy contracts. Anyone remember the HP transportable the Intregral?
Our polytechnic offered advanced development on a new Prime with Unix “System 3” and “a” C compiler. Yeppie! Already had a wired house (5 rooms, not the bathroom but did considered a Tandy 100 for use in the commode) with a simple sneaker net and a UUCP gateway.

File server, development systems, prototypes, and all manner of hardware where “in the house”. Academia (the Prime took one year to get up and running) seems to trail in many ways and lead in others…it’s a mixed bag. My experience taught me this is what I must do–teach myself. No one locked the libraries, closed book stores, closed down hobbyist or user group communities and ham radio is your friend.

But are the kids learning anything usefull, outside of science and maths it appears to be mainly “makework” especialy in the likes of IT/Comms they get taught how to use MS-Office packages not anything particularly usefull…

The likes of what they call “programing” has only been introduced as part of the national curriculum this year and to be frank it’s fairly usless.

Seems the idea of the hobbyist has long since passed–today there is little that binds young people to the world–but–I am concerned that the mentors to our youth are missing in action.

As for “fundementals” forget it most Teachers think I’m some kind of genius (which says more about them than my real abilities) as I can link knowledge from a large array of fields which they appear to not consider… a similar problem exists in higher education and unfortunatly as can be seen with “Proffessional Training” in IT and Comms security it’s much the same in industry.

I have been trying to generate interest in the engineering community to look at multi-disciplinary approaches–thinking across a problem and not about an aspect of the problem–see it in a full context. The very skills that are needed to answer complex problems of the day requires the critical thinking that you exercise Ciive, I am afraid it is to rare a trait. Part of it is fear; standing up for an idea can get you noticed, fired, responsible, committed, and a lead for others. It is easier to be silent, do what is asked, and collect your pay check.

I don’t know how many meetings I’ve attended and have been met (I am sure you can tell stories Clive) with the chirping of crickets (and not with bats). Funny thing, a month or six later it would be on the table. Was in a joint meeting with ABB on a power system design and suggested a design feature in the meeting (wanted to cut down on the interconnect mapping issues) and everyone stopped, looked, and thought “What?” and went on their way.

The next day the lead ABB architect decided to ask me what I was proposing specifically–guess he realized that there could be significant cost savings. Until you can appeal to some other “self” interest it is difficult to sell any good idea.

Lawrence D’Oliveiro November 12, 2013 8:19 PM

We all know that a negative declaration like “X did not happen” can only proven true if you have the enumeration of everything that did happen and can show that X is not in it.

No we don’t.

pointless_hack November 12, 2013 8:37 PM

I’m glad there are people around who have read 1984. NSA is certainly Orwellian. The official language near the comment, “It’s easier to keep everything than targeted specific deletion,” appears to mean, the people collecting it are in danger of having too much data to read it all.

Has espionage ceased, because of these measures? Ordinary citizens live in terror of a super-max Damocles sword, descending under the heading, “ignorance is no excuse,” but why aren’t real spies getting arrested?

Drug dealers (the entrepreneurs who deliver and take compensation for the product,) seem to employ lookouts. Who colludes with spies? Who tells THEM the NSA is coming?

Even one trial a year would convince me it might be worth it. It wouldn’t solve the problem, only justify it, but I would FEEL better!

I’m rooting for the surveillance state’s biggest foe: lethargy! The welfare state may be in abeyance, but it cannot lose, and therefore it will win. Only ubiquitous alcoholism could compete.

Is all kvetching pointless kvetching? (I’m not Jewish, just heard the word.)

Doubt is a fickle ally.

vas pup November 13, 2013 9:25 AM

@ Brian M:
“We should be able to surveil both the government and the corporations. We should have free and unfettered access to everything that is gathered on us.”
Correct!
First, the law should exist mapping FOIA right to private corporations.
Second, Court System should enforce FOIA requests to the government and to corporation and apply huge fines for non-compliance.
Third, until all people become angels, existence of NSA and other alphabetical soup of LE Agencies and their activity including data collection is required. The problem is to force them fight real criminals, real terrorists (through oversight), not the part of society not within their circle or targeting people for actually using constitutional rights/political opinions/thoughts.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.