The Changing Cost of Surveillance

From Ashkan Soltani's blog post:

The Yale Law Journal Online (YLJO) just published an article that I co-authored with Kevin Bankston (first workshopped at the Privacy Law Scholars Conference last year) entitled "Tiny Constables and the Cost of Surveillance: Making Cents Out of United States v. Jones." In it, we discuss the drastic reduction in the cost of tracking an individual's location and show how technology has greatly reduced the barriers to performing surveillance. We estimate the hourly cost of location tracking techniques used in landmark Supreme Court cases Jones, Karo, and Knotts and use the opinions issued in those cases to propose an objective metric: if the cost of the surveillance using the new technique is an order of magnitude (ten times) less than the cost of the surveillance without using the new technique, then the new technique violates a reasonable expectation of privacy. For example, the graph above shows that tracking a suspect using a GPS device is 28 times cheaper than assigning officers to follow him.

Posted on January 15, 2014 at 6:23 AM • 38 Comments

Comments

Bob S. • January 15, 2014 8:28 AM

It does seem reasonable to consider the actual cost of surveillance in establishing a reasonableness search standard.

I suppose the government might send out military drones to track potential J-walkers. Would that seem reasonable in relation to the cost? Does cost matter?

I am anxiously fearful of the inevitable Supreme Court decision(s) covering high tech and the 4th (et al) amendment(s). Will the court side with the people or the political aristocracy?

Will the Court be reasonable?

AlanS • January 15, 2014 9:21 AM

The courts endlessly struggle with interpreting the 4th amendment in light of new technologies. The "reasonable expectation of privacy" test comes from Katz 1967, which overturned Olmstead 1928. In Olmstead, Brandeis argued, in his dissent, that the interpretation of the 4th Amendment needs to keep up with discoveries that make surveillance easier. (His dissent is a blistering attack on the "unjustifiable intrusion by the government upon the privacy of the individual" and the "insidious encroachment [on liberty] by men of zeal, well-meaning but without understanding" --worth reading.)

In later cases the "third party doctrine" was adopted that narrowed the scope of "reasonable expectation of privacy" and has continued to drastically narrow the scope as technologies have evolved. See especially Smith vs. Maryland 1979 which involves pen registers and the whole issue of content vs envelope, metadata etc. (There is a good discussion of all this in Dan Solove's Nothing to Hide book.) Smith vs. Maryland is important for the way the Foreign Intelligence Surveillance Court operates. This all came up in critical ways in the testimony by the Review Group to Congress yesterday (see discussion here: http://justsecurity.org/2014/01/14/morell-there-bit-content-metadata/).

There is a new interpretation of "reasonable expectation of privacy" in Jones which makes that case important (see Dan Solove's discussion here: http://docs.law.gwu.edu/facweb/dsolove/files/BNA-Jones-FINAL.pdf. For critical discussion of the "mosaic theory" see writings by Orin Kerr).

Note that Judge Leon's decision (Klayman vs. Obama) last month argues that Smith v. Maryland is antiquated (it predates cell phones) and draws on Jones.

NobodySpecial • January 15, 2014 10:34 AM

Bob S - it's the LOW cost of surveillance that worries the court.

It was ok that you had "no reasonable expectation of privacy" in public because it was unlikely that the police would have a team of undercover agents following everyone 24x7.

Now that they can follow everyone 24x7 with CCTV, mobile phone tracking, access to transit fare gates etc - then does the court need to re-adjust the reasonable level of privacy you expect?

Rich • January 15, 2014 10:52 AM

@AlanS and all:
Has anyone tested the "third party doctrine" from the position of a stockholder in, say, A.T.&T.?

I don't hold that much hope for that approach. I fear it would go something like this:

1) Buy 100 shares of A.T.&T.
2) Read the Times for the next revelation.
3) Go to court.
4) Court rules: Yes, you are a part owner of the metadata about you. But -- the police can go to any other co-owner and collect it.

Hahahaha • January 15, 2014 11:20 AM

I need to remind you folks here: some recent so-called "leaks" appear to be "leaked" by NSA, such as the NSA secret dongle used to transmit data over long distance, I don't doubt its existence, but tiny dongle transmitting data over a max of 10 miles? Physics does not allow that, plus any sophisticated government agency would be able to scan it (even the data transmission is encrypted), plus a Faraday cage is also an option.
I suspect some fake "leaks" were intentionally given away to make the adversary search for "useless" clues, while the NSA is doing the real thing.

Daniel • January 15, 2014 11:31 AM

This is nothing more than yet another attempt by the Ivy League elites to create the great justice system computer in the sky. The legal profession still hasn't gotten over the fact that modern technology hasn't freed them from having to do their rent seeking face to face.

This proposal is part and parcel of their attempt to reduce "reasonable doubt" to a mathematical number too. What is reasonable doubt they ask? Why it is 70% doubt!

All this does in the long run is make fetish of numbers. Privacy can no more be reduced to a number than doubt can be.

AlanS • January 15, 2014 11:46 AM

@Rich

I don't think that would fly as the logic of the Smith v Maryland decision, as I understand it, is that because the numbers were voluntarily disclosed to the phone company there can be no expectation of privacy. This was before smart phones, cloud computing, etc. so it has become very problematic. Laws like ECPA don't help much as they are also very dated. If you buy into Smith the only way to have privacy in the modern world is to not live in the modern world. Go back to late 18th C. or
http://www.theonion.com/video/google-opt-out-feature-lets-users-protect-privacy,14358/

Also see: What You Need to Know about the Third-Party Doctrine And what it will likely mean as the NSA lawsuits work their way through the courts.
http://www.theatlantic.com/technology/archive/2013/12/what-you-need-to-know-about-the-third-party-doctrine/282721/


herman • January 15, 2014 11:48 AM

We can detect incredibly weak signals. Think of radio astronomy. Then think again about how many kilometers one can track a little bug, given a good directional antenna.

wiredog • January 15, 2014 11:58 AM

"28 times cheaper"
What are they multiplying by 28, and how does that result in a smaller number?

Aspie • January 15, 2014 12:02 PM

With apols to other posters; OT
//Figureitout

Arrange some contact details and I'll flow you some code and schematics if you want to tinker with the project.

No compiler as yet but the bytecode is as easy - if not easier - than assembler and fun!

At the very least you'll have a neat programmable calc you can customise to bits. I'd post on hackaday but the thing isn't evolved much yet and you mentioned you wanted to be involved.

It needs a compiler - preferably native but it's not a big task. You can source the bits for about ten bucks and it's easy to build. The main task - which I'm looking into - is AES and SHA primitives. Presently an RS232 interface (yes, I know you'll like that) needs a MAX232 if you want RS232 line-levels else TTL options will work.

Next bits of work are designing the stackable interface and the SPI-enabled peripherals.

3cjh4cbhc3j • January 15, 2014 12:39 PM

I found it interesting that the NSA compromised FSB (Russian) networks just as easily as they did everyone else. Russia is supposed to have the best security people in the world and extremely high literacy standards.

The NSA basically has full access to all Russian intel.

Captain Obvious • January 15, 2014 12:40 PM

As Bob mentioned, a "reasonable expectation of privacy" should not be based on the cost, though it could be an indicator, but on the actual expectation.

The Gov is very good at making things expensive. A drone or even a satellite could be monitoring you without your knowledge, and that wouldn't be cheap. The key is knowledge.

If someone follows you around all day it's reasonable that you would notice. If invisible tech is following you it is not. All govt IT systems are required to inform users that their actions are being monitored for a reason: to establish no expectation of privacy.

AlanS • January 15, 2014 1:28 PM

@Captain Obvious

I think the trouble is that a lot of these measures of "reasonable expectation" end up being troublesome in some way. The real issue is what is the harm in the government knowing x, y, z? The authors of the 4th Amendment thought there was lots of potential for harm based on the history of general warrants. Hence the requirement that persons be secure in their papers except under warrant issued upon "probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

The third-party doctrine makes a mockery of this in the current context and confuses privacy with secrecy. Here's Sotomayor writing in Jones:

"I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year. But whatever the societal expectations, they can attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy. I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection. See Smith, 442 U. S., at 749 (Marshall, J., dissenting) (“Privacy is not a discrete commodity, possessed absolutely or not at all. Those who disclose certain facts to a bank or phone company for a limited business purpose need not assume that this information will be released to other persons for other purposes”); see also Katz, 389 U. S., at 351–352 (“[W]hat [a person] seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected”)."

Troutwaxer • January 15, 2014 1:41 PM

Which brings us to the other side of the equation: How can we increase the cost of surveillance to the point where it is no longer effective? It goes without saying, of course, that we have the right to affirmatively protect our First, Fourth, and Fifth Amendment rights.

pointless_hack • January 15, 2014 1:48 PM

Harm reduction arguments have their place, but I am not prepared to let strangers do anything that causes no harm. "Where's the harm in raiding my refrigerator," or, in real life, a panty raid? It's not illegal, but punitive measures are EXPECTED to teach ignorant frat boys and feral nerds this is NOT ACCEPTABLE behavior.

The government could improve by seeking to improve my chances of developing a widget without hackers or a Chinese APT stealing my developments for profit or insider trading.

I agree that in the face of large sums of money, new tech can render expecting privacy a little disingenuous. What's to do, is deter violators with punishment of some kind.

Milo M. • January 15, 2014 4:09 PM

@AlanS:

Thank you for all of the references.

A link to the Brandeis dissent (of which I was unaware, as well as being unaware of the case, until today):

http://www.fjc.gov/history/home.nsf/page/tu_olmstead_doc_15.html

Here's a 10 year old paper ("Katz Is Dead. Long Live Katz") that might also be helpful:

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=490623

The title suggests a Schrodinger disciple.

On the subject of the Yale Law Review post, it seems somehow wrong that the cost of the technology should have anything to do with privacy. Just because it's cheap doesn't mean that law enforcement agencies or snoops are obliged to use it. Conversely, just because it's costly doesn't imply that it's legal.

Anura • January 15, 2014 4:25 PM

Reasonable expectation of privacy is all good and well, but I think there are really two debates we need to seriously have, not just here, but the world in general: How much privacy do we want online, in general? How easy should it be for an individual to be anonymous online? We seem to get lost in the way things are and never talk about the way things should be.

Personally, I am on the side of regulating private and public data collection and sharing to give us a reasonable expectation of privacy, as well as working to rebuild the foundation of the internet in order to maximize anonymity, as well as the ease of being anonymous. I don't expect much privacy today, but that doesn't mean that this is the way it should be.

Romer • January 15, 2014 5:46 PM

"We estimate the hourly cost .... to propose an objective metric: if the cost of the surveillance using the new technique is an order of magnitude (ten times) less...."

How about this metric: if a lawyer, court, bureaucrat, or judge cannot reasonably infer the meanings of the 1st, 4th, 5th and 7th Amendments, and how those are violated by "bulk data collection," they should be disbarred, fired, or impeached.

Reducing these heinous violations of the law and of American history should not be subject to pragmatic or cost/benefit analysis.

Figureitout • January 15, 2014 6:28 PM

Aspie
--Alright! You know me all too well. :) Just set up a throwaway email, didn't know if files were involved so I opted for a more "full featured" version. BM-2cToSg9V5qsJUP9qSv6rBG2DLrfmE9mw59@bitmessage.ch

If you must send encrypted can generate some keys too (I can go full retard on it too). Trying to get a silly arduino repeater going w/ my radio but I go back and "forth" b/w projects when I get the time.

JonS • January 15, 2014 8:28 PM

@ anura: "a debate we need to seriously have, not just here, but the world in general: How much privacy do we want online, in general?"

I understand what you're getting at, but I think you might have mis-framed it. There is simply no answer to how much privacy *we* want. What I want is different to what you want is different to what she wants is different to what they want.

It's an important debate to have, but I don't think trying to come to some kind of consensus is a useful approach - there's always going to be those off-the-grid nobbits who view everything as a breach of privacy, and also those who *ahem* 'over share.' And there is always, ALWAYS going to be a huge commercial push from the likes of Facebook and Google to link up everything you do, and the explicit cost of privacy and anonymity.

And that touches on your second debate question: "How easy should it be for an individual to be anonymous online?" Again, I think this question is either misframed, or being looked at the wrong way around. Currently, it is trivially easy to be anonymous online: just unplug your broadband router, and you have all the online anonymity you could possibly want. As Facebook and Google can rightly but deceptively say: you *gave* them all that data. No one held a gun to your head and forced you to use Facebook, or Farmville, or LinkedIn, or GMail, or ...

I think the question needs to be more along the lines of "How can an individual fully utilise the web, and all the services thereon, while remaining anonymous?" (in meatspace, I can use cash. What do I do on the web?) with a corollary of "how can an individual change their level of privacy - up or down - at any time, and have that change ripple throughout the web?" (in meatspace, if I spectacularly screw up I can pack up and move to another location and try starting over. On the web that isn't as practical. In fact, the web is increasingly making that an impractical strategy in meatspace also. Schneier has talked about the masses of digital detritus we leave as part of every online activity - how do we clean up or at least manage that detritus?), and perhaps a second corollary of "how can an individual have multiple levels of privacy, depending on the audience?" (I don't mind my close friends knowing about my predilection for [stuff], but I really don't want to share that with mum or granny).

In other words, I guess, what are the online analogues for the ability to individually manage privacy and anonymity offline?

RobertT • January 15, 2014 9:38 PM

It's interesting to consider the "cost of surveillance" implications of your personal security regimen and how far certain cheap actions that the user can undertake result in an exponential increase in the cost and difficulty associated with maintaining accurate surveillance information.

Today smartphones, laptops and Tablets are our constant companions, so any information that leaks from these devices not only reveals our location but also links all the different aspects of our lives, which any security aware person would naturally try to segregate.

For me the leakage of data associated with one of my online "personas" is nowhere near as concerning as the concept that all my online personas are linked. Add to this the real time tracking of physical devices (phones / tablets etc) and you quickly conclude that all my actions online and in the real world are inexorably linked and track-able in real-time. There are enough wackos in this world that frankly I find this concept is beyond scary, it's downright terrifying.

My solution is to intentionally constrain certain personas to certain physical devices and then ensure that the devices all connect through different untraceable ISPs and VPNs. It's a lot of work and the veil of anonymity that these procedures create all comes tumbling down IF someone can determine and track the actual physical locations of the devices that I use. Overcoming the location tracking problem is something that I'm actively working on but it is proving much more difficult than I originally anticipated.

Does anyone have a good solution for the tracking issue?

Of course there's the option of simply turning all the electronic devices off (removing their batteries) and removing/disabling all passive embedded RFID tags BUT for the moment I've still got a life to live so...
Other options...anyone?

Buck • January 15, 2014 9:58 PM

@RobertT

Your "personas" are inexorably linked, if not now, then in the very near future. Accept it; or consider life as a hobbit...
It seems all mitigation efforts will be countered with further squandering of resources to keep you in the grid. :-(
The root of all evil will not permit profits lost thanks to those pesky privacy nuts! Solutions will be political (or a way of thinking about post-scarcity futures), not technological under the current paradigm.

Figureitout • January 15, 2014 11:16 PM

JonS
Currently, it is trivially easy to be anonymous online: just unplug your broadband router, and you have all the online anonymity you could possibly want.
--While I catch your drift and one big defence that is overlooked is the data flood; the reality is that one MUST use the internet to have a job or get an education. Email for instance (that now worthless insecure system), and a program at my school, I must use it, it's a requirement of the class; and for the first time one of these academic programs is asking for my facebook account (b/c that site is a place where productive work gets done). So yeah, I did delete my account; imagine that awkward silence when you meet someone and they ask about your facebook...and girls like to basically walk around w/ their cameras taking pictures constantly, they tell me to get an account so that affects my chances of getting a good girlfriend. Guess what, that social isolation gets to you after awhile...thankfully there's other sites that are equally bad time-wasters; but it's a guilty pleasure most all partake in.

Also, the reality of IP cameras at intersections and many other places, not to mention people w/ their smart phones snapping pics non-stop and then putting it on the internet; you literally cannot escape the internet in "meatspace". Search the evil google "live IP cameras". Of course, technology these days is getting way too ridiculous, over 2 years ago my dad said some of these intersection cameras can see your face 2 miles away when the angle to your face is perfect; and cameras in sports stadiums can count the hairs on your head...

http://arstechnica.com/gadgets/2011/01/one-mans-journey-through-the-world-of-unsecured-ip-surveillance-cams/

http://security-today.com/articles/2013/12/01/cameras-at-the-intersection.aspx

All these questions are extremely hard to answer and it's getting to the point that it's impossible in my view no matter how much OPSEC you think can evade it; and evading it makes you a "criminal". My question is...just how bad will it get?

RobertT • January 15, 2014 11:53 PM

@Buck
"Your "personas" are inexorably linked, if not now, then in the very near future. Accept it.."

Trouble is, to paraphrase the Garth Brooks song, I got friends in low places....

Many a comment that I've made would earn me a bullet execution style if everything were linked or ever is linked. In cyber space I can't uncomment so my only defense is to make sure that these comments are NEVER attributable to the real physical me.

I don't imagine I'm the only person that travels extensively in parts of the world where the local security forces would not think twice to terminate your visit with extreme prejudice, if only they knew what the NSA probably does and Google certainly does.

65535 • January 16, 2014 3:14 AM

I agree the cost of surveillance is not the only factor of establishing a reasonable cause for search. But, “cost” is hard economics and the government must consider it.

As Bruce has pointed out the cost of GPS device surveillance is much cheaper than 4 or 5 $131,000 salaried FBI agents. Hence, the government is about 28 times more potent in conducting GPS searches – and that is like having an FBI agent in your car at all times. Planting tiny GPS units or simply following a cell phone target is too invasive and against the Fourth amendment.

[I will also say that disgruntled spouses have used such technology to seek evidence of infidelity and grounds for divorce. That is a very ugly trend.]

To level the playing field these GPS searches should be highly restricted. But, the legal tide seems to be against us.

On the legal side I would suggest promoting technically savvy judges to potent positions. The current set of old judges is not doing the job. We need new blood in the system.

On the Technical side I would recommend that obscuring of civilian GPS be employed – at least as an option to the consumer (we are now forced to buy devices with highly accurate and dangerous cell phone GPS and other GPS enabled mobile devices). There must be other methods of obscuring GPS tracking but I’ll leave that up to others to elaborate.

Clive Robinson • January 16, 2014 7:35 AM

@ AlanS,

    In later cases the "third party doctrine" was adopted that narrowed the scope of "reasonable expectation of privacy" and has continued to drastically narrow the scope as technologies have evolved.

    It's not just where technology is involved that the general principle of third-party confidentiality is being eroded, removed or worse turned into compulsion.

    Under English law various communications were considered privileged this included but was not limited to,

    1, Spouses.
    2, Priests.
    3, Lawyers.
    4, Those acting in a medical capacity
    5, Qualified Accountants.
    6, Journalists.

    Usually the change was occasioned by some event or class of event but was subsequently argued into something broader.

    Take spouses: at one time wives were not allowed to give testimony against their husbands, neither the Police nor members of the judiciary were even allowed to ask questions and even if told they had to legally disregard it.

    However it was used by some as a method of being held unaccountable for abuse, rape and even murder. Because of the serious nature of these crimes changes were made to allow spouses to testify against each other. Few if anybody would regard these changes as unreasonable on the face of it and as usual the "think of the children" emotive arguments were used to silence naysayers.

    However some naysayers pointed out quite correctly that this legal dam once breached would go from a trickle to a flood which would cause very real and dangerous harm. And this is what has happened, it's now reached the point in the UK where spouses are being not just threatened with prosecution for withholding evidence but actually being committed to jail by judges.

    Even the legal profession is being "got at" in that what is covered by client-attorney privilege is being weakened. Other professions are likewise being told not just "no privilege" but to report "any suspicions", thus accountants, architects, bank clerks are required to report any suspicion of "money laundering" or "tax evasion". So for instance where there is a transaction limit where they are required to report the transaction (approx. 10,000USD equivalent) if you say take out a small amount of cash (say 200USD equivalent) from the bank and tell the cashier it's "to pay for car repairs" then as far as the law is concerned the cashier now has reasonable suspicion and should report it to the government. So worried are some professions they report not just transactions but enquiries as well in order to protect themselves.

    Worse perhaps is that "business records" can be seized with less and less protection. In the past individuals' details were not considered part of a business transaction record, and had a semi protected status in that lawful authority had to be obtained by presenting argument and evidence to a circuit judge, who would be able to assess if there was valid reason to seize the records.

    However as I know this has been weakened for the likes of OfCom who can drag a magistrate in without the presence of a court clerk, present false information and pressure the magistrate into signing the warrant. But further OfCom's "agent" (Clive Corrie of OfCom's Birmingham office in this case) exceeds their lawful authority to seize all records knowing full well that he has absolutely no entitlement to them. Further he then without lawful authority releases these illegally obtained records to whomsoever he chooses for the purpose of "creating trouble" as a revenge tactic.

    But it gets worse further the UK Government despite legislation otherwise believe it's OK to "sell all medical records" with little or no anonymisation. The official blurb talks about "research" and making the UK a world leader, however the facts are they will be sold to US and other companies and taken outside of UK and EU data protection zones and in all likelihood get sliced and diced and cross compiled with other escaped data from the financial and marketing worlds and re-packaged and sold on at a premium. However just to make it abundantly clear the original legislation to enable this made it very clear there are "first class" and "second class" citizens. Those in selected positions and their families will be exempt, the rest of us not. Some UK patients had the foresight to write to their Drs forbidding them putting their records onto Government systems (see UK "NHS Spine" disaster that BT amongst the other "usual suspects", was involved with, it was once billed as "The world's most expensive IT disaster"). So the Government under "lobbying Pressure" from US Healthcare companies responded by making Drs' income involve the adding of patient records in a disproportionate way. Thus objecting patients became a financial liability to a Dr's income and some found themselves without a General Practitioner fairly promptly. These people now have at best very limited access to health care and the current UK Gov is running around trying to make the situation far far worse, in that those attending Accident and Emergency Departments at hospitals are being in effect refused access unless triage staff deem that what the patient presents with is a genuine emergency, with the first step of the process being providing your GP Details...

    But this gets worse the UK Government are forcing everybody to contact them "electronically" which basically means shoddy call center staff or EMail via insecure methods. This in turn means you are compelled to have contact with a telecoms company, who are required to collect and store all metadata.

    And this brings me onto "Smith vs. Maryland" back prior to 1979 the bulk of important communications was still via the postal service. Partly this was to do with the relative cost with postage being less expensive than a two minute phone call, thus the compulsion then was to postal communications that were more difficult to "tap into" and due to the effort involved careful thought went into the composition of correspondence.

    It was back then when many US citizens still did not have electronic communications in their homes or access to them at work still just possible if you were "fuddy duddy" enough to view personal electronic communications as a luxury that was neither an enabler or requirement for participation in society and thus a "life style choice" not a "necessity".

    This is no longer true you are not just compelled to use electronic communications in general it's reached the point where it's not possible to get employment or access many services needed to participate in society without it, it's now almost as essential as access to water. Its ubiquity is such that even socially it's a requirement from a very early age, and with it the "familiarity that breeds contempt" and more importantly informality and lack of carefully considered thought. This is exacerbated by the general view that unlike written communications electronic communications are somehow ephemeral or easily disposed of.

    For those with their ears and eyes open then and now the Olly North court case should have been a clarion wake up call. Most people who were adults and living in First world / Western nations had it trotted out to them via newspaper, television and radio, not just in the daily news slots but also in editorials and talk shows (this was no doubt helped by Fawn Hall who was a journalists dream witness).

    It was repeated over and over again that the "smoking gun" evidence was from emails that had been copied countless times onto backup tapes. Not just at the mail servers at either end but at quite a few points in between. The lesson then was switched from "you can communicate privately" to "you have no control on plaintext or communications meta data", the lesson now is "everything you do generates meta data and it's all collected without your consent or control and most certainly not for your benefit, and you will not be allowed to opt-out".

    Judges and legislators should "wake up and smell the coffee" and at the very least recognise this change in society's reality.

    All communication to third-parties in whatever form be they direct or business records should be regarded as "privileged" and requiring a specific and limited in time and scope warrant to access. The warrant should also limit who has access to "named individuals" and also limit the retention period by authorities as well as full disclosure to all individuals at the end of that period.

AlanS • January 16, 2014 8:34 AM

@RobertT

"Of course there's the option of simply turning all the electronic devices off(removing their batteries) and removing/disabling all passive embedded RFID tags BUT for the moment I've still got a life to live so...
Other options...anyone?"

Switching off or removing the battery doesn't guarantee that you can't still be tracked. To be safe I think you have to stick the device in a Faraday cage during those times that you want to go dark. Snowden used a fridge. Some fridges may function to prevent wireless transmissions, others may just function to prevent monitoring of conversations.

See discussion here:
thelede.blogs.nytimes.com/2013/06/25/why-snowdens-visitors-put-their-phones-in-the-fridge/

Buck January 16, 2014 10:05 AM

@Robert

Well considering you don't have a bullet in your head, that means one of a few things I suppose...

  • your OPSEC is working
  • nobody low enough has bothered to connect the dots
  • you may be considered "useful"

If I had to guess, I'd say the second possibility is most likely... The dots are sittin on some server(s) somewhere, just waiting on someone to connect them.

Going forward, it seems far more difficult to maintain... Even if you leave behind all but "virgin" electronics, there are plenty of satellites in the sky & cameras on the street corner to fairly accurately know the location of pretty much everybody at all times...

Hmmm... maybe try blending in with large crowds? Regularly...

Nick P January 16, 2014 10:39 AM

@ Buck

I'd add the possibility that he doesn't matter enough to them. This might be because he genuinely isn't a threat to them or because they don't perceive him as a threat based on information they have. Contrary to much paranoid thinking, they really are only after a tiny portion of the population at any given time, use high-tech targeted efforts on an even tinier portion, and use brutal methods on even less.

If he ever matters, the methods he describes aren't good enough to stop agents of a highly capable organization. Let's assume he's considered a serious threat while using bulletproof INFOSEC & good OPSEC. The simplest method I see working would be to spy on (or lean on) his contacts to initiate a referral. When he shows up to do business & ID is confirmed, they have people posing as police grab him. The drugs, beatings and imprisonment are then used to bypass any digital security mechanisms he uses. And they move onto the next threat.

jones January 16, 2014 11:26 AM

There's no making the surveillance more expensive. It will keep getting cheaper so long as our society values growth and subsidizes industry. The only thing that will fix this is the type of broad, social change that will lead to fewer people driving, less factory farming, less conspicuous consumption, less monopoly control over industry that prefers planned obsolescence to durability, and ending support of the two-party system, since both parties pursue growth policies.

Buck January 16, 2014 11:26 AM

@NickP

That wasn't really a possibility to consider given @Robert's premise: "I got friends in low places.... Many a comment that I've made would earn me a bullet execution style if everything were linked or ever is linked."

Now maybe those low-life friends are not in any of the domestic law enforcement agencies, but it would be foolishly unwise to believe that criminal elements or foreign security services could never tap into the national security databases...

RobertT January 16, 2014 7:43 PM

@Buck
Well considering you don't have a bullet in your head, that means one of a few things I suppose...
your OPSEC is working
nobody low enough has bothered to connect the dots
you may be considered "useful"

While my opsec is pretty good, it is now clear to me that it has not been good enough. So I'm fairly sure the truth is that nobody has bothered to connect the dots. That's a concern and goes back to the title, to Change the Cost of Surveillance. Today it costs practically zero to track someone because the databases already exist. All anyone needs to do is connect the dots, and possibly pay a little money for the privilege. Unfortunately these databases don't just disappear, after a year, rather they grow and year by year they accumulate more and more dots/details until even the blind can see how the dots are connected.

The problem is that once you've connected the dots it becomes 10 times easier to link individuals to specific events. Such as, was he in the country at the time, (maybe but not sure) alternative question was his personal cell phone OFF or in a static unmoved state for the period in question? See how innocent meta data about the mobility of my personal cell phone quickly tightens the noose (who does not even move their phone for 3 or 4 days?.... Ans: someone who is not really there)

Think about some of the world's true nutters and how little thought they give to killing their own relatives, even those that actually raised them. They don't have just one death on their minds rather they've killed 1000's and possibly tens of thousands, so your life is meaningless to them. Now imagine they have access to global data bases so they can link the dots and identify those people that have caused them some grief in the past. The US has already pioneered the practice of international "extraordinary rendition" so in today's world it would seem legal to mine some global database, identify the "guilty" send in a wet team to carry out the rulings of your own kangaroo court, that the perp was never even aware existed. (sounds a little like the US drone program)

You might say that they'd never have the 6a11's to grab anyone off the streets of the USA, so I'm OK. Well maybe and maybe not, but what happens when you travel? say on a business trip to China. Do you suddenly end up with a bus's front wheel parked directly on your head and a police report detailing how it was an accident because you jumped in front of the speeding bus? (google it)

@Nick P
These days the only thing I'm really a threat to is the local fish population. My only concern is that someone holds a grudge and might want to give me a hand (or a push) with late night swimming lessons.

@Buck
All is not always as it appears at the time, however as time progresses you learn just how ruthless your colleagues really are, sometimes you even gain a glimpse of the real puppeteer and maybe the real purpose, that's when things suddenly become very dangerous. BTW it's not just others connecting your dots that's dangerous, sometimes you might inadvertently be the one connecting their dots, or maybe they might just believe you want to connect their dots.


@AlanS
Interesting link about cell phones in the fridge rather than just removing the battery. Makes sense although I'm not sure there is any way to really utilize the RAM/real time clock (RTC) battery backup as a power-up source. I'm certain that it can't happen with any cell phone devices that I designed but it is something to look into wrt the chipsets of others. The real trouble is that these forms of power-up especially through parasitic body diodes can be unbelievably difficult to spot even when you have the full chip simulation / layout database available (and know what you are doing). Matter of fact they are so hard to spot that we used to run special layout database scripts just to identify body diode and possible parasitic well diodes through which an isolated supply like the RTC might accidentally result in some other part of the chip powering up. Sometimes this power-up path happens external to the chip. E.g. RTC control signal is routed back on the PCB to an I/O pin where the PMOS VDD supply connects back to the main power-up supply. So whenever the RTC output goes HIGH the chip powers up, IF this connection goes through a serial external FET then this power-up (from the RTC clock) could be made conditional on the system state at power down. Tricky....very tricky...not sure I believe that anyone has implemented this but it is possible, this is a real advanced system style fault.



RobertT January 16, 2014 8:58 PM

@AlanS
Further on phones in the refrigerator.

I was just thinking about system level power-up specs for Smart phones.
In the good old days Moto (flip phones) had a power-up spec for their phones that required a special hardware state machine that tested the strength of the battery before allowing the firmware to proceed with system boot.

In this case (moto) a standard RTC battery would fail this test so the system would not proceed to boot. I've never seen an equivalent startup test spec called for with any Apple or Samsung devices although maybe it is completely unnecessary because a standard startup probably draws much more than 1A from the battery so it just fails and sits in an infinite power-up fail cycle. The old Moto phones had power-up sequences that were somewhat optimized to allow them to still work even when the battery was weak/old; same goes for Nokia. These days failing gracefully with old weak batteries is a don't-care. BUT it is still interesting that the hardware state machine required to test battery state is missing from the spec. Hmmm, does potentially open the door to someone reworking the boot sequence or maybe just slowing down the CPU clock so that the startup sequence can be accomplished from an RTC battery.


Clive Robinson January 17, 2014 12:28 AM

@ RobertT,

    In the good old days Moto (flip phones) had a power-up spec for their phones that required a special hardware state machine that tested the strength of the battery before allowing the firmware to proceed with system boot

Not just Moto and cells, other companies and cordless and PMR which was synthed. Some of the tricks people used to get around such "Apollo 13" problems were quite mind bending.

I designed a simple circuit using just two transistors and three resistors to get over one of the problems, which with a further little fiddling could also be hidden in a voltage regulator.

For those reading along that are thinking "why would you need it?" there is a very real problem with batteries and uninitialised logic that can at the worst be fatal to the device and can cause high return rates for "soft faults" if not mitigated.

When people talk about battery powered equipment few if any have actually designed such devices for FMCE where the profit per item is small and return rate cost is very asymmetric and thus an increase in return rate of a fraction of one percent can wipe profit out (for those that live in the UK I can remember Alan Sugar blowing his top at a design team when I told him they were going to cause him high return rates by trying to fix a different problem).

The problem arises from the fact that both the battery and electronics have very nonlinear characteristics and both have hysteresis as well, so when combined you have to design around these problems.

Problem "zero" is battery choice, all families of batteries have different characteristics (like did you know even carbon zinc dry cells can be recharged if done properly?). So you need to pick the family type with care.

Problem number one is that the battery terminal voltage is mainly a function of load not charge due to internal characteristics. That is you can only use the terminal voltage as an approximate indicator of charge when it's either very nearly fully charged or on significant load, and whilst they both change absolute values with not just the number of charge/discharge cycles but the speed and current of those cycles, the former is more affected than the latter.

This means that the off load terminal voltage can be a lot higher than the voltage of even a small load at the bottom end of the charge capacity. As a crude approximation the battery internal series resistance is inversely related to charge (which should raise "here be dragons" alarm bells in any design engineer's head due to "negative resistance" and how it can be used to make oscillators amongst other things).

Problem number two is "in rush current" from the earliest electromechanical devices it's been known that "loads" are not constant that is they can draw a much much larger current at startup than when running normally. DC motors and filament light bulbs were the two early electrical engineers knew by heart.

However with modern electronics the problem is slightly different. If you look at the resistance characteristic of a forward biased PN junction semiconductor diode you will see that it is high until a certain voltage is reached, then it drops to a very low value. The more PN junctions you have in series the higher this voltage. When it comes to transistors in the likes of TTL logic it's easy to see that there are several junctions in series between the rails. Even the "Field Effect" devices used in CMOS devices have voltage thresholds.

Few engineers ask themselves what effect these threshold voltages have in terms of start up currents, even less have asked themselves what happens when the voltage rises enough to exceed some thresholds but not all and then either stops or worse drops.

Well this is what happens when a fully discharged battery with a permanently connected semiconductor device such as a microprocessor is charged.

If the charging circuit cannot meet the current required to both charge the battery and supply the semiconductor startup in rush current then significant problems will occur and at best the charger will current limit and the microprocessor just "hang" in a safe metastate.

Thus the simplistic approach is to up the "current limit" of the charger, however many families of rechargeable batteries react badly to high charge currents when close to or at charged (they can vent flammable/explosive gas as one problem). Generally at the very least the battery life is going to be significantly shortened so "trickle charging" at or close to charge is "a must" to reduce returns rates.

So simple chargers are out unless you can fix the problem another way, one of which is to have a battery low detector that puts the electronics into shutdown mode whilst the battery voltage is still quite high, and thus always have sufficient charge on the battery to avoid or transition through the high current in rush stage of start up.

The problem with this is it causes other battery problems which can make the product look unreliable.

Thus over the past twenty to thirty years many solutions have been tried, and we arrive at the interesting point we are at today where the charger has its own microcontroller as does the battery which talk to each other to decide the optimal charging strategy based on the battery's previous charge / discharge life, load usage, service life etc etc.

Which as the battery microcontroller has flash or equivalent non volatile memory to store its "life history" means that it can potentially be used as a storage place for malware etc...

Who said a "security engineer's life must be a dull one", we certainly have been cursed to always "live in interesting times".
