Page 2 of 8
Pew Research has released a new survey on American’s perceptions of privacy. The results are pretty much in line with all the other surveys on privacy I’ve read. As Cory Doctorow likes to say, we’ve reached “peak indifference to surveillance.”
Interesting essay about James Bamford and his efforts to publish The Puzzle Palace over the NSA’s objections. Required reading for those who think the NSA’s excesses are somehow new.
Good essay by Molly Sauter: basically, there is no legal avenue for activism and protest on the Internet.
Also note Sauter’s new book, The Coming Swarm.
This is not good news.
Widely known as the “bloggers law,” the new Russian measure specifies that any site with more than 3,000 visitors daily will be considered a media outlet akin to a newspaper and be responsible for the accuracy of the information published.
Besides registering, bloggers can no longer remain anonymous online, and organizations that provide platforms for their work such as search engines, social networks and other forums must maintain computer records on Russian soil of everything posted over the previous six months.
This research project by Brandon Wiley—the tool is called “Dust”—looks really interesting. Here’s the description of his Defcon talk:
Abstract: The greatest danger to free speech on the Internet today is filtering of traffic using protocol fingerprinting. Protocols such as SSL, Tor, BitTorrent, and VPNs are being summarily blocked, regardless of their legal and ethical uses. Fortunately, it is possible to bypass this filtering by reencoding traffic into a form which cannot be correctly fingerprinted by the filtering hardware. I will be presenting a tool called Dust which provides an engine for reencoding traffic into a variety of forms. By developing a good model of how filtering hardware differentiates traffic into different protocols, a profile can be created which allows Dust to reencode arbitrary traffic to bypass the filters.
Dust is different than other approaches because it is not simply another obfuscated protocol. It is an engine which can encode traffic according to the given specifications. As the filters change their algorithms for protocol detection, rather than developing a new protocol, Dust can just be reconfigured to use different parameters. In fact, Dust can be automatically reconfigured using examples of what traffic is blocked and what traffic gets through. Using machine learning a new profile is created which will reencode traffic so that it resembles that which gets through and not that which is blocked. Dust has been created with the goal of defeating real filtering hardware currently deployed for the purpose of censoring free speech on the Internet. In this talk I will discuss how the real filtering hardware work and how to effectively defeat it.
EDITED TO ADD (9/11): Papers about Dust. Dust source code.
It turns out that the NSA’s domestic and world-wide surveillance apparatus is even more extensive than we thought. Bluntly: The government has commandeered the Internet. Most of the largest Internet companies provide information to the NSA, betraying their users. Some, as we’ve learned, fight and lose. Others cooperate, either out of patriotism or because they believe it’s easier that way.
I have one message to the executives of those companies: fight.
Do you remember those old spy movies, when the higher ups in government decide that the mission is more important than the spy’s life? It’s going to be the same way with you. You might think that your friendly relationship with the government means that they’re going to protect you, but they won’t. The NSA doesn’t care about you or your customers, and will burn you the moment it’s convenient to do so.
We’re already starting to see that. Google, Yahoo, Microsoft and others are pleading with the government to allow them to explain details of what information they provided in response to National Security Letters and other government demands. They’ve lost the trust of their customers, and explaining what they do—and don’t do—is how to get it back. The government has refused; they don’t care.
It will be the same with you. There are lots more high-tech companies who have cooperated with the government. Most of those company names are somewhere in the thousands of documents that Edward Snowden took with him, and sooner or later they’ll be released to the public. The NSA probably told you that your cooperation would forever remain secret, but they’re sloppy. They’ll put your company name on presentations delivered to thousands of people: government employees, contractors, probably even foreign nationals. If Snowden doesn’t have a copy, the next whistleblower will.
This is why you have to fight. When it becomes public that the NSA has been hoovering up all of your users’ communications and personal files, what’s going to save you in the eyes of those users is whether or not you fought. Fighting will cost you money in the short term, but capitulating will cost you more in the long term.
Already companies are taking their data and communications out of the US.
The extreme case of fighting is shutting down entirely. The secure e-mail service Lavabit did that last week, abruptly. Ladar Levison, that site’s owner, wrote on his homepage: “I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision.”
The same day, Silent Circle followed suit, shutting down their e-mail service in advance of any government strong-arm tactics: “We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.” I realize that this is extreme. Both of those companies can do it because they’re small. Google or Facebook couldn’t possibly shut themselves off rather than cooperate with the government. They’re too large; they’re public. They have to do what’s economically rational, not what’s moral.
But they can fight. You, an executive in one of those companies, can fight. You’ll probably lose, but you need to take the stand. And you might win. It’s time we called the government’s actions what they really are: commandeering. Commandeering is a practice we’re used to in wartime, where commercial ships are taken for military use, or production lines are converted to military production. But now it’s happening in peacetime. Vast swaths of the Internet are being commandeered to support this surveillance state.
If this is happening to your company, do what you can to isolate the actions. Do you have employees with security clearances who can’t tell you what they’re doing? Cut off all automatic lines of communication with them, and make sure that only specific, required, authorized acts are being taken on behalf of government. Only then can you look your customers and the public in the face and say that you don’t know what is going on—that your company has been commandeered.
Journalism professor Jeff Jarvis recently wrote in the Guardian: “Technology companies: now is the moment when you must answer for us, your users, whether you are collaborators in the US government’s efforts to ‘collect it all—our every move on the internet—or whether you, too, are victims of its overreach.”
So while I’m sure it’s cool to have a secret White House meeting with President Obama—I’m talking to you, Google, Apple, AT&T, and whoever else was in the room—resist. Attend the meeting, but fight the secrecy. Whose side are you on?
The NSA isn’t going to remain above the law forever. Already public opinion is changing, against the government and their corporate collaborators. If you want to keep your users’ trust, demonstrate that you were on their side.
This essay originally appeared on TheAtlantic.com.
Slashdot thread. And a good interview with Lavabit’s founder.
We’re starting to see Internet companies talk about the mechanics of how the US government spies on their users. Here, a Utah ISP owner describes his experiences with NSA eavesdropping:
We had to facilitate them to set up a duplicate port to tap in to monitor that customer’s traffic. It was a 2U (two-unit) PC that we ran a mirrored ethernet port to.
[What we ended up with was] a little box in our systems room that was capturing all the traffic to this customer. Everything they were sending and receiving.
Declan McCullagh explains how the NSA coerces companies to cooperate with its surveillance efforts. Basically, they want to avoid what happened with the Utah ISP.
Some Internet companies have reluctantly agreed to work with the government to conduct legally authorized surveillance on the theory that negotiations are less objectionable than the alternative—federal agents showing up unannounced with a court order to install their own surveillance device on a sensitive internal network. Those devices, the companies fear, could disrupt operations, introduce security vulnerabilities, or intercept more than is legally permitted.
“Nobody wants it on-premises,” said a representative of a large Internet company who has negotiated surveillance requests with government officials. “Nobody wants a box in their network…[Companies often] find ways to give tools to minimize disclosures, to protect users, to keep the government off the premises, and to come to some reasonable compromise on the capabilities.”
Precedents were established a decade or so ago when the government obtained legal orders compelling companies to install custom eavesdropping hardware on their networks.
And Brewster Kahle of the Internet Archive explains how he successfully fought a National Security Letter.
Evgeny Morozov makes a point about surveillance and big data: it just looks for useful correlations without worrying about causes, and leads people to implement “fixes” based simply on those correlations—rather than understanding and correcting the underlying causes.
As the media academic Mark Andrejevic points out in Infoglut, his new book on the political implications of information overload, there is an immense—but mostly invisible—cost to the embrace of Big Data by the intelligence community (and by just about everyone else in both the public and private sectors). That cost is the devaluation of individual and institutional comprehension, epitomized by our reluctance to investigate the causes of actions and jump straight to dealing with their consequences. But, argues Andrejevic, while Google can afford to be ignorant, public institutions cannot.
“If the imperative of data mining is to continue to gather more data about everything,” he writes, “its promise is to put this data to work, not necessarily to make sense of it. Indeed, the goal of both data mining and predictive analytics is to generate useful patterns that are far beyond the ability of the human mind to detect or even explain.” In other words, we don’t need to inquire why things are the way they are as long as we can affect them to be the way we want them to be. This is rather unfortunate. The abandonment of comprehension as a useful public policy goal would make serious political reforms impossible.
Forget terrorism for a moment. Take more mundane crime. Why does crime happen? Well, you might say that it’s because youths don’t have jobs. Or you might say that’s because the doors of our buildings are not fortified enough. Given some limited funds to spend, you can either create yet another national employment program or you can equip houses with even better cameras, sensors, and locks. What should you do?
If you’re a technocratic manager, the answer is easy: Embrace the cheapest option. But what if you are that rare breed, a responsible politician? Just because some crimes have now become harder doesn’t mean that the previously unemployed youths have finally found employment. Surveillance cameras might reduce crime—even though the evidence here is mixed—but no studies show that they result in greater happiness of everyone involved. The unemployed youths are still as stuck as they were before—only that now, perhaps, they displace anger onto one another. On this reading, fortifying our streets without inquiring into the root causes of crime is a self-defeating strategy, at least in the long run.
Big Data is very much like the surveillance camera in this analogy: Yes, it can help us avoid occasional jolts and disturbances and, perhaps, even stop the bad guys. But it can also blind us to the fact that the problem at hand requires a more radical approach. Big Data buys us time, but it also gives us a false illusion of mastery.
The US Department of Defense is blocking sites that are reporting about the Snowden documents. I presume they’re not censoring sites that are smearing him personally. Note that the DoD is only blocking those sites on its own network, not on the Internet at large. The blocking is being done by automatic filters, presumably the same ones used to block porn or other sites it deems inappropriate.
Anyone know if my blog is being censored? I’m kinda curious.
Adding a remote kill switch to cell phones would deter theft.
Here we can see how the rise of the surveillance state permeates everything about computer security. On the face of it, this is a good idea. Assuming it works—that 1) it’s not possible for thieves to resurrect phones in order to resell them, and 2) that it’s not possible to turn this system into a denial-of-service attack tool—it would deter crime. The general category of security is “benefit denial,” like ink tags attached to garments in retail stores and car radios that no longer function if removed. But given what we now know, do we trust that the government wouldn’t abuse this system and kill phones for other reasons? Do we trust that media companies won’t kill phones it decided were sharing copyrighted materials? Do we trust that phone companies won’t kill phones from delinquent customers? What might have been a straightforward security system becomes a dangerous tool of control, when you don’t trust those in power.
Sidebar photo of Bruce Schneier by Joe MacInnis.