Entries Tagged "history of security"

Page 5 of 11

The Changing Economics of Surveillance

Cory Doctorow examines the changing economics of surveillance and what it means:

The Stasi employed one snitch for every 50 or 60 people it watched. We can’t be sure of the size of the entire Five Eyes global surveillance workforce, but there are only about 1.4 million Americans with Top Secret clearance, and many of them don’t work at or for the NSA, which means that the number is smaller than that (the other Five Eyes states have much smaller workforces than the US). This million-ish person workforce keeps six or seven billion people under surveillance—a ratio approaching 1:10,000. What’s more, the US has only (“only”!) quadrupled its surveillance budget since the end of the Cold War: tooling up to give the spies their toys wasn’t all that expensive, compared to the number of lives that gear lets them pry into.

IT has been responsible for a 2-3 order of magnitude productivity gain in surveillance efficiency. The Stasi used an army to surveil a nation; the NSA uses a battalion to surveil a planet.

I am reminded of this paper on the changing economics of surveillance.

Posted on March 12, 2015 at 6:22 AMView Comments

1971 FBI Burglary

Interesting story:

…burglars took a lock pick and a crowbar and broke into a Federal Bureau of Investigation office in a suburb of Philadelphia, making off with nearly every document inside.

They were never caught, and the stolen documents that they mailed anonymously to newspaper reporters were the first trickle of what would become a flood of revelations about extensive spying and dirty-tricks operations by the F.B.I. against dissident groups.

Video article. And the book.

Interesting precursor to Edward Snowden.

Posted on January 10, 2014 at 6:45 AMView Comments

World War II Anecdote about Trust and Security

This is an interesting story from World War II about trust:

Jones notes that the Germans doubted their system because they knew the British could radio false orders to the German bombers with no trouble. As Jones recalls, “In fact we did not do this, but it seemed such an easy countermeasure that the German crews thought that we might, and they therefore began to be suspicious about the instructions that they received.”

The implications of this are perhaps obvious but worth stating nonetheless: a lack of trust can exist even if an adversary fails to exploit a weakness in the system. More importantly, this doubt can become a shadow adversary. According to Jones, “…it was not long before the crews found substance to their theory [that is, their doubt].” In support of this, he offers the anecdote of a German pilot who, returning to base after wandering off course, grumbled that “the British had given him a false order.”

I think about this all the time with respect to our IT systems and the NSA. Even though we don’t know which companies the NSA has compromised—or by what means—knowing that they could have compromised any of them is enough to make us mistrustful of all of them. This is going to make it hard for large companies like Google and Microsoft to get back the trust they lost. Even if they succeed in limiting government surveillance. Even if they succeed in improving their own internal security. The best they’ll be able to say is: “We have secured ourselves from the NSA, except for the parts that we either don’t know about or can’t talk about.”

Posted on December 13, 2013 at 11:20 AMView Comments

Government Secrecy and the Generation Gap

Big-government secrets require a lot of secret-keepers. As of October 2012, almost 5m people in the US have security clearances, with 1.4m at the top-secret level or higher, according to the Office of the Director of National Intelligence.

Most of these people do not have access to as much information as Edward Snowden, the former National Security Agency contractor turned leaker, or even Chelsea Manning, the former US army soldier previously known as Bradley who was convicted for giving material to WikiLeaks. But a lot of them do—and that may prove the Achilles heel of government. Keeping secrets is an act of loyalty as much as anything else, and that sort of loyalty is becoming harder to find in the younger generations. If the NSA and other intelligence bodies are going to survive in their present form, they are going to have to figure out how to reduce the number of secrets.

As the writer Charles Stross has explained, the old way of keeping intelligence secrets was to make it part of a life-long culture. The intelligence world would recruit people early in their careers and give them jobs for life. It was a private club, one filled with code words and secret knowledge.

You can see part of this in Mr Snowden’s leaked documents. The NSA has its own lingo—the documents are riddled with codename—its own conferences, its own awards and recognitions. An intelligence career meant that you had access to a new world, one to which “normal” people on the outside were completely oblivious. Membership of the private club meant people were loyal to their organisations, which were in turn loyal back to them.

Those days are gone. Yes, there are still the codenames and the secret knowledge, but a lot of the loyalty is gone. Many jobs in intelligence are now outsourced, and there is no job-for-life culture in the corporate world any more. Workforces are flexible, jobs are interchangeable and people are expendable.

Sure, it is possible to build a career in the classified world of government contracting, but there are no guarantees. Younger people grew up knowing this: there are no employment guarantees anywhere. They see it in their friends. They see it all around them.

Many will also believe in openness, especially the hacker types the NSA needs to recruit. They believe that information wants to be free, and that security comes from public knowledge and debate. Yes, there are important reasons why some intelligence secrets need to be secret, and the NSA culture reinforces secrecy daily. But this is a crowd that is used to radical openness. They have been writing about themselves on the internet for years. They have said very personal things on Twitter; they have had embarrassing photographs of themselves posted on Facebook. They have been dumped by a lover in public. They have overshared in the most compromising ways—and they have got through it. It is a tougher sell convincing this crowd that government secrecy trumps the public’s right to know.

Psychologically, it is hard to be a whistleblower. There is an enormous amount of pressure to be loyal to our peer group: to conform to their beliefs, and not to let them down. Loyalty is a natural human trait; it is one of the social mechanisms we use to thrive in our complex social world. This is why good people sometimes do bad things at work.

When someone becomes a whistleblower, he or she is deliberately eschewing that loyalty. In essence, they are deciding that allegiance to society at large trumps that to peers at work. That is the difficult part. They know their work buddies by name, but “society at large” is amorphous and anonymous. Believing that your bosses ultimately do not care about you makes that switch easier.

Whistleblowing is the civil disobedience of the information age. It is a way that someone without power can make a difference. And in the information age—the fact that everything is stored on computers and potentially accessible with a few keystrokes and mouse clicks—whistleblowing is easier than ever.

Mr Snowden is 30 years old; Manning 25. They are members of the generation we taught not to expect anything long-term from their employers. As such, employers should not expect anything long-term from them. It is still hard to be a whistleblower, but for this generation it is a whole lot easier.

A lot has been written about the problem of over-classification in US government. It has long been thought of as anti-democratic and a barrier to government oversight. Now we know that it is also a security risk. Organizations such as the NSA need to change their culture of secrecy, and concentrate their security efforts on what truly needs to remain secret. Their default practice of classifying everything is not going to work any more.

Hey, NSA, you’ve got a problem.

This essay previously appeared in the Financial Times.

EDITED TO ADD (9/14): Blog comments on this essay are particularly interesting.

Posted on September 9, 2013 at 1:30 PMView Comments

"The Next Generation Communications Privacy Act"

Orin Kerr envisions what the ECPA should look like today:

Abstract: In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA) to regulate government access to Internet communications and records. ECPA is widely seen as outdated, and ECPA reform is now on the Congressional agenda. At the same time, existing reform proposals retain the structure of the 1986 Act and merely tinker with a few small aspects of the statute. This Article offers a thought experiment about what might happen if Congress repealed ECPA and enacted a new privacy statute to replace it.

The new statute would look quite different from ECPA because overlooked changes in Internet technology have dramatically altered the assumptions on which the 1986 Act was based. ECPA was designed for a network world with high storage costs and only local network access. Its design reflects the privacy threats of such a network, including high privacy protection for real-time wiretapping, little protection for non-content records, and no attention to particularity or jurisdiction. Today’s Internet reverses all of these assumptions. Storage costs have plummeted, leading to a reality of almost total storage. Even United States-based services now serve a predominantly foreign customer base. A new statute would need to account for these changes.

The Article contends that a next generation privacy act should contain four features. First, it should impose the same requirement on access to all contents. Second, it should impose particularity requirements on the scope of disclosed metadata. Third, it should impose minimization rules on all accessed content. And fourth, it should impose a two-part territoriality regime with a mandatory rule structure for United States-based users and a permissive regime for users located abroad.

Posted on August 26, 2013 at 7:02 AMView Comments

Stories from MI5

This essay is filled with historical MI5 stories—often bizarre, sometimes amusing. My favorite:

It was recently revealed that back in the 1970s—at the height of the obsession with traitors—MI5 trained a specially bred group of Gerbils to detect spies. Gerbils have a very acute sense of smell and they were used in interrogations to tell whether the suspects were releasing adrenaline—because that would show they were under stress and lying.

Then they tried the Gerbils to see if they could detect terrorists who were about to carry a bomb onto a plane. But the gerbils got confused because they couldn’t tell the difference between the terrorists and ordinary people who were frightened of flying who were also pumping out adrenaline in their sweat.

So the gerbils failed as well.

Posted on August 14, 2013 at 12:06 PMView Comments

Pre-9/11 NSA Thinking

This quote is from the Spring 1997 issue of CRYPTOLOG, the internal NSA newsletter. The writer is William J. Black, Jr., the Director’s Special Assistant for Information Warfare.

Specifically, the focus is on the potential abuse of the Government’s applications of this new information technology that will result in an invasion of personal privacy. For us, this is difficult to understand. We are “the government,” and we have no interest in invading the personal privacy of U.S. citizens.

This is from a Seymour Hersh New Yorker interview with NSA Director General Michael Hayden in 1999:

When I asked Hayden about the agency’s capability for unwarranted spying on private citizens—in the unlikely event, of course, that the agency could somehow get the funding, the computer scientists, and the knowledge to begin making sense out of the Internet—his response was heated. “I’m a kid from Pittsburgh with two sons and a daughter who are closet libertarians,” he said. “I am not interested in doing anything that threatens the American people, and threatens the future of this agency. I can’t emphasize enough to you how careful we are. We have to be so careful—to make sure that America is never distrustful of the power and security we can provide.”

It’s easy to assume that both Black and Hayden were lying, but I believe them. I believe that, 15 years ago, the NSA was entirely focused on intercepting communications outside the US.

What changed? What caused the NSA to abandon its non-US charter and start spying on Americans? From what I’ve read, and from a bunch of informal conversations with NSA employees, it was the 9/11 terrorist attacks. That’s when everything changed, the gloves came off, and all the rules were thrown out the window. That the NSA’s interests coincided with the business model of the Internet is just a—lucky, in their view—coincidence.

Posted on June 27, 2013 at 11:49 AMView Comments

1 3 4 5 6 7 11

Sidebar photo of Bruce Schneier by Joe MacInnis.