I must admit I was quite skeptical when I first saw this video, as my reaction was ‘yet another journalist jumping on the information security bandwagon’. But Peter Warren Singer’s talk isn’t a bad overview for the man in the street and some of the questions from the Googlers are not bad (I must admit I thought I might see some more nuanced questions and points from them).
Phil Zimmermann may not be a household name, but he should be. If it wasn’t for him and others like him fighting battles back in the 1990s about access to encryption, e-commerce and PayPal wouldn’t have been possible. He wrote the original PGP encryption software to protect the contents of emails and was a co-founder of secure communications firm Silent Circle.
If you get a chance, have a read of Crypto by Steven Levy, which outlined the battle around cryptographic technology during the early 1990s.
Mr Zimmermann did a wide ranging interview with Om Malik on the current state of privacy, of which one statement stood out which could be considered to be Zimmermann’s Law:
…the natural tendency of data and Moore’s Law is that data wants to be free. The natural flow of technology tends to move in the direction of making surveillance easier.
Big data intentionally creates a concentration of data and has a corrupting influence.
In spite of this, Mr Zimmermann has a positive outlook noting that cynicism has a paralysing effect on public discourse and the movement for positive change.
Like most other socially deficient people I tuned into Apple’s live web cast of its opening keynote for the Apple World Wide Developers Conference (WWDC). For the best part of a quarter of a century the WWDC has been the one constant in Apple’s calendar for product announcements.
This year was no exception, with the unveiling of the new Mac Pro model of computers, the latest version of iOS7 and OS X Mavericks. One of the most striking features of iOS7 and OS X Mavericks was iCloud Keychain®.
iCloud Keychain® is an encrypted federated keychain that holds credit card details and existing passwords, and that suggests automated passwords for new accounts, or as Apple described it:
iCloud Keychain®, which safely stores your website login information, credit card numbers and Wi-Fi passwords, and pushes them to all of your devices so you don’t need to remember them. Information is always protected with AES-256 encryption when it’s stored on your Mac and when it’s pushed to your devices
I found this particularly interesting, as it is an extremely sticky application. No more challenge managing passwords, but also no migration path to Android or Windows. That is immensely powerful as it holds your bank details, your Amazon account or your Ocado account; literally your life in their hands. Its mention in Apple’s keynote and related materials is supplementary to other features. The UI may get people in, but it will be iCloud Keychain® that will keep them around and sell them up on other parts of the Apple product range.
Or less charitably, iCloud Keychain® is a gateway drug to the Apple eco-system.
Apple Releases Developer Preview of OS X Mavericks With More Than 200 New Features
OS X Mavericks – The next big release of the world’s most advanced operating system coming this fall
It took a bit longer to develop this post than normal; I had a number of data points and ideas kicking around my head regarding PRISM when the news came out. I don’t have a definite conclusion from them and they seem to raise as many questions as answers about our wider relationship with technology.
PRISM pulls in meta-data from across the major internet services en masse. There is speculation about whether this is targeted searches or an overall trawl and whether the data comes directly from the internet companies’ servers.
According to PowerPoint slides obtained by The Guardian; the NSA takes data from optical fibres and directly from the servers of US internet services: Microsoft, Yahoo!, Google, Paltalk (a video chatting service that I hadn’t heard of), AOL, Skype, YouTube and Apple. PRISM is pulling meta-data from the internet services.
What is meta-data?
The glib answer would be data about data. Examples of meta-data that you would come across include the document properties section of a Microsoft Word document, or ripping a CD into iTunes. This sends information on the length of each CD track and the number of tracks on the CD over the internet to a database service (Sony’s Gracenote (formerly CDDB), Discogs, AMG LASSO, MusicBrainz or freedb), which then comes back with what it thinks is the CD and suggested track names and artists.
In the non-digital world, the games of people watching and ‘animal, mineral or vegetable’ are a good analogy for using meta-data for investigative purposes. The old adage about 70 per cent of communication being non-verbal implies the value of meta-data. Real-world meta-data includes things like body language, the way we dress, personal space distances (cross-referenced with cultural norms), who we are seen in the company of etc.
In the intelligence world, it could be used to learn about:
- Who is connected to who
- How often do they communicate
- Variations on the patterns (this is what they mean by chatter on terrorist networks increasing or decreasing on 24)
PRISM and Twitter
It was interesting that Twitter was noticeable by its absence from the PRISM stories. Some have speculated that it may be because of the combative stance that Twitter has taken on protecting users’ information.
It could also be that the kind of activities intelligence operators would be interested in likely require long form communications.
A third option is that most of the valuable data one would need from Twitter is already publicly available via social media monitoring tools using their API:
- Who follows whom – there needs to be a relationship there for direct messages
- Public @ messages
- Twitter lists (you can follow account content this way without following the account in question)
In fact, about the only thing missing would be direct messages; however, those can only occur between people whom you already know the person is connected to, and you could watch them come through via their email account.
One of the most interesting books about technology that I have read over the past few years is What Technology Wants by Kevin Kelly. When doing the promotion for the book, Kevin was asked by BoingBoing to define his concept of ‘The Technium’:
We all realize that we’re kind of surrounded with technology: there’s little device here recording us, there’s tables, chairs, spoons, light bulbs. Each of these things seem pretty mechanical, pretty inert in a certain sense, not very interactive, you know, a hammer, roads. But each one of these technologies actually requires many other technologies to make and produce. So your little thing in your pocket that you use for a phone might require thousands of other technologies to create it and support it and keep it going, and each of those technologies may require hundreds of thousands of subtechnologies below it. And that network of different technologies and the co-dependency that each of those technologies have on each other forms a virtual organism, a super organism.
We can keep stepping back and realize that all these technologies are in some ways co-dependent and related and connected to each other in some way and that largest of all the networks of all these technologies together I call the Technium. What it suggests is that technologies like the spoon or light bulb are not standalone independent technologies but are part of the ecosystem of this superorganism and that superorganism, like any kind of network, exhibits behaviors that the individual technologies themselves don’t.
As a whole the Technium has lifelike properties that the individual technologies do not. So your iPhone is not lifelike and the light bulb is not lifelike but the Technium itself is.
In some respects, the information access provided by PRISM and the ability to process it is an inevitable part of technology’s march. The latest edition of Wired magazine talks about the Internet of things as a programmable world where use of predictions based on past behaviour would allow services to be provided to consumers as they need them:
- Their air con being turned on at home as they leave the office
- Their sandwich order started as they come closer to their lunch time spot or coffee shop
This data would lend itself to physical surveillance as well as communications surveillance, in the same way that satellites and CCTV systems are used in the films Eagle Eye and Enemy of The State.
And I haven’t even mentioned the kind of data that could be pulled from the health 2.0 systems from the snake-oil of Nike Fuel to medical grade devices.
Instead of the man on the grassy knoll packing a hunting rifle and scope in the future it could be a Pringle’s can with a wi-fi aerial inside and a scope attached that would be used to send a localised extended range signal to hack the undesirable politician’s insulin dosemeter, pace-maker, hearing aid or TENS unit to facilitate an accidental death.
All of this makes life a lot easier for employees at intelligence companies, reducing manual labour and expense spent in surveillance; which could then be used to focus on high value targets. The same kind of forces that reshape industries also change government functions including intelligence.
There would be fewer people required to sit in a van or walk around town following a subject. Fewer people required to do Watergate-style break-ins or sit hunched over reel-to-reel tape-recorders.
If one thinks about these things in terms of the inevitable progress of technology, PRISM had to happen; what we feel about it is irrelevant to that process.
Thinking about The Technium as a concept, it is probably no coincidence that quantum computing and cryptography have drawn new interest as states and commercial institutions look to provide protection and access to future information networks.
One of the things that hasn’t been sufficiently reflected on yet, due to the moral outrage at government surveillance and treason, is the wide range of surveillance that people have already willingly submitted themselves to.
From Bloomberg’s journalists looking at the behaviour of terminal subscribers to behavioural advertising that follows you online and your credit score, commercial businesses have got data acquisition to such an art-form that US department store Target may realise you are pregnant before anyone else.
As a society we sell our privacy cheaply to allow Facebook to advertise to us, or having a black box tracking our every movement in our car to get cheaper insurance. Our credit card companies analyse a detailed record of our purchase behaviour to try and limit credit card fraud.
Why is this ok, but government surveillance beyond the pale? Is there something wrong with the ethical calculus at work, or have we sleepwalked into a world we are no longer comfortable in and PRISM has made more people aware of this?
Shock (the lack of)
PRISM isn’t a new idea:
In the 1990s, the UK government is alleged to have used a listening tower at Capenhurst in Cheshire that tapped all the international phone traffic that came from Ireland. Ireland was linked to international networks via a fibre-optic cable called UK-Ireland 1 which came ashore at Holyhead and then transmitted across country via microwave towers. Capenhurst allegedly fell out of use when the design of the Irish telephone network changed. Presumably the equivalent task is completed in a different manner.
This kind of behaviour sets a precedent.
In 2000, the European Commission filed a final report on ECHELON which claimed that:
- The US-led electronic intelligence-gathering network existed
- It was used to provide US companies with a competitive advantage vis-à-vis their European peers; rather like what US defence contractors allege they have undergone at the hands of Chinese hackers
So it is not unreasonable to suspect that the US government would have a 21st century equivalent of ECHELON in place.
Swiss encryption product company Crypto AG has been accused of rigging its products in order to provide the NSA access to its clients’ messages. Crypto AG has repeatedly denied these claims.
The European Union has legislation in place that obliges telecoms companies to keep historic usage data archived for future use by law enforcement agencies.
For a number of years the US PATRIOT Act has been used by non-US cloud providers as a way of separating US technology companies from their customers. For instance BAe declined to use Microsoft’s Office 365 as they were concerned that their data would be turned over to US-based rivals.
It was also probably no coincidence that foreign government interest in Linux and open source software has increased since the European Commission ECHELON final report back in 2000.
PRISM is likely to be a timely reminder to foreign companies and other organisations (like research universities) that they are likely to be under sustained attack for US commercial advantage.
Consumers generally are less concerned about their privacy, so there is likely to be less of an impact to the consumer internet services thought to be involved. However that doesn’t mean that the European Union countries in particular won’t take action against Google and Facebook in particular. Privacy is an emotive political issue, particularly in the former Warsaw Pact countries who used to have an extensive surveillance infrastructure to keep their populace in check.
Facebook and Google have both had privacy-related legal issues in the past and PRISM gives regulators another reason to go back and look at them.
UPDATE: Thanks to Hasan Diwan for pointing out that Sweden has banned the use of Google Apps in public institutions due to privacy concerns.
The more paranoid members of the US government may wonder if the disclosure of PRISM and Boundless Informant are timed to coincide with US-China government talks. It certainly looks as if it takes the wind out of US foreign policy around allegations of cyber-war. Both Mr Xi and Mr Obama agreed to disagree about cyber-security in their summit.
Fuel may be added to the fire amongst conspiracy theorists when the source of the PRISM news coverage Edward Snowden surfaced in Hong Kong.
It is also interesting that at the time of writing, the Chinese state media haven’t made more of the debacle.
There are wider implications for US foreign policy; PRISM applies a greater focus (if you will excuse the pun) on exceptionalism in US foreign policy, from the US legal system giving itself extra-territorial powers in the case of Megaupload to the PATRIOT Act. This is more likely to be challenged as the US wanes in its position as a global super-power.
PRISM, as it is perceived, damages US arguments around freedom-of-speech. State surveillance is considered to have a chilling effect in civilian discussions and has been criticized in the past, yet PRISM could be considered to do exactly the same thing that the Americans oppose in countries like Iran.
I don’t think that President Obama will be diminished by the episode. Liberal leaders such as Bill Clinton and Tony Blair proved to be as war-like, if not more so than their conservative counterparts.
By the numbers: The NSA’s super-secret spy program, PRISM | FP Passport
European Commission Final Report on Echelon and coverage that appeared at the time of the report’s release: EU releases Echelon spying report • The Register
Patriot Act und Cloud Computing | iX – German technology press on the risks posed by the Patriot Act
Defense giant ditches Microsoft’s cloud citing Patriot Act fears | ZDNet – BAe worried about US intelligence community handing over their information to US-based technology rivals
US surveillance revelations deepen European fears | Reuters – great if you are European seller of quantum computing cryptography equipment, not so great if you are a US SaaS vendor
Microsoft, the USA PATRIOT Act, and European cloud computing | Paul Miller – The Cloud of Data
NSA Global Data Gathering (Old News) – watch a quantum computing-based cryptographic war break out
What Technology Wants by Kevin Kelly
Such a Long Journey – An Interview with Kevin Kelly – Boing Boing – on the Technium or the inevitable progress of technology
In the Programmable World, All Our Objects Will Act as One | Wired.com – why worry about the government spying on you when your coffee shop will be at it as well?
NSA’s Prism surveillance program: how it works and what it can do | guardian.co.uk
PRISM, The Tech Companies & Monitoring Versus Requests
The strange similarities in Google, Facebook, and Apple’s PRISM denials | VentureBeat
Tech Giants Built Segregated Systems For NSA Instead Of Firehoses To Protect Innocent Users From PRISM | TechCrunch
Obama is the big loser in NSA fallout | Irish Examiner
EU DGs – Home Affairs – Data retention – historic telecoms reports
Peng Liyuan’s iPhone could be security risk for China｜WantChinaTimes.com – guessing that this hasn’t had more publicity due to imminent meeting of China and US governments. Not too much of loss of face etc
This is going to be a convoluted long post, so I just decided to pick a point and start.
The Draft Communications Bill, what is it?
The Draft Communications Bill is a piece of legislation that builds upon work done by the European Union and the previous Labour administration. It is designed (as the government sees it) to maintain capability of law enforcement to access communications. It builds on a number of different pieces of legislation.
Communications Data Bill 2008 – sought to build a database of connections:
- Websites visited
- Telephone numbers dialled
- Email addresses contacted
This data would be collected by internet service providers. The current government had described these plans at the time as Orwellian.
Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or public communications networks and amending Directive 2002/58/EC – requires data retention to identify users and details of phone calls made and emails sent for a period between six months and two years. This information is to be made available, on request, to law enforcement authorities to investigate and deal with serious crime and terrorism.
The UK already has used non-legislative means to force 95 per cent of internet access through a filtered system, predominantly BT’s Cleanfeed, which blocks blacklisted sites or pages. It has been used to filter child pornography, there were discussions about using it to block content that was deemed to glorify terrorism, and it has the potential to block content in a similar way to other more authoritarian nations. In a well-known case Cleanfeed had blocked a Wikipedia page on The Scorpions’ Virgin Killer album, originally issued in 1976.
In addition, the UK government had evaluated (and rejected) internet connections being filtered for pornographic content by default – apparently due to a lack of appetite from parents for content filtering.
The Digital Economy Act of 2010 allowed sites to be blocked and allowed prosecution of consumers based on their IP address which was problematic.
So there is already a complex legal and regulatory environment that the Draft Communications Bill is likely to be part of.
In essence, the Draft Communications Bill gives the capability to build a database of everyone’s social graph. Everyone you have called, been in touch with or been in proximity to. It requires:
- A wide range of internet services, not just ISPs to keep a record of user data for 12 months
- That retained data to be kept in a safe and secure way; just like say credit card information or user names and passwords
- The ability to search, filter and match data from different sources allowing a complex near-complete picture to be built up of our digital lives. Which would be of interest to hackers, criminals, private investigators or over-zealous journalists (a la the recent News International phone hacking scandals)
What the government have been keen to stress is that the process would not look at the content inside the communication. To use the analogy of the postal service, it would record all the external information on an envelope or parcel, but not peek inside. The reason for this can be found in a successful case taken by Liberty and other organisations against the UK government in 2008. Article eight of the European Convention on Human Rights focuses on respect for private and family life, home and correspondence.
During the 1990s, the UK government had intercepted calls, faxes and electronic communication placed internationally by people in Ireland via a specially built microwave communications tower in Capenhurst. The Electronic Test Facility was uncovered by Richard Lamont in 1999 and was subsequently covered by Channel 4 news and The Independent.
Once the Electronic Test Facility came out into the public domain, the court case followed.
There are concerns about how this information can be used indiscriminately to build up a Stasi-like picture of the UK population. This is more sensitive given the controversial black list provided to the construction industry by The Consulting Association. Latent public anxiety about commercial services like Facebook and behavioural advertising also contribute to this mindset.
Why all the power?
Modern police work and intelligence work doesn’t look like Spooks, James Bond or Starsky and Hutch. In reality, it looks more like The Wire. Investigations revolve around informants and painstaking investigation work.
A key part in this is network analysis. Understanding the structure of relationships between participants allows them to be caught. A key part in the film The Battle of Algiers shows how French paratroopers looked to break suspects to find out the structure of their terrorist cells. If they can break them fast enough before conspirators flee, the French could roll up the terrorist infrastructure. The film’s main protagonist who instigates this policy is a portmanteau of numerous counterinsurgency specialists including Jacques Massu, Marcel Bigeard and Roger Trinquier, all of whom had been involved in the French counterinsurgency campaign from 1954 – 57 which had successfully rolled up Algerian separatist networks in the capital Algiers.
Move forward five decades and the US counterinsurgency work in Afghanistan and Iraq puts a lot of focus on degree centrality and social network analysis as part of its efforts to dismantle al-Qaeda and other fellow travellers.
Secondly, good operational security techniques, from the use of steganography to encryption of communications, can, if implemented well, be difficult even for governments to crack. If you know the network structure, this gives you two options to gain information on the communications:
- Look at the communications metadata: how much is going on, where is it being sent to, is the volume larger or less than normal. These can all be used as indicators that something may be happening, such as changes in power within an organisation (who is giving the orders)
- Focus resources on cracking communications that would be deemed important, for instance those to a particular number
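How much the metadata in the first option gives away without any message content, as an added example (not from the original post): it ranks participants by degree centrality, counts how often each pair communicates, and flags days when traffic volume departs from a baseline. The records, the single-letter identifiers and the threshold are constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample metadata: (day, sender, recipient).
# There is no message content anywhere in this data set.
RECORDS = [
    (1, "A", "B"), (1, "A", "C"), (1, "D", "A"),
    (2, "A", "B"), (2, "E", "A"), (2, "B", "C"), (2, "A", "D"),
    (3, "A", "E"), (3, "C", "A"), (3, "A", "B"),
    (4, "A", "C"), (4, "D", "A"),
    (5, "A", "B"), (5, "A", "C"), (5, "A", "D"), (5, "A", "E"),
    (5, "B", "A"), (5, "C", "A"), (5, "D", "A"), (5, "E", "A"),
    (5, "A", "B"),
]


def degree_centrality(records):
    """Who is connected to whom: distinct contacts per node, scaled to 0..1."""
    contacts = defaultdict(set)
    for _, sender, recipient in records:
        contacts[sender].add(recipient)
        contacts[recipient].add(sender)
    n = len(contacts)
    if n < 2:
        return {}
    return {node: len(peers) / (n - 1) for node, peers in contacts.items()}


def pair_frequency(records):
    """How often each pair communicates, ignoring direction."""
    return Counter(tuple(sorted((s, r))) for _, s, r in records)


def chatter_anomalies(records, baseline_days, threshold=3.0):
    """Days outside the baseline whose volume deviates by more than
    `threshold` standard deviations from the baseline mean."""
    volume = Counter(day for day, _, _ in records)
    baseline_days = set(baseline_days)
    baseline = [volume.get(day, 0) for day in sorted(baseline_days)]
    mu, sd = mean(baseline), pstdev(baseline)
    flagged = []
    for day in sorted(set(volume) - baseline_days):
        deviation = abs(volume[day] - mu)
        # A perfectly flat baseline makes any deviation at all stand out.
        score = deviation / sd if sd else (float("inf") if deviation else 0.0)
        if score > threshold:
            flagged.append(day)
    return flagged


if __name__ == "__main__":
    ranking = sorted(degree_centrality(RECORDS).items(),
                     key=lambda item: (-item[1], item[0]))
    print("centrality:", ranking)
    print("busiest pairs:", pair_frequency(RECORDS).most_common(3))
    print("unusual days:", chatter_anomalies(RECORDS, range(1, 5)))
```
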
The all-up data picture would be deemed important to provide a better picture of network analysis. When I think about myself for a minute:
I have a range of different online identities, many of which are due to the limitations of the service on which they are held or when I set them up.
I have one main UK mobile phone number, but I have had different ancillary ones:
- Work phones
- Temporary PAYG numbers to sell things on The Gumtree and Craigslist
- SIMs that I have used for data only on my iPad and smartphones over the years
Now, let’s do a thought experiment, imagine a gang of drug dealers each with a set of pill boxes like old people have labelled up for each day of the week. In each section of the box would be a SIM card. They would then swap those SIMs in and out of their phones on a regular basis making their communications hard to track if you were just following one number. They could be using regularly changed secondhand mobile phones so that the IMEI number changes as well.
The SIMs could be untraceable; they could be bought and topped up for cash if they were bought outside the UK. I can go into my local convenience store here in Hong Kong and buy them and top them up for cash or a pre-paid credit card with no one asking to see my ID.
Untraceable UK SIMs could be acquired along with bank accounts from students going home, paid off electronically, perhaps even with the debit cards attached to the accounts and the accounts topped up with ATM deposits.
But if you interrogate a database once you have one or more numbers, and look for numbers that appear on a network in the same location immediately after the number you know disappears, you are well on the way to tracking down more of the mobile graph of the drug dealers.
Now imagine the similar principles being applied to messaging clients, email addresses or social networking accounts in order to provide the complete network analysis of the gang of drug dealers created in the thought experiment.
How does this fit in with the people?
Under the previous Labour administration councils were given wide-ranging surveillance powers that were used to deal with incidents such as putting the wrong kind of materials in the recycling bins. This annoyed and educated British consumers on privacy. The Draft Communications Bill smacks to many of a similar kind of snoopers’ charter.
The internet itself has been political and has become political. If one goes back to the roots of the early public internet, one can see the kind of libertarian themes running through it in a similar way to the back to the land efforts of the hippies which begat the modern environmental movement. This was about freedom: in the same way the American pioneers could go west for physical freedom, the internet opened up a new virtual frontier where one could make one’s own fate. It was no coincidence that people involved in ‘the hippy movement’ like Stewart Brand and Kevin Kelly were involved in setting the political tone of the internet. Or that the Grateful Dead have had an online presence since 1995.
When these freedoms have been overly curtailed or threatened, internet users have struck back; sometimes unsuccessfully. The Pirate parties that sprang out of The Pirate Bay copyright discussion have had limited political success, which has misled many to believe that the internet isn’t a political issue. What they managed to do is highlight the issue and their concerns to a wider range of people, in a similar way to how far right movements put immigration on mainstream political agendas across Europe.
It is also coupled with a decline in trust in authority, partly due to the financial crisis and the cosy relationship with the media which came to light during the phone hacking scandal.
Even The Economist realised that something was going on and called internet activism the new green. It takes mainstream political systems a while to adjust to new realities. It took at least two decades for green issues to become respectable amongst mainstream politicians and it seems to be even harder for them to grasp the abstract concepts behind the digital frontier.
The signs are all there for a change in the public’s attitude; when you have The Mail Online providing critical commentary of the Draft Communications Bill and providing recommendations of encryption software readers can use to keep their communications confidential you know that something has changed.
How does this differ from what companies can derive anyway?
This is probably where I think that things get the most interesting.
Network analysis tools are available off the shelf from the likes of Salesforce.com, IBM or SAS Institute. They have been deployed to look for fraudulent transactions, particularly on telecoms networks, and are also used to improve the quality of customer service. Many of them get inputs directly from social networks such as Twitter and Facebook.
Deep packet inspection software and hardware again is available off the shelf from a number of suppliers. Companies like Narus and TopLayer Networks pioneered deep packet inspection for a wide range of reasons from surveillance to prioritising different types of network traffic. The security implications became more important (and lucrative) after 9/11; now the likes of Cisco and Huawei provide deep packet inspection products which are used for everything from securing corporate networks, preventing denial of service attacks and in the case of Phorm – behavioural advertising.
Skyhook Wireless and Google have location data that services can draw down on providing accurate information based on cell tower triangulation and a comprehensive map built-up of wi-fi hotspots.
Credit information can be obtained from numerous services, as can the electoral roll. If this data is put together appropriately (which is the hard part), there is very little left of a life that would be private anyway.
Companies are trying to get to this understanding, or pretend that they are on the way there. Google’s Dashboard shows the consumer how much it infers about them and information that consumers freely give Facebook makes it an ideal platform for identity theft.
One of the most high-profile organisations to get close to this 360 view of the consumer is Delta Airlines who recently faced a backlash about it.
So what does this all mean?
We should operate on the basis that none of our electronic information is confidential. Technology that makes communication easier also diminishes privacy. The problem isn’t the platforms per se but our behavioural adjustment to them.
Giant database plan Orwellian | BBC News
Directive 2006/24/EC (PDF)
Written answers on internet pornography – They Work For You
UK government rejects ‘opt in’ plans for internet porn – TechRadar
Internet Filtering: Implications of the “Cleanfeed” System School of Law, University of Edinburgh Third Year PhD Presentation Series TJ McIntyre Background Document for 12 November 2010 Presentation (PDF)
Councils’ surveillance powers curbed | The Guardian
The new politics of the internet Everything is connected | The Economist
Blacklist Blog | Hazards magazine
UK government plans to track ALL web use: MI5 to install ‘black box’ spy devices to monitor British internet traffic | Mail Online
Most UK citizens do not support draft Data Communications Bill, survey shows | Computer Weekly
How Britain eavesdropped on Dublin | The Independent
Cases, Materials, and Commentary on the European Convention on Human Rights By Alastair Mowbray
U.S. Army Counterinsurgency Handbook By U S Dept of the Army, Department of Defense
Draft Communications Data Bill – UK Parliament
Deep packet inspection (DPI) market a $2 billion opportunity by 2016 – Infonetics Research
Big Brother Unmasked… As Delta Airlines – smarter TRAVEL