It took a bit longer to develop this post than normal, I had a number of data points and ideas kicking around my head regarding PRISM when the news came out. I don’t have a definite conclusion from them and they seem to raise as many questions as answers about our wider relationship with technology.
PRISM pulls in meta-data from across the major internet services en-masse. There is speculation about whether this is targeted searches or an overall trawl and whether the data comes directly from the internet companies servers.
According to PowerPoint slides obtained by The Guardian; the NSA takes data from optical fibres and directly from the servers of US internet services: Microsoft, Yahoo!, Google, Paltalk (a video chatting service that I hadn’t heard of), AOL, Skype, YouTube and Apple. PRISM is pulling meta-data from the internet services.
What is meta-data?
The glib answer would be data about data. Examples of meta data that you would come across include the document properties section of a Microsoft Word document. Or ripping a CD into iTunes. This sends information on the length of each CD track and the number of tracks on the CD over the internet to a database service (Sony’s Gracenote (formerly CDDB), Discogs, AMG LASSO, MusicBrainz or freedb) and then come back with what it thinks is the CD and suggested track names and artists.
In the non-digital world; the games people watching and animal, mineral or vegetable is a good analogy of using meta data for investigative powers. The old adage about 70 per cent of communication being non-verbal implies the value of meta-data. Real-world meta data includes things like body language, the way we dress, personal space distances (cross-referenced with cultural norms), who we are seen in the company of etc.
In the intelligence world it could learn about:
- Who is connected to who
- How often do they communicate
- Variations on the patterns (this is what they mean by chatter on terrorist networks increasing or decreasing on 24)
PRISM and Twitter
It was interesting that Twitter was noticeable by its absence from the PRISM stories. Some have speculated that it maybe because of the combative nature that Twitter has taken to protecting users information.
It could also be that the kind of activities intelligence operators would be interested in likely require long form communications.
A third option is that most of the valuable data one would need from Twitter is already publicly available via social media monitoring tools using their API:
- Who follows whom – there needs to be a relationship there for direct messages
- Public @ messages
- Twitter lists (you can follow account content this way without following the account in question)
In fact, about the only thing missing would be direct messages, however those can only occur between people whom you know that the person is already connected to and you could watch them come through via their email account.
One of the most interesting books about technology that I have read over the past few years is What Technology Wants by Kevin Kelly. When doing the promotion for the book, Kevin was asked by BoingBoing to define his concept of ‘The Technium’
We all realize that we’re kind of surrounded with technology: there’s little device here recording us, there’s tables, chairs, spoons, light bulbs. Each of these things seem pretty mechanical, pretty inert in a certain sense, not very interactive, you know, a hammer, roads. But each one of these technologies actually requires many other technologies to make and produce. So your little thing in your pocket that you use for a phone might require thousands of other technologies to create it and support it and keep it going, and each of those technologies may require hundreds of thousands of subtechnologies below it. And that network of different technologies and the co-dependency that each of those technologies have on each other forms a virtual organism, a super organism.
We can keep stepping back and realize that all these technologies are in some ways co-dependent and related and connected to each other in some way and that largest of all the networks of all these technologies together I call the Technium. What it suggests is that technologies like the spoon or light bulb are not standalone independent technologies but are part of the ecosystem of this superorganism and that superorganism, like any kind of network, exhibits behaviors that the individual technologies themselves don’t.
As a whole the Technium has lifelike properties that the individual technologies do not. So your iPhone is not lifelike and the light bulb is not lifelike but the Technium itself is.
In some respects, the information access provided by PRISM and the ability to process it is an inevitable part of technology’s march. The latest edition of Wired magazine talks about the Internet of things as a programmable world where use of predictions based on past behaviour would allow services be provided to consumers as they need them:
- Their air con being turned on at home as they leave the office
- Their sandwich order started as they come closer to their lunch time spot or coffee shop
This data would lend itself to physical surveillance as well as communications surveillance, in the same way that satellites and CCTV systems are used in the films Eagle Eye and Enemy of The State.
And I haven’t even mentioned the kind of data that could be pulled from the health 2.0 systems from the snake-oil of Nike Fuel to medical grade devices.
Instead of the man on the grassy knoll packing a hunting rifle and scope in the future it could be a Pringle’s can with a wi-fi aerial inside and a scope attached that would be used to send a localised extended range signal to hack the undesirable politician’s insulin dosemeter, pace-maker, hearing aid or TENS unit to facilitate an accidental death.
All of this makes life a lot easier for employees at intelligence companies, reducing manual labour and expense spent in surveillance; which could then be used to focus on high value targets. The same kind of forces that reshape industries also change government functions including intelligence.
There would be less people required to sit in a van or walk around town following a subject. Less people required to do Watergate-style break-ins or sit hunched over reel-to-reel tape-recorders.
If one thinks about these things in terms of the inevitable progress of technology PRISM had to happen; what we feel about it is irrelevant to that process.
Thinking about The Technium as a concept it is probably no coincidence that quantum computing and cryptography has drawn new interest as states and commercial institutions look provide protection and access to future information networks.
One of the things that hasn’t been sufficient reflected on yet, due the moral outrage at government surveillance and treason is the wide range of surveillance that people have already willingly submitted themselves to.
From Bloomberg’s journalists looking at the behaviour of terminal subscribers to behavioural advertising that follows you online and your credit score, commercial businesses have got data acquisition to such an art-form that US department store Target may realise you are pregnant before anyone else.
As a society we sell our privacy cheaply to allow Facebook to advertise to us, or having a black box tracking our every movement in our car to get cheaper insurance. Our credit card companies analyse a detailed record of our purchase behaviour to try and limit credit card fraud.
Why is this ok, but government surveillance beyond the pale? Is there something wrong with the ethical calculus at work, or have we sleepwalked into a world we are no longer comfortable in and PRISM has made more people aware of this?
Shock (the lack of)
PRISM isn’t a new idea:
In the 1990s, the UK government is alleged to have used a listening tower at Capenhurst in Cheshire that tapped all the international phone traffic that came from Ireland. Ireland was linked to international networks via a fibre-optic cable called UK-Ireland 1 which came ashore at Holyhead and then transmitted across country via microwave towers. Capenhurst allegedly fell out of use when the design of the Irish telephone network changed. Presumably the equivalent task is completed in a different manner.
This kind of behaviour sets a precedent.
In 2000, the European Commission filed a final report on ECHELON claimed that:
- The US-led electronic intelligence-gathering network existed
- It was used to provide US companies with a competitive advantage vis-à-vis their European peers; rather like US defence contractors have alleged to undergone by Chinese hackers
So it is not unreasonable to suspect that the US government would have a 21st century equivalent of ECHELON in place.
Swiss encryption product company Crypto AG has been accused of rigging its products in order to provide the NSA access to its clients messages. Crypto AG has repeatedly denied these claims.
The European Union has legislation in place that obliges telecoms companies to keep historic usage data archived for future use by law enforcement agencies.
For a number of years the US PATRIOT Act has been used by non-US cloud providers as a way of separating US technology companies from their customers. For instance BAe declined to use Microsoft’s Office 365 as they were concerned that their data would be turned over to US-based rivals.
It was also probably no coincident that foreign government interest in Linux and open source software has increased since the European Commission ECHELON final report back in 2000.
PRISM is likely to be a timely reminder to foreign companies and other organisations (like research universities) that they are likely to be under sustained attack for US commercial advantage.
Consumers generally are less concerned about their privacy, so there is likely to be less of an impact to the consumer internet services thought to be involved. However that doesn’t mean that the European Union countries in particular won’t take action against Google and Facebook in particular. Privacy is an emotive political issue, particularly in the former Warsaw Pact countries who used to have an extensive surveillance infrastructure to keep their populace in check.
Facebook and Google have both had privacy-related legal issues in the past and PRISM gives regulators another reason to go back and look at them.
UPDATE: Thanks to Hasan Diwan for pointing out that Sweden has banned the use of Google Apps in public institutions due to privacy concerns.
The more paranoid members of the US government may wonder if the disclosure of PRISM and Boundless Informant are timed to coincide with US-China government talks. It certainly looks as if it takes the wind out of US foreign policy around allegations of cyber-war. Both Mr Xi and Mr Obama agreed to disagree about cyber-security in their summit.
Fuel may be added to the fire amongst conspiracy theorists when the source of the PRISM news coverage Edward Snowden surfaced in Hong Kong.
It is also interesting that at the time of writing, the Chinese state media haven’t made more of the debacle.
There are wider implications for US foreign policy; PRISM applies a greater focus (if you will excuse the pun) on exceptionalism in US foreign policy. From US legal system giving itself extra-territorial powers in the case of Megaupload to the PATRIOT Act. This is more likely to be challenged as the US wanes in it’s position as a global super-power.
PRISM, as it is perceived, damages US arguments around freedom-of-speech. State surveillance is considered to have a chilling effect in civilian discussions and has been criticized in the past, yet PRISM could be considered to do the exactly same thing as the Americans oppose in countries like Iran.
I don’t think that President Obama will be diminished by the episode. Liberal leaders such as Bill Clinton and Tony Blair proved to be as war-like, if not more so than their conservative counterparts.
By the numbers: The NSA’s super-secret spy program, PRISM | FP Passport
European Commission Final Report on Echelon and coverage that appeared at the time of the report’s release: EU releases Echelon spying report • The Register
Patriot Act und Cloud Computing | iX – German technology press on the risks posed by the Patriot Act
Defense giant ditches Microsoft’s cloud citing Patriot Act fears | ZDNet – BAe worried about US intelligence community handing over their information to US-based technology rivals
US surveillance revelations deepen European fears | Reuters – great if you are European seller of quantum computing cryptography equipment, not so great if you are a US SaaS vendor
Microsoft, the USA PATRIOT Act, and European cloud computing | Paul Miller – The Cloud of Data
NSA Global Data Gathering (Old News) – watch a quantum computing-based cryptographic war break out
Such a Long Journey – An Interview with Kevin Kelly – Boing Boing – on the Technium or the inevitable progress of technology
In the Programmable World, All Our Objects Will Act as One | Wired.com – why worry about the government spying on you when your coffee shop will at it as well?
NSA’s Prism surveillance program: how it works and what it can do | guardian.co.uk
PRISM, The Tech Companies & Monitoring Versus Requests
The strange similarities in Google, Facebook, and Apple’s PRISM denials | VentureBeat
Tech Giants Built Segregated Systems For NSA Instead Of Firehoses To Protect Innocent Users From PRISM | TechCrunch
Obama is the big loser in NSA fallout | Irish Examiner
EU DGs – Home Affairs – Data retention – historic telecoms reports
Peng Liyuan’s iPhone could be security risk for China｜WantChinaTimes.com – guessing that this hasn’t had more publicity due to imminent meeting of China and US governments. Not too much of loss of face etc