Thursday, June 06, 2013

Thoughts on the loss of privacy

I'm going to start with three data points.

One: Some of the Chinese military hackers who were implicated in a broad set of attacks against the U.S. government and corporations were identified because they accessed Facebook from the same network infrastructure they used to carry out their attacks.
Two: Hector Monsegur, one of the leaders of the LulzSac hacker movement, was identified and arrested last year by the FBI. Although he practiced good computer security and used an anonymous relay service to protect his identity, he slipped up.

And three: Paula Broadwell,who had an affair with CIA director David Petraeus, similarly took extensive precautions to hide her identity. She never logged in to her anonymous e-mail service from her home network. Instead, she used hotel and other public networks when she e-mailed him. The FBI correlated hotel registration data from several different hotels -- and hers was the common name.
The Internet is a surveillance state. Whether we admit it to ourselves or not, and whether we like it or not, we're being tracked all the time. Google tracks us, both on its pages and on other pages it has access to. Facebook does the same; it even tracks non-Facebook users.

[...]

Facebook, for example, correlates your online behavior with your purchasing habits offline. And there's more. There's location data from your cell phone, there's a record of your movements from closed-circuit TVs.

This is ubiquitous surveillance: All of us being watched, all the time, and that data being stored forever. This is what a surveillance state looks like, and it's efficient beyond the wildest dreams of George Orwell.
===============
In a speech earlier this year in New York, the CIA’s chief technical officer, Gus Hunt, said, “The value of any piece of information is only known when you can connect it with something else that arrives at a future point in time … Since you can’t connect dots you don’t have, it drives us into a mode of, we fundamentally try to collect everything and hang on to it forever.” In his very public statement, Hunt pointed to what the NSA’s Verizon order evidences; as Drake puts it, “This is a surveillance state.”

[...]

...(R)easserting Fourth Amendment protections in a meaningful way would be an uphill battle, requiring a government committee with the political will and resolve akin to the committee created by Sen. Frank Church in the 1970s.

It was, after all, Church who cautioned in 1975, “The [National Security Agency’s] capability at any time could be turned around on the American people, and no American would have any privacy left, such is the capability to monitor everything: telephone conversations, telegrams, it doesn’t matter. There would be no place to hide.”

Church’s dystopic projections are our reality. As Drake told Salon, total, blanket surveillance is “a cancer on the body politic” that will be very hard to remove indeed.
===============
When I read about the news last night on my various connected devices, I was shocked. But not at the revelation. Rather, I was taken aback that so many people were surprised and enraged by the blanket surveillance.
The reality is that we all live in clouds of deeply personal data, and we carry that information everywhere we go and in nearly everything we do. Stop for a moment, and think about all of the services you use and the conveniences you enjoy. Do you really think that Verizon is the only company divulging your information? Or that the NSA is the only organization doing the monitoring?
[...]

Before you argue that this infringes on our liberty, privacy, and free speech, consider the Boston Marathon bombing. The attackers were found and caught precisely because we submit to constant surveillance. A photo posted to social networks, combined with CCTV, mobile broadcast signals, and hordes of overnight activists allowed us to find two out of 600,000 people. (To be sure, this very same technology was also to blame for misreporting, possible libel, and potentially another death.)

I’m certainly not shilling here for big credit card companies, who turn your data over to advertisers. Or for the NSA for that matter. That said, it's 2013, not 1942. Violence isn't just restricted to remote battlefields. It's arrived at our national monuments and our neighborhood sidewalks. The fact that our data is being transmitted for purposes outside of our personal information clouds isn't good or bad. It's our inevitable and present reality.

===============
We don't know a lot about how the government spies on us, but we know some things. We know the FBI has issued tens of thousands of ultra-secret National Security Letters to collect all sorts of data on people -- we believe on millions of people -- and has been abusing them to spy on cloud-computer users. We know it can collect a wide array of personal data from the Internet without a warrant. We also know that the FBI has been intercepting cell-phone data, all but voice content, for the past 20 years without a warrant, and can use the microphone on some powered-off cell phones as a room bug -- presumably only with a warrant.

We know that the NSA has many domestic-surveillance and data-mining programs with codenames like Trailblazer, Stellar Wind, and Ragtime -- deliberately using different codenames for similar programs to stymie oversight and conceal what's really going on. We know that the NSA is building an enormous computer facility in Utah to store all this data, as well as faster computer networks to process it all. We know the U.S. Cyber Command employs 4,000 people.
We know that the DHS is also collecting a massive amount of data on people, and that local police departments are running "fusion centers" to collect and analyze this data, and covering up its failures. This is all part of the militarization of the police.

Remember in 2003, when Congress defunded the decidedly creepy Total Information Awareness program? It didn't die; it just changed names and split into many smaller programs. We know that corporations are doing an enormous amount of spying on behalf of the government: all parts.

We know all of this not because the government is honest and forthcoming, but mostly through three backchannels -- inadvertent hints or outright admissions by government officials in hearings and court cases, information gleaned from government documents received under FOIA, and government whistle-blowers.

There's much more we don't know, and often what we know is obsolete. We know quite a bit about the NSA's ECHELON program from a 2000 European investigation, and about the DHS's plans for Total Information Awareness from 2002, but much less about how these programs have evolved. We can make inferences about the NSA's Utah facility based on the theoretical amount of data from various sources, the cost of computation, and the power requirements from the facility, but those are rough guesses at best. For a lot of this, we're completely in the dark.

And that's wrong.