The day the wiretaps go dead
With all of the attention that the Foreign Intelligence Surveillance Act (FISA) update (and the administration's vigorous attempts to immunize the criminals telcos), it seems like a good time to explore the issues surrounding surveillance and privacy in America today.
NSA: We're watching you....
(Credit: National Security Agency)While there are so many scary things being done by intelligence and law enforcement, hope is not far away. Easy to use privacy technologies are upon us, and with them, comes a radical shift in the balance of power. As this article will explain, the scalable techniques with which the NSA, FBI and other agencies can spy on innocent Americans may soon be made useless - forcing them to go back to the old school (and labor intensive) black bag job.
First, a few facts:
- Fact: The National Security Agency (NSA) has data-mined the call records of millions of Americans. These records were handed over to the spying agency without a court order or warrant.
- Fact: Calling your Aunt Susan in Australia? The NSA is listening. No warrant? No problem. What about for international calls made to a lawyer, doctor or priest? No warrant necessary there either.
- Fact: Mobile phones transmit extremely accurate location information back to the wireless carriers. The FBI, DEA and other federal law enforcement agencies routinely get access to this location data without demonstrating "probable cause," which is typically required before a judge will issue a warrant.
- Fact: Most mobile providers claim that they do not save copies of text messages sent to phones and pagers for extended periods of time. However, up until the point that the messages are deleted, the companies will happily turn them over to the police without a warrant, requiring only that the prosecutors claim that the records are "relevant and material" to an investigation.
- If you are arrested by the police, in addition to searching your body, they are also permitted to search through your mobile phone and look through anything that they can find. Got an iPhone? They may be able to browse through hundreds of emails from your gmail account using the device, all without the pesky requirement that they first get a warrant.
As the debate over FISA and telco immunity has demonstrated, the telecom companies are willing to completely eviscerate consumer privacy in order to help law enforcement and the intelligence community. With the telcos getting handsomely paid for their participation in illegal surveillance programs, its clear that consumers cannot rely upon AT&T and Verizon to protect their privacy.
Consumers will need to take matters into their own hands - and luckily, secure communication technology is finally user-friendly enough to be usable by non-geeks.
In addition to enabling the average Joe to regain a bit of his privacy, the rapid deployment of easy to use crypto will have a major impact on our society: The end of large scale surveillance.
Raising The Bar: The Black Bag Job
The big problem with the surveillance techniques currently used by the NSA, aside from the fact that they are creepy and illegal, is that they scale so well.
Just like Google, if the NSA wants to expand its surveillance abilities, it simply has to build another data center. Want real-time spying on the phone calls of 10 million more people? No problem -- just buy another 10,000 computers, and set them up with NSA's existing pattern recognition software
In the old days, the spooks would have to rely on the so called 'black bag job' -- a term to describe the act of breaking into a suspect's house in order to install bugs and other listening equipment. The team doing it, at least in Hollywood movies, were, like ninjas, dressed in all black.
The nice thing about the black bag job - is that it is labor intensive. Want to install bugs in the home of a suspected Soviet agent? That'll take a team of five agents, plus around the clock surveillance for a few days beforehand. Using traditional techniques, spying on an additional 10,000 Americans would require an additional 50,000 NSA black-bag-job agents to install the bugs.
As large as the NSA is, it simply doesn't have that level of resources. Thus, simply due to the man hours required, the NSA's surveillance net was limited in scope.
Unfortunately, due to computers, and the willing assistance of telecom companies - this is no longer a problem. Surveillance today scales very very easily, and it is almost trivial for the NSA to spy on an additional 100,000 Americans.
The deployment of easy to use cryptography for the average user will significantly upset the status quo. Large scale surveillance will no longer be possible, and the spooks will have to return to the days of the black bag job. Will they still be able to focus on high-profile terrorist targets? Sure. However, their days of spying on the average American, simply because it's easy, could be over.
I'll now explore the technologies that will make that possible.
Secure Instant Messaging
I've written extensively about this form of secure communication before. Adium, one of the most popular instant messaging applications for the Mac, ships with high-end encryption out of the box. Similarly, Pidgin, an IM application shipped with practically every Linux distribution, also includes support for the same encryption protocol that Adium uses. A port of Pidgin is also available for Windows users.
An encrypted conversation in Adium
(Credit: The Adium Dev Team)These IM applications and the off-the-record encryption standard they use are protocol independent. That is, they work with AOL Instant Messenger, Google Talk, Yahoo IM, and others. By using one of these applications, your IM communications are encrypted, authenticated, and completely deniable.
No amount of telecom company assistance will enable the Feds to passively snoop on an encrypted IM conversation. In order to have any chance at getting a copy of the messages, Uncle Sam will need to resort to a significantly more invasive (and riskier) surveillance techniques.
Secure Voice over Internet Protocol (VOIP)
Unfortunately, out of the box, most internet based telephony services are horribly insecure. Use Vonage, Packet8, or one of the other popular VOIP services? Your calls are going over the wire in the clear. Using one of several open source hacking tools, it's trivially easy for an attacker or nosey neighbor to snoop on your calls.
With regard to the mainstream voice solutions, Skype is the clear exception to the rule. All Skype communications are encrypted (as long as you don't live in China, where the government has forced the eBay owned software company to install some fairly suspect filters).
Skype has been extremely secretive about the technical details of their encryption technologies. They paid a few security consultants to conduct a review of the system, which, not surprisngly, was rewarded with rave reviews. However, some crypto geeks have been able to reverse engineer Skype, and have determined that by and large, the program does a pretty good job.
Skype's security is good enough, it seems, to stump the police and intelligence agencies in Germany. They've had to resort to paying 2500 euros per victim suspect to install malware that secretly records the audio as its recorded and played on the user's PC during a Skype call.
Thus, for most users, Skype is more than good enough - and a complete pain in the ass for law enforcement.
For those users not willing to trust their communications to a closed-source communications system, the gold standard really is Zfone, an encrypted VOIP solution made by famed cryptographer and cypherpunk Phil Zimmerman. While it's easily the best tool out there, it unfortunately suffers from the network effect -- that is, there really isn't anyone using it right now.... and Skype has, in a few years, become the most widely deployed cryptographic application ever.
If you can get your pals to install it, go for Zfone, but for those you can't, Skype is probably good enough.
Anonymous Web Surfing
One word: Tor. If you're not using it already, you need to be.
Encrypted Computer Data
Both Microsoft Windows Vista and Mac OS X include encrypted disk support out of the box. While I can't speak to the Windows experience, I can say that encrypted disk support is a piece of cake on the Mac. As recent court cases have shown, this disk encryption can be a total roadblock for law enforcement, and can completely derail any attempted investigation or prosecution.
Mobile phones
As fans of the HBO show The Wire will already know, mobile phone privacy and anonymity is something that there is a significant market need for. For now, psuedo-anonymity can potentially be achieved through the use of prepaid phones, but this provides no safety against a government agent with a wiretap order (or a spying agency willing to break the law).
For now, we as consumers are left out in the cold. However, the rise of devices such as the iPhone and Google's Android OS do give me some hope. If we get Skype on mobile phones (a not so unrealistic possibility), law enforcement is going to have a very very tough time. Furthermore, if we can replace SMS text messages with off-the-record encrypted IMs, users will finally get the privacy they deserve.
While we can't rely on Steve Jobs to bring this to us, there is a decent chance that Google's Android system may end up having these features. It's an open platform, right? So it's just a matter of time until someone hacks it up, and releases it.
Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society , and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure. 
This is not targeted access to communications. This is broad-net surveillance and fishing. "Voluntary" participation by the private sector? My money's on AT&T being an early "volunteer" for the program. This just legalized the illegal surveillance that's been going on all this time - that's what it's really about.
If done correctly - and by that I mean establishing privacy controls, standards for data collection and reporting, providing a mechanism for conducting the reporting, and an interface to obtain data in aggregate so WE can know when there's cyber-trouble afoot - then this program could provide a lot of value. Put the NSA gizmo on the network - don't think so. Uh, unless you're AT&T and don't want to sustain the brand damage that accompanies the realization that you've rolled over on the rest of us.
Oh yeah, and AT&T, while you're listening - you will never get another dime from me, or anyone I'm able to influence, forever.
Also, they have the right and ability to tap into every computer. YES EVERY COMPUTER. And the software companies MUST leave the door open for them. Yes even the virus/anti virus companies are forbidden to plug the govt access. Its part of the wiretap laws, and dates back to the 70's.
The bigger problem is that when you can purchase WebWatcher from Awareness Technologies for less than $100, and Flexispy for under$200, everyone has the ability to conduct covert stealth state-of-the-art surveillance on anyone they want to target. And you can't tell if it's your spouse, your neighbor, local police, county detectives, or FBI agents. Because the surveillance is lacking the warrant, each will not want to expose the other's possible illegal warrant-less surveillance - better yet they will likely work to confuse you.
It is best NOT TO DETECT THIS OR KNOW IT.
Imagine the destruction of your life, personally, professionally and financially. I don't have to imagine. I've experienced it first hand. For the last 12 months, and it continues...
- by srn3 March 18, 2008 7:15 AM PDT
- It's not enough to turn off your cell phone. It's a bug unless/until you physically remove the battery. Remember *all* behaviors of cellphones are firmware-controlled, including the behavior of the on/off switch. It can look like it's off but still be on, and every sound in the vicinity can be being recorded remotely. Moreover, the firmware can be replaced any time, and often is. You can't tell when this happens, nor can you tell what the new firmware does. You can only know what the firmware is designed to make the telephone tell you, including whether it's off or on.
- Like this Reply to this comment
-
(8 Comments)Liberty is everywhere and always under attack. Right now, Voldemort (fascism) is back. The only way to defend liberty is to exercise it, which is why I never remove the battery from my cell phone, and at the same time I do what I can to speak out against fascism and its handmaidens, militarism, characterization of individuals and groups as "evil" (and all other forms of fear-mongering) and government secrecy. A freedom unexercised is a freedom surrendered. Never hesitate to exercise your Constitutional freedoms. If this brings trouble, call the ACLU. (And, if you possibly can, support the ACLU. It's good to invest in liberty, and to put your money where your mouth is.) (And, yes, my cell phone battery has been dying quite early. Big deal. I'm not the governor of New York, nor am I running for governor in Alabama. I'm just a U.S. citizen deeply worried about the freedoms of all Americans.)