If you thought that the National Security Agency's warrantless wiretapping was limited to AT&T, Verizon and Sprint, think again.
While these household names of the telecom industry almost certainly helped the government to illegally snoop on their customers, statements by a number of legal experts suggest that collaboration with the NSA may run far deeper into the wireless phone industry. With over 3,000 wireless companies operating in the United States, the majority of industry-aided snooping likely occurs under the radar, with the dirty-work being handled by companies that most consumers have never heard of.
A recent article in the London Review of Books revealed that a number of private companies now sell off-the-shelf data-mining solutions to government spies interested in analyzing mobile-phone calling records and real-time location information. These companies include ThorpeGlen, VASTech, Kommlabs, and Aqsacom--all of which sell "passive probing" data-mining services to governments around the world.
ThorpeGlen, a U.K.-based firm, offers intelligence analysts a graphical interface to the company's mobile-phone location and call-record data-mining software. Want to determine a suspect's "community of interest"? Easy. Want to learn if a single person is swapping SIM cards or throwing away phones (yet still hanging out in the same physical location)? No problem.
In a Web demo (PDF) (mirrored here) to potential customers back in May, ThorpeGlen's vice president of global sales showed off the company's tools by mining a dataset of a single week's worth of call data from 50 million users in Indonesia, which it has crunched in order to try and discover small anti-social groups that only call each other.
Slide from "Identification of Nomadic Targets " ISS Webinar
(Credit: ThorpeGlen)Clearly, this is creepy, yet highly lucrative, stuff. The fact that human-rights abusing governments in the Middle East and Asia have deployed these technologies is not particularly surprising. However, what about our own human-rights-abusing government here in the U.S.? Could it be using the same data-mining tools?
To get a few answers, I turned to Albert Gidari, a lawyer and partner at Perkins Coie in Seattle who frequently represents the wireless industry in issues related to location information and data privacy.
When asked if there is a market for these kinds of surveillance data-mining tools in the U.S., Gidari told me: "Of course. It is a global market and these companies have partners in the U.S. or competitors."
The question is not if the government would like to use these tools--after all, what spy wouldn't want to have point-and-click real-time access to the location information on millions of Americans? The real mystery is how the heck the National Security Agency can legally get access to such large datasets of real-time location information and calling records. The answer to that, Gidari said, is the thousands of other, lesser-known companies in the wireless phone and communications industry.
The massive collection of customer data comes down to the interplay of two specific issues: First, thousands of companies play small, niche support roles in the wireless phone industry, and as such these firms learn quite a bit about the calling habits of millions of U.S. citizens. Second, the laws relating to information sharing and wiretapping specifically regulate companies that provide services to the general public (such as AT&T and Verizon), but they do not cover the firms that provide services to the major carriers or connect communications companies to one other.
Thus, while it may be impossible for the NSA to legally obtain large-scale, real-time customer location information from Verizon, the spooks at Fort Meade can simply go to the company that owns and operates the wireless towers that Verizon uses for its network and get accurate information on anyone using those towers--or go to other entities connecting the wireless network to the landline network. The wiretapping laws, at least in this situation, simply don't apply.
Giardi explained it as follows:
Networks are more and more disaggregated and outsourced, from customer service call centers overseas with full viewing access to data to key infrastructure components and processing. A single communication is handled by many more parties than the named provider today. Moreover, interoperability protocols include network identifiers--send a message from company A to company B and the acknowledgment of delivery may include location and other information. That's just the way the system is designed--location was about billing in the early years and no one bothered to undo the existing protocols when business models changed and interoperability became common practice or a myriad of new messaging companies came into being...So my point is that there are many access points--albeit less convenient than one-stop shopping at the big carriers--to get information including real-time data.
ThorpeGlen's product appears to be a mashup of Google Earth + phone location data (in this case, from 50 million people in Indonesia)
(Credit: ThorpeGlen)For example, if a Sprint Wireless customer in Virginia calls a relative in Montana--who is a customer of a small, regional landline carrier--information on the callers will spread far beyond just those two communications companies.
Sprint doesn't own any of its own cellular towers, and so TowerCo, the company that owns and operates the towers, of course, learns some information on every mobile phone that communicates with one of its towers. This is just the tip of the iceberg, though. There are companies that provide "backhaul" connections between towers and the carriers, providers of sophisticated billing services, outsourced customer-service centers, as well as Interexchange Carriers, which help to route calls from one phone company to another. All of these companies play a role in the wireless industry, have access to significant amounts of sensitive customer information, which of course, can be obtained (politely, or with a court order) by the government.
With the passage of laws like the FISA Amendments Act and the USA Patriot Act, in most cases, requests for customer information come with a gag order, forbidding the companies from notifying the public, or the end users whose calling information is being snooped upon. Gidari summed it up this way:
So any entity--from tower provider, to a third-party spam filter, to WAP gateway operator to billing to call center customer service--can get legal process and be compelled to assist in silence. They likely don't volunteer because of reputation and contractual obligations, but they won't resist either.
Seeking clarification, I turned to Paul Ohm, a former federal prosecutor turned cyberlaw professor at the University of Colorado Law School and a noted expert on surveillance laws.
Before getting into the details of the issue, Ohm first outlined the basic problem of the various wiretap and surveillance laws; they are extremely confusing and few people fully understand them. The 9th Circuit Court of Appeals seemed to share Ohm's view, stating a few years ago that the Electronic Communications Privacy Act is a "complex, often convoluted area of the law" (United States v. Smith, 155 F.3d 1051).
Ohm then said that the "one thing I can say with confidence is that you are correct to note that the [Stored Communication Act's] voluntary disclosure prohibitions (in 18 USC 2702(a)) apply only to providers to the public."
After describing all the ways that the government could legally collect real-time data on millions of U.S. citizens, Gidari said that essentially, the existence of such a program would likely remain a secret (barring a whistle-blower or leaks to the press by government officials). Summing it up, he stated that:
Whether [a] vendor to a carrier to the public cooperates with agencies (either for a fee or by acquiescence in an order), is something you will not find out as FISA makes it so, regardless of whether the person is in the U.S. or communicating with a person abroad. Such means and methods largely are hidden.
However, if the existence of such a program were ever confirmed, Ohm said that Congress would not be too happy:
If [the sharing of data by niche telecom providers] is seen as allowing an end-around an otherwise clear prohibition in the SCA, Congress is likely to throw a fit when it is revealed and try to amend the law. DOJ is sensitive to this kind of thing (despite what the NSA wiretapping program would lead you to believe) and would probably try to avoid blatantly bypassing otherwise clear language in this way.
With all of the attention that the Foreign Intelligence Surveillance Act (FISA) update (and the administration's vigorous attempts to immunize the criminals telcos), it seems like a good time to explore the issues surrounding surveillance and privacy in America today.
NSA: We're watching you....
(Credit: National Security Agency)While there are so many scary things being done by intelligence and law enforcement, hope is not far away. Easy to use privacy technologies are upon us, and with them, comes a radical shift in the balance of power. As this article will explain, the scalable techniques with which the NSA, FBI and other agencies can spy on innocent Americans may soon be made useless - forcing them to go back to the old school (and labor intensive) black bag job.
First, a few facts:
- Fact: The National Security Agency (NSA) has data-mined the call records of millions of Americans. These records were handed over to the spying agency without a court order or warrant.
- Fact: Calling your Aunt Susan in Australia? The NSA is listening. No warrant? No problem. What about for international calls made to a lawyer, doctor or priest? No warrant necessary there either.
- Fact: Mobile phones transmit extremely accurate location information back to the wireless carriers. The FBI, DEA and other federal law enforcement agencies routinely get access to this location data without demonstrating "probable cause," which is typically required before a judge will issue a warrant.
- Fact: Most mobile providers claim that they do not save copies of text messages sent to phones and pagers for extended periods of time. However, up until the point that the messages are deleted, the companies will happily turn them over to the police without a warrant, requiring only that the prosecutors claim that the records are "relevant and material" to an investigation.
- If you are arrested by the police, in addition to searching your body, they are also permitted to search through your mobile phone and look through anything that they can find. Got an iPhone? They may be able to browse through hundreds of emails from your gmail account using the device, all without the pesky requirement that they first get a warrant.
As the debate over FISA and telco immunity has demonstrated, the telecom companies are willing to completely eviscerate consumer privacy in order to help law enforcement and the intelligence community. With the telcos getting handsomely paid for their participation in illegal surveillance programs, its clear that consumers cannot rely upon AT&T and Verizon to protect their privacy.
Consumers will need to take matters into their own hands - and luckily, secure communication technology is finally user-friendly enough to be usable by non-geeks.
In addition to enabling the average Joe to regain a bit of his privacy, the rapid deployment of easy to use crypto will have a major impact on our society: The end of large scale surveillance.
Raising The Bar: The Black Bag Job
The big problem with the surveillance techniques currently used by the NSA, aside from the fact that they are creepy and illegal, is that they scale so well.
Just like Google, if the NSA wants to expand its surveillance abilities, it simply has to build another data center. Want real-time spying on the phone calls of 10 million more people? No problem -- just buy another 10,000 computers, and set them up with NSA's existing pattern recognition software
In the old days, the spooks would have to rely on the so called 'black bag job' -- a term to describe the act of breaking into a suspect's house in order to install bugs and other listening equipment. The team doing it, at least in Hollywood movies, were, like ninjas, dressed in all black.
The nice thing about the black bag job - is that it is labor intensive. Want to install bugs in the home of a suspected Soviet agent? That'll take a team of five agents, plus around the clock surveillance for a few days beforehand. Using traditional techniques, spying on an additional 10,000 Americans would require an additional 50,000 NSA black-bag-job agents to install the bugs.
As large as the NSA is, it simply doesn't have that level of resources. Thus, simply due to the man hours required, the NSA's surveillance net was limited in scope.
Unfortunately, due to computers, and the willing assistance of telecom companies - this is no longer a problem. Surveillance today scales very very easily, and it is almost trivial for the NSA to spy on an additional 100,000 Americans.
The deployment of easy to use cryptography for the average user will significantly upset the status quo. Large scale surveillance will no longer be possible, and the spooks will have to return to the days of the black bag job. Will they still be able to focus on high-profile terrorist targets? Sure. However, their days of spying on the average American, simply because it's easy, could be over.
I'll now explore the technologies that will make that possible.
Secure Instant Messaging
I've written extensively about this form of secure communication before. Adium, one of the most popular instant messaging applications for the Mac, ships with high-end encryption out of the box. Similarly, Pidgin, an IM application shipped with practically every Linux distribution, also includes support for the same encryption protocol that Adium uses. A port of Pidgin is also available for Windows users.
An encrypted conversation in Adium
(Credit: The Adium Dev Team)These IM applications and the off-the-record encryption standard they use are protocol independent. That is, they work with AOL Instant Messenger, Google Talk, Yahoo IM, and others. By using one of these applications, your IM communications are encrypted, authenticated, and completely deniable.
No amount of telecom company assistance will enable the Feds to passively snoop on an encrypted IM conversation. In order to have any chance at getting a copy of the messages, Uncle Sam will need to resort to a significantly more invasive (and riskier) surveillance techniques.
Secure Voice over Internet Protocol (VOIP)
Unfortunately, out of the box, most internet based telephony services are horribly insecure. Use Vonage, Packet8, or one of the other popular VOIP services? Your calls are going over the wire in the clear. Using one of several open source hacking tools, it's trivially easy for an attacker or nosey neighbor to snoop on your calls.
With regard to the mainstream voice solutions, Skype is the clear exception to the rule. All Skype communications are encrypted (as long as you don't live in China, where the government has forced the eBay owned software company to install some fairly suspect filters).
Skype has been extremely secretive about the technical details of their encryption technologies. They paid a few security consultants to conduct a review of the system, which, not surprisngly, was rewarded with rave reviews. However, some crypto geeks have been able to reverse engineer Skype, and have determined that by and large, the program does a pretty good job.
Skype's security is good enough, it seems, to stump the police and intelligence agencies in Germany. They've had to resort to paying 2500 euros per victim suspect to install malware that secretly records the audio as its recorded and played on the user's PC during a Skype call.
Thus, for most users, Skype is more than good enough - and a complete pain in the ass for law enforcement.
For those users not willing to trust their communications to a closed-source communications system, the gold standard really is Zfone, an encrypted VOIP solution made by famed cryptographer and cypherpunk Phil Zimmerman. While it's easily the best tool out there, it unfortunately suffers from the network effect -- that is, there really isn't anyone using it right now.... and Skype has, in a few years, become the most widely deployed cryptographic application ever.
If you can get your pals to install it, go for Zfone, but for those you can't, Skype is probably good enough.
Anonymous Web Surfing
One word: Tor. If you're not using it already, you need to be.
Encrypted Computer Data
Both Microsoft Windows Vista and Mac OS X include encrypted disk support out of the box. While I can't speak to the Windows experience, I can say that encrypted disk support is a piece of cake on the Mac. As recent court cases have shown, this disk encryption can be a total roadblock for law enforcement, and can completely derail any attempted investigation or prosecution.
Mobile phones
As fans of the HBO show The Wire will already know, mobile phone privacy and anonymity is something that there is a significant market need for. For now, psuedo-anonymity can potentially be achieved through the use of prepaid phones, but this provides no safety against a government agent with a wiretap order (or a spying agency willing to break the law).
For now, we as consumers are left out in the cold. However, the rise of devices such as the iPhone and Google's Android OS do give me some hope. If we get Skype on mobile phones (a not so unrealistic possibility), law enforcement is going to have a very very tough time. Furthermore, if we can replace SMS text messages with off-the-record encrypted IMs, users will finally get the privacy they deserve.
While we can't rely on Steve Jobs to bring this to us, there is a decent chance that Google's Android system may end up having these features. It's an open platform, right? So it's just a matter of time until someone hacks it up, and releases it.
- prev
- 1
- next
