Prism and Verizon surveillance discussion thread

Started by Junkenstein, June 06, 2013, 02:19:29 PM

Cain

Quote: an external working group to evaluate transparency in the program.

Isn't that otherwise known as The Senate Select Committee on Intelligence?

Meanwhile back in reality...

http://www.theguardian.com/world/2013/aug/09/nsa-loophole-warrantless-searches-email-calls

Quote: Once Americans' communications are collected, a gap in the law that I call the 'back-door searches loophole' allows the government to potentially go through these communications and conduct warrantless searches for the phone calls or emails of law-abiding Americans.

Telarus

Telarus, KSC,
.__.  Keeper of the Contradictory Cephalopod, Zenarchist Swordsman,
(0o)  Tender to the Edible Zen Garden, Ratcheting Metallic Sex Doll of The End Times,
/||\   Episkopos of the Amorphous Dreams Cabal

Join the Doll Underground! Experience the Phantasmagorical Safari!


Triple Zero

Quote from: Carlos Danger on August 05, 2013, 11:52:24 PM
Worth mentioning this, from all the way back in 2007

http://www.cryptogon.com/?p=624

(snip)

Somehow I get the feeling I've read this article before, but that's all pretty solid advice. Some of it used to (seem to) be a bit on the tinfoil side back then, but it's pretty effective. And with what we know now to be the case, tinfoil's again something to pack your lunch with.
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.

Mesozoic Mister Nigel

"I'm guessing it was January 2007, a meeting in Bethesda, we got a bag of bees and just started smashing them on the desk," Charles Wick said. "It was very complicated."


Triple Zero

Quote from: Carlos Danger on August 08, 2013, 06:50:47 PM


Adam Curtis, the BBC documentary maker, is having fun.

Just got this link via IRC : http://www.bbc.co.uk/blogs/adamcurtis/posts/BUGGER , didn't watch all the embedded video clips, but it's a pretty good read.




Additionally, about the idea of flooding Them with noise / bad information / etc, in theory it might work, but Cain and V3X already explained pretty well there are a few catches. The main problem seems to be that we don't quite know what exactly they are looking for, and what techniques they already use to filter out the (ubiquitous) noise in their data.

Additionally, not all of the data is textual. There's been this talk about "just metadata". That is location data, duration/timing data, IP/MAC addresses, cellphone tower data, electricity/water/power usage, traffic cameras, anything, and most importantly data about network nodes. That is, any kind of "social" network or anything that bears a vague resemblance to this, not what you write on FB, email, chat, but the graphs made up of the nodes you interact with, your buddy lists, your contact lists, and those of the nodes around you. And more.

This kind of data contains huge amounts of information, especially if you feed it to a Machine Learning algorithm that eats Big Data for lunch.

It also has the nice quality of consisting mostly of numbers and other types of easily machine-readable datatypes--unlike email/chat text logs, which need keyword matching or natural language parsing before it becomes useful, even if the keywords are provided by a human agent looking for something in particular, this still means that large amounts of text data cannot be mined for their true information potential. Metadata, however, the more they collect, the more complete of a picture this paints.

It's also hard to fake. Humans have a hard time visualizing the "shape" of your local social network to, say, 3 degrees of separation. That's probably a few thousands of people, after all. This is peanuts to a machine. The result of this? You probably have no idea how highly specific and unique the shape of your local social graph is. Say you are absent on one particular social network, or you have taken pains to keep separate identities from work / discordians / family. That's great to keep private eyes and crazy exes off your trail, but with the NSA's resources it's a simple pattern matching task. Even without any names, they will locate the "hole" in the graph of the social network you are not participating in, they will easily find the connections in your life you tried to keep compartmentalised, all they need to look for are the connections of your friends, friends-of-friends and friends-of-friends-of-friends and fit these very very specific unique structures, just a bunch of nodes connected by lines, and it doesn't quite matter if it's your FB friends, cellphone contacts, email contacts, IM chat buddies. Pattern matching will find the same loci, even if they aren't exactly the same, I am convinced the structures they form are more uniquely identifying than DNA+fingerprints.

About the previous paragraph, slight disclaimer: this is a hunch. I haven't read any scientific articles about doing exactly the above, but I've read a couple that did some rather similar things (there was one where they guessed a person's sexual orientation to a high degree of accuracy using the shape of their extended social graph). And I believe I have a fairly good idea of the information-theoretical requirements that need to and are present to make this possible. The website http://33bits.org got its name from the FACT that you only need 33 bits of statistically independent data, or 33 bits of entropy in order to uniquely identify any individual in the world. Here "entropy" and "bit" are used in the information-theoretical sense of the words, it has to be a coinflip 50/50 odds that is entirely independent from the bits you've already gathered or otherwise it counts as less than a whole bit (for instance knowing someone is straight, going with the oft-quoted statistic this is the case for 90% of people, will yield you 0.15 bits, whereas knowing the converse would yield 3.3 bits). Anyway, social graphs contain lots and lots of bits (even given your local graph structure is not quite statistically independent from that of your friends), the trick is to extract them into a useful machine-searchable and machine-learnable form.

I'm just not sure where to even start spoofing or misleading such types of datamining. You could have a group of people making 5 FB accounts and friend each other in meticulously planned ways, but you'd never be sure if you'd escape actual fingerprinting.

Then there is another problem about the way they use the text data. This is about IF you ever become a "person of interest", or maybe one of your friends does, they can search the backlog of information. And you can spoof and write disinfo all you want, but it'd take a huge amount of effort to sufficiently "noise it up", all of it, for any particular slice of time they decide to look into, including the stuff they already gathered before you even knew of the NSA leaks.

Now, they said that they weren't able to store all that data for longer than 24 hours. But for one, that slide is from 2008, five years ago. Also, that doesn't prevent them at all from storing *some* of the data on everyone, anything that might fit into a "personal report/file", I imagine that if you filter out all the obvious crud, the cat pictures, the retweets, the spam, the newsletters, repeated quotes in a discussion, most people's textual communications wouldn't fill more than a few megabytes per year (for comparison: The Hitchhiker's Guide to the Galaxy parts 1-6 are just 1.5MB in uncompressed ASCII, Lord of the Rings is about 2-3x that).

Then there's voice, say the avg person speaks 20 minutes on the phone/Skype per day, the GSM standard can squeeze intelligible voice into as little as 6.5 kbit/s, that's only about 360MB on a yearly basis. Times the US population that's 114 petabytes. The Utah Data Centre is estimated to have capacity for between 3000 and 12000 petabytes. I don't know if they have the computing capacity to make this data full-text searchable (fuzzy speech matching is easier than actual speech-to-text, false positives can be checked by hand after a query is done), I just don't know. Requesting "calls made to people on list XYZ between dates A and B" is easy and powerful enough, however.

I'm pretty sure that the overwhelming majority of the rest of all Internet data nowadays is made up of streaming video of the Torrent, YouTube, porn and Netflix kinds, for which they probably have no reason to store. Although if they could filter out all the duplicate content, and wanted to, they could still do it (IIRC all Hollywood movies ever made in 10GB BluRay format is less than 5 petabyte, but don't quote me on that) (which incidentally is the reason why I believe that the 25 petabytes they seized from MegaUpload and lost must have been mostly non-infringing).

For completeness, I bet a good fraction of traffic is also made up of random DDoS collateral, the contents of which is complete junk and its origins generally untraceable. It would be funny if they would store that, though :) (but they can't, the numbers are stupid immense).
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.
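The bit-counting argument in the post above (33 bits to single out one person, 0.15 versus 3.3 bits for a 90/10 attribute, and correlated attributes counting for less) as an added example that is not part of the original post. The 7-billion population figure and the 16-person table with its attribute names are constructed for illustration.

```python
import math
from collections import Counter

WORLD_POPULATION = 7_000_000_000  # assumption: rough 2013 world population


def surprisal_bits(p):
    """Bits of identifying information gained from a fact true for fraction p."""
    return -math.log2(p)


def bits_to_identify(population=WORLD_POPULATION):
    """Bits needed to single out one member of a population."""
    return math.log2(population)


def anonymity_sets(records, attrs):
    """For each record, how many records share its values for attrs."""
    keys = [tuple(r[a] for a in attrs) for r in records]
    counts = Counter(keys)
    return [counts[k] for k in keys]


def joint_bits(records, attrs):
    """Bits actually revealed per record by the combination of attrs."""
    n = len(records)
    return [surprisal_bits(size / n) for size in anonymity_sets(records, attrs)]


# Constructed population of 16 people (not real data). area_code is fully
# determined by city; shift, phone and gym are independent coin flips.
POPULATION = [
    {"city": "A" if i & 8 else "B",
     "area_code": "555" if i & 8 else "556",
     "shift": "night" if i & 4 else "day",
     "phone": "x" if i & 2 else "y",
     "gym": bool(i & 1)}
    for i in range(16)
]

if __name__ == "__main__":
    print(f"straight (p=0.9): {surprisal_bits(0.9):.2f} bits")
    print(f"converse (p=0.1): {surprisal_bits(0.1):.2f} bits")
    print(f"needed for 1 in 7e9: {bits_to_identify():.1f} bits")
    for attrs in (["city"], ["city", "area_code"], ["city", "shift"],
                  ["city", "shift", "phone", "gym"]):
        bits = joint_bits(POPULATION, attrs)[0]
        size = anonymity_sets(POPULATION, attrs)[0]
        print(f"{'+'.join(attrs):28s} {bits:.0f} bits, hides among {size}")
```

Adding area_code to city leaves the anonymity set at 8 because the two are not independent, while four independent coin-flip attributes shrink it to 1 of 16.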

Pæs

So the solution is to hide our communications inside DDoS.

Triple Zero

Yes. It'd have to be some sort of redundant peer-to-peer communications protocol using fountain codes, with the fountains being firehoses, because CDNs tend to drop anything that looks like DDoS traffic, but once you get around that, you'd totally have them by the nads.

Sorry for answering that seriously, my head is still in braindump mode :)

I shall make it good with a pun: Two IP packets walk into a Tier-1 Switch. They start drinking like madmen, ordering beer-to-beer, because they didn't have much TTL.
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.

Cain

Quote from: Triple Zero on August 11, 2013, 10:01:11 PM
Quote from: Carlos Danger on August 05, 2013, 11:52:24 PM
Worth mentioning this, from all the way back in 2007

http://www.cryptogon.com/?p=624

(snip)

Somehow I get the feeling I've read this article before, but that's all pretty solid advice. Some of it used to (seem to) be a bit on the tinfoil side back then, but it's pretty effective. And with what we know now to be the case, tinfoil's again something to pack your lunch with.

I think you actually linked to it, back in 2007, as a worst case scenario on how to stay anonymous on the web.

Triple Zero

Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.

Cain

By the by

https://s3.amazonaws.com/s3.documentcloud.org/documents/750223/obama-administrations-legal-rationale-for.pdf

Quote: Likewise, the program does not violate the First Amendment, particularly given that the telephony metadata is collected to serve as an investigative tool in authorized investigations of international terrorism.

Likewise, copying all the data on the internet by means of beam-splitters does not violate the First Amendment, since it is copied to serve as an investigative tool in authorized investigation of international terrorism.

Or something.

The Obama Administration would like you to believe that PRISM is the full extent of NSA surveillance.  It is not.  PRISM only exists to fill in the gaps from UPSTREAM, the NSA program of using beam-splitters to copy information off the internet. PRISM exists to supplement an even farther-reaching, more invasive program.

Don't let them sucker you into concentrating entirely on PRISM.

Cain

http://blog.foreignpolicy.com/posts/2013/08/09/making_you_comfortable_with_spying_is_obamas_big_nsa_fix

Quote: And the President's message really boiled down to this: It's more important to persuade people surveillance is useful and legal than to make structural changes to the programs.

"The question is, how do I make the American people more comfortable?" Obama said.

Not that Obama's unwilling to make any changes to America's surveillance driftnets — and he detailed a few of them — but his overriding concern was that people didn't believe him when he said there was nothing to fear.

Pæs

When asked what people think about our crazy new power-extending spy bill, the Prime Minister responded "I think [New Zealanders] care more about the snapper quota".

Asked again, "But I'm not asking about snapper, I'm asking about the GCSB bill."

"They care more about the snapper quota."

"Why is that?"

"They like catching fish."

http://www.3news.co.nz/Key-NZers-care-more-about-snapper-than-GCSB/tabid/817/articleID/308665/Default.aspx

Almost a literal red herring.

Junkenstein

While not related, both seem very relevant:

http://arstechnica.com/security/2013/08/diy-stalker-boxes-spy-on-wi-fi-users-cheaply-and-with-maximum-creep-value/

Quote: You may not know it, but the smartphone in your pocket is spilling some of your deepest secrets to anyone who takes the time to listen. It knows what time you left the bar last night, the number of times per day you take a cappuccino break, and even the dating website you use. And because the information is leaked in dribs and drabs, no one seems to notice. Until now.

Enter CreepyDOL, a low-cost, distributed network of Wi-Fi sensors that stalks people as they move about neighborhoods or even entire cities. At 4.5 inches by 3.5 inches by 1.25 inches, each node is small enough to be slipped into a wall socket at the nearby gym, cafe, or break room. And with the ability for each one to share the Internet traffic it collects with every other node, the system can assemble a detailed dossier of personal data, including the schedules, e-mail addresses, personal photos, and current or past whereabouts of the person or people it monitors.

Short for Creepy Distributed Object Locator, CreepyDOL is the brainchild of 27-year-old Brendan O'Connor, a law student at the University of Wisconsin at Madison and a researcher at a consultancy called Malice Afterthought. After a reading binge of science fiction novels, he began wondering how the growing ubiquity of mobile computing was affecting people's ability to remain anonymous, or at least untracked or unidentified, as they went about their work and social routines each day.

http://arstechnica.com/security/2013/08/no-this-isnt-a-scene-from-minority-report-this-trash-can-is-stalking-you/

Quote: Renew, the London-based marketing firm behind the smart trash cans, bills the Wi-Fi tracking as being "like Internet cookies in the real world" (see the promotional video below). In a press release, it boasts of the data-collection prowess of the cans' embedded Renew "ORB" technology, which captures the unique media access control (MAC) address of smartphones that belong to passersby. During a one-week period in June, just 12 cans, or about 10 percent of the company's fleet, tracked more than 4 million devices and allowed company marketers to map the "footfall" of their owners within a 4-minute walking distance to various stores.

I'd guess that either of these could take off and be incredibly profitable within the near future. Given that the NSA seems to have access to practically everything anyway, these would be cracking tools for them to use in urban areas.
Nine naked Men just walking down the road will cause a heap of trouble for all concerned.

Cain

We've known for a while that UK law enforcement has basic tracking abilities which are linked to mobile phones.  Even as far back as the early 2000s, I remember a police spokesperson letting slip that they could track someone's movements due to their phone (it was regarding a murder case, IIRC).

I think the initial way it worked was triangulation via different mobile phone towers in an area, whereas this is obviously a more sophisticated update.  Either way - if you're up to mischief, you should be turning your phone off and leaving it at home.