Legally Speaking, You’re The Property Of The State

The All Writs Act is a piece of legislation that made it clear in vague but certain terms that everybody in the United States is the property of the State:

Basically, it’s “a very short, cryptic statute” that gives the courts “all sorts of incidental powers” to require things not specifically covered by other laws, according to Stephen Vladeck, a law professor at American University.

In the past, the act has been used to compel non-parties — like service providers of tech companies — to help in criminal investigations, Vladeck said. But that help has typically been limited to straightforward requests, like activating or turning off particular features and using systems that are already in place, he said.

The new order is different: It tells Apple to help the government by creating an entirely new software to help investigators bypass security features. “That requires Apple to go much further than any company has ever been required to go in one of these cases,” said Vladeck.

Although the statute is short and rather vague its intention is quite clear: to give the State the legal authority to compel people into performing actions. It’s currently being cited to compel Apple to create a custom backdoor for the Federal Bureau of Investigation (FBI). But this isn’t the first time this archaic law has been used to force technology companies to perform the State’s will.

Can a court compel a person to act? If so that effectively makes everybody the slave of any judge with an order. It’s clear that the State believes a judge has such authority because it allows them to hold disobedient individuals in a cage for being in contempt of court. Therefore it must be said that the All Writs Act creates a form of legalized slavery.

Detecting Wrongthink Early

1984 taking place in London was very appropriate. The United Kingdom (UK) has become the granddaddy of the surveillance state. Surveilling an entire nation isn’t easy, which is why the UK, like every other surveillance state, is desperately searching for new ways to automate its activities. I’m sure that desperation is what led to this idiocy:

London, United Kingdom – Schoolchildren in the UK who search for words such as “caliphate” and the names of Muslim political activists on classroom computers risk being flagged as potential supporters of terrorism by monitoring software being marketed to teachers to help them spot students at risk of radicalisation.

The “radicalisation keywords” library has been developed by the software company Impero as an add-on to its existing Education Pro digital classroom management tool to help schools comply with new duties requiring them to monitor children for “extremism”, as part of the government’s Prevent counterterrorism strategy.

[…]

The keywords list, which was developed in collaboration with the Quilliam Foundation, a counter-extremism organisation that is closely aligned with the government, consists of more than 1,000 trigger terms including “apostate”, “jihadi” and “Islamism”, and accompanying definitions.

I’m not sure if schools in the UK have deteriorated as far as the schools here but if they haven’t then it’s quite plausible that many of the keywords being looked for would appear quite frequently in a history class. What’s more interesting is that the keywords don’t seem to be targeting terrorism so much as Islam.

It must be noted that using keywords to detect wrongthink is a fruitless endeavor. Because terrorism is currently the biggest target of the State’s propaganda it is a topic of general interest. A lot of people searching for keywords related to terrorism aren’t interested in becoming terrorists but merely want to learn about events related to terrorism. The number of false positives such a system will throw out is going to be far greater than any potentially useful information. Drowning out the signal in noise is counterproductive but it seems to be the strategy most automated surveillance systems rely on.

When Karma Bites You In The Ass

The National Security Agency (NSA), which is supposedly tasked with securing domestic networks in addition to exploiting foreign networks, has caused a lot of damage to overall computer security. It appears one of its efforts, inserting a backdoor into the Dual Elliptic Curve Deterministic Random Bit Generator algorithm, may have bitten the State in the ass:

The government may have used compromised software for up to three years, exposing national security secrets to foreign spies, according to lawmakers and security experts.

Observers increasingly believe the software defect derived from an encryption “back door” created by the National Security Agency (NSA). Foreign hackers likely repurposed it for their own snooping needs.

[…]

The software vulnerability was spotted in December, when Juniper Networks, which makes a variety of IT products widely used in government, said it had found unauthorized code in its ScreenOS product.

[…]

The case is especially frustrating to security experts because it may have been avoidable. The hackers, they say, likely benefited from a flaw in the encryption algorithm that was inserted by the NSA.

For years, the NSA was seen as the standard-bearer on security technology, with many companies relying on the agency’s algorithms to lock down data.

But some suspected the NSA algorithms, including the one Juniper used, contained built-in vulnerabilities that could be used for surveillance purposes. Documents leaked by former NSA contractor Edward Snowden in 2013 appeared to confirm those suspicions.

Karma can be a real bitch.

This story does bring up a point many people often ignore: the State relies on a great deal of commercial hardware. Its infrastructure isn’t built of custom hardware and software free of the defects agencies such as the NSA introduce into commercial products. Much of its infrastructure is built on the exact same hardware and software the rest of us use. That means, contrary to what many libertarians claim as a pathetic justification not to learn proper computer security practices, the State is just as vulnerable to many of the issues as the rest of us and is therefore not as powerful as it seems.

The Networks Have Ears

Can you trust a network you don’t personally administer? No. The professors at the University of California are learning that lesson the hard way:

“Secret monitoring is ongoing.”

Those ominous words captured the attention of many faculty members at the University of California at Berkeley’s College of Natural Resources when they received an email message from a colleague on Thursday telling them that a new system to monitor computer networks had been secretly installed on all University of California campuses months ago, without letting any but a few people know about it.

“The intrusive device is capable of capturing and analyzing all network traffic to and from the Berkeley campus, and has enough local storage to save over 30 days of *all* this data (‘full packet capture’). This can be presumed to include your email, all the websites you visit, all the data you receive from off campus or data you send off campus,” said the email from Ethan Ligon, associate professor of agricultural and resource economics. He is one of six members of the Academic Senate-Administration Joint Committee on Campus Information Technology.

When you control a network it’s a trivial matter to set up monitoring tools. This is made possible by the fact that many network connections don’t utilize encryption. E-mail is one of the biggest offenders. Many e-mail servers don’t encrypt traffic being sent so any network monitoring tool can read the contents. Likewise, many websites still utilize unencrypted connections so monitoring tools can easily read what is being sent and received between a browser and a web server. Instant messaging protocols often transmit data in the clear as well so monitoring tools can read entire conversations.

It’s not feasible to only use networks you control. A network that doesn’t connect to other networks is very limited in use. But there are tools to mitigate the risks associated with using a monitored network. For example, I run a Virtual Private Network (VPN) server that encrypts traffic between itself and my devices. When I connect to it all of my traffic goes through the encrypted connection so local network monitoring tools can’t snoop on my connections. Another tool that works very well for websites is the Tor Browser. The Tor Browser sends all traffic through an encrypted connection to an exit node. While the exit node can snoop on any unencrypted connections local monitoring tools cannot.

Such tools wouldn’t be as necessary to maintain privacy though if all connections utilized effective encryption. E-mail servers, websites, instant messengers, etc. can encrypt traffic and often do. But the lack of ubiquitous encryption means monitoring tools can still collect some data on you.
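Added example, not part of the original post: the Python below shows what a passive monitor of the kind described above can read from a connection, and where an upgrade to TLS cuts it off. The flows, hostnames, addresses and the TLS bytes are all constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 0x16  # TLS record content type for handshake messages


def is_tls_record(payload: bytes) -> bool:
    """True if payload starts with a plausible TLS handshake record header."""
    if len(payload) < 5:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    return ctype == TLS_HANDSHAKE and major == 3 and minor <= 4 and 0 < length <= 16384


def visible_text(segments):
    """Cleartext a passive monitor can read before the flow switches to TLS."""
    seen = []
    for seg in segments:
        if is_tls_record(seg):
            break  # everything after this point is ciphertext to the monitor
        seen.append(seg.decode("ascii", errors="replace").strip())
    return seen


def classify(segments):
    visible = visible_text(segments)
    if not visible:
        return "encrypted from first byte"
    if len(visible) < len(segments):
        return "upgraded to TLS"
    return "cleartext"


# Constructed placeholder: a handshake record header plus a 4-byte body.
# It is shaped like a ClientHello record but is not a valid one.
TLS_HELLO = b"\x16\x03\x01\x00\x04" + b"\x01\x00\x00\x00"

# Constructed sample flows: payloads in the order they cross the wire.
FLOWS = {
    "http": [
        b"GET /grades?student=1234 HTTP/1.1\r\nHost: portal.example.edu\r\n\r\n",
        b"HTTP/1.1 200 OK\r\n\r\n<html>B+</html>",
    ],
    "https": [TLS_HELLO],
    "smtp": [
        b"220 mail.example.org ESMTP\r\n",
        b"EHLO laptop.example.net\r\n",
        b"250 mail.example.org\r\n",
        b"MAIL FROM:<alice@example.net>\r\n",
        b"250 OK\r\n",
        b"RCPT TO:<bob@example.org>\r\n",
        b"250 OK\r\n",
        b"DATA\r\n",
        b"354 go ahead\r\n",
        b"Subject: grades\r\n\r\nSee attached.\r\n.\r\n",
    ],
    "smtp+starttls": [
        b"220 mail.example.org ESMTP\r\n",
        b"EHLO laptop.example.net\r\n",
        b"250-mail.example.org\r\n250 STARTTLS\r\n",
        b"STARTTLS\r\n",
        b"220 ready\r\n",
        TLS_HELLO,  # sender, recipient and body now travel inside TLS
    ],
}

if __name__ == "__main__":
    for name, segs in FLOWS.items():
        print(f"{name}: {classify(segs)}")
        for line in visible_text(segs):
            print("   monitor reads:", repr(line))
```

Even in the STARTTLS case the monitor still reads the server banner and the client’s EHLO hostname, and for any TLS flow it keeps the IP addresses, sizes and timing.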

Getting Off The No-Fly List

With the rekindled excitement for prohibiting people on the government’s terrorist watch lists from purchasing firearms it’s a good time to review how terrible of an idea the lists themselves are. The lists and the criteria for appearing on them are secret so there is no due process involved. We know approximately 40 percent of the names on the lists aren’t affiliated with any known terrorist organization. To make matters even worse there’s no way to know whether you’re on the lists until you try to fly and end up being detained and interrogated for hours. And once you’re on the lists getting off of them is no simple matter:

Kadura, an American citizen, was placed on the federal government’s no-fly list in 2012. Since then, in addition to being prevented from boarding flights, he has been detained, interrogated, and harassed at border crossings and pressured by authorities to become a government informant.

The 25-year-old American medical student, who was raised in Indiana, has spent the last three years trying to coax information out of the government and clear his name. Last year, he sued in federal court over his watchlisting, joining four other Muslim Americans represented by lawyers from the Michigan chapter of the Council on American-Islamic Relations. That case was still ongoing, when, this past September, Kadura suddenly received a brief, terse letter from the government indicating that he was no longer on the list and could board a plane without impediment.

Since 2012 Kadura hasn’t been able to fly. He finally found his ability to fly restored but there is no indication of why. There was no known process for him to file an appeal. He initiated a lawsuit, which hadn’t concluded when his ability to fly was restored so no information of how one might restore their privileges was drawn out during the hearing. Like getting on the list, getting off of the list is a black box.

Proponents of barring people on the terrorist watch lists from purchasing firearms like to say, “If you can’t fly, you shouldn’t be able to own a gun.” It’s idiocy that ignores the fact that nobody on the terrorist watch lists should be prohibited from flying since there is no due process involved in appearing on the lists nor is there a known way of getting removed.

Everything Is Becoming A Snitch

The Internet of Things promises many wonderful benefits but the lack of security focus guarantees there will be severe detriments. A column in the New York Times inadvertently explains how dire some of these detriments could be:

WASHINGTON — For more than two years the F.B.I. and intelligence agencies have warned that encrypted communications are creating a “going dark” crisis that will keep them from tracking terrorists and kidnappers.

Now, a study in which current and former intelligence officials participated concludes that the warning is wildly overblown, and that a raft of new technologies — like television sets with microphones and web-connected cars — are creating ample opportunities for the government to track suspects, many of them worrying.

“ ‘Going dark’ does not aptly describe the long-term landscape for government surveillance,” concludes the study, to be published Monday by the Berkman Center for Internet and Society at Harvard.

The study argues that the phrase ignores the flood of new technologies “being packed with sensors and wireless connectivity” that are expected to become the subject of court orders and subpoenas, and are already the target of the National Security Agency as it places “implants” into networks around the world to monitor communications abroad.

The products, ranging from “toasters to bedsheets, light bulbs, cameras, toothbrushes, door locks, cars, watches and other wearables,” will give the government increasing opportunities to track suspects and in many cases reconstruct communications and meetings.

Encryption is only part of the electronic security puzzle. Even if your devices are properly implementing encryption to secure the data they store, transmit, or receive they may not be properly enforcing credentials. Authorized users are expected to be able to gain access to plaintext data so bypassing the security offered by encryption can be done by gaining access to an authorized user account.

Let’s consider the Amazon Echo. The Echo relies heavily on voice commands, which means it has a built-in microphone that’s always listening. Even if the data it transmits to and receives from Amazon is properly encrypted an unauthorized user who gains access to the device as an authorized user could use the microphone to record conversations. In this case cryptography hasn’t failed, the device is merely providing expected access.

Internet of Things devices, due to the lack of security focus, often fail to enforce authorization. Some devices require no authorization at all, have vulnerabilities that allow an unauthorized user to gain access to an authorized user’s account, include built-in backdoor administrative accounts with hardcoded passwords, etc. That gives the State potential access to a great deal of sensors in a targeted person’s household.

I’m not against the idea behind the Internet of Things per se. But I’m wary of such devices at the moment because the manufacturers are, in my opinion, being sloppy with security. In time I’m sure the hard lessons will be learned just as they were learned by operating system developers in the past. When that finally happens and I can be reasonably assured the security of my smart television isn’t nonexistent I may become more willing to buy such products.

Mandatory Tracking

Fitness trackers are convenient devices for tracking health related information. Unfortunately many organizations see genuinely good ideas and decide they must be mandatory. That’s what the Oral Roberts University in Oklahoma has decided:

Oral Roberts University in Tulsa, Oklahoma, is requiring incoming freshmen to wear Fitbit fitness trackers to record 10,000 steps per day, with the information being made available to professors.

“ORU offers one of the most unique educational approaches in the world by focusing on the Whole Person — mind, body and spirit,” ORU President William M. Wilson said in a statement, a local CBS News affiliate reported.

“The marriage of new technology with our physical fitness requirements is something that sets ORU apart,” he said. “In fact, when we began this innovative program in the fall of 2015, we were the first university in the world to offer this unique approach to a fitness program.”

The Fitbit device uses GPS technology to track how and where students exercise, eat and sleep, as well as the calories they burn, how much they weigh and other personal information, EAGNews reported.

This raises so many privacy related questions. How does the university verify each student has taken the right number of steps per day? Is the information synced to the student’s smartphone (assuming the student has a smartphone)? If so, is the data collected by an app created by the university or Fitbit’s app? If the latter does the university demand students hand over their Fitbit account credentials? Is the health data accessible at any time to the university?

More concerning is how this technology will be mandated in the future. Will health insurance companies begin mandating that customers must wear Fitbits and meet a certain number of daily steps? While one can choose not to attend the Orwell, err, Oral Roberts University they cannot decide to forgo health insurance lest they be fined by the State. Could businesses require employees to wear Fitbits as part of a wellness program (one of my friends works at a place where wearing a Fitbit is required to receive a health insurance discount but it’s not mandatory yet)?

Technology is great so long as it remains voluntary. It’s when organizations start mandating the use of a technology that things become frightening.

Police Body Cameras Won’t Save Us

Setting aside the severe privacy implications of pervasive police body cameras the biggest issue is that the police remain in sole control of the devices and data. Even in cities that require police to wear body cameras I still urge people to record any and all police interactions they’re either a party to or come across. When individuals record the police the footage isn’t in the police’s control so there are barriers that make it more difficult for them to use it to prosecute somebody. Footage recorded by individuals is also more resilient to the body camera memory hole:

Chicago Police Department officers stashed microphones in their squad car glove boxes. They pulled out batteries. Microphone antennas got busted or went missing. And sometimes, dashcam systems didn’t have any microphones at all, DNAinfo Chicago has learned.

Police officials last month blamed the absence of audio in 80 percent of dashcam videos on officer error and “intentional destruction.”

When the only footage of a police encounter comes from a police controlled device it’s a simple matter for the officer to disable it. The best way to counter such a threat is to record police interactions yourself.

Most people carry smartphones, which usually come equipped with a decent camera. You can use the built-in video recording app but there are better options in my opinion. A friend of mine who spends a lot of time recording the police uses and recommends Bambuser. The American Civil Liberties Union has region specific apps for recording the police. Both options are good because they upload the video to a remote server so a cop cannot destroy the footage by confiscating or destroying your recording device.

Police body cameras sound like a great idea on paper but as with most things in life if you want something done right you should do it yourself.

The Public-Private Surveillance Partnership

Between government and corporate surveillance I would, nominally, agree that government surveillance is more dangerous. This is because corporations aren’t in the practice of sending armed goons to your home to kick in your door, shoot your dog, and kidnap you based on what their surveillance has uncovered. But the distinction is only nominal because the data collected from corporate surveillance often finds its way into the government’s hands:

Throughout the United States—outside private houses, apartment complexes, shopping centers, and businesses with large employee parking lots—a private corporation, Vigilant Solutions, is taking photos of cars and trucks with its vast network of unobtrusive cameras. It retains location data on each of those pictures, and sells it.

It’s happening right now in nearly every major American city.

The company has taken roughly 2.2 billion license-plate photos to date. Each month, it captures and permanently stores about 80 million additional geotagged images. They may well have photographed your license plate. As a result, your whereabouts at given moments in the past are permanently stored. Vigilant Solutions profits by selling access to this data (and tries to safeguard it against hackers). Your diminished privacy is their product. And the police are their customers.

The company counts 3,000 law-enforcement agencies among its clients. Thirty thousand police officers have access to its database. Do your local cops participate?

One of the biggest risks of corporate surveillance is that the collected data, either through sale or warrant, ends up in the hands of the State. While I have no real concerns about Facebook using my social graph to justify sending armed goons to kidnap me I do have concerns about a judge granting a warrant to a law enforcement agency to obtain that data as a justification for kidnapping me.

No Hero Goes Unpunished In The United States

The United States has a very proud history of punishing its heroes. William Binney had armed goons storm his home and kidnap him because he revealed rather concerning National Security Agency (NSA) programs. When Chelsea Manning revealed war crimes being committed by the United States military she ended up in a military prison. Edward Snowden is still in exile for revealing the NSA’s illegal surveillance operations. Now the United States government is going after the man who revealed the corruption in the Foreign Intelligence Surveillance Court:

A former Justice Department lawyer is facing legal ethics charges for exposing the President George W. Bush-era surveillance tactics—a leak that earned The New York Times a Pulitzer and opened the debate about warrantless surveillance that continues today.

The lawyer, Thomas Tamm, now a Maryland state public defender, is accused of breaching Washington ethics rules for going to The New York Times instead of his superiors about his concerns about what was described as “the program.”

Tamm was a member of the Justice Department’s Office of Intelligence Policy and Review and, among other things, was charged with requesting electronic surveillance warrants from the secret Foreign Intelligence Surveillance Court.

The District of Columbia Court of Appeals Board of Professional Responsibility said Tamm became aware in 2004 that certain applications to the FISA Court for national security surveillance authority “were given special treatment.”

Isn’t it ironic how the State keeps urging whistleblowers to come forth if their information is related to a private organization but prosecute any whistleblower who comes forth with information about government corruption? If a whistleblower can lead the government to some wealth to steal it is grateful but when its dirty laundry is aired it becomes angry and violent.