Tuesday, January 31, 2012

The Origins of Facebook and Google 2: The Cyber Price For National Security

How the government and law enforcement agencies view your online privacy.
Read In New Wide Format

In a book by author Susan Landau, titled, Surveillance or Security?: The Risks Posed by New Wiretapping Technologies, the question of the vulnerabilities of our internet infrastructure created by desire of law enforcement and national security agencies to make them "wiretappable."  As many know, in 1994, The Communications Assistance for Law Enforcement Act (CALEA) was passed by Congress.  According to an article in Boston Review,
CALEA requires that telecommunications carriers and equipment manufacturers assist federal agencies by building remote surveillance capabilities into their devices, infrastructure, and services—i.e., making them wiretappable. But Congress, realizing that this could strangle innovation in the nascent online sector, exempted providers of “information services.” The exemption, however, was too general, never spelling out how to deal with hybrid services such as Voice over Internet Protocol, or VoIP, of which Skype is a notable example. VoIP is functionally similar to telephony because it enables distant parties to talk to each other. But VoIP services rely on Internet infrastructure and may be considered a kind of information service. 
Even if the war on terrorism ends, the surveillance infrastructure it spawned is likely to remain in place for decades. Susan Landau

According to this same article in 2005, Congress clarified this ambiguity by extending CALEA obligations to "interconnected VoIP services" but not to peer to peer VoIP services such as Skype.  Even the sponsor of the CALEA bill opposed any expansion of it into these areas:
Congress recognized the unique architecture of the Internet and explicitly excluded it from the scope of CALEA's surveillance design mandates, and we did that to allow Congress to re-visit the appropriateness of such an extension as the Internet developed. Any extension of CALEA - a law written for the telephone system in 1994 - to the Internet in 2005 would be inconsistent with congressional intent.
The previous mentioned Boston Review article provides a chilling explanation of just how much surveillance law enforcement and security agencies wish:
According to Christopher Soghoian, an expert on information security and government surveillance, law enforcement agencies are seeking three powers currently outside CALEA. First, they want authority to intercept communications exchanged on Twitter, Facebook, and other services in real time as well as to intercept a suspect’s future searches, emails, or chats, as opposed to requesting them retroactively, as it does now. Second, they want to wiretap audio and video chats that are offered as auxiliary services by social networks or game platforms, such as Microsoft’s XBox 360, which allows gamers to chat with each other while playing online. Finally, they’d like to keep tabs on users who are running Virtual Private Networks (VPNs) to hide their traffic or login remotely to closed networks, a common practice in business, academia, and government.
This quote implies then, that at the present time, government agencies do not legally have the power to track all that is going on on Facebook, and social media with the flip of a switch.  It would be assumed that they still need a court order.  We include a lecture by Mr. Soghoian on this issue.  If you cannot see the embedded video, here is the link: http://youtu.be/t0aQojDGSD4.  In this video, we find a quote from Mr. Soghoian:
Your Internet, phone and web application providers are all, for the most part, in bed with the government. They all routinely disclose their customers' communications and other private data to law enforcement and intelligence agencies. Worse, firms like Google and Microsoft specifically log data in order to assist the government, while AT&T and Verizon are paid $1.8 million per year in order to provide real time access to customer communications records to the FBI.
The explanatory note in the YouTube video goes on to explain how different carriers handle government requests:
The differences in the privacy practices of the major players in the telecommunications and Internet applications market are significant: Some firms retain identifying data for years, while others retain no data at all; some voluntarily provide the government access to user data - Verizon even argued in court that it has a 1st amendment right to give the NSA access to calling records, while other companies refuse to voluntarily disclose data without a court order; some companies charge the government when it requests user data, while others disclose it for free.

There are several reasons why these desired "backdoors" will not be either effective or secure:

  1. They cannot be forced on all online communication carriers.  As soon one service is made compliant, a new one would come out without compliance.  This new service is the one that any would be "terrorist" would use.  Some companies are overseas rendering them immune to U.S. regulations.
  2. If Deep Packet Inspection is used on all activities as opposed to just its limited purpose of keeping viruses and other malware out, this will result in the majority of people becoming anonymous using TOR services.
  3. With the abundance of information from social media sites like Four Square, Facebook, Twitter and other places where people post their location as well as credit card information a person's movement can easily be tracked.
  4. Law enforcement and security agencies already have tools like CIPAV (Computer and Internet Protocol Address Verifier) that monitors activity in a target computer without revealing its presence.
The new ally to law enforcement and security agency may be advertisers.  We end with this rather ominous passage from the Boston Review website previously cited.  Speaking of a new approach the FBI may be taking about surveillance it states,
...this may explain why it seems to be changing tactics and, instead of demanding new laws to make backdoors mandatory, is also trying to convince companies to modify their services and make them data-sensitive. Such alterations would help the FBI and the industry: win-win. The dangers of such an unholy alliance between the highly customized advertising excesses of modern capitalism and the data-gathering excesses of the modern surveillance state are obvious: Internet companies are licensed to collect and analyze as much information as possible precisely because the state may one day ask them for it. 
Given how much private companies know about us, it is naïve to expect that the FBIs and NSAs of the world would be content to acquire new tools and develop better investigative techniques while leaving that trove of data unmined. There are already companies collecting the information that law enforcement agencies want: they need only reach out and take it while leaving those companies to continue aggregating and analyzing information, secure in the knowledge that users never read the terms of service.
In our next installment we shall deal with Facebook's and Google's alleged connections with national security agencies. 


Anonymous said...

Hello, i read your site, this a best site from me, thanks!

Tehnomag12 said...

правилно терористы везде и в сети особенно,террарюги это страшно нам всю страну одно время задрочили,шутки плохи с этими клоунами.они звери.