WeeklyWorker

27.06.2013

Surveillance state: What we knew already

Yassamine Mather surveils the recent UK-US electronic spying scandal

Edward Snowden’s revelations about internet and phone surveillance by the Government Communications Headquarters (GCHQ) in the UK and National Security Agency (NSA) in the US did not come as a surprise to anyone with knowledge of the current state of communication technology and the extensive use of the ‘terrorist’ threat as an excuse to spy on citizens - as well as gathering information about other states. The surprising elements can be found in the detail: for example, the extent to which GCHQ and MI5 set up traps to capture data during the G20 conference in 2009:

“Setting up internet cafés where they used an email interception programme and key-logging software to spy on delegates’ use of computers; penetrating the security on delegates’ BlackBerrys to monitor their email messages and phone calls; supplying 45 analysts with a live round-the-clock summary of who was phoning who at the summit”; as well as “reading people’s email before/as they do”.1

Engineers and scientists, who were amongst the first academics using email in the 1980s, were well aware that this new form of communication was susceptible to interception and surveillance. Indeed, they warned new researchers and students to treat this electronic form of communication as if they were sending an open letter: ‘Don’t put anything in an email you wouldn’t like everyone else to know about.’ This community knew that every email could be read by state research and spying institutions. In those days, security forces were targeting Marxist groups for surveillance and many academics (mainly non-political scientists and engineers) took it upon themselves to shield email users from the security forces. For years, every scientific email sent between the Massachusetts Institute of Technology, Imperial College and a host of universities involved in joint computing or engineering projects with them ended with a long list of words used by the CIA and MI5 to track leftwing students/activists. So it would be no surprise to get an email about, say, ‘Advances in transputer technology’ containing tag words such as ‘Marxism’, ‘Leninism’, ‘Red Army Faction’, ‘Baader Meinhof’, etc. Extensive use of key search words in every email was a way of combating state surveillance of individual messages. Distributed computing and the internet have come a long way since then, yet the majority of IT users are unaware that collection of personal data happens constantly - remotely in automated systems - or that databanks are used by both states and private companies to store the information.

With the exception of remote rural areas in some third-world countries, it is normal for states, charities, NGOs and private firms to use computers to save data about us. Everyone’s medical, employment and tax details are recorded by the state, and in addition banks and financial institutions store the data collected every time we use cards, cheques, direct debit, etc - not just about our salaries, debts and other financial details, but every aspect of our private lives. This data can be used by the state and the security forces. In addition, metadata companies are making profits by selling profiles of our lives obtained from all the above sources to private companies which use the data for personalised, targeted adverts and marketing.

Increasingly, online sales websites encourage us to use Facebook accounts when making an enquiry or a purchase. There are good reasons for this. Facebook associates our online behaviour and that of our friends with our consumer profile offline, so that we can be grouped for marketing and advertising purposes. Companies use this information to create a profile of every customer for the purpose of targeted advertising. This form of advertising is more efficient than, for example, sending spam emails which offer breast implants to male users or hair transplant remedies to young women.

A reporter from the US magazine, The Atlantic, used a tool called Collusion to find out who was tracking his internet usage and found that, during one 36-hour period, 105 companies were doing so.2 It is easy to see how the same profile could be put to more sinister use not just by an Orwellian state, but by fascist sympathisers, megalomaniacs or even the ‘democratic’ security services.

It is well known that providers keep connection and login records, including IP addresses (the unique identifier of the connection you use either on broadband or wifi) and that states can demand access to such records. In both the US and UK, the authorities need a warrant from a judge to search physical property. However, rules governing virtual property searches - be it for emails or files held on computers - are far more lax. According to Google’s own admission, between January and June 2012, United States law enforcement agencies requested data for 16,281 Gmail/Google accounts and the company complied with 90% of them. What is interesting about the Prism surveillance program operated by the NSA is that the agency has used legislation such as the Patriot Act and US Foreign Intelligence Surveillance Court rulings to “make use of inadvertently acquired” domestic communications, whenever they were believed to contain any information relevant to cybersecurity - and in this, they had the IT companies’ full cooperation.

Public and private sector cooperation in this is remarkable - and it is likely to continue as long as capitalism and the market exist.

NSA operations

The National Security Agency, which was at the centre of Snowden’s whistle-blowing, has access to more than the above. Satellites constantly record our location using data beamed from cell phones to complement CCTV records, and the NSA collects intelligence using geostationary satellites in cooperation with the military forces of ‘US allies’. No wonder the organisation boasts the largest group of supercomputers capable of dealing with metadata. Every day it intercepts and stores 1.7 billion emails, phone calls and other types of communication.3

The NSA is often described as the world’s largest single employer of mathematicians. They have worked on the agency’s advanced encryption programme, while researching into a project named ‘random number generator’ - allegedly used to allow access to all encrypted data using random numbers.

The NSA spends millions of dollars financing academic research. Thousands of research papers submitted to academic journals between 2007 and 2011 mention the NSA as the source of their funding. In response to a freedom of information lawsuit this year, the NSA released a 651-page research paper entitled Untangling the web: a guide to internet research,4 a must-read for anyone interested in the subject. Amongst other things, it shows how searches using Google, Yahoo, Wikipedia, etc can be classified and correlated.

In the US, the debate about privacy and data protection has concentrated on the rights of US citizens, as opposed to anyone else’s - when challenged, the NSA draws attention to information on its web pages5 showing its efforts to avoid spying on private communications; but these relate to US citizens exclusively. The issue has infuriated US allies in Europe and beyond. This commentary by Jakob Augstein in Der Spiegel is one amongst many in the European press: “Those who believed that drone attacks in Pakistan or the camp at Guantanamo were merely regrettable events at the end of the world should stop to reflect. Those who still believed that the torture at Abu Ghraib or that the waterboarding in CIA prisons had nothing to do with them are now changing their views ... A regime is ruling in the United States today that acts in a totalitarian way, when it comes to its claim to total control. Soft totalitarianism is still totalitarianism.”6

US senators Ron Wyden and Mark Udall, who are sponsoring a bill on this issue, say that some of the NSA’s statements are inaccurate and misleading: “In our judgement this inaccuracy is significant, as it portrays protections for Americans’ privacy as being significantly stronger than they actually are.”7 For example, the NSA guideline which states, “Any inadvertently acquired communication of or concerning a US person must be promptly destroyed if it is neither relevant to the authorised purpose nor evidence of a crime” is thought to be not worth the paper it is written on. The Obama administration is certain to face more internal as well as international criticism over this question.

Users beware

Although it would be foolish to think we can protect ourselves completely from this type of surveillance, we can, of course, take some basic steps to make life more difficult for the security services. For instance, it is not advisable to use mobile phones for searches made via Google, Yahoo and so on: better to use web browsers, where permissions can be set and cookies (pieces of data sent from the website and stored in our browser enabling it to retain information on a website or activity we have undertaken) can be deleted.

We can use aliases in emails and on Facebook, but security forces are likely to be able to identify users from their IP addresses. It is possible to conceal an IP address using a virtual private network, which provides public wifi networks with some security ...

But increasingly none of it matters. If a device is connected to the internet, even if that connection lasts just a few seconds, data on it is vulnerable. British Aerospace and other military research institutions have strict rules about internet connections: basically computers holding sensitive data are never connected to the web.

So for those fearful of the “dark side of the internet”, the message is clear: anything that appears anywhere on Facebook or Twitter, in an email or on a blog, can be accessed. As the title of an article in the business pages of the New York Times implies, “Trying to keep your emails secret when the CIA chief couldn’t” is just - well - impossible.8

Notes

1. The Guardian June 16. www.guardian.co.uk/uk/2013/jun/16/gchq-intercepted-communications-g20-summits.

2. www.theatlantic.com/technology/archive/2012/02/im-being-followed-how-google-151-and-104-other-companies-151-are-tracking-me-on-the-web/253758.

3. Priest, Dana and Arkin, William, A hidden world, growing beyond control, Washington Post: http://projects.washingtonpost.com/top-secret-america/articles/a-hidden-world-growing-beyond-control/3.

4. www.nsa.gov/public_info/_files/Untangling_the_Web.pdf.

5. www.nsa.gov/public_info/_files/press_releases/section_702_protections.pdf.

6. www.spiegel.de/international/world/europe-must-stand-up-to-american-cyber-snooping-a-906250.html.

7. http://theatlantic.datinggroud.com/politics/archive/2013/06/2-senators-say-the-nsa-is-still-feeding-us-false-information/277187.

8. www.nytimes.com/2012/11/17/technology/trying-to-keep-your-e-mails-secret-when-the-cia-chief-couldnt.html?pagewanted=all&_r=0.