Saturday, 8 June 2013

PRISM, Metadata and Unwarranted Spying

With my strong interest in cryptography and cryptanalysis I also follow closely what is happening in the signal intelligence fields and I am especially interested in what the big players, NSA and GCHQ, are doing. I have therefore found this week's revelations about NSA's PRISM program, their collection of phone companies' so-called metadata and the Offensive Cyber Effects Operations (OCEO) to be both interesting and deeply disturbing.

None of these programs really surprises me. I have seen it coming for a long time and there were sufficient indications over the years to fully expect such programs to be already running. However, what surprised me more was the scope of these programs. I have always expected that they would go after the bad guys and those under serious and warranted suspicion of being terrorists or national security risks. Now we learn that we are all suspects and that you are regarded as guilty until proven innocent. The problem is that as you do not know what they do with the data related to your modern, digital life and you have no idea of what tag they apply to you, terrorist, suspected terrorist, terrorist connections etc., you are not able to put up any defence to prove your innocence. You have just become a number, a pointer, a link in their anti-terrorist network and if your number, pointer value or link happens to reach any of the magic thresholds they have in their algorithms you will find that your life suddenly changes. You will suddenly receive extra attention in your daily life, traffic police will flag you down to check your papers and your car, when you fly it is always you that are pulled aside for extra screening etc. Some might fancy such attention but I do not. Because it might not just stop there; if you are really unlucky you might no longer be able to buy any airline tickets, your number has been elevated to inclusion in the very exclusive set, the no-fly list.

You will say it is very unlikely anything like this will happen to you. If you do nothing illegal you will not be targeted. The problem with this argument is that I don't know if I do something "illegal" when I am living my daily digital life, blogging like now, twittering like I did a moment ago and added a few new connections to my Facebook page yesterday evening. Today we make connections and new acquaintances by the dozen every week, how do you know that not one of them is a terrorist or has terrorist connections? In the last 20 years I have corresponded with a lot of people I don't know. I have been helping students in Pakistan, India, Iraq and Egypt with information about cryptography for their school work. Were any of them connected with terrorists or criminals in any way? I don't know. To me they were just young students that I felt I should help with the same open door policy that I have given those coming from USA, Germany and England. Perhaps they were bad girls too, (yes surprisingly enough girls are also interested in cryptology). I don't know. But somebody knows and this somebody is sitting in front of a computer screen in an operation room at NSA. There they have just elevated my number, my name, onto one of the watch lists. The next wrong move and I creep a little higher until I hit one of the dreaded thresholds. Then the bell rings, the e-mails to the national security services are sent and the circus starts. And when it is started it might never stop. We all know how difficult it is to get removed from an electronic database, it is a never-ending uphill struggle; and when those databases are secret ...

Now Obama and Mr. Clapper, his Director of National Intelligence, say it is only metadata; we don't listen to your calls. Well, I think that is the real problem. If they had listened to my many calls to the "supposed terrorist" who has just sold me a used car, they would quickly understand that I am arguing about the price, especially after the transmission broke the week after I bought it. Instead my many and increasingly angry calls to the "terrorist" increase the connection counter on every call and the longer the calls are, the higher the weight they get. And then at the end of the week I am on the suspected terrorist watch list. You don't believe me; well, try buying a used car from a terrorist and you will see the fun you will get. To get a better feeling for metadata have a look at this.

Am I paranoid? No, I don't think so, just worried. I don't like this way of collecting intelligence. Just because it is possible to do so now it does not mean it should be done. 50 years ago all this would have been unthinkable. The only way the intelligence services then could have collected this kind of information would have been for every telephone switchboard to log all possible connections, all post offices taking notes of the addresses of all letters, parcels and postcards passing through their doors. The local police would have to visit everybody's home to search through their belongings, listing all the books on their shelves, all the records they own and carefully go through their diaries, agendas and photo albums. I doubt very much the population 50 years ago would have accepted this. There would have been a revolt and that is why there now has to be a revolt against this kind of unwarranted dragnet intelligence that sweeps up all and everybody in their nets. President Obama claims all this is legal because there is something called the Patriot Act. Perhaps it is time to look closer at this Patriot Act and see if it is as constitutional as it claims to be. To me it seems like the Patriot Act surreptitiously has rewritten the United States' Constitution.

I am not against intelligence collection, even when I am the target, as long as there is a very good and lawful reason for the collection. And when I say lawful I don't mean any quickly cooked up anti-terrorist laws, but laws that respect international law and Human Rights. Anything else I would regard as unwarranted and unlawful. President Obama, I think you will have your hands full the next few months as this simply will not go away. Neither should it. It is too important for that. At the moment we are on a very dangerous and slippery slope. At the end are the horrors of 1984 and Dystopia. Some will say this is the just price to pay for eradicating terrorism. I think not, because terrorism cannot be eradicated, only controlled and I am convinced Dystopia would just create more terrorism and this time of the homegrown sort. Take your pick, it will be hell either way.

So please, high priests in the governments around the world, don't push your intelligence agencies into this kind of quagmire. I have met many intelligence officials over the years and several I consider as very good friends. There are very few I have ever met who I think would enjoy targeting innocent people in the way it is done today. I think many intelligence officials are living increasingly difficult lives with their conscience bothering them for the rest of their lives. It was easy as long as the targets were Nazi Germany, the Soviet Union and North Vietnam. When the target is the family down the street it is quite another game.

We need good and just intelligence to protect our democracies but we should be very careful not to undermine our democracies with unwarranted spying just because the tools are there. Today a major part of our lives is in the digital world. Any responsible government should do its utmost to protect and guard our digital souls and not trample on them. We expect nothing else. Good and strong encryption should be mandatory for everybody in the same way as vaccination is a part of our health protection programs.

President Obama, you have some serious work to do if you want to remain credible.


As I expected, this has now developed into a serious debate both in the USA and abroad. I am extremely happy about this turn of events because I think it is very important that we are aware of what is happening in the surveillance fields and the directions it now takes. Previously the targets were governments and states. We, the citizens of these states, were nothing more than spectators to the spying games. When revelations would appear in the media from time to time it would only bring us some degree of awe or excitement in our daily life. Unfortunately, the targets are no longer only government and states, now also YOU are in the cross-hairs. The surveillance net has tightened its meshes to catch also the single individuals all over the world.

The amount of information that is in the press at the moment is staggering and it is not at all easy to find your way between the truths, half-truths and the clearly wrong information. However, I have just found one article that I think is very well balanced and which I think is getting closer to the real situation. Therefore have a look at Marc Ambinder's article "NSA: Sucks in data from 50 companies."

I will quote one paragraph that I found illustrates the problem for us non-US citizens:
"And the government insists that the rules allowing the NSA or the FBI to analyze anything relating to U.S. persons or corporations are strict, bright-line, and are regularly scrutinized to ensure that innocents don't get caught up in the mix. The specifics, however, remain classified, as do the oversight mechanisms in place."
At least the way it is presented here seems to suggest that non-US persons or corporations will a priori not have the same protection with regard to innocence. I think we are regarded as fair game, which means that we can freely be scrutinised to whatever extent necessary to see if we are a security threat or not. We are all guilty until proven innocent. With a few strokes of the pen we have been stripped of all our privacy and rights.

Here is a great timeline: Timeline of NSA Domestic Spying


Carvin' Tom said...

My concern is that while everything they do and say *today* may be "by the book" who knows what some individual/group/agency might choose to do with the overall collection of "data" (I am somewhat hesitant to use that word) will do with it *tomorrow*.

I, too, am somewhat anxious about all of this.

Carvin' Tom said...

I should have proof-read that a bit before I hit return. There are a couple of extra words in here. Someday someone may wonder what I was *encoding* there and that will elevate my *status*:-)

Frode Weierud said...

Yes, that is also one of my worries. You don't even know what kind of government you will get tomorrow.

I think the intelligence agencies should have the tools they need to do the job they have to do, and the tools should be sufficiently sharp to do the job properly. But when they are not needed they should be kept locked in their toolboxes. The tools should be treated more or less like nuclear weapons; strictly controlled.

Christos T. said...

‘I have always expected that they would go after the bad guys and those under serious and warranted suspicion of being terrorists or national security risks. Now we learn that we are all suspects and that you are regarded as guilty until proven innocent.’

Frode, collecting and analyzing internet data is easy and cheap and apparently many countries/organizations have the capability to intercept vast amounts of data on all of us. Breaking passwords is also getting easier and easier. Bureaucratic organizations aren’t interested in catching the bad guys. They’re interested in expanding their budgets, their authority and hiring more personnel.

Personally I’m surprised that people are surprised that this was going on. Haven’t you seen ‘Person of interest’? :)

Frode Weierud said...

Hello Chris,

I know it is cheap and easy but in my eyes that does not make it either legal or appropriate to indiscriminately collect data on people who have not done anything wrong. Living a normal life was until now something that I expected to be able to do without having Big Brother breathing down my neck. But it seems that what previously was the Commie Red scare now has become the Terrorist scare. We seem to be living in an era of New McCarthyism. History is repeating itself.

Randy Rezabek said...


What also frightens me is that all these technologies were prototyped by the private sector for marketing purposes. The ability to identify, categorize, slice and dice millions of people and manipulate them for profit is as dystopian an image of society as anything the government threatens. A for-profit bureaucracy has even less restraint than a government in abusing their power.

Another fine point of your commentary is that these issues about American security (or perceived lack of security) that encourage this abuse affect everyone on the planet, not just Americans.

Frode Weierud said...

Hello Randy,
Many thanks for your comments. The use of the private sector to develop, prototype and probably also test live these tools is very worrying. I probably will post something on that later. These firms seem largely outside any governmental control, a kind of grey market, peddling their wares in the same way arms dealers do.

Now the American government is not alone in having this kind of massive surveillance but due to the way the Internet and the telecommunications networks are built a very large part of the traffic passes over American territory. And as we know, the large IT companies are mainly American, so almost by design it scoops up a large part of the rest of the world too.

Dirk Rijmenants said...

Hi Frode,

Excellent piece! Here's my suggestion: what if, from now on, everyone around the world includes a footer in all his e-mails, chats and text messaging, that contains a list of flag words like U.S., bombe, ricine, obama, kahlid sheik mohamed, al qaida, missile, airplane, hijacking, nuclear, gay, muslim, catholic, constitutional rights and a few hundred other indecent words. Wouldn't that make their PRISM go berserk, and overload the NSA data centre in Utah :-) Ha!

PS: oops, I'm afraid you now might have gone up some places in the black list.

Dirk Rijmenants said...

Wait, someone knocking on my door...

Unknown said...

Excellent piece! Thanks...

Frode Weierud said...

Hello Anil,

Pleased to see that you liked it. I hope to write something more on this topic later but at the moment I am rather busy on other fronts. This kind of surveillance has many aspects and it cannot outright be condemned, but the form it has taken now scares me. What they do is to create an enormous pond of intercepts where they can go fishing for any fish they like to catch, small, medium, big and ugly, and using whatever tool they like. There seems to be very little control of their activities. Dystopia seems very close indeed.