Saturday, 8 June 2013

PRISM, Metadata and Unwarranted Spying

With my strong interest in cryptography and cryptanalysis I also follow closely what is happening in the signal intelligence fields and I am especially interested in what the big players, NSA and GCHQ, are doing. I have therefore found this week's revelations about NSA's PRISM program, their collection of phone companies' so-called metadata and the Offensive Cyber Effects Operations (OCEO) to be both interesting and deeply disturbing.

None of these programs really surprises me. I have seen it coming for a long time and there were sufficient indications over the years to fully expect such programs to be already running. However, what surprised me more was the scope of these programs. I have always expected that they would go after the bad guys and those under serious and warranted suspicion of being terrorists or national security risks. Now we learn that we are all suspects and that you are regarded as guilty until proven innocent. The problem is that as you do not know what they do with the data related to your modern, digital life and you have no idea of what tag they apply to you, terrorist, suspected terrorist, terrorist connections etc., you are not able to put up any defence to prove your innocence. You have just become a number, a pointer, a link in their anti-terrorist network and if your number, pointer value or link happens to reach any of the magic thresholds they have in their algorithms you will find that your life suddenly changes. You will suddenly receive extra attention in your daily life, traffic police will flag you down to check your papers and your car, when you fly it is always you that is pulled aside for extra screening etc. Some might fancy such attention but I do not. Because it might not just stop there: if you are really unlucky you might no longer be able to buy any airline tickets, your number has been elevated to inclusion in the very exclusive set, the no-fly list.

You will say it is very unlikely anything like this will happen to you. If you do nothing illegal you will not be targeted. The problem with this argument is that I don't know if I do something "illegal" when I am living my daily digital life, blogging like now, twittering like I did a moment ago and adding a few new connections to my Facebook page like I did yesterday evening. Today we make connections and new acquaintances by the dozen every week; how do you know that not one of them is a terrorist or has terrorist connections? In the last 20 years I have corresponded with a lot of people I don't know. I have been helping students in Pakistan, India, Iraq and Egypt with information about cryptography for their school work. Were any of them connected with terrorists or criminals in any way? I don't know. To me they were just young students that I felt I should help with the same open door policy that I have given those coming from USA, Germany and England. Perhaps they were bad girls too (yes, surprisingly enough girls are also interested in cryptology). I don't know. But somebody knows and this somebody is sitting in front of a computer screen in an operation room at NSA. There they have just elevated my number, my name, onto one of the watch lists. The next wrong move and I creep a little higher until I hit one of the dreaded thresholds. Then the bell rings, the e-mails to the national security services are sent and the circus starts. And when it is started it might never stop. We all know how difficult it is to get removed from an electronic database, it is a never ending uphill struggle; and when those databases are secret ...

Now Obama and Mr. Clapper, his Director of National Intelligence, say it is only metadata, we don't listen to your calls. Well, I think that is the real problem. If they had listened to my many calls to the "supposed terrorist" who has just sold me a used car, they would quickly understand that I am arguing about the price, especially after the transmission broke the week after I bought it. Instead my many and increasingly angry calls to the "terrorist" increase the connection counter on every call and the longer the calls are, the higher the weight they get. And then at the end of the week I am on the suspected terrorist watch list. You don't believe me? Well, try buying a used car from a terrorist and you will see the fun you will get. To get a better feeling for metadata have a look at this.

Am I paranoid? No, I don't think so, just worried. I don't like this way of collecting intelligence. Just because it is possible to do so now it does not mean it should be done. 50 years ago all this would have been unthinkable. The only way the intelligence services then could have collected this kind of information would have been for every telephone switchboard to log all possible connections, all post offices taking notes of the addresses of all letters, parcels and postcards passing through their doors. The local police would have to visit everybody's home to search through their belongings, listing all the books on their shelves, all the records they own and carefully go through their diaries, agendas and photo albums. I doubt very much the population 50 years ago would have accepted this. There would have been a revolt and that is why there now has to be a revolt against this kind of unwarranted dragnet intelligence that sweeps up all and everybody in their nets. President Obama claims all this is legal because there is something called the Patriot Act. Perhaps it is time to look closer at this Patriot Act and see if it is as constitutional as it claims to be. To me it seems like the Patriot Act surreptitiously has rewritten the United States' Constitution.

I am not against intelligence collection, even when I am the target, as long as there is a very good and lawful reason for the collection. And when I say lawful I don't mean any quickly cooked up anti-terrorist laws, but laws that respect international law and Human Rights. Anything else I would regard as unwarranted and unlawful. President Obama, I think you will have your hands full the next few months as this simply will not go away. Neither should it. It is too important for that. At the moment we are on a very dangerous and slippery slope. At the end are the horrors of 1984 and Dystopia. Some will say this is the just price to pay for eradicating terrorism. I think not, because terrorism cannot be eradicated, only controlled and I am convinced Dystopia would just create more terrorism and this time of the homegrown sort. Take your pick, it will be hell either way.

So please, high priests in the governments around the world, don't push your intelligence agencies into this kind of quagmire. I have met many intelligence officials over the years and several I consider as very good friends. There are very few I have ever met who I think would enjoy targeting innocent people in the way it is done today. I think many intelligence officials are living increasingly difficult lives with their conscience bothering them for the rest of their lives. It was easy as long as the targets were Nazi Germany, the Soviet Union and North Vietnam. When the target is the family down the street it is quite another game.

We need good and just intelligence to protect our democracies but we should be very careful not to undermine our democracies with unwarranted spying just because the tools are there. Today a major part of our lives is in the digital world. Any responsible government should do its utmost to protect and guard our digital souls and not trample on them. We expect nothing else. Good and strong encryption should be mandatory for everybody in the same way as vaccination is a part of our health protection programs.

President Obama, you have some serious work to do if you want to remain credible.


UPDATE.

As I expected, this has now developed into a serious debate both in the USA and abroad. I am extremely happy about this turn of events because I think it is very important that we are aware of what is happening in the surveillance fields and the directions it now takes. Previously the targets were governments and states. We, the citizens of these states, were nothing more than spectators to the spying games. When revelations would appear in the media from time to time it would only bring us some degree of awe or excitement in our daily life. Unfortunately, the targets are no longer only governments and states, now also YOU are in the cross-hairs. The surveillance net has tightened its meshes to catch also the single individuals all over the world.

The amount of information that is in the press at the moment is staggering and it is not at all easy to find your way between the truths, half-truths and the clearly wrong information. However, I have just found one article that I think is very well balanced and which I think is getting closer to the real situation. Therefore have a look at Marc Ambinder's article "NSA: Sucks in data from 50 companies."

I will quote one paragraph that I found illustrates the problem for us non-US citizens:
And the government insists that the rules allowing the NSA or the FBI to analyze anything relating to U.S. persons or corporations are strict, bright-line, and are regularly scrutinized to ensure that innocents don't get caught up in the mix. The specifics, however, remain classified, as do the oversight mechanisms in place.
At least the way it is presented here seems to suggest that non-US persons or corporations will a priori not have the same protection with regard to innocence. I think we are regarded as fair game, which means that we can freely be scrutinised to whatever extent necessary to see if we are a security threat or not. We are all guilty until proven innocent. With a few strokes of the pen we have been stripped of all our privacy and rights.

Here is a great timeline: Timeline of NSA Domestic Spying