Archive for the 'Privacy' Category

So what will it take to wake people up?

[link] Thursday, December 11th, 2014

At dinner last night I had a long talk with one of my Masters students who is as baffled as I am about why people seem to be so complacent about online surveillance. This morning a colleague sent me a link to this TEDx talk by Mikko Hypponen, a well known Finnish security expert. It’s a terrific lecture, but one part of it stood out especially for me in the context of last night’s conversation. It concerned an experiment Hypponen and his colleagues ran in London, where they set up a free wi-fi hot-spot that anyone could use after they had clicked to accept the terms & conditions under which the service was offered. One of the terms was this:

[image: the “first born child” clause in the hot-spot’s terms and conditions]

Every user — every user! — clicked ‘Accept’.

Why ‘cybersecurity’ is such a flawed term

[link] Monday, December 8th, 2014

In a sentence: it lumps three very different things — crime, espionage and warfare — under a single heading. And, as I tried to point out in yesterday’s Observer column, instead of making cyberspace more secure many of the activities classified as ‘cyber security’ make it less so.

Bruce Schneier has a thoughtful essay on the subject.

Last week we learned about a striking piece of malware called Regin that has been infecting computer networks worldwide since 2008. It’s more sophisticated than any known criminal malware, and everyone believes a government is behind it. No country has taken credit for Regin, but there’s substantial evidence that it was built and operated by the United States.

This isn’t the first government malware discovered. GhostNet is believed to be Chinese. Red October and Turla are believed to be Russian. The Mask is probably Spanish. Stuxnet and Flame are probably from the U.S. All these were discovered in the past five years, and named by researchers who inferred their creators from clues such as who the malware targeted.

I dislike the “cyberwar” metaphor for espionage and hacking, but there is a war of sorts going on in cyberspace. Countries are using these weapons against each other. This affects all of us not just because we might be citizens of one of these countries, but because we are all potentially collateral damage. Most of the varieties of malware listed above have been used against nongovernment targets, such as national infrastructure, corporations, and NGOs. Sometimes these attacks are accidental, but often they are deliberate.

For their defense, civilian networks must rely on commercial security products and services. We largely rely on antivirus products from companies such as Symantec, Kaspersky, and F-Secure. These products continuously scan our computers, looking for malware, deleting it, and alerting us as they find it. We expect these companies to act in our interests, and never deliberately fail to protect us from a known threat.

This is why the recent disclosure of Regin is so disquieting. The first public announcement of Regin was from Symantec, on November 23. The company said that its researchers had been studying it for about a year, and announced its existence because they knew of another source that was going to announce it. That source was a news site, the Intercept, which described Regin and its U.S. connections the following day. Both Kaspersky and F-Secure soon published their own findings. Both stated that they had been tracking Regin for years. All three of the antivirus companies were able to find samples of it in their files since 2008 or 2009.

Yep. Remember that the ostensible mission of these companies is to make cyberspace more secure. By keeping quiet about the Regin threat they did exactly the opposite. So, as Schneier concludes,

Right now, antivirus companies are probably sitting on incomplete stories about a dozen more varieties of government-grade malware. But they shouldn’t. We want, and need, our antivirus companies to tell us everything they can about these threats as soon as they know them, and not wait until the release of a political story makes it impossible for them to remain silent.

RIPA, the super-elastic statute

[link] Thursday, November 6th, 2014

When RIPA was going through Parliament in 1999, one of the things critics pointed out was the latitude it provided for mission creep. And so it proved — to the point where local authorities were using it to snoop on parents who were suspected of not living in the catchment area of the schools to which they wanted to send their kids.

Now, more evidence of the extent of the mission creep: documents released by the human rights organisation Reprieve show that GCHQ and MI5 staff were told they could target lawyers’ communications. This undermines the legal privilege that ensures communications between lawyers and their clients are confidential.

The news that legal privilege is being violated comes weeks after it was revealed the Met police have used RIPA to circumvent journalistic privilege that protects journalists’ sources.

The only thing that remains is the (Catholic) Confessional.

After Snowden, what?

[link] Sunday, October 19th, 2014

This morning’s Observer column.

Many moons ago, shortly after Edward Snowden’s revelations about the NSA first appeared, I wrote a column which began, “Repeat after me: Edward Snowden is not the story”. I was infuriated by the way the mainstream media was focusing not on the import of what he had revealed, but on the trivia: Snowden’s personality, facial hair (or absence thereof), whereabouts, family background, girlfriend, etc. The usual crap, in other words. It was like having a chap tell us that the government was poisoning the water supply and concentrating instead on whom he had friended on Facebook.

Mercifully, we have moved on a bit since then. The important thing now, it seems to me, is to consider a new question: given what we now know, what should we do about it? What could we realistically do? Will we, in fact, do anything? And if the latter, where are we heading as democracies?

I tried to put some of these questions to Snowden at the Observer Ideas festival last Sunday via a Skype link that proved comically dysfunctional. The comedy in using a technology to which the NSA has a backdoor was not lost on the (large) audience — or on Snowden, who coped gracefully with it. But it was a bit like trying to have a philosophical discussion using smoke signals. So let’s have another go.

First, what could we do to curb comprehensive surveillance of the net?

Read on…

Bruce Schneier’s next book

[link] Wednesday, October 15th, 2014

Title: Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World

Publisher: WW Norton

Publication date: March 9, 2015

Table of Contents

Part 1: The World We’re Creating
Chapter 1: Data as a By-Product of Computing
Chapter 2: Data as Surveillance
Chapter 3: Analyzing our Data
Chapter 4: The Business of Surveillance
Chapter 5: Government Surveillance and Control
Chapter 6: Consolidation of Institutional Surveillance

Part 2: What’s at Stake
Chapter 7: Political Liberty and Justice
Chapter 8: Commercial Fairness and Equality
Chapter 9: Business Competitiveness
Chapter 10: Privacy
Chapter 11: Security

Part 3: What to Do About It
Chapter 12: Principles
Chapter 13: Solutions for Government
Chapter 14: Solutions for Corporations
Chapter 15: Solutions for the Rest of Us
Chapter 16: Social Norms and the Big Data Trade-Off

Something to be pre-ordered, methinks.

Even if you’re not on Facebook, you are still the product

[link] Sunday, October 5th, 2014

This morning’s Observer column:

The old adage “if the service is free, then you are its product” needs updating. What it signified was that web services (like Facebook, Google, Yahoo et al) that do not charge users make their money by harvesting personal and behavioural data relating to those users and selling that data to advertisers. That’s still true, of course. But a more accurate version of the adage would now read something like this: if you use the web for anything (including paying for stuff) then you are also the product, because your data is being sold on to third parties without your knowledge.

In a way, you probably already knew this. A while back you searched for, say, a digital camera on the John Lewis site. And then you noticed that wherever you went on the web after that, John Lewis ads for cameras kept appearing on the site you were visiting. What you were witnessing was the output of a multibillion-dollar industry that operates below the surface of the web. Think of it as the hidden wiring of our networked world. And what it does is track you wherever you go online…

Read on

After Snowden…

[link] Thursday, September 25th, 2014


A few months ago I took part in a debate about the implications of the Snowden revelations with Chris Huhne, the former Lib-Dem Cabinet minister, and Sir David Omand, the former Director of GCHQ. Here’s the video of the session.

In a national surveillance state, privacy is seen as “a luxury of the guilty”

[link] Friday, September 19th, 2014

Terrific piece by Andrew O’Hagan on Edward Snowden and Glenn Greenwald in the London Review of Books.

Sample:

Surveillance in the UK is an implicitly sanctioned habit that has smashed the moral framework of journalism. Protection of sources is not an adornment, not some optional garment worn only when it suits, but a basic necessity in the running of a free press in a fair democracy. Snowden proved that, but not to the satisfaction of Britain’s home affairs establishment, or the police, who like to behave as if all freedoms are optional at the point of delivery. [Alan] Rusbridger recently made the point that source confidentiality is in peril, after the revelation that the Metropolitan Police had spied on the phone records of the political editor of the Sun, Tom Newton Dunn. Snowden might have taught us to expect to be monitored, but his message, that our freedom is being diluted by a manufactured fear of the evil that surveillance ‘protects’ us from, is not being heard. Louder and clearer to many is the message that comes from the security state mind, a suspicion carried on the air like a germ, that certain kinds of journalism, like certain aspects of citizenship, are basically treacherous and a threat to good management. This germ has infected society to such a degree that people don’t notice, they don’t mind, and a great many think it not only permissible but sensible and natural, in a culture of ‘threat’, to imagine that privacy is merely a luxury of the guilty.

And this:

The first thing that amazed me about Julian Assange was how fearful he was – and how right, as it turned out – about the internet being used as a tool to remove our personal freedom. That surprised me, because I’d naively assumed that all hackers and computer nerds were in love with the net. In fact, the smarter ones were suspicious of it and understood all along that it could easily be abused by governments and corporations. The new technology would offer the chance of mass communication and networking like never before, but lurking in all those servers and behind all those cameras was a sinister, surveilling machine of ever growing power. The US government sought omniscience – ‘a system that has as its goal the complete elimination of electronic privacy worldwide’ – and showed by such actions that it considers itself above the prospectus set out in its own constitution. The leaders of the NSA said, ‘collect it all,’ and the people put up with it.

So who still believes that collecting metadata is harmless?

[link] Friday, September 12th, 2014

Interesting snippet in the latest newsletter from the Open Rights Group:

It was revealed last week that the Met police accessed the telephone records of The Sun’s Political Editor, Tom Newton Dunn, using a RIPA request.

The case should end any discussion about whether or not metadata reveals anything personal about us: Newton Dunn’s calls, and when and where they were received, were seen as enough to identify a whistleblower who contacted him over the Plebgate scandal.

Journalistic privilege, protected by the Police and Criminal Evidence Act, was circumvented by the use of RIPA. Newton Dunn was not even aware that his records had been accessed until the Met published their report into the Plebgate affair.

When DRIP was announced, Newton Dunn wrote in The Sun that the new powers would give MI5 and cops “crucial access to plotters’ mobile phone records”. UK public authorities use RIPA over 500,000 times a year to access private data. The police refused to answer questions as to how many times they have accessed journalists’ data. When this is happening without our knowledge, we cannot ignore the threat to our civil liberties that data retention poses.

The interesting bit is the fact that the metadata were sufficient to identify a whistleblower. We all knew that, of course, but the official line is still that bulk collection of metadata does not infringe on privacy.
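To make the point concrete, here is an added example (my own illustration, not code from the Open Rights Group, the Met or anyone on this page) of what a timing correlation over nothing but call records looks like. Every number, timestamp, cell identifier and roster entry is constructed for the illustration; the only technique shown is the obvious one: take the reporter’s call records, look at who was in contact in the day before each story appeared, and see which number turns up every time.

```python
"""
Added example, not part of the original post: how call metadata alone
(who called whom, when, and from which cell site) can single out a
source without any call content. Every record, number, time and name
below is constructed for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

JOURNALIST = "+44700000001"  # constructed number for the reporter's handset

# Constructed call-detail records for the reporter's phone, in the
# "caller,callee,start,cell" layout a carrier might return on a request.
# 'cell' is the cell site the reporter's handset was using at the time.
CDR_LINES = """\
caller,callee,start,cell
+44700000010,+44700000001,2014-09-17T18:05:00,LDN-SW1-07
+44700000011,+44700000001,2014-09-17T20:40:00,LDN-E1-02
+44700000001,+44700000012,2014-09-18T09:00:00,LDN-SW1-03
+44700000010,+44700000001,2014-09-24T17:55:00,LDN-SW1-07
+44700000013,+44700000001,2014-09-24T19:10:00,LDN-N1-01
+44700000010,+44700000001,2014-10-01T18:20:00,LDN-SW1-07
+44700000011,+44700000001,2014-10-03T12:00:00,LDN-E1-02
"""

# Constructed publication times of three stories built on the leak.
STORY_TIMES = [
    datetime(2014, 9, 18, 6, 0),
    datetime(2014, 9, 25, 6, 0),
    datetime(2014, 10, 2, 6, 0),
]

# Constructed subscriber roster: the kind of number-to-person lookup an
# investigator already holds (staff directories, subscriber records).
ROSTER = {
    "+44700000010": "junior official, department A",
    "+44700000011": "freelance researcher",
    "+44700000012": "newsdesk editor",
    "+44700000013": "restaurant booking line",
}


def parse_cdr(text):
    """Parse CSV call records into dicts with a datetime 'start' field."""
    rows = []
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split(",")
    for line in lines[1:]:
        fields = dict(zip(header, line.split(",")))
        fields["start"] = datetime.fromisoformat(fields["start"])
        rows.append(fields)
    return rows


def contacts_before(records, target, event, window):
    """Numbers in contact with `target` (either direction) during the
    `window` before `event`, mapped to the cell sites the target's
    handset was on for those calls."""
    lo = event - window
    found = {}
    for r in records:
        if not (lo <= r["start"] < event):
            continue
        if r["caller"] == target:
            other = r["callee"]
        elif r["callee"] == target:
            other = r["caller"]
        else:
            continue
        found.setdefault(other, set()).add(r["cell"])
    return found


def rank_sources(records, target, events, window=timedelta(hours=24), roster=None):
    """Rank numbers by how many pre-publication windows they appear in.
    Returns (number, windows_hit, windows_total, cells, roster_entry),
    best candidate first. A number present before every story is the
    obvious suspect, and no call content was needed to find it."""
    hits = defaultdict(int)
    cells = defaultdict(set)
    for event in events:
        for number, seen in contacts_before(records, target, event, window).items():
            hits[number] += 1
            cells[number] |= seen
    roster = roster or {}
    ranked = sorted(hits, key=lambda n: (-hits[n], n))
    return [(n, hits[n], len(events), sorted(cells[n]), roster.get(n, "unknown"))
            for n in ranked]


if __name__ == "__main__":
    records = parse_cdr(CDR_LINES)
    for number, n_hit, n_all, seen, who in rank_sources(records, JOURNALIST, STORY_TIMES, roster=ROSTER):
        print(f"{number}: in {n_hit}/{n_all} windows, reporter at {seen}, {who}")
```

Run as-is, the constructed records put one number in all three pre-publication windows, always reaching the reporter while his handset sat on the same cell site; everyone else appears once. That is the whole of the “metadata is harmless” argument answered in a dozen lines: the records say nothing about what was discussed, and they do not need to.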

Dave Eggers has seen the future. Well, a possible future anyway…

[link] Monday, September 1st, 2014

Yesterday’s Observer column.

Fifteen months have passed since Edward Snowden began to explain to us how our networked world works. During that time there has been much outrage, shock, horror, etc expressed by the media and the tech industry. So far, so predictable. What is much more puzzling is how relatively relaxed the general public appears to be about all this. In Britain, for example, opinion polling suggests that nearly two thirds of the population think that the kind of surveillance revealed by Snowden is basically OK.

To some extent, the level of public complacency/concern is culturally determined. Citizens of Germany, for example…

Read on