So who’s lying — the NSA or the tech companies?

Posted on by

From the outset of the furore over the Snowden revelations it’s been obvious that either the NSA or the tech companies must have been lying about whether the agency did or did not have access to the companies’ communications. This statement by the NSA’s lead counsel asserts that the companies knew all along about the agency’s data collection practices.

The senior lawyer for the National Security Agency stated unequivocally on Wednesday that US technology companies were fully aware of the surveillance agency’s widespread collection of data, contradicting months of angry denials from the firms.

Rajesh De, the NSA general counsel, said all communications content and associated metadata harvested by the NSA under a 2008 surveillance law occurred with the knowledge of the companies – both for the internet collection program known as Prism and for the so-called “upstream” collection of communications moving across the internet.

Asked during a Wednesday hearing of the US government’s institutional privacy watchdog if collection under the law, known as Section 702 or the Fisa Amendments Act, occurred with the “full knowledge and assistance of any company from which information is obtained,” De replied: “Yes.”

They can’t both be right: so who’s lying?

One-hit wonders

Posted on by

Readers who have been playing a strange game called Candy Crush Saga on their smartphones may be interested to know that — according to the New Yorker — has been downloaded more than half a billion times. More interesting still is the news that King Digital Entertainment, the Irish company that created it, earned almost $2B in sales, of which $567m was pure profit.

Last month, King Digital filed for a US IPO with a putative valuation of “up to $7.6 billion”.

The phrase “money from old rope” comes to mind. But it’s soooo old-fashioned.

On being a partly-boiled frog

Posted on by

I’m an Amazon Prime customer, because it looked like a no-brainer for a household that buys quite a lot of stuff online. But now the cost of Prime has suddenly gone up from £49/year to £79.

That’s a huge hike. To conceal it, Amazon tells me that my Prime subscription will now include a subscription to Lovefilm. Big deal! I watch very few movies and have never contemplated subscribing either to Lovefilm or Netflix. A subscription to Lovefilm is completely useless to me.

So the question is: will I stick with Prime at £79?

Answer: maybe — for now. But it’s clear that this is part of a bigger strategy: capture->lock-in->exploit. Or, as the always-perceptive Jason Calcanis puts it:

Does anyone know the actually number of @amazon prime subscribers? Can anyone with Prime imagine life without it? Would you cancel Prime over the $20 a year increase?

Note: Amazon is starting to boil us frogs. Prime goes up 25% and none of us notice. Up another $25 in two years–no one will notice. Eventually it will be $20 a month and have 100m subscribers.

Amazon says it has at least 20M prime subscribers as of Jan ’14, according to [Macquarie] (http://launch.co/story/amazon-prime-has-20m-subs-macquarie-analyst-ben-schachter-reportedly-confirme)

Snooping is a public health issue

Posted on by

This morning’s Observer column.

One of the things that baffles me is why more people are not alarmed by what Edward Snowden has been telling us about the scale and intrusiveness of internet surveillance. My hunch is that this is partly because – strangely – people can’t relate the revelations to things they personally understand.

In the past two weeks, two perceptive commentators have been trying to break through this barrier. One is Cory Doctorow, the science-fiction novelist, who had a terrific essay in the Guardian arguing that instead of increasing our security, government agencies such as the NSA, GCHQ and others are actually undermining it. The essay is worth reading in full, but one part of it stood out for me. It’s about the thriving, underworld online market in malicious software. Nowadays, if some hacker discovers a previously unknown vulnerability in widely used software, that discovery can be very valuable – and people will pay large sums for such “zero-day” exploits. But here’s the creepy bit: sometimes, the purchasers are government agencies that buy these pieces of malware to use as weapons against their enemies.

To most people, this will seem pretty abstruse. But with the imaginative skill of a good writer, Doctorow nails it: “If you discovered,” he writes, “that your government was more interested in weaponising typhus than they were in curing it, you would demand that your government treat your water supply with the gravitas and seriousness that it is due.”

Read on

LATER: Right on cue, another great blog post by Bruce Schneier, putting this stuff in an everyday context:

Imagine that you hired a private detective to eavesdrop on a subject. That detective would plant a bug in that subject’s home, office, and car. He would eavesdrop on his computer. He would listen in on that subject’s conversations, both face to face and remotely, and you would get a report on what was said in those conversations. (This is what President Obama repeatedly reassures us isn’t happening with our phone calls. But am I the only one who finds it suspicious that he always uses very specific words? “The NSA is not listening in on your phone calls.” This leaves open the possibility that the NSA is recording, transcribing, and analyzing your phone calls — and very occasionally reading them. This is far more likely to be true, and something a pedantically minded president could claim he wasn’t lying about.)

Now imagine that you asked that same private detective to put a subject under constant surveillance. You would get a different report, one that included things like where he went, what he did, who he spoke to — and for how long — who he wrote to, what he read, and what he purchased. This is all metadata, data we know the NSA is collecting. So when the president says that it’s only metadata, what you should really hear is that we’re all under constant and ubiquitous surveillance.

What’s missing from much of the discussion about the NSA’s activities is what they’re doing with all of this surveillance data. The newspapers focus on what’s being collected, not on how it’s being analyzed — with the singular exception of the Washington Post story on cell phone location collection. By their nature, cell phones are tracking devices. For a network to connect calls, it needs to know which cell the phone is located in. In an urban area, this narrows a phone’s location to a few blocks. GPS data, transmitted across the network by far too many apps, locates a phone even more precisely. Collecting this data in bulk, which is what the NSA does, effectively puts everyone under physical surveillance.

This is new. Police could always tail a suspect, but now they can tail everyone — suspect or not. And once they’re able to do that, they can perform analyses that weren’t otherwise possible. The Washington Post reported two examples. One, you can look for pairs of phones that move toward each other, turn off for an hour or so, and then turn themselves back on while moving away from each other. In other words, you can look for secret meetings. Two, you can locate specific phones of interest and then look for other phones that move geographically in synch with those phones. In other words, you can look for someone physically tailing someone else. I’m sure there are dozens of other clever analyses you can perform with a database like this. We need more researchers thinking about the possibilities. I can assure you that the world’s intelligence agencies are conducting this research.

Schneier is one of the very best commentators on this stuff. Everything he writes about it is worth reading.

Ivory towers in late afternoon light

Posted on by

Ivory towers in late afternoon light, originally uploaded by jjn1.

Having written the heading I suddenly wondered where the term “ivory towers” comes from. Wikipedia says it has a Biblical origin (from the Song of Solomon) but,

From the 19th century it has been used to designate a world or atmosphere where intellectuals engage in pursuits that are disconnected from the practical concerns of everyday life. As such, it usually carries pejorative connotations of a willful disconnect from the everyday world; esoteric, over-specialized, or even useless research; and academic elitism, if not outright condescension. In American English usage it is also used as shorthand for academia or the university, particularly departments of the humanities.

Casuistry, algorithms and surveillance

Posted on by

One of the reasons the political establishment and intelligence community are so unapologetic about the bulk collection of metadata and other personal information is because they cling to a particular interpretation of what “collecting” means. In this interpretation, hoovering up data and storing it in data-centres does not constitute “collecting”. Only when a human looks at a particular data point is it actually “collected”.

Here’s how Brice Schneier puts it:

And the word “collect” has a very special definition, according to the Department of Defense (DoD). A 1982 procedures manual (pdf; page 15) says: “information shall be considered as ‘collected’ only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties.” And “data acquired by electronic means is ‘collected’ only when it has been processed into intelligible form.”

Director of National Intelligence James Clapper likened the NSA’s accumulation of data to a library. All those books are stored on the shelves, but very few are actually read. “So the task for us in the interest of preserving security and preserving civil liberties and privacy,” says Clapper, “is to be as precise as we possibly can be when we go in that library and look for the books that we need to open up and actually read.” Only when an individual book is read does it count as “collection,” in government parlance.

So, think of that friend of yours who has thousands of books in his house. According to the NSA, he’s not actually “collecting” books. He’s doing something else with them, and the only books he can claim to have “collected” are the ones he’s actually read.

This is why Clapper claims — to this day — that he didn’t lie in a Senate hearing when he replied “no” to this question: “Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?”

If the NSA collects — I’m using the everyday definition of the word here — all of the contents of everyone’s e-mail, it doesn’t count it as being collected in NSA terms until someone reads it. And if it collects — I’m sorry, but that’s really the correct word — everyone’s phone records or location information and stores it in an enormous database, that doesn’t count as being collected — NSA definition — until someone looks at it. If the agency uses computers to search those emails for keywords, or correlates that location information for relationships between people, it doesn’t count as collection, either. Only when those computers spit out a particular person has the data — in NSA terms — actually been collected.

There’s a word for this: casuistry. And it’s not just the preserve of politicians and intelligence agencies. Google & Co are just as bad — as when the Google executive quoted by Schneier says “”Worrying about a computer reading your email is like worrying about your dog seeing you naked.”

To which Schneier replies:

when you’re watched by a dog, you know that what you’re doing will go no further than the dog. The dog can’t remember the details of what you’ve done. The dog can’t tell anyone else. When you’re watched by a computer, that’s not true. You might be told that the computer isn’t saving a copy of the video, but you have no assurance that that’s true. You might be told that the computer won’t alert a person if it perceives something of interest, but you can’t know if that’s true. You do know that the computer is making decisions based on what it receives, and you have no way of confirming that no human being will access that decision. When a computer stores your data, there’s always a risk of exposure. There’s the risk of accidental exposure, when some hacker or criminal breaks in and steals the data. There’s the risk of purposeful exposure, when the organization that has your data uses it in some manner. And there’s the risk that another organization will demand access to the data. The FBI can serve a National Security Letter on Google, demanding details on your email and browsing habits. There isn’t a court order in the world that can get that information out of your dog.

Yep.