You are being watched!

Interesting TEDx talk from 2012 on surveillance (thanks Dave Eddey down under ;-)). What Christopher Soghoian basically says is that you are being watched. Internet companies hang on to our personal information for as long as is practicable. When they receive a request from government requesting information on users, they have no choice but to comply. There are a couple of Internet companies that have tried to inform users of these orders; one of these was Twitter. Want more info? Then grab a coffee and take 5 😀

http://www.youtube.com/watch?v=esA9RFO1Pcw

More on Snowden

There has been another Guardian exclusive – online access to Snowden Q&A that is worth a look if you’re just a little intrigued by all the excitement. Make yourself a cup of coffee first though 😉

What seems to be clear is that when Snowden says NSA has direct access to the 9 main Internet services, he means direct access. When questioned about denials made by Google, Facebook, Apple, etc., his response was that they had no choice. It seems they have some sort of ‘gagging’ order and would break the law by admitting to these top-secret operations.

UK Citizens! Does the Protection of Freedoms Act 2012 really protect you?

Sorry I’ve been so verbose today, but there is just so much going on right now!

Here I am again, popping online to check, when this pops up on the Panopticon blog. This blog is cool because it is seriously legal. You know, real legal experts writing about threats to our personal privacy. I wish my legal expertise was more seriously legal 😉

Well now they are talking about new legislation going through in the UK, CCTV, surveillance stuff, with all this Snowden excitement.

The Protection of Freedoms Act 2012 expressed the incoming Coalition Government’s commitment to keeping in check the state’s surveillance of ordinary citizens. By that Act (sections 29-36), the Home Secretary was to present to Parliament a Code of Practice governing the use of surveillance camera systems including CCTV and Automatic Number Plate Recognition (ANPR). Now go and visit this site. They summarize this Act. I haven’t looked in detail yet, but from what I have read it looks more like it is protecting the rights of the citizen rather than vice versa.

The Code sets out 12 guiding principles which systems operators should follow:

(1) Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.
(2) The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.
(3) There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
(4) There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
(5) Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.
(6) No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.
(7) Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.
(8) Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.
(9) Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
(10) There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.
(11) When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
(12) Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.

The Next Web?

How about this for transparency? It is called Uchaguzi. In Kenya the government have implemented an infrastructure that surfaces everything that is going on in the country. It is the Kenyan citizens that report into this using their social media, e.g. SMS, Twitter, email, etc.

The interface is simple to understand. For example, it shows the negative disturbances in red and the peaceful events in green.

I love it!
I wonder what Uchaguzi means? It is Swahili apparently.

MSIPR, SIPRM, PIRMS, IPMSR? No it’s PRISM!

Yes, so in whatever form, PRISM does exist. I talked about it… well, more rolled over this in previous posts. Now everything that you may want to know about PRISM to date, that is by 12 June, can be found here.

Now there are two parts here, or maybe three.

1) collection of communications that happens to be passing over the wires
2) collection of social, other online activities of US citizens
3) collection of a) communications, b) social, other online activities; of non-US citizens.

Now PRISM is about (2) and (3b). PRISM is a system the NSA uses to gain access to the private communications of users of nine popular Internet services including Google, Facebook and Apple. It seems to be that an official request for information on a particular individual can be made to any of these services, and they will comply if the request is legally valid. These Internet services strongly deny that NSA has direct access to their servers.

So apparently NSA does not have direct access to the 9 most popular Internet Services, but what is the breadth of their power to collect data on US citizens?

Well the FISA Amendments Act (Section 702) does not require the government to show probable cause to believe that the target of surveillance has committed a crime. This is only for non-US citizens. Instead of showing probable cause to a judge, Section 702 of FISA allows senior Obama administration officials to “authorize” the “targeting of persons reasonably believed to be located outside the United States.” The surveillance may not “intentionally target” an American, but the NSA can obtain the private communications of Americans as part of a request that officially “targets” a foreigner. There is some use of the Patriot Act for this. I am not sure how the FISA Section 702 and the Patriot Act overlap though.

Ha! So if you as a US citizen are communicating with an individual that is outside of the US and deemed as a threat to national security, your data is being collected. You could be a supporter of Greenpeace, for example; they were targeted for surveillance in the past.

So what is my take on PRISM? It seems perfectly reasonable that in the name of national security requests for data on individuals can be collected by government intelligence. Same as officials upholding the law would request a search warrant. However, PRISM should not be secret. That this is happening should be transparent to all US citizens and non-citizens. Why keep a secret? The supermarkets are pretty transparent about collecting our personal buying habits, maybe they package the justification in fancy packaging, but the reason is clear, to make money. So why does the government have to go around pretending still that it does not do these things? Has it not yet realized that the Cold War is over, and has been for quite some years now?

Dilemmas concerning privacy

There’s a really fun article written by Daniel Sandström in the SvD Culture section (16 June). SvD is one of the two main Swedish national newspapers. It is mainly about the dilemmas we face as 1) a citizen and 2) a consumer. It is about how our selfish choices made in the guise of (2) are in fact contrary to what we demand as (1).

For you non-Swedish speakers – The first paragraph talks about how Amazon dealt with the news that they had illegally allowed an e-book to be on their site. They removed it from all devices. It is quite funny because it was George Orwell’s 1984 😀

He briefly discusses PRISM; this I mention at the end of my previous post. This is an agreement between the main cloud, social networking spaces on logging/tracking. Main companies included are: Google, Facebook, Apple… yep, all those places you share your personal information, including who is your family, who are your close friends vs. FB friends, maybe who you are drinking, sleeping with… oh my, what a gold mine for our governments! And we share this information with pleasure. Your privacy settings really are irrelevant here because the US government via the Patriot Act can request this personal information about you. He doesn’t mention this last part though.

Daniel talks about the choices he has made, i.e. he purchased a digital reader, after he forgot the ethical implications of what Amazon had done a couple of years ago. He states he placed his personal comfort over his principles.

He then continues to discuss how we as citizens want the cheapest food and share our buying habits for this privilege, but then complain that the government is tracking our communications! He says how we want cheap clothes for our children, but then protest at the atrocities going on in the sweat houses in India, etc., to produce these products. We still continue to purchase cheap clothes.

Daniel’s leaving point is potent and true. He says that for himself he needs to think more seriously if he really will live for his comfort, or live as he has learnt, i.e. by principles. Clearly Snowden’s name popped up in this article, as he lived as a citizen and for freedom of the citizen.

More on wire-tapping worldwide!

I thought, given the wire-tapping excitement going on now, that I’d post some of the practices going on world-wide that maybe you are not aware of, all excerpts from Virtual Shadows (2009), so there could be some updates since; I haven’t checked. If there are updates they will surely include social media as per USA with PRISM.

ILETS
Many of the international laws on wiretapping date back to a series of seminars hosted by the FBI in the United States in 1993 at its research facility in Quantico, Virginia, called the International Law Enforcement Telecommunications Seminar (ILETS) together with representatives from Canada, Hong Kong, Australia and the EU. The product of these meetings was the adoption of an international standard called the International Requirements for Interception that possessed similar characteristics to CALEA from the United States. In 1995 the Council of the European Union approved a secret resolution adopting the ILETS. Following its adoption and without revealing the role of the FBI in developing the standard, many countries have adopted laws to this effect. Following adoption of the standard the European Union and the United States offered a Memorandum of Understanding (MoU) for other countries to sign to commit to the standards. All participating countries were encouraged to adopt the standards so it was natural that international standards organisations, such as the International Telecommunications Union (ITU) and the European Telecommunication Standardization Institute (ETSI), would adopt the standards.

Adoption of wire-tapping laws
Australia was one of the first countries to sign the MoU along with Canada. In Australia the Telecommunications Act expects the telecommunications operators to proactively assist law enforcement by providing an interception capability.

In the UK RIPA requires that telecommunications operators maintain a ‘reasonable interception capability’ in their systems and be able to provide on notice certain ‘traffic data’.
In the Netherlands all ISPs have to have the capability to intercept all traffic with a court order and maintain users’ logs for three months.

In New Zealand the Telecommunications (Interception Capabilities) Act 2004 obliges telecommunications companies and ISPs to intercept phone calls and emails on the request of the police and security services.
In Switzerland ISPs are required to take all necessary measures to allow for the interception of mail and telecommunications.

In June 2008 Sweden’s parliament approved controversial new laws (FRA-lagen) allowing authorities to spy on cross-border email and telephone traffic. The Swedish press claim that this will make Sweden the most surveyed country in Europe. This wiretapping law enables the intelligence authorities to ‘listen’ to all traffic, Hotmail, MSN, SMS etc., across Sweden’s borders. The law becomes effective at the end of 2009. Given Sweden’s stance on human rights the passing of this law is quite remarkable. It was following some pretty heated discussions in parliament that the law was passed on a very fine majority (47 against and 52 for). The argument for tapping of international lines is ‘terrorism’. Of course any ‘terrorists’ will encrypt their communications and there is nothing that the Swedish authorities can do about this. Of course one can always monitor ‘traffic patterns’ on identified suspect communication which can be as revealing as the communications’ contents themselves in certain situations. However the use of the contents of such communications in a court of law will be impossible without the decryption key and they cannot obtain this unless there is a law enacted similar to the RIPA in the UK, which forces the key-holder to give the encryption or decryption key to the authorities on request and if they refuse they can be convicted for concealing evidence.

There was also a telecommunications driven incentive in 2008 called Phorm. I have not checked out the present status in 2013.

NSA leak scandal and Snowden

What a mess with all these emotions flying around on Ed Snowden and his actions. In the one camp are those proclaiming Snowden as a traitor, and in the other extreme camp, he is a hero, a whistleblower!

The fact that the US are wire-tapping has been known for years; it’s just that the fact has never been made official. In my book Virtual Shadows, published quite some time ago in 2009, there is a section just on this:

“US wiretapping practices
The US government has led a worldwide effort to limit individual privacy and enhance the capability of its police and intelligence services to eavesdrop on personal conversations. The Communications Assistance for Law Enforcement Act (CALEA) sets out legal requirements for telecommunications providers and equipment manufacturers on the surveillance capabilities that must be built into all telephone systems used in the United States.” (Virtual Shadows, 2009)

Then there is “another program, known as PRISM, has given the NSA access since at least 2007 to emails, video chats and other communications through U.S. Internet companies to spy on foreigners. American emails inevitably were swept up as well.”

There have been some embarrassing exposures before the Snowden escapade, for example “Mathematician William Binney worked for the National Security Agency for four decades, and in the late 1990s he helped design a system to sort through the digital data the agency was sucking up in the exploding universe of bits and bytes. When the agency picked a rival technology, he became disillusioned. He retired a month after the terrorist attacks of Sept 11, 2001, and later went public with his concerns.” As reported by the Los Angeles Times. Binney called this a “digital dragnet”.

My opinion?
So what’s my take on all this? Well you should know me by now, I am a fervent believer in transparency. I believe that trust can only be built on a foundation of transparency. Clearly the governments around the world need to ‘protect’ their citizens. But why can’t they just tell them what they are doing? “We are tracking your communications”. We are pulling information from your Facebook profile if a threat to national security is felt. Just as in the EU, data subjects should have a right to know when their personal information is being accessed. They should be informed… period.
This means they continue with their activities, but are transparent in their operations. The fact is most people don’t really seem to care. Most are selling their buying habits today for a free chicken in their shopping trolley 😉

Am I a supporter of Snowden’s actions as whistle-blower? Yes I am!