IPC on TwitterMy Tweets
The (unofficial) blog of the BCLA Information Policy Committee
This week we learned that Glenn Greenwald was not exaggerating when he said that there was more in Edward Snowden’s leaked info than we had seen thus far. It turns out the NSA (and the GCHQ, its UK equivalent) has been using many methods to attack ubiquitous encryption on the internet:
Those methods include covert measures to ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with “brute force”, and – the most closely guarded secret of all – collaboration with technology companies and internet service providers themselves.
Through these covert partnerships, the agencies have inserted secret vulnerabilities – known as backdoors or trapdoors – into commercial encryption software.
This is different from saying that the NSA had cracked everyone’s encryption, but it appears that they’ve been undermining everyone’s privacy and security with the complicity of major technology companies.
This is a big fucking deal.
Part of the reason is because putting in secret vulnerabilities means that dedicated non-governmental agents can find those vulnerabilities and exploit them.
There are ways to protect your security online, but seriously, if the NSA really wanted something about you (and I’m assuming here that most of this blog’s readers are Canadians, thus foreigners to the NSA and fair game for spying on their information conveniently passing through US data-centres) they can get it. From Bruce Schneier:
This kind of thing is done by its TAO – Tailored Access Operations – group. TAO has a menu of exploits it can serve up against your computer – whether you’re running Windows, Mac OS, Linux, iOS, or something else – and a variety of tricks to get them on to your computer. Your anti-virus software won’t detect them, and you’d have trouble finding them even if you knew where to look. These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it’s in. Period.
In Wired Kim Zetter lays out a bit of the history of this program, called Bullrun:
The ten-year Bullrun program began after the U.S. government failed in its pla to place a backdoor, the so-called Clipper chip, into encryption that would have allowed it to eavesdrop on communications at will. Without the Clipper chip, the government launched a systematic plan using trickery and other methods to circumvent encryption and achieved an unspecified breakthrough in 2010. In the wake of this, according to one document, “vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”
Some of the methods involved the deployment of custom-built, supercomputers to break codes in addition to collaborating with technology companies at home and abroad to include backdoors in their products. The Snowden documents don’t identify the companies that participated.
Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on. If the back door is discovered, it’s explained away as a mistake.
We don’t have a secure internet. Major corporations have joined up with security agencies to make it that way.
One thing we can and probably should be doing as information professionals is calling for our libraries and other institutions to be using more Free and Open Source Software. These independent, community-based technologies allow us to see inside the code and make it much more difficult for nefarious shadowy agents (governmental or non-) to add in holes specifically to spy on us and our members we’re providing services to.
I work in a public library in a community that isn’t on the cutting edge of technology. For many of our members I’m the public tech support person, and people ask me about using things like online banking and whether it’s safe to do. It’s important for anyone in this kind of position to know about the tradeoffs being made by technology titans, and how we’re selling our members to companies that, even though the language of the internet is cute (“like” “friend” even “google”), those companies don’t have our members’ best interests at heart.
Schneier suggests techniques like using Tor, and encrypting communications with public-domain encryption that’s cross compatible (this makes it less likely to have been NSA compromised). These won’t keep everything you do secret from a determined, well-funded attacker, but it does make you more expensive to target.
Most members of my library probably don’t need to be paranoid about encryption. They’re looking up recipes and sending messages to their kids and reading romance novels or whatever. But our individual uses of the internet shouldn’t really matter. As Byron Holland says in his post NSA Internet surveillance where’s the outrage?:
It’s not that governments should not have the power to monitor citizens under certain circumstances and with the appropriate oversight – it’s an unfortunate necessity to maintain law and order. But we’re not talking about surveillance with appropriate oversight. We’re talking about an opaque and deliberate system to gather and monitor the activities and communications of potentially everyone who is online.
Why should a government feel it is above judicial oversight to monitor its citizens’ activities, just because they’re online?
Because apparently, we’re fine with it. At the very least, we’re complacent with it.
As information professionals we need to be aware of, and ensure our communities have the chance to be learn about the consequences of these surveillance and broken security technologies. That is our way to help fight complacency.
OpenCanada.org has done a bang-up post about NSA-style surveillance in Canada by CSEC entitled Canadian Surveillance 101. Here’s their preamble:
The information leaked by Edward Snowden about the U.S. National Security Agency (NSA)’s data collection programs is driving a nation-wide debate in America over the future of privacy and national security. Americans, however, are not the only ones who should be considering the consequences the NSA’s activities. Other countries, including Canada, operate similar surveillance programs and participate in national security data sharing partnerships that crisscross the globe. Given this reality, and the fact that much of Canadians’ online data flows though servers located in the U.S. where it is not subject to any Fourth Amendment protection, we think the tenor of the privacy-security debate within Canada is too quiet. Expanding the debate will require engaging more Canadians with what we know and don’t know about surveillance in Canada. To this end, here is a modest exploration of what we’ve learned since the Snowden story broke.
As it stands right now, there are three biggish stories going on in the information policy world right now. As is usual with the IPC, access to information is our unifying thread.
First the World Intellectual Property Organization’s treaty that wants to ensure print-disabled citizens can’t have access to materials for them. That’s going on right now. In Canada library organizations are urging Canada’s negotiating team to argue for certain positions:
CULC’s full letter is available here. One of the issues with these treaties and negotiations has to do with our old friend Digital Rights Management (or TPM in Canada) and how the language of these agreements (and Canadian laws) are set up to benefit well-resourced lobbying groups even while there’s some reasonable lip-service paid. So this is an issue.
There’s also rumbling about Library and Archives Canada putting up paywalls on digitized materials. This one doesn’t have anything official out there yet, so we’ll just link to some preparatory ire.
And then thirdly there’s the big American news about the NSA keeping databases of phone calls and the program PRISM that gives the NSA access to internet companies’ information and just today Edward Snowden came forward as the leaker of that NSA information.
There’s a lot out there on these things to read. David Simon (of The Wire fame) wrote about how this PRISM thing isn’t a scandal because this is how the law works. Warrants are still necessary, and do you really want to take these tools out of law enforcement’s hands?
Frankly, I’m a bit amazed that the NSA and FBI have their shit together enough to be consistently doing what they should be doing with the vast big-data stream of electronic communication. For us, now — years into this war-footing and this legal dynamic — to loudly proclaim our indignation at the maintenance of an essential and comprehensive investigative database while at the same time insisting on a proactive response to the inevitable attempts at terrorism is as childish as it is obtuse. We want cake, we want to eat it, and we want to stay skinny and never puke up a thing. Of course we do.
Others are talking about what shoddy journalism these leaked stories are since all the tech companies are denying that they’re participating. And there’s some indication that all these companies are doing is just making the NSA’s job easier within the bounds of the law.
I have some sympathy with David Simon (and John Scalzi, for that matter) when they say that this whole thing is just how the world works and pretending to be surprised now is bullshit. Money and Power and all that. These are the laws we made to create a legal surveillance state. But that doesn’t make it right. (It’s also impossible to feel any sympathy for (and infuriating to see) a government who is trying to make itself out as the gut-wrenched victim though.)
There’ll be more coming. But one of the things to be aware of here is that even though it’s possible the only person who did anything illegal in regards to this whole NSA program is Edward Snowden for leaking it (and it is very interesting that Hong Kong is where he’s hoping to avoid being extradited; the Chinese probably have more clout on that than they were portrayed as in The Dark Knight) that’s a huge problem. We wouldn’t be able to talk about what these surveillance laws hath wrought if someone hadn’t snuck them out. This just highlights the importance of challenging and changing laws to fit the needs of citizens instead of law-enforcement and spy agencies.
Of course, it is possible to talk about these policies even without a scandal of illegality. Michael Geist has a great post (filled with links and analysis) talking about how the issues raised by PRISM apply in Canada:
Does this mean Canadian authorities are engaged in similar forms of surveillance? That phone companies such as Bell and Telus are subject to warrants similar to those faced by Verizon? That Internet companies co-operate with Canadian authorities? That Canadian and U.S. authorities share information obtained through programs such as the Verizon meta-data program or PRISM? That Canadians are targeted by the U.S. programs?
The law would suggest that all of these things are entirely possible. Given the integrated communications networks and the increased information sharing, it seems very likely. Yet since virtually everything remain shrouded in secrecy, Canadians don’t know for sure.
That “shrouded in secrecy” is the problem in all three of these issues we’re talking about today. As information professionals we need to push for more transparency in our laws. We also need to be working with organizations pushing for more privacy for individuals and more openness for governments (and other powerful organizations). This is one of those times we need to be supporting OpenMedia and the Electronic Frontier Foundation.
Last word for today comes from Edward Snowden:
The primary lesson from this experience was that “you can’t wait around for someone else to act. I had been looking for leaders, but I realised that leadership is about being the first to act.”
What do you think we should do?