It’s us against the spook world

It’s us against the spook world

Presentation, by Tim Vines*

Click here for accompanying slide presentation

Good morning ladies and gentlemen, speakers, tweeters, facebookers and all of you who have, in one way or another, voluntarily or not, broadcasted your attendance at today’s talk.

Because, we had better face it: anyone who wanted to know, knows you’re here.

In 1930, Edmond Locard showed how 12 points on a fingerprint were needed to uniquely identify it.[i] With DNA profiling we can identify a person from just 10 genetic points or loci.

But online, your identity can be revealed with just a few pieces of digital pocket lint.

And, even if you’ve got nothing to hide, you’re being watched but maybe not just by whom you think.

Welcome to the world of Total Information Awareness,[ii] Frictionless Sharing,[iii] or, as the Vice-President of the European Commission recently called it: “the world of total information”.[iv]

My name is Tim Vines and I am a Director with Civil Liberties Australia and today I have been invited to talk about the small matter of online anonymity and how in the rush to capture our data, governments and business place us at risk.

 [SLIDE -2]

Civil Liberties Australia is a national organization which works to keep Australia a free and open society, where you can be yourself without undue interference from ‘authority’.

It would be impossible to talk about online privacy at the moment without first mentioning the $10 Billion elephant in the room – and (quite possibly) in your pockets – the National Security Agency and Prism.

[Slide-3]

Most, if not all of us are aware of the recent release of classified details around the National Security Agency’s Prism program and the associated databases, analytical tools and surveillance capabilities of the NSA.

Thanks to recent leaks and subsequent actions by the US White House, many people are aware that the NSA has been collecting detailed records from foreigners and any Americans who speak with them for at least 5 to 10 years.

We know that the NSA, working with the complicity of many of the largest and most recognizable companies, has undertaken mass, global surveillance.

Assurances provided to Americans by their President that “we only spy on foreigners” provide little comfort to the Australian population, as have revelations that our personal data is Hoovered up, or provided by Australian telcos.

 [Slide-4]

Prism has ripped back the curtain on the sometimes cozy, sometimes frosty, but usually compliant relationship between Silicon Valley and the intelligence community, where software and hardware backdoors, limp resistance to warrantless search requests and the revolving-door recruitment between the sectors place consumer protection a distant third to profit and self-interest.[v]

Intelligence analytical tools, such as XKeyScore and Boundless Informant, reveal that essentially all electronic data, including emails and VoIP traffic that is routed through US infrastructure (including that belonging to Google, Facebook, Microsoft/Skype) can be searched, analyzed and stored in faculties soon to include the multi-billion dollar, million-square-foot, NSA datacentre buried beneath a mountain in Utah.[vi]

Efforts to try to hide from this omni- surveillance by using encryption, Virtual Private Networks or anonymising services like ToR allow the NSA to presume a hostile intent and retain a copy of the communication indefinitely.

[Slide-5]

As an organization the NSA wouldn’t seem out of place in a Bond film. Its budget is secret – but estimated at about $10 Billion per year.

It has 30-40,000 staff, a mix of public employees and private contractors, in locations around the world.

It has underground lairs and secret rooms inside major telecommunication buildings. In these offices, user data is ‘split’, with one copy allowed to pass through to the intended recipient, while the other is run through a data analytical tool to search for key words and phrases.

It seeks permission for its work from a secret court, the Foreign Intelligence and Surveillance Court, which provides it with secret orders, obtained ex parte…or without any opposing viewpoint. The US Government has a pretty good strike rate in this Court. Over 35 years the Court has denied 11 requests…out of more than 34,000.

The NSA, alone or in conjunction with others, creates sophisticated computer viruses and “Trojans”, which can shut down anything from your computer to uranium enriching plants in Iran.

It regulates and monitors the export of encryption tools and hires the smartest cryptographers to crack the encryption of others.

 [Slide-6]

Australia, as a member of the ‘Five Eyes’ (the US, UK, Canada and NZ) shares intelligence with the NSA and hosts a number of listening posts, including Pine Gap in the NT.

 Though shocking to many, the Prism revelations are nothing new. Our history of working with US signals intelligence goes back 70 years and the NSA’s [often illegal] domestic US programs have been the subject of debate and scandal since at least 2005.

 [Slide-7]

That does not mean, however, that recent events don’t demand action – they do. Programs like Prism that collect everything, from everyone, destroy the right to privacy, they chill free speech and place dissidents and whistleblowers at risk.

In treating us all as suspects, these programs undermine the rule of law and the presumption of innocence.

And when we grant the heads of these agencies impunity after they lie to Congress and democratic oversight bodies, we encourage corruption and abuse of power.

Moreover, what are the consequences for American companies like Amazon, Google, Facebook and Microsoft, whose cloud-based services are being rejected by companies, governments and individuals concerned about the apparent ease with which US authorities can access user data.

[Slide-8]

Finally, we are forced to think again about how we view individuals like Manning, Assange and Snowden, who risk much to shine light on the details of these programs.

And while we might welcome leaks in this area, what about when it is a leak of a population’s personal health information – released by a former, private contractor engaged by the Department of health?

The threat to anonymity and online privacy comes not only from massive government surveillance programs with names such as PRISM, MAINWAY and NUCELON; but also from our own day-to-day transactions: signing up for newsletters, sending emails, using our phones for calls, photographs, twitter, or even visiting a website.

These activities generate a trail, not just through the words you enter, but from the data your browser and computer reveal without your knowledge – meta-data.

 [Slide-9]

What do I mean by meta-data? It is easiest to think about meta-data as the stuff you would write on the outside of an envelope – information about the parties to the communication (to, from, date, time posted etc…).

On the internet, it can also include the internet, or IP address, of the websites you visit, when and where you login to Facebook and also certain business information (your phone number, address etc…).

In Australia meta-data can often be accessed by the authorities without a warrant. In fact there were almost 300,000 requests last year. None required a judge’s order.[vii]

This is opposed to ‘content’ which is what’s inside the envelope. It includes the subject and contents of emails, what you say over the phone, your Instagram selfies and the content of websites you visit.

 One of the most important public policy debates in Australia is whether your ISP and telcos should be forced to collect your ‘meta-data’ for a 2 year period. This information could subsequently be requested by police.

 [slide-10]

This proposal was one of several considered in last year’s inquiry into proposals to reform National Security Laws.

Ozlog, or mandatory data-retention, was in the news. We were told by heads of the AFP, Attorney-General’s and others that we had nothing to fear: they just wanted the meta-data – not to open the envelopes of our communications and read the contents.

[Slide-11]

But here’s the rub: meta-data shows as much, if not more, about you than what you say. Thoughtlessly collected and compiled it can do much damage to your real world reputation. And sometimes it’s just misleading.

 Despite this, we have been told by governments and businesses that existing safeguards are enough. That access to meta-data doesn’t, shouldn’t need a warrant. Meta-data is just pocket lint, digital dust.

This is just wrong.

Meta-data has two advantages over content. First, it is small (compare the file size of a short document vs a photo taken on a smart phone). Second, and more importantly, it is a machine readable. Able to be modeled, plotted and analyzed by computers.

 [Slide-12]

Here are my email contacts, and the networks of contacts represented, pulled together using just the To, From, CC and Time information.

It’s a powerful way to see who someone talks to, when they began their correspondence and who that 2^nd person introduced them to.

[slide-13]

Meta-data and anonymised data such as past search results, can reveal who you are, what you like and what you think.

 [slide-14]

Even when our meta-data is “de-identified” it is frequently insufficient to protect us from being identified.

[Slide-15]

Most people can be uniquely identified from just 4 spatio-temporal points recorded by their cell phone.

[Slide-16/17]

Once you put meta-data together you can get a detailed look at people’s lives. Use a smartphone, and your movements can be tracked down to the street level.

 The collation and analysis of metadata can reveal the identity of a journalist’s source. It can show who suspected whistleblowers are meeting at particular times, or whether you are attending a conference today on the privatization of intelligence.

In short, it kills anonymity.

Anonymity allows individuals to express themselves freely without fear of retribution or condemnation. Allowing dissenters to shield their identities frees them to express critical minority views. [it] is a shield from the tyranny of the majority.

In the US anonymous speech is protected under the First Amendment and has been held to “protect unpopular individuals from retaliation . . . at the hand of an intolerant society.”[viii]

The UN Human Rights Council Special Rapporteur writes that “restrictions of anonymity in communication, … have an evident chilling effect on victims of all forms of violence and abuse, who may be reluctant to report for fear of double victimization.”

Unfortunately we have no national Bill of Rights in Australia and only marginal implementation of UN human rights instruments. So our right to anonymous speech is not protected by law.[ix]

[Slide-18]

Moreover, because metadata is increasingly being collected by private organizations, its use and disclosure is governed not simply by law but by those impenetrable Terms and Conditions we sign.

[Slide-19]

And sometimes these businesses sell your so-called anonymised data to advertises, or turn it over on request to law enforcement agencies (no warrant needed), or simply release it – deliberately or accidently.

[Slide-20]

As intelligence, meta-data can be abused or incorrectly used with devastating impact. It can incorrectly tar someone as a criminal, or could be used to prosecute a person in a foreign jurisdiction for undertaking actions lawful in Australia.

It’s bad enough when meta-data is right but is used poorly.

But one significant problem with meta-data…is that it can be wrong.

 Take, for example one of the most contentious pieces of data – a website’s URL. Behind the words in a URL is a string of numbers which constitute the real Internet address of the website.

The name of a URL might be sensitive, access to it might even be restricted and require a warrant. But the Australian Government has argued that the IP address – but not the words – are meta-data.

[Slide-21]

So, for example they just want these.

But these don’t make much sense. It took me a minute to use a free service online to translate these into….

[click]

Hmmm. What would this internet history suggest to you about the user?

What would you do if they worked in ASIO? Or if they worked in a Catholic school?

Can we trust this information enough to make an informed judgment? The simple answer is: no. Because IP addresses are often shared.

[Slide-22]

For example, the CEPS site shares its IP address with over 170 other websites and if you only have an IP address you are unlikely to know which site the person visited.

Now suppose a terrorist group, or bikie gang member, owned a web-domain that shared the same IP address. What does your record look like now?

 [Slide-23]

This problem led to ASIC banning a Melbourne online education institution in April this year. The institution had the misfortune to share an IP address with a website that ASIC believed was engaging in illegal behavior.

It wasn’t the only innocent partner.

[Slide-24]

And what if this incorrect information is shared with your boss, or with another government?

Anyway you cut it, meta-data is just as important as content when it comes to building intelligence on a person, whether they are a user, consumer or suspect.

The challenge for groups such as Civil Liberties Australia is to raise awareness of the value of our digital pocket-lint. Snowden and Manning have made this work easier and the public is finally engaging with issues including mandatory data retention.

The next step is for our Parliamentarians to demand greater oversight of existing programs, to limit the amount of data collected on innocent Australians that is shopped to foreign jurisdictions – even allies – and to take concrete steps to reestablishing the rule of law to the online frontier.

In the meantime, it’s us against the might of the US intelligence-industrial complex and we’re fighting for our right to remain unknown.

---