CAT | Surveillance
Turkey already requests more takedowns from Google than any other country in the world, almost 1700 in the first half of 2013. They have a history of blocking popular websites like Youtube, and Vimeo, and Prime Minister Erdogan lashes out against Twitter at every opportunity.
Now the government is about to enact sweeping new powers to force providers to keep complete records of all user activity for 2 years, and give the government total access to that information.
This appears to be a reaction to citizen use of social media to coordinate protests and spread information about Turkish government corruption.
Unless they implement a ban on privacy technologies, VPN services like Anonymizer Universal will provide a way of getting around this kind of logging. I would strongly suggest that people in Turkey make a habit of always using VPNs, and moving to search engines, email, and social media platforms located outside of the country.
Google has adopted a privacy protecting policy of banning facial recognition apps from the Google Glass app store. I appreciate the effort to protect my privacy but facial recognition is probably the ONLY reason I would wear Google Glass.
I am hopeless at parties or networking events. I have no ability at all to remember names, and I know I am far from alone in this. The ability to simply look at someone and be reminded of their name, our past interactions, and any public information about their recent activities, would be absolute gold.
Obviously I am less enthusiastic about having third party ratings of my intelligence, integrity, hotness, or whatever, popping up to the people looking at me. As usual, humans are in favor of privacy for themselves but not for others.
A new app is coming out soon called Nametag, which is planned to do exactly this. On iOS, Android, and jail broken Glass, you will be able to photograph anyone and, using facial recognition, pull up all available social media information about them.
To opt out you will need to set up an account with NameTag, and I presume you will also need to upload some high quality pictures of yourself so they can recognize you to block the information. Hurm…..
Whatever we all think about this, the capability is clearly coming. The cameras are getting too small to easily detect, high quality tagged photos are everywhere, and the computing power is available.
While citizens have some ability to impact government surveillance cameras and facial recognition, it will be much harder to change course on the use of these technologies with private fixed cameras, phones, and smart glasses. Even if we convince device makers to block these applications, the really creepy people will jailbreak them and install them anyway.
For years I have said that the Internet is the least anonymous environment we inhabit. With this kind of technology, it may soon be much easier to hide yourself online than off. Police really don’t like you wearing masks.
In March of 2013 the Bureau of Diplomatic Security at the US State Department issued a travel advisory for Americans planning to attend the 2014 winter Olympics in Sochi, Russia.
As I blogged before, this is expected to be one of the most aggressively surveilled events ever.
The advice for cyber protection in the advisory is interesting:
Consider traveling with “clean” electronic devices—if you do not need the device, do not take it. Otherwise, essential devices should have all personal identifying information and sensitive files removed or “sanitized.” Devices with wireless connection capabilities should have the Wi-Fi turned off at all times. Do not check business or personal electronic devices with your luggage at the airport. … Do not connect to local ISPs at cafes, coffee shops, hotels, airports, or other local venues. … Change all your passwords before and after your trip. … Be sure to remove the battery from your Smartphone when not in use. Technology is commercially available that can geo-track your location and activate the microphone on your phone. Assume any electronic device you take can be exploited. … If you must utilize a phone during travel consider using a “burn phone” that uses a SIM card purchased locally with cash. Sanitize sensitive conversations as necessary.
Obviously this is not just good advice for attending the Olympics, but would also apply to China, or any other situation where it is important to protect your electronic information.
The ability to conduct sophisticated surveillance and cyber attack is widespread. If you are engaged in business that is a likely target of economic espionage, then you should be following these kinds of practices any time you travel anywhere, and perhaps even at home.
The Internet has been buzzing with reports of the recently leaked NSA exploits, backdoors, and hacking / surveillance tools. The linked article is good example.
None of this should be news to anyone paying attention. Many similar hacking tools are available from vendors at conferences like BlackHat and DefCon.
We all know that zero-day exploits exist, and things like Stuxnet clearly show that governments collect them.
Intentionally introducing compromised crypto into the commercial stream has a long history, perhaps best demonstrated by the continued sales of Enigma machines to national governments long after it had been cracked by the US and others.
This reminds me of a quote I posted back in March. Brian Snow, former NSA Information Assurance Director said “Your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents.”
One can focus on making this difficult, but none of us should be under the illusion that we can make it impossible. If you have something that absolutely must be protected, and upon which your life or liberty depends, then you need to be taking drastic steps, including total air gaps.
For the rest of your activities, you can use email encryption, disk encryption, VPNs, and other tools to make it as difficult as possible for any adversary to easily vacuum up your information.
If you are of special interest, you may be individually targeted, in which case you should expect your opponent to succeed. Otherwise, someone hacking your computer, or planting a radio enabled USB dongle on your computer is the least of your worries. Your cell phone and social media activities are already hemorrhaging information.
India is preparing to deploy a comprehensive Internet content monitoring system. They claim that it will be able to trigger on messages containing specific words. There is also mention of capturing “dubious voice traffic” over Skipe and other voice channels.
Use of VPNs like Anonymizer Universal will allow traffic to pass through these systems unanalyzed, but the fact that you are using a VPN will be visible.
There is a good analysis of the nature and implications of the latest “Bullrun” leaks over at A Few Thoughts on Cryptographic Engineering. It is worth reading.
Welcome to Episode 11 of The Privacy Blog Podcast, brought to you by Anonymizer.
In this episode, I’ll discuss the shutdown of secure email services by Lavabit and Silent Circle. In addition, we’ll dive into the problem with hoarding Bitcoins and how you can protect yourself while using the increasingly popular online currency. Lastly, I’ll chat about whether teens actually care about online privacy and an ad agency’s shocking decision to use high-tech trash cans to measure Wi-Fi signals in London.
Please leave any questions or feedback in the comments section. Thanks for listening.
There has been a lot of chatter about implications of first Lavabit and then Silent Circle’s Silent Mail being shut down by their operators.
In both cases, it appears that there was information visible to the services which could be compelled by search warrants, court orders, or national security letters.
I want to assure Anonymizer users that we have no such information about Anonymizer Universal users that could be compelled. While we know who our customers are, for billing purposes, we have no information at all about what they do.
This has been tested many times, under many different kinds of court orders, and no user activity information has ever been provided, or could be provided.
ArsTechnica has a nice article on a recent ruling by the US Fifth Circuit court of appeals.
In this 2-1 decision, the court ruled that cellular location information is not covered by the fourth amendment, and does not require a warrant. The logic behind this ruling is that the information is part of business records created and stored by the mobile phone carriers in the ordinary course of their business.
Therefor, the data actually belongs to the phone company, and not to you. The Stored Communications Act says that law enforcement must get a warrant to obtain the contents of communications (the body of emails or the audio of a phone call) but not for meta-data like sender, recipient, or location.
The court suggests that if the public wants privacy of location information that they should demand (I suppose through market forces) that providers delete or anonymize the location information, and that legislation be enacted to require warrants for access to it. Until then, they say we have no expectation of privacy in that information.
The Fifth Circuit covers Louisiana, Mississippi, and Texas.
This ruling conflicts with a recent New Jersey Supreme Court, which unanimously ruled that law enforcement does not have that right, which ruling only applies in New Jersey.
Montana has a law requiring a warrant to obtain location information, while in California a similar bill was vetoed.
It seems very likely that one or more of these cases will go to the supreme court.
Welcome to the June edition of the Privacy Blog Podcast, brought to you by Anonymizer.
In June’s episode, I’ll discuss the true nature of the recently leaked surveillance programs that has dominated the news this month. We’ll go through a quick tutorial about decoding government “speak” regarding these programs and how you can protect yourself online.
Later in the episode, I’ll talk about Facebook’s accidental creation and compromise of shadow profiles along with Apple’s terrible personal hotspot security and what you can do to improve it.
Thanks for listening!