Digital Insurgency

Where Surveillance, Encryption & Privacy Collide

Remember that scene at the end of The Bourne Identity where Brian Cox is testifying before the Intelligence Committee about Treadstone and Black Briar and describes the former as a training op and the second as a communications program despite both being covert death squads? It’s easy enough to think that stuff like that doesn’t happen in the real world, but don’t be too sure. The FBI has been running a “pilot project” to test iris scanning technology whose original stated objective was just to evaluate the technology available at the time. That started in 2013.

Now it’s easy enough to assume that the government moves REALLY slowly and that they simply haven’t gotten very far.  Unfortunately, there ability to gather scanned irises hasn’t ben quite so slow. The iris database now contains more than 430,000 iris scans, with almost half coming from San Bernardino, California. San Bernardino has become so proficient at obtaining iris scans that over the last two and a half years they have snapped up almost ten percent of the city’s population of 2 million.

That a database of nearly a half million people has been amassed by the FBI is perhaps not too surprising, but what might be shocking is the fact that as a pilot project, there has been no oversight and no privacy disclosure or assessment. As Colin Lecher at The Verge describes it, “The result amounts to a new national biometric database that stretches the traditional boundaries of a pilot program, while staying just outside the reach of privacy mandates often required for such data-gathering projects.” What is worse the gathering of iris data may be for minor offenses and is often taken pre-trial and submitted in near real-time to the FBI.

The California Justice Department, like other agencies the FBI has partnered with, can log a scan as part of the booking process, even for low-level crimes, and well before a conviction. When the scans are sent to the national database, the FBI says, they are bundled with fingerprints and mug shots.

Had you been arrested in California for a minor offense and ultimately released without charges, your iris may still be on file with the feds. Because this is ostensibly a pilot project, and not a fully functioning identification system, a complete privacy assessment was not done. It’s not even clear if one will be done as the project is part of the FBI’s Next Generation Identification database and the FBI is looking to exempt that from privacy laws.

 

I’m just an average man, with an average life
I work from nine to five; hey hell, I pay the price
All I want is to be left alone in my average home
But why do I always feel like I’m in the Twilight Zone?

When I come home at night
I bolt the door real tight
People call me on the phone I’m trying to avoid
Well, can the people on TV see me
Or am I just paranoid?

Rockwell’s “Who’s Watching Me?” tells the story of a man who feels like he is under constant surveillance by some unknown entity. Two stories out of the world of tech privacy and surveillance today would likely make Rockwell think those lyrics didn’t go far enough. Or, as Max said in the cult classic movie Strange Days:

The issue’s not whether you’re paranoid, Lenny, I mean look at this shit, the issue is whether you’re paranoid enough.

It was revealed today that hacker-turned-Facebook-founder Mark Zuckerberg tapes over the camera on his laptop, as does FBI Director James Comey. That latter part is particularly ironic given that its quite likely the FBI that may be spying on you. As I mentioned yesterday, the FBI is already using software to scan almost a half billion images of Americans (despite few privacy protections). It’s also no secret that the FBI is pushing for massive new surveillance powers under the guise of “keeping us safe”.

It’s good, then that a coalition of internet companies have come together to create a public awareness and advocacy campaign. No Global Warrants is pushing to raise awareness and has a petition up to contact Congress to make your voice heard. While that is unlikely to prevent government from further suppressing your rights, it should, hopefully, make people aware of the issue and aware of how extensive the government’s expansion of its surveillance capability is.

In the meantime, there are some steps you can take to protect yourself. First, you can follow Zuckerberg’s lead and secure your cameras. Amazon sells these handy little slides for laptops and tablets that slide open and closed easily and avoid the tape residue. These cell phone camera covers are also handy and better looking than tape. You also might think twice about sharing a ton of photos of yourself. I realize that is probably unheard of in our selfie obsessed culture, but it makes facial recognition much more accurate if they have snaps of you from every angle.

There are steps you can take to secure your physical devices like ensuring your hard drive and all external storage are encrypted (I like VeraCrypt). Apple has encryption built in through FileVault, but you have to enable it through System Preferences -> Security & Privacy -> FileVault.

You should also, under NO circumstances, be using the same password on every website. I’ll be covering that soon, but there are a lot of password lockers that a) keep all of your passwords securely and b) make it so that you don’t need to remember passwords at all. They’re easy to setup, and enable you to have different, unique, and strong passwords for every site you visit. With free services like Dropbox to store the encrypted password files, you can also use them on every device.

While many of these steps will help protect you from hackers and identity thieves, the FBI has also been known to illegally hack computers. While much of the evidence stemming from that investigation has been tossed by several courts, the FBI is pushing to address that problem through these expanded powers. So you really want to get comfortable with protecting your information from actors both good and bad.

 

Following news last week that the Government Accountability Office found the FBI in possession of 412 million images of Americans, and was doing precious little to honor the privacy (or Constitutional) rights of the citizens, the news just keeps getting better. The GAO had announced that the system was not properly tested and that it did not protect our civil liberties.

Now comes news that those images probably include you, and me, and pretty much every other American, regardless of whether they have ever committed, or even been suspected of committing, a crime.

The report says the bureau’s Facial Analysis, Comparison, and Evaluation Services Unit contains not only 30 million mug shots, but also has access to driver license photos from 16 states, the State Department’s visa and passport database, and the biometric database maintained by the Defense Department.

 

The system contains the mugshots of convicted criminals (which you would probably expect it to), but also connects to systems not owned by the FBI, but containing your personal information. But surely all of this is being done in a way to maximize effectiveness and minimize the exposure of the innocent, right? Well, not so much. From the GAO report:

“[U]ntil FBI officials can assure themselves that the data they receive from external partners are reasonably accurate and reliable, it is unclear whether such agreements are beneficial to the FBI and do not unnecessarily include photos of innocent people as investigative leads.”

Um, yeah, so that data may not be all that useful. If you have ever noticed how fallible facial recognition is, you’ll understand the depth of the problem. Facebook’s facial recognition routinely identifies a high school friend of mine as my 82 year old mother. I have seen enough examples in both Apple’s facial recognition and Facebook’s to seriously question whether the FBI’s system is that much better, after all, government IT, especially in law enforcement, is significantly lacking. It wasn’t that long ago that the Department of Justice (home of the FBI) spent years and $170 million in taxpayer funds to completely fail to build something as basic as a case management system. Healthcare.gov, more recently, indicated that Uncle Sam’s IT systems hadn’t improved much ten years later.

Yet the same government that is demanding backdoors into our phones, building malware to hack and entrap criminals, and pushing continually for expansive powers to hack your devices, is somehow expected to show restraint when it wants to access your photos? We’re supposed to believe that the same inept government IT personnel are better able to ensure the face of the innocent will not match the face of the FBI’s suspect?

There is a need for massive, systemic overhaul of surveillance laws in the United States as our technology is significantly outpacing the basic tenets that citizens will not be the subject of investigation unless there is probable cause. These systems assume that, contrary to well established legal tenets, we are not innocent until proven guilty. Rather, every US citizen is considered guilty until proven innocent.

This facial analysis identifies people that COULD BE, but quite likely ARE NOT, the right person. Yet the FBI will investigate them in connection with crimes they likely had nothing to do with.

This is the state of surveillance in the US today.

Sometimes the intersection of surveillance and privacy looks a little odd. That’s certainly the case with the recent revelation that the FBI is looking at way’s to develop tattoo recognition systems.  (And yes, before you ask, I’m pretty sure the guy in the image attached to this is Hillary Clinton’s STD afflicted model)

It is no secret that law enforcement uses tattoos to help identify suspects. Anyone who has watched more than a few hours of Law and Order, has probably heard the questioning of a suspect include the question of identifying tattoos or facial features. There is a reason for that. They are pretty unique to the individual. So it’s probably not a stretch, as law enforcement ideas go, to catalog these (which they already do) and to figure out ways to do something with them.

Tattoos, which are usually elective (people choose their own tattoos), can reveal a person’s cultural, religious and political beliefs, the [Electronic Frontier Foundation (EFF)] says.

That all makes sense. However, as the article goes on to note, their are first amendment implications when tattoos that may be religious in nature are used for profiling. There is also a significant issue with the research into this effort.

The National Institute of Standards and Technology (NIST) has been conducting research into tattoo recognition technology since 2014, relying on a database of 15,000 tattoo images collected by the FBI from prisoners and arrestees without their consent, according to the EFF.

Yes, that’s right, the US government, which has had a long history of mistreating prisoners and other test subjects without their knowledge or consent) is using personally identifiable information taken from prisoners without their consent to build a system to track anyone else with a tattoo (also without consent, and likely with significant likelihood of misuse.)

EFF is leading an effort to call attention to the potential misuse of tattoos that may denote political or religious affiliations, but the effort will obviously have much larger implications to the estimated 20-40% of Americans with tattoos. You can read their full report on the effort here.

 

"The answer will come through public debate through unfortunate cases and a new batch of laws. And I can only see that in ending up in one place; because seeing what I have on security and how unacceptable it is in a modern society for the security of the mass of the population to be jeopardised, I can’t see that an absolute right to privacy can with stand the pressure of argument and events over the coming years," said Hague.

This is a UK Foreign Secretary speaking, but these exact sentiments have been expressed by law enforcement agencies at every level in the US. This is the single reason that THE FUNDAMENTAL DEBATE of the next 10-20 years will be encryption and privacy versus state surveillance.

Law enforcement will position this as ensuring that we do not have undetected conversations between nefarious actors, but we have those EVERY SINGLE DAY through face-to-face meetings, coded conversations, etc. The notion that banning encryption or requiring backdoors will end undetected conversations is nonsense.

In the meantime, there comes news that even without these backdoors someone is selling 32 million Twitter passwords on the dark web and a report from IBM that indicates 60% of cyber attacks were an inside job.

The constant drumbeat of hacked services and compromised personal data will be made FAR, FAR worse with government’s bungling ham-handed approach to surveillance as ‘malicious insiders’ (as IBM calls them) from government agencies will have access to personal conversations. And if you don’t think that will happen, just look at the 41 Secret Service agents being reprimanded for illegally accessing a Congressman’s personal data because they didn’t like what he had to say about their agency.