Digital Insurgency

Where Surveillance, Encryption & Privacy Collide

Sometimes the intersection of surveillance and privacy looks a little odd. That’s certainly the case with the recent revelation that the FBI is looking at ways to develop tattoo recognition systems. (And yes, before you ask, I’m pretty sure the guy in the image attached to this is Hillary Clinton’s STD afflicted model)

It is no secret that law enforcement uses tattoos to help identify suspects. Anyone who has watched more than a few hours of Law and Order has probably heard a suspect questioned about identifying tattoos or facial features. There is a reason for that: they are pretty unique to the individual. So it’s probably not a stretch, as law enforcement ideas go, to catalog these (which they already do) and to figure out ways to do something with them.

Tattoos, which are usually elective (people choose their own tattoos), can reveal a person’s cultural, religious and political beliefs, the Electronic Frontier Foundation (EFF) says.

That all makes sense. However, as the article goes on to note, there are First Amendment implications when tattoos that may be religious in nature are used for profiling. There is also a significant issue with the research into this effort.

The National Institute of Standards and Technology (NIST) has been conducting research into tattoo recognition technology since 2014, relying on a database of 15,000 tattoo images collected by the FBI from prisoners and arrestees without their consent, according to the EFF.

Yes, that’s right: the US government (which has a long history of mistreating prisoners and other test subjects without their knowledge or consent) is using personally identifiable information taken from prisoners without their consent to build a system to track anyone else with a tattoo (also without consent, and with a significant likelihood of misuse).

EFF is leading an effort to call attention to the potential misuse of tattoos that may denote political or religious affiliations, but the effort will obviously have much larger implications to the estimated 20-40% of Americans with tattoos. You can read their full report on the effort here.


In case you are curious, Ledgett also answered why the NSA didn’t help the FBI crack the San Bernardino shooter’s iPhone. “We don’t do every phone, every variation of phone. If we don’t have a bad guy who’s using it, we don’t do that.”

If you look at the medical devices from the same point of view, you might only need to worry about remotely having your pacemaker, insulin pump or other wirelessly-enabled medical device hacked or monitored if you happen to have the same model as some NSA target.

This is a rather matter-of-fact and simultaneously VERY creepy thought. Assassinations are a rather convenient way to force regime change in hostile nations, and hacking medical equipment would certainly be an efficient way to carry that out. The US is already alleged to have developed things like the Stuxnet virus to very specifically target a single system in a single environment (in that case a Siemens system in an Iranian nuclear facility). If the government could legitimately develop methods of hacking medical devices ostensibly for investigatory purposes, how long would it be until they were developing them for covert assassinations?

It seems like the stuff of fictional thrillers. Something Jason Bourne would have employed, perhaps. But the reality is these things eventually go rogue. In just the last few weeks, viruses similar in design to Stuxnet have been found that target industrial control systems for nefarious purposes. Would it take long for an industrious hacker group to develop their own (assuming they aren’t already)?

The rise of ransomware attacks on hospitals has recently seen exponential growth. What if these hackers turned their attention to high net worth individuals and threatened their very lives by demanding ransom or their medical equipment would be compromised?

Report after report indicates that companies making so-called “Internet of Things” devices are often running fast and loose with our privacy and security. Everything from children’s toys to automobiles has been hacked, and now we have the US government admitting that it wants to hack medical devices. If you aren’t getting nervous about connecting your whole life to the Internet, you haven’t been paying attention.

Until we have better controls and more secure systems, putting your pacemaker online seems like a terrible idea.

A bill that would expand personal privacy as it relates to your email, and one that looked likely to pass given its unanimous passage in the House, has hit a major snag due to a Republican Senator’s poison pill amendment. In a bill intended to make it harder for government to spy on you, Texas Senator John Cornyn introduced an amendment that would make it easier for the FBI to access your data without a warrant. The senator’s amendment would have greatly expanded the use of what are known as National Security Letters. Sponsors of the email privacy legislation have pulled it from consideration.

National Security Letters are issued without a warrant and would allow the Bureau to snarf up your browser history. Proponents of the amendment portray it as fixing a typo in current law, but privacy advocates note that it would represent a dramatic increase in warrantless surveillance and gathering of personal data. The Senate has moved similar provisions in other bills hoping to expand the FBI’s surveillance capability, but the amendment was a step too far for supporters of the bill.

Senator Mike Lee suggested that the inclusion of the National Security Letter language would essentially negate many of the protections the bill sought to expand.

Many of the amendments offered to the bill the House passed include exceptions in the case of national security or “emergencies”, but opponents fear those vague exceptions could be abused.

"The answer will come through public debate through unfortunate cases and a new batch of laws. And I can only see that in ending up in one place; because seeing what I have on security and how unacceptable it is in a modern society for the security of the mass of the population to be jeopardised, I can’t see that an absolute right to privacy can withstand the pressure of argument and events over the coming years," said Hague.

This is a UK Foreign Secretary speaking, but these exact sentiments have been expressed by law enforcement agencies at every level in the US. This is the single reason that THE FUNDAMENTAL DEBATE of the next 10-20 years will be encryption and privacy versus state surveillance.

Law enforcement will position this as ensuring that we do not have undetected conversations between nefarious actors, but we have those EVERY SINGLE DAY through face-to-face meetings, coded conversations, etc. The notion that banning encryption or requiring backdoors will end undetected conversations is nonsense.

In the meantime, there comes news that even without these backdoors someone is selling 32 million Twitter passwords on the dark web and a report from IBM that indicates 60% of cyber attacks were an inside job.

The constant drumbeat of hacked services and compromised personal data will be made FAR, FAR worse with government’s bungling ham-handed approach to surveillance as ‘malicious insiders’ (as IBM calls them) from government agencies will have access to personal conversations. And if you don’t think that will happen, just look at the 41 Secret Service agents being reprimanded for illegally accessing a Congressman’s personal data because they didn’t like what he had to say about their agency.

It seems that almost every day there is another story of a company, website, or celebrity that has been hacked. Sensitive information – everything from banking details to naked selfies – gets posted online and embarrassment and financial devastation grows. Despite the constant flow of information about high-profile hacks and the commonplace occurrence of identity theft, people still don’t take basic precautions to protect themselves, and websites don’t take basic precautions to protect user data.

When a hacker breaches a site like MySpace and compromises its user database, they obtain your email/username and password combinations. If you reuse that same combination on other sites, it is very easy for hackers to write a script to try those credentials against other popular sites and identify which ones grant access. It is no surprise that the number of Twitter accounts hacked in the past few weeks is exploding, given that many or most of those people likely also had MySpace or LinkedIn accounts, and were likely using the same password on all of them.
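The replay of a leaked credential list described above leaves a recognisable footprint in the target site’s login log: one client trying many different accounts, one attempt each, with a high failure rate, which looks nothing like a real user mistyping their own password. The following detector is an added example (not code from the original post or from Twitter); the log format and the log lines it parses are constructed for the example, and the thresholds (10-minute window, at least 5 distinct accounts, at least half of attempts failing) are assumptions to tune for a real service.

```python
"""Flag credential-stuffing sources in a web login log (added example).

All log lines are constructed; the format `ts ip=... user=... result=ok|fail`
is an assumption, not any real product's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.7 sprays ten different accounts in six seconds
# (two of them succeed, i.e. those users reused a breached password);
# 198.51.100.20 is one person retrying their own password; 192.0.2.44 is noise.
SAMPLE_LOG = """\
2016-06-10T08:00:01 ip=203.0.113.7 user=alice result=fail
2016-06-10T08:00:02 ip=203.0.113.7 user=bob result=fail
2016-06-10T08:00:02 ip=203.0.113.7 user=carol result=ok
2016-06-10T08:00:03 ip=203.0.113.7 user=dave result=fail
2016-06-10T08:00:03 ip=203.0.113.7 user=erin result=fail
2016-06-10T08:00:04 ip=203.0.113.7 user=frank result=fail
2016-06-10T08:00:04 ip=203.0.113.7 user=grace result=ok
2016-06-10T08:00:05 ip=203.0.113.7 user=heidi result=fail
2016-06-10T08:00:05 ip=203.0.113.7 user=ivan result=fail
2016-06-10T08:00:06 ip=203.0.113.7 user=judy result=fail
2016-06-10T08:01:00 ip=198.51.100.20 user=mallory result=fail
2016-06-10T08:01:05 ip=198.51.100.20 user=mallory result=fail
2016-06-10T08:01:09 ip=198.51.100.20 user=mallory result=ok
2016-06-10T09:30:00 ip=192.0.2.44 user=peggy result=ok
"""


def parse_log(text):
    """Return a list of (timestamp, ip, user, success) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # a malformed line must not crash the detector
        events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"],
                       m["result"] == "ok"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=5, min_fail_ratio=0.5):
    """Return {ip: summary} for clients that hit >= min_users distinct accounts
    inside `window` with a failure ratio >= min_fail_ratio.

    A single account failing repeatedly is a forgotten password, not stuffing,
    so the distinct-user count is the key signal; the successes are the
    accounts that need a forced reset, because their password is now known.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):          # sliding window over this client's attempts
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            ratio = fails / len(chunk)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                summary = {"distinct_users": len(users), "attempts": len(chunk),
                           "fail_ratio": round(ratio, 2),
                           "successes": sorted(u for _, u, ok in chunk if ok)}
                prev = flagged.get(ip)
                if prev is None or summary["distinct_users"] > prev["distinct_users"]:
                    flagged[ip] = summary   # keep the widest window seen for this client
    return flagged


if __name__ == "__main__":
    for ip, s in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, s)
```

The retrying user at 198.51.100.20 is not flagged because a failure rate alone is not the signal; breadth across accounts is. The two accounts in `successes` are exactly the reused-password victims the paragraph describes, and the response a site owner wants for them is a forced reset and a new-login notification, not just a block on the source address.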

Twitter acknowledged as much when discussing the announcement that 32 million user credentials were available on the dark web.

“The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both. Regardless of origin, we’re acting swiftly to protect your Twitter account.”

Many websites are now informing you when a login is attempted on your account from a new location, but this is still neither common nor foolproof. Some sites still store user credentials in plain text, though encryption of user credentials is more common than not these days. The strength of that encryption varies, however.
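What the paragraph calls encryption of credentials is, in a well-built site, one-way hashing with a per-user salt and a deliberately slow function, and the "strength varies" point is the gap between a bare fast hash and that. The snippet below is an added example (not code from the original post or from any of the sites named); it puts the plain-text and unsalted-MD5 forms beside a salted PBKDF2-HMAC-SHA256 form from the Python standard library, and shows one concrete consequence of the weak forms: a leaked table reveals which users share a password before anyone has guessed a single one. The iteration count and the stored-record layout are assumptions for the example.

```python
"""Password storage: plaintext vs unsalted fast hash vs salted slow KDF.

Added example with constructed data. `PBKDF2_ITERATIONS` and the
`pbkdf2_sha256$iters$salt$digest` record layout are assumptions.
"""
from collections import Counter
import hashlib
import hmac
import os

# --- weak forms: what a leaked user table looks like when the site cut corners ---

def store_plaintext(password):
    """Whoever reads the table reads every password."""
    return password


def store_unsalted_md5(password):
    """Identical passwords give identical values, and MD5 is fast to guess against."""
    return hashlib.md5(password.encode()).hexdigest()


# --- hardened form: per-user random salt plus a slow, iterated KDF ---

PBKDF2_ITERATIONS = 200_000  # assumption for the example; raise as hardware allows


def store_pbkdf2(password, salt=None):
    """Return a self-describing record so the cost can be raised later per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record")
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(),
                               bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(calc.hex(), digest_hex)


# --- what a leaked table gives away without any guessing ---

def shared_password_groups(stored_values):
    """Count groups of users whose stored value is identical.

    For plaintext or unsalted hashes this is the number of reused passwords
    visible at a glance; with per-user salts it is zero even when users
    chose the same password.
    """
    counts = Counter(stored_values)
    return sum(1 for c in counts.values() if c > 1)


if __name__ == "__main__":
    users = {"alice": "password", "bob": "password", "carol": "letmein"}  # constructed
    md5_table = [store_unsalted_md5(p) for p in users.values()]
    pbkdf2_table = [store_pbkdf2(p) for p in users.values()]
    print("reuse visible in unsalted table:", shared_password_groups(md5_table))
    print("reuse visible in salted table:  ", shared_password_groups(pbkdf2_table))
    print("verify ok:", verify_pbkdf2("password", pbkdf2_table[0]))
```

The salted record also makes every user a separate cracking job instead of one job for the whole table, which is the other half of why the strength of a site's storage matters when its database walks out the door; a dedicated password hash such as bcrypt, scrypt or Argon2 is the usual production choice, and PBKDF2 is used here only because it needs no third-party package.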

If you are using the same password across many websites, it is just a matter of time before you will be hacked. You really should be using a better method to keep yourself secure. Password locker systems (KeePass or KeePassX, for instance) allow you to keep an unlimited number of passwords stored in a single location and allow you to simply click to copy the correct password and paste it into login forms. You don’t need to remember them all, and most of these systems have a mobile app version that keeps a synchronized copy for logging in via your devices.

Whatever system you choose, it is well past time when you should be taking your personal information security much more seriously. If you are using the same password for your Facebook account and your online banking, you are dancing in a virtual minefield and it’s just a matter of time before something blows up.

We’ve launched this blog to look at developments in the area of cybersecurity, privacy, encryption, and government surveillance, because their intersection is the epicenter of the digital world. Discussions of the balance between security and privacy will drive most tech discussions for the next ten years. Much of this starts with you being better informed and empowered to take an active role in securing your personal data.