Digital Insurgency

Where Surveillance, Encryption & Privacy Collide

I’m just an average man, with an average life
I work from nine to five; hey hell, I pay the price
All I want is to be left alone in my average home
But why do I always feel like I’m in the Twilight Zone?

When I come home at night
I bolt the door real tight
People call me on the phone I’m trying to avoid
Well, can the people on TV see me
Or am I just paranoid?

Rockwell’s “Who’s Watching Me?” tells the story of a man who feels like he is under constant surveillance by some unknown entity. Two stories out of the world of tech privacy and surveillance today would likely make Rockwell think those lyrics didn’t go far enough. Or, as Max said in the cult classic movie Strange Days:

The issue’s not whether you’re paranoid, Lenny, I mean look at this shit, the issue is whether you’re paranoid enough.

It was revealed today that hacker-turned-Facebook-founder Mark Zuckerberg tapes over the camera on his laptop, as does FBI Director James Comey. That latter part is particularly ironic given that its quite likely the FBI that may be spying on you. As I mentioned yesterday, the FBI is already using software to scan almost a half billion images of Americans (despite few privacy protections). It’s also no secret that the FBI is pushing for massive new surveillance powers under the guise of “keeping us safe”.

It’s good, then that a coalition of internet companies have come together to create a public awareness and advocacy campaign. No Global Warrants is pushing to raise awareness and has a petition up to contact Congress to make your voice heard. While that is unlikely to prevent government from further suppressing your rights, it should, hopefully, make people aware of the issue and aware of how extensive the government’s expansion of its surveillance capability is.

In the meantime, there are some steps you can take to protect yourself. First, you can follow Zuckerberg’s lead and secure your cameras. Amazon sells these handy little slides for laptops and tablets that slide open and closed easily and avoid the tape residue. These cell phone camera covers are also handy and better looking than tape. You also might think twice about sharing a ton of photos of yourself. I realize that is probably unheard of in our selfie obsessed culture, but it makes facial recognition much more accurate if they have snaps of you from every angle.

There are steps you can take to secure your physical devices like ensuring your hard drive and all external storage are encrypted (I like VeraCrypt). Apple has encryption built in through FileVault, but you have to enable it through System Preferences -> Security & Privacy -> FileVault.

You should also, under NO circumstances, be using the same password on every website. I’ll be covering that soon, but there are a lot of password lockers that a) keep all of your passwords securely and b) make it so that you don’t need to remember passwords at all. They’re easy to setup, and enable you to have different, unique, and strong passwords for every site you visit. With free services like Dropbox to store the encrypted password files, you can also use them on every device.

While many of these steps will help protect you from hackers and identity thieves, the FBI has also been known to illegally hack computers. While much of the evidence stemming from that investigation has been tossed by several courts, the FBI is pushing to address that problem through these expanded powers. So you really want to get comfortable with protecting your information from actors both good and bad.

 

Following news last week that the Government Accountability Office found the FBI in possession of 412 million images of Americans, and was doing precious little to honor the privacy (or Constitutional) rights of the citizens, the news just keeps getting better. The GAO had announced that the system was not properly tested and that it did not protect our civil liberties.

Now comes news that those images probably include you, and me, and pretty much every other American, regardless of whether they have ever committed, or even been suspected of committing, a crime.

The report says the bureau’s Facial Analysis, Comparison, and Evaluation Services Unit contains not only 30 million mug shots, but also has access to driver license photos from 16 states, the State Department’s visa and passport database, and the biometric database maintained by the Defense Department.

 

The system contains the mugshots of convicted criminals (which you would probably expect it to), but also connects to systems not owned by the FBI, but containing your personal information. But surely all of this is being done in a way to maximize effectiveness and minimize the exposure of the innocent, right? Well, not so much. From the GAO report:

“[U]ntil FBI officials can assure themselves that the data they receive from external partners are reasonably accurate and reliable, it is unclear whether such agreements are beneficial to the FBI and do not unnecessarily include photos of innocent people as investigative leads.”

Um, yeah, so that data may not be all that useful. If you have ever noticed how fallible facial recognition is, you’ll understand the depth of the problem. Facebook’s facial recognition routinely identifies a high school friend of mine as my 82 year old mother. I have seen enough examples in both Apple’s facial recognition and Facebook’s to seriously question whether the FBI’s system is that much better, after all, government IT, especially in law enforcement, is significantly lacking. It wasn’t that long ago that the Department of Justice (home of the FBI) spent years and $170 million in taxpayer funds to completely fail to build something as basic as a case management system. Healthcare.gov, more recently, indicated that Uncle Sam’s IT systems hadn’t improved much ten years later.

Yet the same government that is demanding backdoors into our phones, building malware to hack and entrap criminals, and pushing continually for expansive powers to hack your devices, is somehow expected to show restraint when it wants to access your photos? We’re supposed to believe that the same inept government IT personnel are better able to ensure the face of the innocent will not match the face of the FBI’s suspect?

There is a need for massive, systemic overhaul of surveillance laws in the United States as our technology is significantly outpacing the basic tenets that citizens will not be the subject of investigation unless there is probable cause. These systems assume that, contrary to well established legal tenets, we are not innocent until proven guilty. Rather, every US citizen is considered guilty until proven innocent.

This facial analysis identifies people that COULD BE, but quite likely ARE NOT, the right person. Yet the FBI will investigate them in connection with crimes they likely had nothing to do with.

This is the state of surveillance in the US today.

Sometimes the intersection of surveillance and privacy looks a little odd. That’s certainly the case with the recent revelation that the FBI is looking at way’s to develop tattoo recognition systems.  (And yes, before you ask, I’m pretty sure the guy in the image attached to this is Hillary Clinton’s STD afflicted model)

It is no secret that law enforcement uses tattoos to help identify suspects. Anyone who has watched more than a few hours of Law and Order, has probably heard the questioning of a suspect include the question of identifying tattoos or facial features. There is a reason for that. They are pretty unique to the individual. So it’s probably not a stretch, as law enforcement ideas go, to catalog these (which they already do) and to figure out ways to do something with them.

Tattoos, which are usually elective (people choose their own tattoos), can reveal a person’s cultural, religious and political beliefs, the [Electronic Frontier Foundation (EFF)] says.

That all makes sense. However, as the article goes on to note, their are first amendment implications when tattoos that may be religious in nature are used for profiling. There is also a significant issue with the research into this effort.

The National Institute of Standards and Technology (NIST) has been conducting research into tattoo recognition technology since 2014, relying on a database of 15,000 tattoo images collected by the FBI from prisoners and arrestees without their consent, according to the EFF.

Yes, that’s right, the US government, which has had a long history of mistreating prisoners and other test subjects without their knowledge or consent) is using personally identifiable information taken from prisoners without their consent to build a system to track anyone else with a tattoo (also without consent, and likely with significant likelihood of misuse.)

EFF is leading an effort to call attention to the potential misuse of tattoos that may denote political or religious affiliations, but the effort will obviously have much larger implications to the estimated 20-40% of Americans with tattoos. You can read their full report on the effort here.

 

In case you are curious, Ledgett also answered why the NSA didn’t help the FBI crack the San Bernardino shooter’s iPhone. “We don’t do every phone, every variation of phone. If we don’t have a bad guy who’s using it, we don’t do that.”

If you look at the medical devices from the same point of view, you might only need to worry about remotely having your pacemaker, insulin pump or other wirelessly-enabled medical device hacked or monitored if you happen to have the same model as some NSA target.

This is a rather matter-of-fact and simultaneously VERY creepy thought. Assassinations are a rather convenient way to force regime change in hostile nations, and hacking medical equipment would certainly be an efficient way to carry that out. The US is already alleged to have developed things like the Stuxnet virus to very specifically target a single system in a single environment (in that case a Siemens system in an Iranian nuclear facility). If the government could legitimately develop methods of hacking medical devices ostensibly for investigatory purposes, how long would it be until they were developing them for covert assassinations?

It seems like the stuff of fictional thrillers. Something Jason Bourne would have employed, perhaps. But the reality is these things eventually go rogue. In just the last few weeks, viruses similar in design to Stuxnet have been found that target industrial control systems for nefarious purposes. Would it take long for an industrious hacker group to develop their own (assuming they aren’t already)?

The rise of ransomware attacks on hospitals has recently seen exponential growth. What if these hackers turned their attention to high net worth individuals and threatened their very lives by demanding ransom or their medical equipment would be compromised?

Report after report indicates that companies making so-called “Internet of Things” devices are often running fast and loose with our privacy and security. Everything from children’s toys to automobiles have been hacked, and now we have the US government admitting that it wants to hack medical devices. If you aren’t getting nervous about connecting your whole life to the Internet, you haven’t been paying attention.

Until we have better controls and more secure systems, putting your pacemaker online seems like a terrible idea.

A bill that would expand personal privacy as it relates to your email, and one that looked likely to pass given its unanimous passage in the House, has hit a major snag due to a Republican Senator’s poison pill amendment. In a bill intended to make it harder for government to spy on you, Texas Senator John Cornyn introduced an amendment that would make it easier for the FBI to access your data without a warrant. The senator’s amendment would have greatly expanded the use of what are known as National Security Letters. Sponsors of the email privacy legislation have pulled it from consideration.

National Security Letters are issued without a warrant and would allow the Bureau to snarf up your browser history. Proponents of the Amendment portray it as fixing a typo in current law, but privacy advocates note that it would represent a dramatic increase in warrantless surveillance and gathering of personal data. The Senate has moved similar provisions in other bills hoping to expand the FBI’s surveillance capability, but the amendment was a step too far for supporters of the bill.

Senator Mike Lee suggested that the inclusion of the National Security Letter language would essentially negate many of the protections the bill sought to expand.

Many of the amendments offered to the bill the House passed include exceptions in the case of national security or “emergencies”, but opponents fear those vague exceptions could be abused.