Tag Archives: Edward Snowden

Privacy will die, but not because of corporations or governments: Because of you

Edward Snowden used his alternative Christmas message to highlight the death of privacy, and he’s right that privacy as we’ve all known it will die. But he’s wrong to focus on what governments are doing. Governments aren’t the ones that are going to kill privacy.

Neither are corporations the ones to blame. Google, Amazon and the like will know more about us than any company has ever known about its customers, but they aren’t the ones who will kill privacy.

No: the ones responsible for the death of privacy will be you and me.

What happens when the technology of surveillance – surreptitious cameras, tiny drones, spyware – becomes available to every individual on the planet? What happens when every parent can follow their children’s activities 24/7, online and offline?

History tells us that technology starts off expensive and big, the domain of governments and corporations, and ends up small and cheap, available to every individual. Surveillance tech is going to follow the same pattern. And that, not corporations and governments, will be what kills privacy.

Did the NSA pay RSA $10m to weaken encryption?

According to a story by Reuters, the NSA paid encryption company RSA $10m to deliberately weaken one of its products by using an encryption algorithm which, presumably, the NSA had already cracked.

Sounds plausible. After all, we know the NSA at least attempted to influence standard-setting bodies to adopt weaker levels of encryption.

But there’s something about this story which doesn’t add up. Once you begin to think about it, this kind of deal doesn’t make sense for either the NSA, or for RSA.

For RSA, doing something like this would be a brain-dead move. Yes, as the Reuters report says, $10m looks big in the context of the $27m made by the division of RSA which allegedly received it. But for the company as a whole, it amounts to less than 2% of its annual revenue of $525m in 2007. And a decision to accept that money would almost certainly have to have been board-level: so why would they have accepted it? Would they undermine their own product – and in a way which they must have known would almost certainly leak at some point? It just looks unlikely.

For the NSA, why bother when there are more effective and secretive ways of achieving the same goal? Why not simply plant an employee in RSA with access to the code? Why not quietly pay a very senior individual (or individuals) to buy their compliance? Why not hack into the company and plant your own back door? After all, this is an organisation capable of planting malware in top secret nuclear facilities of another country – breaking into a commercial organisation, by comparison, is trivial. And using methods like bribery, “human intelligence” or hacking gives you a level of plausible deniability that no direct deal with a company could.

Paying the company money – money which would have to be accounted for somehow “through the books” – is the least secure, most likely to leak and thus least effective option. It seems pretty unlikely to me that an organisation like the NSA would choose to do that, rather than use one of the more covert (and effective) options at its disposal.

UPDATE: RSA has “categorically denied” it was paid to weaken its security. It’s worth reading this post in its entirety, because it includes some details about its decisions.

Something doesn’t add up in the latest Washington Post PRISM story

The Washington Post has released additional slides from the PRISM deck, which it has annotated and which have resurrected the “equipment installed at company premises” claim. Some – notably Glenn Greenwald – have claimed this proves the “direct access to company databases” claim from the original story has been verified, despite the vociferous denials of all the companies involved.

But does it? Dig a little deeper, and I think it becomes clear that the WaPo hasn’t got the story it thinks it has.

First, there’s nothing in the released slides themselves which directly corroborates the “installed at company premises” claim, which exists only in the annotations that the reporter, Barton Gellman, has added to the slides. Here’s how the process is described by Gellman:

The search request, known as a “tasking,” can be sent to multiple sources — for example, to a private company and to an NSA access point that taps into the Internet’s main gateway switches. A tasking for Google, Yahoo, Microsoft, Apple and other providers is routed to equipment installed at each company. This equipment, maintained by the FBI, passes the NSA request to a private company’s system.

The slides themselves, though, make no mention of much of this. In particular, there’s no reference to company premises in anything on the slides. 

Given that the slides don’t say that equipment is installed at the company, where has this point come from? I think there are three options:

  1. It’s featured in other, as-yet unreleased slides.
  2. It comes from verbal or written testimony from Edward Snowden or another intelligence source.
  3. It’s an interpretation of something in the released slides.

The first option is possible, but I think we can rule it out. If there was a clear, unambiguous statement that the FBI had equipment installed in company premises on another slide, I can’t see why the WaPo wouldn’t publish that slide, even if it had to do so in heavily redacted form. So that leaves us with the other options.

Is the WaPo relying on unknown third-party sources? If it was, I can’t see why it wouldn’t add an “intelligence sources confirmed…” in the story. It would be a stronger story for it, so why not say? If, on the other hand, it’s Snowden, I can understand why it might avoid naming him as the source. Snowden’s direct testimony has proved to be occasionally exaggerated and sometimes even unreliable – but the WaPo could use “a source familiar with the whole presentation” instead of naming him, which would again strengthen the story.

At this point, I think the onus is on the WaPo to be a little more transparent and clear this up. If there’s additional evidence, show it – or at least note you’re relying on it.

Which leaves us with the third option: interpretation. And I think this is where WaPo has, at the very least, produced something that’s an epic muddle. The muddle occurs around the box labelled “FBI Data Intercept Technology Unit (DITU)”.

A DITU sounds like a piece of technology. It sounds like the kind of thing that you would install somewhere to do intercepts, and, given the way the diagram is structured, you might well surmise that it was installed on company premises.

But it’s not. The Data Intercept Technology Unit isn’t a piece of technology, something which would sit at the premises of a company. It’s a department of the FBI, formed several years ago, tasked with data interception of the “packet sniffing” variety (it even has its own Challenge Coin). It’s known to use a suite of packet inspection tools which allow it, from TCP/IP data, to recreate emails, IM, images, web pages and more. Essentially, it specialises in snooping tools which let you find out what someone is doing online without having access to the original servers: it will tap data at the ISP level, rather than the server level.

The annotation on the second new slide is where the waters get really muddy. In a note attached to the box for the DITU, Barton adds:

From the FBI’s interception unit on the premises of private companies… [my emphasis]

Does Gellman think that DITU is the “interception unit”? I emailed him to ask, and initially he confirmed that the “interception unit” referred to in the annotation was the DITU – which would be a fairly major error. However, when I pointed out that this made no sense, he clarified, claiming that by “interception unit” he was referring to the organisation within the FBI, not the equipment. All clear on that?

This, though, makes the annotations even more puzzling. Why would you use the phrase “interception unit on the premises” to refer to the organisation within the FBI? Clearly, the organisation isn’t on the premises – the equipment (supposedly) is.

The other option is that Gellman is using “interception unit” to mean both the DITU and the equipment, which would be – at the very least – pretty poor writing. So what exactly does Gellman mean? Perhaps understandably, he declined to answer further questions.

None of this means that the WaPo doesn’t have a story. We now know that the FBI’s DITU can be tasked by the NSA to conduct live surveillance on the data of identified (and 51%-certain-foreign) targets. The NSA can also request data from previous FBI DITU surveillance. These specifics weren’t known before, so Gellman and the WaPo should get credit for a scoop.

But it isn’t the scoop they think it is, because the slides don’t confirm either the direct server access that Greenwald is crowing about or the presence of on-premise equipment at Google, Apple, and the rest. There’s simply nothing in the slide which states that equipment is on-site, and there’s no alternative source for this claim. There’s no way I can see to interpret anything on the slides as putting that “interception unit” inside the premises, accessing data on demand without any company oversight. 

A more likely scenario, particularly given the DITU’s heritage as data tappers, is that the equipment taps into Internet backbones – something that’s supported by one of the original slides, which referred to how much of the world’s comms data flowed through the US. Why bother with a slide like that if you’re tapping directly into Google’s servers?

The WaPo story isn’t proof of mass warrantless surveillance of US citizens, or (as it stands) of in-house equipment at Google, Apple, Microsoft and the rest. Unless it has more evidence which hasn’t been published that explicitly shows this, not much new controversial information has been added to what we know about the NSA and its activities.