
NSA surveillance and "foreigners"

By Jake Edge
July 17, 2013

Akademy 2013

A keynote that is not directly related to KDE and the work that it does is a tradition at Akademy. While that tradition was upheld again this year, Eva Galperin of the Electronic Frontier Foundation gave a talk that was both timely and applicable to everyone in the room: US National Security Agency (NSA) surveillance and what it means for non-US people. There was plenty of interest in her talk for the largely European audience, but the overview of the NSA "surveillance state" was useful to those from the US as well.

[Eva Galperin]

The US government, in conjunction with the telecommunications carriers and large internet companies like Facebook, Yahoo, Google, and Microsoft, has been carrying out "illegal surveillance" on internet and other communication for quite some time, Galperin said. We started hearing about it in 2005 from news reports that AT&T had allowed the NSA access to its network. The collection of records of phone calls was being done at an AT&T facility that is, coincidentally, just blocks from her house in San Francisco.

That led the EFF to file lawsuits against AT&T and, eventually, the NSA, over this warrantless wiretapping. The AT&T lawsuit was dismissed on national security grounds, but the other case EFF filed, Jewel v. NSA, is still ongoing. In fact, in the week prior to her talk, the courts rejected the US government request that the suit be dismissed because of national security issues. The Jewel case moving forward is "great news", she said.

The "rest of us"

But, "what about the rest of us?", she asked. For people outside of the US, whose data traverses the US or is stored there, what protections exist? The surveillance is governed by the US Foreign Intelligence Surveillance Act (FISA), which created a secret court (FIS Court, or FISC) to oversee the surveillance operations. Since it targets "foreign intelligence", FISA has "zero protections" for foreigners' data in the US. It contains "slim protections" for those in the US, but those outside are "out in the cold".

The recently released PRISM information (by way of Edward Snowden) shows that these agencies talk of the US "home field advantage" in that much of the internet's information passes through US facilities. The data stored by US cloud storage facilities as well as internet services, such as Twitter, Facebook, Skype, and those from Google, are all fair game for "extra-territorial" people.

It is not just the US that is doing this kind of surveillance, she said; "lots of countries" are doing it. There are various malware-based attacks that we know about, which have not been proved to be state-sponsored but are strongly suspected to be. She mentioned China, Libya, and Syria as countries suspected of targeting both citizens and foreigners. The German government is known to have an email-based malware attack that targets foreigners. Increasingly, domestic laws are allowing this kind of extra-territorial surveillance and those laws are increasing their reach.

FISA is cloaked in secrecy, such that internet companies like Google and Microsoft can't even report on the kinds of information they have been required to produce. Some of the most recent Snowden leaks (as of the time of Galperin's talk) have shown a great deal of cooperation between Microsoft and the NSA.

"Just" metadata

In addition, US phone carrier Verizon has reportedly turned over seven years' worth of "metadata" on all calls that it handled which started or ended in the US. Metadata is defined "quite broadly" to include routing information, phone numbers, call durations, and so on, but not the actual contents of the calls. That it is "only metadata" is the justification used by the NSA, but it is no real protection, she said, noting that US Central Intelligence Agency chief David Petraeus resigned based on evidence gathered from metadata. As an example, Galperin said: "We know you called the phone sex line, and we know you talked for 30 minutes, but we don't know what you said."

The PRISM surveillance was initially suspected of being a "back door" for the NSA into various internet services. It still is not clear if any exist, but internet services do have to respond to FISA orders and may do so via these back door portals—possibly in realtime. Even without realtime access, PRISM targets email, online chats (text, audio, and video), files downloaded, and more. It only requires 51% confidence that the target is not a US citizen, which is quite a low standard.

The NSA is building a data center "the size of a small village" to analyze and store this information. In one recent month, it collected some 97 billion intelligence data items; 3 billion for US citizens, the rest is for people in the rest of the world. This data isn't only being used by US agencies, either. The UK GCHQ signals intelligence agency made 197 requests for PRISM data (that we know of). It's not clear that GCHQ is allowed to set up its own PRISM system, but it can access US PRISM data. And, as Galperin noted, it is not at all clear that the US can legally set up a system like PRISM.

FISA basics

FISA was enacted in the late 1970s in reaction to a US Supreme Court ruling in 1972 that required a warrant to do surveillance even for national security reasons. The "Church committee" of the US Senate had found widespread abuse of surveillance within the US. It illegally targeted journalists, activists, and others during the 1960s and 1970s. Initially, there were fairly strong provisions against domestic surveillance, but these have been weakened by amendments to FISA over the years.

There are two main powers granted to agencies under FISA: the "business records" and "general acquisition" powers. The business records power allows the government to compel production of any records held by a business as long as it is in furtherance of "foreign intelligence". That has been secretly decided to cover metadata. The general acquisition power allows the government to request (and compels anyone to produce) "any tangible thing" for foreign intelligence purposes.

One of the biggest problems is the secretive way that these laws and powers are interpreted. Because there is a non-adversarial interpretation process (i.e. no one is empowered to argue against the government's interpretation) the most favorable reading is adopted. The request must be "reasonably believed" to be related to foreign intelligence, which has been interpreted to mean a 51% likelihood, for example. Beyond that, the restrictions (such as they are) only apply to US citizens. The safeguards are few and it is unlikely that a foreigner could even take advantage of any that apply.

FISC is required to minimize the gathering and retention of data on US citizens, but the government "self-certifies" that any data is foreign-intelligence-oriented. The general acquisition power allows the government to request "just about anything" with low standards for "reasonable grounds" and "relevance". To challenge any of this surveillance, one must show that they have been actively targeted. With these low standards, the requests made to FISC are rarely turned down; of the 31,000 requests over the last 30 years, eleven have been declined, Galperin said.

The "tl;dr" of her talk is that there is a broad definition of intelligence, and the laws apply to foreigners differently than to US citizens. The fourth amendment to the US Constitution (which covers searches and warrants) may not apply to foreigners, for example. The congressional oversight of FISA is weak and the executive branch (US President and agencies) handles it all secretly so the US people (and everyone else) are in the dark about what is being done. Galperin mentioned a US congresswoman who recently said that everything that has been leaked so far is only "the tip of the iceberg" in terms of these surveillance activities.

What can be done?

A group of foreign non-profits has gathered together to ask the US Congress to protect foreign internet users. They also expressed "grave concern" over sharing the intelligence gathered with other governments including the Netherlands, UK, and others. Human rights include the right to privacy, Galperin said, and standing up for that right is now more important than ever. The US government was caught spying in the 1960s and 1970s, so Congress had a committee look into it and curb some of the abuses; that needs to happen again, she said.

For individuals, "use end-to-end encryption", she said. It is rare that she speaks to a group where she doesn't have to explain that term, but Akademy is one of those audiences. Encryption "does not guarantee privacy", but it makes the NSA's job much harder.

The most useful thing that people in the audience could do is to make tools that are secure—make encryption standard. The EFF is making the same pitch to Silicon Valley companies, but it is counting on free software: "Help us free software, you are our last and only hope". Please build new products, and "save us", she concluded.

[Thanks to KDE e.V. for travel assistance to Bilbao for Akademy.]


*cough* Right To Serve *cough*

Posted Jul 18, 2013 2:35 UTC (Thu) by filteredperception (guest, #5692) [Link] (3 responses)

I think it would help profoundly if the FCC interpreted Network Neutrality as protecting all of our home servers from ISP blocking as well as the servers of the companies listed on the PRISM power point slides. $0.02...
(for more details on the issue the FCC has demanded Google respond to me about on July 29th, just stumble down this bunny trail- http://slashdot.org/comments.pl?sid=3929983&cid=44170993 )

*cough* Right To Serve *cough*

Posted Jul 19, 2013 9:10 UTC (Fri) by drag (guest, #31333) [Link] (2 responses)

> Neutrality as protecting all of our home servers from ISP blocking as well as the servers of the companies listed on the PRISM power point slides. $0.02...

Why the hell would the FCC do that?

The NSA and FCC are just smaller parts of the same larger organization. Effectively they work for one another. The FCC isn't going to do a single thing that will prevent or limit the ability for the government to carry out investigations or monitor the citizens. To even think otherwise is completely laughable.

It's like saying 'I wonder if the Microsoft Office team will help users thwart the WPA to make it easier for users to violate Microsoft's copyright'.

The point of 'Network Neutrality', as others have pointed out from the beginning is to establish direct governmental controls over your connection to the internet. Network Neutrality is just a way that these people are trying to couch it in manner that makes it palatable and even desirable for people like you. It's propaganda and it's a lie. It's just a first step, however.

The specific goal of 'Network Neutrality' is to set up a precedent for internet regulation with the ultimate goal of having the ability to monitor users' activity at the ISP level and to control what corporations are allowed to operate as ISPs for the purposes of political power. Direct control and monitoring of the 'last mile' from the ISP to your house is the only foolproof way to monitor your activities on the internet. Otherwise network traffic is far too easy to obfuscate through a variety of techniques. The government can't legally prosecute you without eliminating the 'plausible deniability' factor. The biggest first step to doing that is having the ability to directly record and analyze the specific traffic coming in and out of your house and criminalize the sharing of internet connections with unregistered users.

I'd rather deal with a hundred companies like Comcast than deal with the Federal government regulating my internet access. The difference is that I can tell Comcast or Cox or whoever to 'go f*k themselves' and refuse to pay them money even if they say that I owe it to them if they piss me off. Worst thing that could possibly happen is I'd have to get DSL or satellite internet or cell phone internet or whatever and get an occasional nastigram from some collections agency. If I try to do that with the feds I go to jail.

*cough* Right To Serve *cough*

Posted Jul 19, 2013 17:19 UTC (Fri) by filteredperception (guest, #5692) [Link]

Wow, good FUD dude. Of course I still blame LWN for not giving my issue more coverage, and better explaining the real pros, cons, and selective interpretations and enforcements going on with Network Neutrality. The key issue relating to NN that makes me favor it, instead of libertarianly opposing it, is Global Human Free Speech. Something your little rant didn't even graze even though you seem to have flailed all over the place with your rant (it's OK, coming from me, that's almost a compliment :)

*cough* Right To Serve *cough*

Posted Jul 19, 2013 20:02 UTC (Fri) by filteredperception (guest, #5692) [Link]

OK, and away down the rabbit hole we go-

"
> Neutrality as protecting all of our home servers from ISP blocking as well as the servers of the companies listed on the PRISM power point slides. $0.02...

Why the hell would the FCC do that?
"

Answer: your gut instinct is 100% right, they completely ignored me for 9 months... until SnowdenCrash.

"
The NSA and FCC are just smaller parts of the same larger organization.
"

Yeah, but they are also composed of lots of individual human beings. With a wide variety of motives, agendas, personalities, etc, etc, etc...

"
Effectively they work for one another.
"

It's turtles all the way down buddy. In some sense you can view Gaia as a living organism. Myself, I assume with the energy and mass of our Sun, that life exists and thrives within it as much or more so than it does in the high energy core of the earth. It's all one large dynamic system. Just because it's all interdependent, doesn't mean the subsets can't be in conflict or have differing motives, agendas, personalities, etc, etc, etc...

"
The FCC isn't going to do a single thing that will prevent or limit the ability for the government to carry out investigations or monitor the citizens.
"

You lost me with "or limit" there. I do believe, now that I've beaten them over the head for 9 months with a 53 page manifesto and more, that they might see that the limitations on authoritarian internet architecture that I advise, are worth fighting for, given the big picture. Again, they most certainly did not see this, or take any action, prior to SnowdenCrash. Now they seem to have taken some action. It could be distraction, and a strategy to do nothing about my complaint in the long run, but, for 10 more days, I get to have hope.

"
To even think otherwise is completely laughable.
"

Ad hominem much? (I'm no hypocrite, I hope anybody who sees me do it calls me out on that particular information warfare tactic)

"
It's like saying 'I wonder if the Microsoft Office team will help users thwart the WPA to make it easier for users to violate Microsoft's copyright'.
"

Not really. As a government agency allegedly "serving" the democratic will of the people instead of "the increase of shareholder value", the FCC is perhaps exposed to different influences. Perhaps those that value Global Human Free Speech, more than the crucifixion of pirates.

"
The point of 'Network Neutrality', as others have pointed out from the beginning is to establish direct governmental controls over your connection to the internet.
"

That is apparently your view. Another view is that... The point of 'Network Neutrality', as the FCC in 10-201 themselves has pointed out, is to establish direct governmental controls over *the entire internet* (ftfy) such that the network operators do not become the gatekeepers limiting Global Human Free Speech, or becoming the shapers of the internet services and devices marketplace.

"
Network Neutrality is just a way that these people are trying to couch it in manner that makes it palatable and even desirable for people like you.
"

I'm paranoid enough to wonder if that might be true. But politically and strategically, I think my best bet for now is to assume better intentions on their part than that. And by my own threat estimate, I do believe currently in the better intentions theory than yours. Though I do believe plenty of people with intentions as negative as you portrayed do pervade positions of power in our (and probably all) governments.

"
It's propaganda and it's a lie. It's just a first step, however.
"

If that is true, they've done a pretty good job. But I don't think it's true (certainly not like you suggest)

"
The specific goal of 'Network Neutrality' is to set up a precedent for internet regulation with the ultimate goal of having the ability to monitor users' activity at the ISP level and to control what corporations are allowed to operate as ISPs for the purposes of political power. ... (rest of your comment is reasonable support for this point)
"

OK, this is highly inflammatory, but I do start to get your point, and I think I have come up with a hypothetical scenario that can better express your point to others like myself that wouldn't otherwise see it at first glance based on what you said...

So the pathological example of the libertarian freedom you want for your residential internet, applied to a hypothetical pedophilia conspiracy, is this-

Imagine a group of religious zealots living in some county in the U.S. more or less centered on a population density minima, to minimize their exposure to and pressure against radically differing surrounding society. Suppose they believe in selling 10 year old daughters to neighbors as child-brides in exchange for business deals and whatnot. Say they think it's ok to keep these kids tied up in the basement, ala 'the gimp' of the Quentin Tarantino film "Pulp Fiction". Say they even entertain themselves with the exchange of video of these child slaves over the internet, both to nearby local endpoints, and to a network of sympathetic cells/churches around the world. So given that gedanken situation, you would rather have the gubernment prevented from using metadata analysis as part of dismantling that network. Because you probably believe that protecting anonymous speech is the only way a democracy can actually preserve liberty and free speech generally. Actually I think we've just overcomplicated what I think was actually a much simpler issue of my complaint- I.e. putting residential server hosters on parity WRT NN protections to Microsquish and Oodle. But if enough people agree with you, and the world is dead set against grassroots residential server operator competitors to the established(ly corrupted) big cloud players, then so be it.

Distraction

Posted Jul 18, 2013 3:47 UTC (Thu) by ncm (guest, #165) [Link] (2 responses)

We can derive wry amusement from various US agencies' repetitive insistence that PRISM etc. log only call metadata and not "what was said". What they don't say is that NSA already log "what was said" directly off the fiber, and they only need Verizon's metadata to discover who said it. What makes it amusing is that to collect "what was said", they use a (lower-case) prism to split each fiber's light beam into two.

As a general rule, when a wide variety of unelected officials and their various press and elected mouthpieces repeat an assertion ad nauseam, it might or might not be technically accurate, but its purpose is always to distract our attention from a truth that, come to light, is much, much worse.

The overarching truth in this case is that whatever use surveillance may have for foiling nefarious plots, its chief value, everywhere and always, is in support of extortion. It's the basic currency of corruption. Extortion can force court judgments, congressional votes, cabinet and judicial appointments, bid selections, and resignations from elected office. Any discussion of pervasive surveillance that doesn't mention extortion is another distraction.

extortion isn't the only misuse

Posted Jul 18, 2013 10:26 UTC (Thu) by copsewood (subscriber, #199) [Link] (1 responses)

Extortion isn't needed for wiretapped data to be misused and this misuse to have damaging effects. Any non UK business surveilled by GCHQ will want to know whether data collected is made available to UK based competitors for example, but if it is misused to give unfair advantage, the disadvantaged party is likely never to know. UK citizens and businesses can now attempt to challenge data protection standards in the US in our courts to prevent US contractors taking on UK business which could involve loss of data protection rights and so on. This is all very corrosive to competition across borders.

chief use

Posted Jul 18, 2013 20:08 UTC (Thu) by ncm (guest, #165) [Link]

It is true that interception enables unfair commercial advantage for those who have access to the results. We have documentary evidence of France and the US using their apparatus in precisely this way. It's easy to find arguments that any government that can do so, should, to "help its people compete". Once such access exists -- and it is even more useful against less well-connected domestic competition -- offering it amounts to bribery, and threatening to withhold it is (again) extortion.

I say "use", not "misuse", because the latter assumes what has not been established.

Human rights, not civil rights.

Posted Jul 18, 2013 11:22 UTC (Thu) by k3ninho (subscriber, #50375) [Link] (3 responses)

It seems self-evident to me that it's time for the topic to change from Civil Rights to Human Rights in the USA.

K3n.

Human rights, not civil rights.

Posted Jul 19, 2013 9:20 UTC (Fri) by drag (guest, #31333) [Link] (2 responses)

The only real topic that is valid is 'How do the USA citizens get rid of the USA government'.

These people are dangerous and operate in secret. They operate without controls and oversight and not only does the USA president and Congress fully support these activities, they depend on groups like the CIA and NSA to maintain political power. All through the 50's, 60's, etc etc... through this current day they use these agencies for political and economic purpose both domestic and abroad.

I don't really see the point in pissing and moaning about civil rights or human rights or any such thing when the people you are trying to depend on to protect those rights are the biggest, best funded, most powerful, done the most damage, and have the most to gain from working to undermine them.

The wolves are waiting

Posted Jul 19, 2013 14:32 UTC (Fri) by man_ls (guest, #15091) [Link]

Because... we want to have fair governments? Not wanting to delve into your libertarian delusions too much, you can ask yourself the best way to achieve freedom and justice. Too many people put emphasis on the former but disregard the latter, which makes little sense; I guess they are not too fond of Socrates and Plato.

Human rights, not civil rights.

Posted Jul 21, 2013 21:01 UTC (Sun) by nix (subscriber, #2304) [Link]

> The only real topic that is valid is 'How do the USA citizens get rid of the USA government'.

Thomas Hobbes identified the flaw in your reasoning centuries ago. You can, indeed, get rid of the government. In exchange, you can expect substantial violence. Personally, I prefer governmental authority to a violent free-for-all.

Strong government, particularly responsive government that individuals trust to some degree, has always served and likely always will serve to reduce intrapersonal violence. (Responsive governments also tend to use minimal force against their own citizens themselves: the ideal situation.)

Your end-state no-government civilization will be stable only in a situation in which there are no bad actors and all people are saints. In practice, it will decay almost immediately into warlordism and then, likely, authoritarian dictatorship. (This is exactly the same failure mode as communism as implemented in Russia in the 1910s, for much the same reason: both assume that bad actors are nonexistent or that coping strategies against them need not be considered. Classical communism believes that bad actors are simply nonexistent: your fantasy assumes that all bad actors are concentrated exclusively in government, that outside of government all is perfect competition in a perfect market, and that if government is eliminated the bad actors will just... disappear or be converted to good actors by the mystic powers of the market. Both positions fly in the face of history.)

NSA surveillance and "foreigners"

Posted Jul 18, 2013 12:42 UTC (Thu) by danpb (subscriber, #4831) [Link]

There's an interesting list of alternative software solutions, a number of which I didn't know about before...

"Opt out of PRISM, the NSA’s global data surveillance program. Stop the
American government from spying on you by encrypting your communications
and ending your reliance on proprietary services"

https://prism-break.org/

Of course there's a problem with social media alternatives, that you'd be switching to something that's basically an empty echo chamber, if none of your friends want to switch. There's certainly plenty more software development work possible and/or required to offer protection against PRISM & similar programs run by other governments.

Pervasive encryption

Posted Jul 18, 2013 15:08 UTC (Thu) by jmorris42 (guest, #2203) [Link] (9 responses)

In light of these recent revelations it is pretty clear why the major commercial software houses have never made encryption standard but what baffles is why every Free/Open package does likewise.

Think about it. Thunderbird, Evolution, Pine, should all have been encouraging encryption for years now. Imagine how that would work.

When you do initial setup it would look for a gpg key and strongly encourage you to create one if it couldn't find one. Then by default it would begin to sign all outbound mail and attempt to locate public keys for any inbound mail with a signature. Once it acquired a key it would default to encrypted transmission to those recipients. Almost entirely transparently, the quantity of encrypted email would rise a couple of percent. Throwing tons of chaff into the NSA's current (almost likely) policy of assuming any encrypted traffic between endpoints[1] is worthy of additional attention.

A week's effort by a couple of developers, at most, would add the capability above to every major Open Source email package. And yet it hasn't happened and won't happen. Only when you understand the implications of that simple statement will you achieve enlightenment.

[1] Note I said endpoints. We are seeing a fair amount of client-server crypto but now we know the feds don't mind that since they are sitting on the server side anyway so can read everything in the clear.

Pervasive encryption

Posted Jul 18, 2013 17:12 UTC (Thu) by filteredperception (guest, #5692) [Link]

"In light of these recent revelations it is pretty clear why the major commercial software houses have never made encryption standard but what baffles is why every Free/Open package does likewise."

I think you have a point here, though I am going to morph it quite a bit for my own agenda. First, the clear reason why the commercial software houses never made encryption standard is only at most half due to the recent revelations. The other half (and more), is because *their* algorithms were happily parsing and mining the plaintext content of everyone's communications so they could make dumptrucks full of money using that to brainwash... er... psychologically target advertising better. So regardless of what the NSA and other organized criminal outfits were doing that has recently been revealed, the existing big players would never go for pervasive encryption that cuts off that revenue supply for them.

Second, it's not baffling (to me) why FOSS alternative solutions have not been developed in the market. My crusade is about establishing a "Right To Serve"[1] for residential ISP end-users. With the routine persecution that residential server operators have faced from their broadband providers, either via actual blocking/throttling, or just chilling language in terms of services, there is no fertile "field of dreams" for developers of home-server based alternatives to, e.g. yahoo mail and gmail, that would obviously include pervasive encryption to thwart both the advertisers, spooks, and mafiosos. If we can establish that free speech on the internet, including the use of cryptography and serving, is a human right, and not a weak privilege granted by the sleazy ISPs and governments, then I think we would see a fertile development environment for FOSS solutions that could give us back a semblance of a chance of privacy against the thugs.

[1] http://slashdot.org/comments.pl?sid=3929983&cid=44170993

Pervasive encryption

Posted Jul 18, 2013 17:12 UTC (Thu) by njwhite (subscriber, #51848) [Link] (6 responses)

I do agree, but pervasive encryption like GPG still leaves plenty of interesting metadata around, which is most interesting for establishing guilt by association, targeting associates, drawing pretty network graphs, and other such things that the spy agencies seem to get great satisfaction from.

Encryption is one thing, but the leaks to me speak more of the inadequacy of anonymity in our tool set. Sending an email that you can be confident is anonymous is much more difficult than sending an encrypted email.

In one of Eben Moglen's talks a few years ago he told an anecdote about a conversation with a NSA guy after the clipper debacle was over, who basically said (paraphrasing a paraphrase) "sure, you can have encryption, it's anonymity that we can't abide."

Pervasive encryption

Posted Jul 18, 2013 17:20 UTC (Thu) by renox (guest, #23785) [Link] (1 responses)

Sure and steganography is a much, much more difficult problem than encryption.

Pervasive encryption

Posted Jul 18, 2013 19:49 UTC (Thu) by filteredperception (guest, #5692) [Link]

in my off the cuff opinion, steganography *is* encryption, just with an emphasis on the obscurity/obfuscation factor. Hell, ultimately most good artwork (all mediums) is really just low bitrate steganography, transmitting to the public what can't be said (or wouldn't be listened to) given the current state of the powers that be.

Pervasive encryption

Posted Jul 18, 2013 18:16 UTC (Thu) by jmorris42 (guest, #2203) [Link]

> I do agree, but pervasive encryption like GPG still leaves plenty of
> interesting metadata around..

True enough. But pervasive encryption of the sort I described is low hanging fruit that by any sensible reasoning should have happened at least a decade ago. Yet there are zero Free/Open Source email clients that implement the nearly frictionless encryption I described. Not even the one in emacs.

When you see something that makes zero sense you are generally safe to assume you don't have all of the facts, and that it would make sense if you had them. Which leads to the next step of trying to guess which facts would best fit the observed data. Someone or something is very quietly but very forcefully suppressing the technology. Since US restrictions on things like libdvdcss and PGP/GPG have had little impact it has to be bigger than the US government.

> Sending an email that you can be confident is anonymous is
> much more difficult than sending an encrypted email.

Actually... that is a pretty trivial problem. Make regular broadcasts to Usenet of on topic (to ensure wide propagation and retention) binary posts into high volume newsgroups with encrypted text included. Good luck figuring out who the 0-n persons in the world who has the right key to read it are.

Pervasive encryption

Posted Jul 18, 2013 20:47 UTC (Thu) by zlynx (guest, #2285) [Link] (2 responses)

To avoid traffic analysis you need to do what some very paranoid people have been doing with remailers since at least 1993.

You set your email system to hold email and send it in batches with randomized multiple remailer envelopes. Each batch is padded to exactly the same size and is sent at the same time interval whether or not you had any actual email to send.

This works much less well with interactive traffic like web browsing but could be done with something like Tor by sending and receiving a continuous bandwidth stream of null packets with real data occasionally inside there.

Another downside to that is of course the waste of network resources.
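The fixed-size, fixed-interval batching described in the comment above, sketched as an added example (not part of the original thread and not code from any remailer project). It uses simulated ticks in place of a real timer and leaves out the encryption and remailer envelopes, which a real setup needs so that padding cannot be told apart from mail; `BATCH_SIZE`, the length-prefix framing and all function names are assumptions.

```python
import os
import struct
from collections import deque

BATCH_SIZE = 1024          # assumed fixed on-the-wire size of every batch (bytes)
HDR = struct.Struct(">I")  # 4-byte length prefix; a zero length marks start of padding

def build_batch(queue, size=BATCH_SIZE):
    """Pop the queued messages that fit, then pad to exactly `size` bytes."""
    out = bytearray()
    while queue:
        msg = queue[0]
        if not msg or 2 * HDR.size + len(msg) > size:
            raise ValueError("message is empty or too large for one batch")
        if len(out) + 2 * HDR.size + len(msg) > size:
            break                       # held back until the next interval
        queue.popleft()
        out += HDR.pack(len(msg)) + msg
    out += HDR.pack(0)                  # terminator, always present
    out += os.urandom(size - len(out))  # random filler up to the fixed size
    return bytes(out)

def unpack_batch(batch):
    """Receiver side: recover the real messages and discard the padding."""
    msgs, off = [], 0
    while True:
        (n,) = HDR.unpack_from(batch, off)
        off += HDR.size
        if n == 0:
            return msgs
        msgs.append(batch[off:off + n])
        off += n

def simulate(arrivals, ticks, size=BATCH_SIZE):
    """arrivals maps tick -> list of messages; one batch leaves on every tick."""
    queue, wire, delivered = deque(), [], []
    for t in range(ticks):
        queue.extend(arrivals.get(t, []))
        batch = build_batch(queue, size)   # sent even when the queue is empty
        wire.append((t, len(batch)))       # what an observer of timing and size sees
        delivered += unpack_batch(batch)
    return wire, delivered

# Constructed sample traffic: quiet ticks, one short mail, then a burst of two.
SAMPLE_ARRIVALS = {0: [b"hello"], 3: [b"a" * 600, b"b" * 600]}

if __name__ == "__main__":
    wire, delivered = simulate(SAMPLE_ARRIVALS, ticks=6)
    print(wire, [len(m) for m in delivered])
```

The second message of the burst is delayed by one tick because it does not fit, which is the latency cost that comes with the bandwidth cost the comment mentions.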

Pervasive encryption

Posted Jul 21, 2013 14:45 UTC (Sun) by mathstuf (subscriber, #69389) [Link] (1 responses)

Do you have any pointers to software and/or examples for making a setup which does this?

Pervasive encryption

Posted Jul 21, 2013 20:14 UTC (Sun) by njwhite (subscriber, #51848) [Link]

In general you want to read up on remailers: https://en.wikipedia.org/wiki/Remailer
http://crypto.is/blog/what_is_a_remailer

IIRC the dummy traffic stuff is only present in the mixminion remailer setup: https://en.wikipedia.org/wiki/Mixminion

It isn't something I've done much with except play around, but that should give you some fun reading material.

Pervasive encryption & secure social desktop

Posted Jul 28, 2013 10:47 UTC (Sun) by kragil (guest, #34373) [Link]

Keys for email are a good start.

But nowadays people want their computer communication to be a lot more featureful than just email.

I pitched the idea of a social desktop, that provides mail, chat, file transfer, forums and maybe even a wall to post to. Retroshare.sf.net is really close and I tried to have KDE take a look http://forum.kde.org/viewtopic.php?f=83&t=62450 (because they are also Qt based like retroshare), but in 2009 it didn't go anywhere.

Desktops from 2008 to 2013 were chasing mobile dreams predominantly; freedom, privacy, anonymity and encryption, which should be the de facto differentiators for a free desktop, were not interesting.

Maybe the NSA made things change ..

OT: Free software should give "privacy by default"

Posted Jul 18, 2013 17:35 UTC (Thu) by debacle (subscriber, #7114) [Link] (2 responses)

Free software could make a difference. Why not attract users with "privacy by default"?

E.g. Debian's Iceweasel has the so-called "safe-browsing" activated, which, AFAIK, sends all URLs I type into my browser, copies to Google, Mozilla or whoever. Such kind of behaviour should be opt-in.

Some music players send information about every song you are listening to, to Amazon, just to grab "album art". Nice feature, but again, it should be opt-in.

With more awareness for privacy on the side of free software programmers and distributors such as Debian, more users could be attracted.

OT: Free software should give "privacy by default"

Posted Jul 18, 2013 21:02 UTC (Thu) by anselm (subscriber, #2796) [Link] (1 responses)

> E.g. Debian's Iceweasel has the so-called "safe-browsing" activated, which, AFAIK, sends all URLs I type into my browser, copies to Google, Mozilla or whoever.

AFAIK the safe-browsing feature does not send URLs elsewhere. It hashes them and checks the hashes against a local database which is refreshed every so often.

OT: Free software should give "privacy by default"

Posted Jul 18, 2013 23:57 UTC (Thu) by debacle (subscriber, #7114) [Link]

> AFAIK the safe-browsing feature does not send URLs elsewhere. It hashes them and checks the hashes against a local database which is refreshed every so often.

Thanks for explaining this! Maybe I confused the different APIs and services: There seems to be one Google API, that supports a local hashes cache and another API ("lookup") which is not so privacy-friendly. Maybe the second one is related to the "Enhanced Protection Feature"?

(Anyway, both mechanisms are a good thing to have, as they might help to fight phishing and malware.)

End to End Encryption doesn't protect the "metadata"

Posted Jul 19, 2013 23:28 UTC (Fri) by dlang (guest, #313) [Link] (3 responses)

End to End Encryption only protects the contents of the message, which the NSA claims they aren't gathering anyway (how much you believe that is up to you, but from a simple practical point of view, duplicating all that data and sending it somewhere to be stored would be insanely expensive in bandwidth and storage).

The "metadata" cannot be encrypted, because it's needed for the connection to work.

End to End Encryption doesn't protect the "metadata"

Posted Jul 20, 2013 6:46 UTC (Sat) by filteredperception (guest, #5692) [Link] (2 responses)

"from a simple practical point of view, duplicating all that data and sending it somewhere to be stored would be insanely expensive in bandwidth and storage"

As far as bandwidth goes, Network Neutrality may help them there the same way it helps Google flood the internet with cookies and advertising without having to pay (purely) bit for bit. As far as storage goes, I recall an LWN or Slashdot commenter doing back of the envelope math on Keith Alexander's budget and coming up with about 2G per person. One can I think safely presume that the kind of mechanism they would use for metadata and/or data would involve a quota/window. And no doubt that window *on average* of 2G per person, would be adjusted based on your gender, race, associations, words you've used in public and private emails, etc. I'm sure most people are boring, and their windows get scaled down to a few megabytes. While a few people are more interesting, and their windows get scaled up to perhaps a terabyte or more ($100+ worth). Personally I'm trying to get the NSA to be my lifelong permanent backup storage. :) (Please people, realize that I only exaggerate and mislead for good purposes. Or rather, I try to, but I'm only human)

End to End Encryption doesn't protect the "metadata"

Posted Jul 20, 2013 7:02 UTC (Sat) by dlang (guest, #313) [Link] (1 responses)

2G per person is a lot for metadata, but if it's trying to store the content of everything, 2G is _very_ little.

End to End Encryption doesn't protect the "metadata"

Posted Jul 20, 2013 17:25 UTC (Sat) by filteredperception (guest, #5692) [Link]

Ok, _today_... (and that's just one of half a dozen somewhat funny and somewhat true and somewhat misleading ways I could have answered. But I genuinely fear if I have too much fun with my answers, I'd be helping my victimizers engineer the next level of their victimization apparatus)


Copyright © 2013, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds
