Tuesday, August 13, 2013

The growing machine of state surveillance

While there has been much furore over the NSA's surveillance of US citizens and those around the world since fugitive Edward Snowden made details about PRISM and other projects public, there is also a sense of pragmatism that such surveillance is perhaps necessary in the wake of 9/11 and the ongoing threat of terrorism.

Internet giant denials

There have of course been denials by major Internet giants concerning the assertion by the Guardian that the NSA, under the umbrella of PRISM, had access to the vast databases belonging to the likes of Google, Facebook and Microsoft.

These companies have denied giving access to the NSA or any other governmental body except in clear cases where a warrant or subpoena is submitted.

Scepticism

In fact since the first reports, published in the Guardian, emerged, there has been some scepticism as to how deeply the NSA can probe into people's online activity.

An article published by The Week suggested the claims were somewhat over-egged. The revelations about the NSA had been published by The Guardian and the Washington Post. However within days the Washington Post had quietly revised the story, backing down from the sensational claims it made originally. The Guardian meanwhile maintained its line that the US government was spying on everyone's online activity.

ZDNet went so far as to insinuate that the stories represented a fall in the standards of proper investigative journalism, with the story published before the facts were clearly established. The story did not start with the PRISM revelations. In February 2013 The Guardian published a story about how defence firm Raytheon had designed software, called Riot, that allowed authorities to track people on social media. Then in early June The Guardian reported that Verizon, one of the United States' largest telecoms companies, had handed over mountains of data to the NSA, having been obliged to do so by a court order.

It went on to publish an 18-page dossier outlining President Obama's order to draw up a list of cyber targets. And following the PRISM allegations the paper asserted that the United Kingdom was also complicit in storing, analysing and collecting data [Guardian]. Cyber tracking is nothing new. In 2011 German politician Malte Spitz made public his findings that Deutsche Telekom was gathering and storing data from his mobile phone, logging his whereabouts, text messages sent and phone calls made. His findings were published online by Zeit with an informative interactive map, though at the time the story gained little attention [NY Times].

Damage control

While the Washington Post toned down its articles, the US government and its politicians were engaged in a process of damage control. Libertarians, and those in defence of free speech, felt they were being dragged further into a police state.

However, politicians insisted that the reports were highly exaggerated. Representative Mike Rogers (R-Mich.), chairman of the House Intelligence Committee, said that Snowden and Greenwald had no idea what they were talking about [YouTube].

PRISM merely a GUI

From some people's assessment, PRISM was no more than a graphic indicating how data is cross checked and analysed, and made no indication that it had 'back-door access'.

"PRISM is a kick-ass GUI [graphical user interface] that allows an analyst to look at, collate, monitor, and cross-check different data types provided to the NSA from internet companies located inside the United States," Marc Ambinder at The Week said. The data is stored on US servers, but "a lot of foreign intelligence runs through American companies and American servers."

Targeting individuals

Under the FISA Amendments Act of 2008, the NSA and the attorney general can apply for an order allowing them to access some of the material that a company such as Facebook stores on its servers. Such an order could apply to all Facebook accounts opened up in Abbottabad, Pakistan. These accounts are being updated in real-time and Facebook may be obliged to create a mirror of this data that only the NSA can access. The selected/court-ordered accounts would thus be updated in real-time on both the Facebook server and the mirrored server. PRISM is the tool that puts this all together. Facebook would have no idea what the NSA is doing with the data, and the NSA would not inform them. Similar situations might apply to other companies such as Microsoft, which also has Skype in its portfolio, Google, and others.

But selective monitoring of certain accounts is a far cry from the monitoring of every Facebook, GMail and Skype account. Indeed to monitor and sift through such large amounts of data would be cumbersome to the point of impossibility. To suggest as much would be like putting individuals under constant surveillance with an undercover policeman following them and monitoring their every move. Such surveillance does indeed happen, but it is targeted, and initiated after receiving other intelligence such as tip-offs [Daily Banter].

Much of what PRISM and other surveillance technologies applied by the NSA and other bodies do is almost certainly automated. Data from targeted accounts will be sifted through by computer programs, looking for patterns and key words. And while technology has certainly advanced, it is a far easier job to sift through a series of targeted accounts than to wade through millions of accounts belonging to ordinary, and likely law-abiding, citizens.

Fears of a Police State

Of course, this should not distract from the fact that the state, be it the United States government or others in the west, may possibly be spying on many innocent citizens. The US and western countries are hardly police states, but one should nonetheless be on guard for any shift away from an accountable democracy.

What is more disquieting is the fact that many countries' citizens are under far greater surveillance. In Iran, China, Russia and North Korea, the state monitors or obliges companies to monitor Internet and telecommunications traffic. This is less to do with keeping the country safe than it is to do with keeping its citizens in line.

Foreign monitoring

For an average westerner, it has been of little concern that China, for example, monitors its citizens' online activity, telephone calls and other movements. But the situation is changing with the advent of VoIP [Voice over Internet Protocol] and other Internet-based communications.

While many social networks are blocked in China, there are other methods through which those outside the country can communicate with those living inside. Weixin, better known as WeChat, has become increasingly popular, not just amongst the Chinese but also among those outside China's borders.

WeChat is a cross-platform application somewhat similar to WhatsApp, whereby users join by registering their mobile phone number, connect to other people and send messages, pictures and even voice recordings for free, given they have an available Internet connection.

But herein lies the catch. Every Internet company in China, both foreign and domestic, is held legally liable for all content shared through their various platforms, as are telecom operators, on grounds related to guarding state secrets [CECC].

Censorship & data mining

As such Tencent does and must censor WeChat messages shared within China. It claims rules are different for content exchanged outside of China. But in January, reports indicated certain Chinese characters in WeChat's international messages were being censored, too. Within 24 hours, the company put out a statement that the "glitch" was being resolved, but the news highlighted the problems associated with using an app created and run by a company constrained by a totalitarian dictatorship [BBC / Tech in Asia / Tech President / Motherboard / RNW].

The prospect of a foreigner's data "being processed and monitored on China-based servers," as PandoDaily put it, could be rather unappetizing to many.

"The Chinese government could in theory gain access to anything stored on a server in China," says Jeremy Goldkorn, founder and director of Danwei, a research firm that tracks Chinese media and Internet. "Furthermore, the Chinese government could in theory apply pressure on a company whose major operations and revenue are in China to hand over data stored outside China."

With WeChat facilitating the linking up of Facebook accounts and the scanning of address books in order to check for others using WeChat and provide suggestions of other users, this is particularly unnerving.

Risks

One could theoretically find oneself barred from visiting China because data collected by such means could be cross-referenced with other information provided on a visa application. A post on WeChat about the Dalai Lama, Falun Gong or other sensitive subject may or may not be deleted for a western user, but would nonetheless be stored. Even if using a pseudonym, WeChat might have a list of that user's contacts, their Facebook name and other details as well as their mobile phone number. One is of course obliged to provide a phone number when applying for a visa, and perhaps an email address. These could easily be entered into a database whereby the Chinese state could swiftly make a decision as to whether the individual applying should be allowed to visit.

This is of course pure speculation. There are, as yet, no recorded or substantiated cases to show that such methods are being employed to vet visa applications. But historically China has proved that it is capable of using its powers to subpoena information in order to target and apprehend undesirables. In 2006, Yahoo, an American company, came under fire for handing over data to the Chinese government, which resulted in the jailing of several dissidents.

Yahoo!, as well as other search engines, had cooperated with the Chinese government in censoring search results. In April 2005, dissident Shi Tao was sentenced to 10 years in prison for "providing state secrets to foreign entities" as a result of being identified by IP address by Yahoo! The extent of Yahoo!'s foreknowledge of Shi's fate was disputed by the company's General Counsel and human rights organizations. Human rights groups also accused Yahoo! of aiding authorities in the arrest of dissidents Li Zhi and Jiang Lijun.

In September 2003, dissident Wang Xiaoning was convicted of charges of "incitement to subvert state power" and was sentenced to ten years in prison. Yahoo! Hong Kong connected Wang's group to a specific Yahoo! e-mail address. Both Xiaoning's wife and the World Organization for Human Rights sued Yahoo! under human rights laws on behalf of Wang and Shi [Wikipedia].

Skype surveillance

It is not just WeChat that has the potential to hand over foreigners' data. Users of Skype in China have long been monitored, as Skype tracks politically sensitive text messages on its Chinese videophone and texting service, known as TOM-Skype, a joint venture formed in 2005 with majority owner TOM Online, a Chinese wireless Internet company.

Any attempt to access the international Skype web address in China results in the user being redirected to the TOM-Skype page. As such it is virtually impossible for Internet users in China to download a clean unmonitored version of Skype.

All well and good, except that any foreign user calling or receiving a call from one based in China runs the risk of being monitored by the Chinese state too. While address books might not be accessed, the Chinese authorities could nonetheless compile any written conversations between users as well as creating a log of parties who communicate with each other. With Microsoft having tied its new Outlook mail service into Skype, and also having to play ball with the Chinese government should information be requested, the risks to those using such programs could be significant [Greatfire.org].

Differing risks

For non-Chinese citizens the risk is perhaps less, though one could, as suggested, find oneself under greater scrutiny and even banned from entering China. The risk to Chinese citizens is of course much greater.

Tencent, the makers of WeChat, and Microsoft and its Skype offering, might have more to worry about concerning their complicity in Chinese state surveillance than Google, Facebook and others do concerning the possibly spurious links to NSA surveillance.

State surveillance is no doubt increasing. Mobile phones can be tracked through GPS or GSM triangulation, though they can of course be switched off. Text messages and call logs can be stored and the data handed to governments. Internet usage can be monitored, with IP addresses stored and the data made available to authorities. And as discussed there are programs which can monitor social network activity. Only this week there were reports that there would be greater monitoring of Internet and telecoms traffic in Thailand, an indication that surveillance is not just something conducted by the big players [Tech in Asia].

But being monitored by a democratic state, in order to protect its citizens from a terror attack, is one thing. Being monitored by a one-party dictatorship which is calling for a return to Maoist principles is another [SCMP / India Today / LA Times / Workers.org]. The real threat comes when states become less democratic, and laws are tightened such that what was once a misdemeanour becomes a capital offence. With the machine of state surveillance already in place, escaping from the law might prove less easy.

tvnewswatch, Kunming, Yunnan, China
