Showing posts with label spying. Show all posts

26 July 2014

European Court Of Human Rights Fast-tracks Case Against GCHQ; More Organizations Launch Legal Challenges To UK Spying

Back in December, we wrote about a legal action that a group of digital rights activists had brought against GCHQ, alleging that the UK's mass online surveillance programs have breached the privacy of tens of millions of people across the UK and Europe. In an unexpected turn of events, the court involved -- the European Court of Human Rights -- has put the case in the fast lane

On Techdirt.

02 February 2014

Interview: Eben Moglen - "surveillance becomes the hidden service wrapped inside everything"

(This was originally published in The H Open in March 2010.)

Free software has won: practically all of the biggest and most exciting Web companies like Google, Facebook and Twitter run on it.  But it is also in danger of losing, because those same services now represent a huge threat to our freedom as a result of the vast stores of information they hold about us, and the in-depth surveillance that implies.

Better than almost anyone, Eben Moglen knows what's at stake.  He was General Counsel of the Free Software Foundation for 13 years, and helped draft several versions of the GNU GPL.  As well as being Professor of Law at Columbia Law School, he is the Founding Director of Software Freedom Law Center.  And he has an ambitious plan to save us from those seductive but freedom-threatening Web service companies.  He explained what the problem is, and how we can fix it.

GM: So what's the threat you are trying to deal with?

EM:  We have a kind of social dilemma which comes from architectural creep.  We had an Internet that was designed around the notion of peerage -  machines with no hierarchical relationship to one another, and no guarantee about their internal architectures or behaviours, communicating through a series of rules which allowed disparate, heterogeneous networks to be networked together around the assumption that everybody's equal. 

In the Web the social harm done by the client-server model arises from the fact that logs of Web servers become the trails left by all of the activities of human beings, and the logs can be centralised in servers under hierarchical control.  Web logs become power.  With the exception of search, which is a service that nobody knows how to decentralise efficiently, most of these services do not actually rely upon a hierarchical model.  They really rely upon the Web - that is, the non-hierarchical peerage model created by Tim Berners-Lee, and which is now the dominant data structure in our world.

The services are centralised for commercial purposes.  The power that the Web log holds is monetisable, because it provides a form of surveillance which is attractive to both commercial and governmental social control.  So the Web with services equipped in a basically client-server architecture becomes a device for surveilling as well as providing additional services.  And surveillance becomes the hidden service wrapped inside everything we get for free.

The cloud is a vernacular name which we give to a significant improvement in the server-side of the web side - the server, decentralised.  It becomes instead of a lump of iron a digital appliance which can be running anywhere.  This means that for all practical purposes servers cease to be subject to significant legal control.  They no longer operate in a policy-directed manner, because they are no longer iron subject to territorial orientation of law. In a world of virtualised service provision, the server which provides the service, and therefore the log which is the result of the hidden service of surveillance, can be projected into any domain at any moment and can be stripped of any legal obligation pretty much equally freely.

This is a pessimal result.

GM:  Was perhaps another major factor in this the commercialisation of the Internet, which saw power being vested in a company that provided services to the consumer?

EM:  That's exactly right.  Capitalism also has its architectural Bauplan, which it is reluctant to abandon.  In fact, much of what the network is doing to capitalism is forcing it to reconsider its Bauplan via a social process which we call by the crappy name of disintermediation.  Which is really a description of the Net forcing capitalism to change the way it takes.  But there's lots of resistance to that, and what's interesting to all of us I suspect, as we watch the rise of Google to pre-eminence, is the ways in which Google does and does not - and it both does and does not - wind up behaving rather like Microsoft in the course of growing up.  There are sort of gravitational propositions that arise when you're the largest organism in an ecosystem. 

GM:  Do you think free software has been a little slow to address the problems you describe?

EM:  Yes, I think that's correct.  I think it is conceptually difficult, and it is to a large degree difficult because we are having generational change.  After a talk [I gave recently], a young woman came up to me and she said: I'm 23 years old, and none of my friends care about privacy.  And that's another important thing, right?, because we make software now using the brains and hands and energies of people who are growing up in a world which has been already affected by all of this.  Richard or I can sound rather old-fashioned.

GM:  So what's the solution you are proposing?

EM:  If we had a real intellectually-defensible taxonomy of services, we would recognise that a number of the services which are currently highly centralised, and which count for a lot of the surveillance built in to the society that we are moving towards, are services which do not require centralisation in order to be technologically deliverable.  They are really the Web repackaged. 

Social networking applications are the most crucial.  They rely in their basic metaphors of operation on a bilateral relationship called friendship, and its multilateral consequences.  And they are eminently modelled by the existing structures of the Web itself. Facebook is free Web hosting with some PHP doodads and APIs, and spying free inside all the time - not actually a deal we can't do better than. 

My proposal is this: if we could disaggregate the logs, while providing the people all of the same features, we would have a Pareto-superior outcome.  Everybody - well, except Mr Zuckerberg - would be better off, and nobody would be worse off.  And we can do that using existing stuff.

The most attractive hardware is the ultra-small, ARM-based, plug it into the wall, wall-wart server, the SheevaPlug.  An object can be sold to people at a very low one-time price, and brought home and plugged into an electrical outlet and plugged into a wall jack for the Ethernet, or whatever is there, and you're done.  It comes up, it gets configured through your Web browser on whatever machine you want to have in the apartment with it, and it goes and fetches all your social networking data from all the social networking applications, closing all your accounts.  It backs itself up in an encrypted way to your friends' plugs, so that everybody is secure in the way that would be best for them, by having their friends holding the secure version of their data.

And it begins to do all the things that we assume we need in a social networking appliance.  It's the feed, it maintains the wall your friends write on - it does everything that provides feature compatibility with what you're used to. 

But the log is in your apartment, and in my society at least, we still have some vestigial rules about getting into your house: if people want to check the logs they have to get a search warrant. In fact, in every society, a person's home is about as sacred as it gets.

And so, basically, what I am proposing is that we build a social networking stack based around the existing free software we have, which is pretty much the same existing free software the server-side social networking stacks are built on; and we provide ourselves with an appliance which contains a free distribution everybody can make as much of as they want, and cheap hardware of a type which is going to take over the world whether we do it or we don't, because it's so attractive a form factor and function, at the price. 

We take those two elements, we put them together, and we also provide some other things which are very good for the world.  Like automatically VPNing everybody's little home network place with my laptop wherever I am, which provides me with encrypted proxies so my web searching, wherever I am, is not going to be spied on.  It means that we have a zillion computers available to the people who live in China and other places where there's bad behaviour.  So we can massively increase the availability of free browsing to other people in the world.  If we want to offer people the option to run onion routeing, that's where we'll put it, so that there will be a credible possibility that people will actually be able to get decent performance on onion routeing networks.

And we will of course provide convenient encrypted email for people - including putting their email not in a Google box, but in their house, where it is encrypted, backed up to all their friends and other stuff.  Where in the long purpose of time we can begin to return email to a condition - if not being a private mode of communication - at least not being postcards to the secret police every day.

So we would also be striking a blow for electronic civil liberties in a way that is important, which is very difficult to conceive of doing in a non-technical way.

GM:  How will you organise and finance such a project, and who will undertake it?

EM:  Do we need money? Yeah, but tiny amounts.  Do we need organisation? Yes, but it could be self-organisation.  Am I going to talk about this at DEF CON this summer, at Columbia University? Yes.  Could Mr Shuttleworth do it if he wanted to? Yes.  It's not going to be done with clicking heels together, it's going to be done the way we do stuff: somebody's going to begin by reeling off a Debian stack or Ubuntu stack or, for all I know, some other stack, and beginning to write some configuration code and some glue and a bunch of Python to hold it all together. From a quasi-capitalist point of view I don't think this is an unmarketable product.  In fact, this is the flagship product, and we ought to all put just a little pro bono time into it until it's done.

GM:  How are you going to overcome the massive network effects that make it hard to persuade people to swap to a new service?

EM:  This is why the continual determination to provide social networking interoperability is so important. 

For the moment, my guess is that while we go about this job, it's going to remain quite obscure for quite a while.  People will discover that they are being given social network portability.  [The social network companies] undermine their own network effect because everybody wants to get ahead of Mr Zuckerberg before his IPO.  And as they do that they will be helping us, because they will be making it easier and easier to do what our box has to do, which is to come online for you, and go and collect all your data and keep all your friends, and do everything that they should have done.

So part of how we're going to get people to use it and undermine the network effect, is that way.  Part of it is, it's cool; part of it is, there are people who want no spying inside; part of it is, there are people who want to do something about the Great Firewall of China but don't know how.  In other words, my guess is that it's going to move in niches just as some other things do.

GM:  With mobile taking off in developing countries, might it not be better to look at handsets to provide these services?

EM:  In the long run there are two places where we can conceivably put your identity: one is where you live, and the other is in your pocket.  And a stack that doesn't deal with both of those is probably not a fully adequate stack.

The thing I want to say directed to your point “why don't we put our identity server in our cellphone?”, is that our cellphones are very vulnerable.  In most parts of the world, you stop a guy on the street, you arrest him on a trumped-up charge of any kind, you get him back to the station house, you clone his phone, you hand it back to him, you've owned him.

When we fully commoditise that [mobile] technology, then we can begin to do the reverse of what the network operators are doing.  The network operators around the world are basically trying to eat the Internet, and excrete proprietary networking.  The network operators have to play the reverse if telephony technology becomes free.  We can eat proprietary networks and excrete the public Internet.  And if we do that then the power game begins to be more interesting.

23 November 2013

More NSA Spying Fallout: Brazilian President Snubs Obama Invitation, May Trigger Internet Balkanization

A couple of weeks ago, Techdirt noted that the Brazilian President, Dilma Rousseff, was angry that the NSA had been reading her private emails and text messages, and that as a result she was contemplating cancelling an imminent high-profile state visit to the US. That was before the recent revelations that the NSA had also engaged in industrial espionage at the biggest Brazilian company, Petrobras, which seems to have been the final straw: Rousseff has now formally "postponed" her trip to the US, according to the Brazilian news site O Globo (original in Portuguese.) 

On Techdirt.

26 October 2013

German Minister Calls Security A 'Super Fundamental Right' That Outranks Privacy; German Press Call Him 'Idiot In Charge'

One of the striking features of the Snowden story is that there has been no serious attempt to deny the main claims about massive, global spying. Instead, the fall-back position has become: well, yeah, maybe we did some of that, but look how many lives were saved as a result. For example, the day after the first leaks appeared, it was suggested that PRISM was responsible for stopping a plot to bomb the NYC subways. However, further investigation showed that probably wasn't the case. 

On Techdirt.

Controversial EU Data Protection Regulation May Be Negotiated In Secret In Breach Of Parliamentary Process

Today, the European Parliament held a three-hour long debate on PRISM, Tempora and what the EU response should be. Many wanted TAFTA/TTIP put on hold; others didn't. But one theme cropped up again and again: the need for strong data protection laws that would offer at least some legal protection against massive and unregulated transfer of Europeans' personal data to the US. 

On Techdirt.

Bolivian President's Jet Rerouted On Suspicions Snowden Could Be On Board; Multi-Country Outrage Ensues

The Snowden saga continues to deliver surprising twists and turns that may well have important geopolitical knock-on effects. The latest involves the President of Bolivia, Evo Morales, whose country is rumored to be willing to offer political asylum to Snowden. Here's what happened, as reported by The Guardian: 

On Techdirt.

Clear Thinking Needed in a Cloudy World

Last week I wrote about the perils of using proprietary software, where companies regularly hand over zero-day vulnerabilities to the US authorities who then go on to use them to break into foreign systems (and maybe domestic ones, too, but they're not owning up to that, yet....). Of course, cloud-based solutions are even worse, as we've known for some time. There, you are handing over all your data to the keeping of a company that may be on the receiving end of a secret US government order to pass it on to them - perhaps with necessary encryption keys too.

On Open Enterprise blog.

19 September 2013

Clueless Spanish Politicians Want To Join The Government Malware Club

As we've noted before, when it comes to the Internet, governments around the world have an unfortunate habit of copying each other's worst ideas. Thus the punitive three-strikes approach based on accusations, not proof, was pioneered by France, and then spread to the UK, South Korea, New Zealand and finally the US (where, naturally, it became the bigger and better "six strikes" scheme). France appears to be about to abandon this unworkable and ineffective approach, leaving other countries to deal with all the problems it has since discovered. 

On Techdirt.

Germany's Spies Have NSA Envy: Currently Working To Build Their Own Comprehensive Snooping System

One unfortunate knock-on effect of the revelations about the extent of NSA information gathering seems to be that the spies in other countries are starting to feel under-informed by comparison. Of course, many of them already knew about what was going on: in addition to the British and the Dutch, there are now reports that Germany was also kept informed at the highest levels (original in German.) That would probably explain the revelation by the news magazine Der Spiegel that Germany has been trying to beef up its own snooping capabilities for a while

On Techdirt.

GCHQ Revelations Destroy Case for Snooper's Charter

So the revelations from Edward Snowden keep on coming, exposing ever-more profound attacks on privacy and democracy in the UK and elsewhere. News that GCHQ is essentially downloading, storing and searching through the entire flow of Internet traffic that comes into and goes out of the UK without any specific warrant to do so is one side of that. That seems to be taking place through an extremely generous interpretation of the out-of-date RIPA law that is supposed to bring some level of accountability to just this sort of thing. The fact that it doesn't shows that we must reform RIPA and make it fit for the Internet age.

On Open Enterprise blog.

How Can Any Company Ever Trust Microsoft Again?

Irrespective of the details of the current revelations about US spying being provided by Edward Snowden in the Guardian, there is already a huge collateral benefit. On the one hand, the US government is falling over itself to deny some of the allegations by offering its own version of the story. That for the first time gives us official details about programmes that before we only knew through leaks and rumours, if at all. Moreover, the unseemly haste and constantly-shifting story from the US authorities is confirmation, if anyone still needed it, that what Snowden is revealing is important - you don't kick up such a fuss over nothing.

On Open Enterprise blog.

How Does Prism Change the Way We See Things?

The extraordinary revelations about the NSA's global spying programme Prism have only just started - was it really just last Thursday that things began? So it would be extremely rash to attempt any kind of definitive statement about what is going on. But that doesn't preclude a few preliminary comments, as well as initial thoughts on what action those of us in Europe might take in response.
 
On Open Enterprise blog.

Do Dutch Spies Also Have Access To PRISM's Data? And If So, Who Else Does?

In the wake of the leaks about NSA's spying activities around the world, one of the interesting subsidiary questions is: who else had access to this stuff? We know that the UK did, and now there are indications the Dutch did as well, according to this report on DutchNews.nl: 

On Techdirt.

NSA Spying Revelations Start To Cause Outrage In Europe; China Next?

News that the NSA has unfettered access to most of the leading Internet services inevitably has an international dimension. After all, Microsoft, Yahoo!, Google and the rest of the Naughty Nine all operate around the world, so spying on their users means spying on people everywhere. Indeed, as Mike explained earlier today, the NSA is actually trying to quell criticism by selling this news as something that purely concerns non-Americans (although that's clearly rubbish.) 

On Techdirt.

18 September 2013

Kiwis Want To Spy On All Communications, VPNs, And Be Able To Use Secret Evidence Against You

Although New Zealand's decision not to allow patents for programs "as such" was welcome, other moves there have been more problematic. For example, after it became clear that the New Zealand intelligence service, the Government Communications Security Bureau (GCSB), illegally wiretapped and spied on Kim Dotcom, the New Zealand government announced that it would change the law so as to make it legal in the future to snoop on New Zealanders as well as on foreigners. Judging by a major new bill that has been unveiled, that was just the start of a thoroughgoing plan to put in place the capability to spy on every New Zealander's Internet activity at any moment. Here's an excellent analysis of what the bill proposes, from Thomas Beagle, co-founder of the New Zealand digital rights organization Tech Liberty: 

On Techdirt.

Mozilla Sends Cease And Desist Letter To Commercial Spyware Company For Using Firefox Trademark And Code To Trick Users

Techdirt has written several times about the increasing tendency for governments around the world to turn to malware as a way of spying on people, without really thinking through the risks. One company that is starting to crop up more and more in this context is Gamma International, thanks to its FinFisher suite of spyware products, which includes FinSpy. A recent report by Citizenlab, entitled "For Their Eyes Only: The Commercialization of Digital Spying", has explored this field in some depth. Among its findings is the following: 

On Techdirt.

13 October 2012

Creepy Smartphone Malware Re-creates Your Home For Stalkers

It's become something of a cliché that anyone with a mobile phone is carrying a tracking device that provides detailed information about their location. But things are moving on, as researchers (and probably others as well) explore new ways to subvert increasingly-common smartphones to gain other revealing data about their users. Here's a rather clever use of malware to turn your smartphone into a system for taking clandestine photos -- something we've seen before, of course, in other contexts -- but which then goes even further by stitching them together to form a pretty accurate 3D model of your world: 

On Techdirt.

11 April 2012

Just Because It's Now Cheaper And Easier To Spy On Everyone All The Time, Doesn't Mean Governments Should Do It

Rick Falkvinge has another of his fascinating posts up on his Web site, but this one's slightly different from his usual insights into the dysfunctional nature of copyright and patents. It concerns some little-known (to me, at least) history of how Sweden went from being a beacon of freedom to a country under comprehensive surveillance

On Techdirt.

01 August 2011

Why the UK Cover-up of ISP Spying Proposal?

The documents obtained by FoI requests that I referred to in an earlier post today have proved richer than we expected:

Previously confidential documents detailing Universal Music’s meetings with the former UK government over the Digital Economy Act are revealing a whole lot more than the pair intended. Blacked-out sections now uncovered show that Universal believed that ISPs could spy on their users and hand over information to rightsholders in order for them to sue.

Here's the relevant paragraph that was blacked out in the supplied PDF:

LG: Universal have entered into an arrangement with the Internet Service Provider (ISP) Virgin to target legitimate broadband users with a £10 "all you can eat" offer. There is a commercial risk with this strategy, which could be like "putting a Coca Cola pipe in your house which would then supply the whole street". In return for a fixed fee revenue share Virgin have agreed to anti-piracy measures, including pop-up warnings on screens. As ISPs can monitor the amount of power used by specific users and the sites connected to, it is possible for ISPs to pass on any details to owners of particular rights, who could then get take legal action.

"LG" is Lucian Grainge (CEO, Universal Music Group International).

Now, the idea that he wanted ISPs to spy on users as a matter of course (using Deep Packet Inspection, presumably) is extraordinary, and I'm sure we'll be seeing some interesting legal analyses of that. But I want to consider another question here. By what right did the UK Government try to censor that embarrassing admission?

The FoI covering letter lists various possibilities for such censorship:

Please note that some material has been considered against the following exemptions:

Section 35 (1a) Formulation of government policy
Section 35 (1b) Ministerial communications
Section 40 Personal information
Section 43 Commercial interests

I presume that it was under the last of these that the material was redacted. Looking more closely at the conditions, as explained in the letter:

Section 43 sets out that information is exempted from the right to know if:

The information is a trade secret, or
Release of the information is likely to prejudice the commercial interest of any person (A person may be an individual, a company, the public authority itself, or any other legal entity)

Moreover:

This is a qualified exemption. A public authority can only refuse to provide the information if it believes that the public interest in withholding disclosure, outweighs the public interest in disclosing it.

The public interest in knowing about plans to spy on its Internet connection certainly outweighs the public interest in not disclosing (which is zero).

So is this just another case of the UK Government taking the side of the recording industries again, and to hell with the public and their rights, including the right to know what is happening in meetings with their government?
