
3 Reasons To Hate Mass Surveillance; 3 Ways To Fight It 120

This site's "Your Rights Online" section, sadly, has never suffered for material. The revelations we've seen over the last year-and-change, though, of widespread spying on U.S. citizens, government spying in the E.U. on international conferences, the UK's use of malware against citizens, and the use of modern technology to oppress government protesters in the Middle East and elsewhere show how persistent it is. It's been a banner year on that front, and the banner says "You are being spied on, online and off." A broad coalition of organizations is calling today "The Day We Fight Back" against the growing culture of heads-they-win, tails-you-lose surveillance, but all involved know this is not a one-day struggle. (Read more, below.)
THREE REASONS TO HATE MASS SURVEILLANCE:

1) Because the Internet is nearly everywhere, it means the spying it makes possible has spread to match its footprint. 30 years ago, "on the internet" really was novel, because the public Internet simply wasn't. There were a few big military and academic sites around the world, and the concepts that make today's internet work were already embodied in running systems, but there was little reason for individuals to care about privacy invasion, or having their systems crippled by government malware, because their systems and their privacy weren't at issue. There wasn't a World Wide Web as a portal to nearly every resource online, no "Cloud," and no Blue Coat. Now, not only can individuals get on the internet, but the meaning of that phrase has moved, fast, over the last decade: now, getting on the internet is just a fact of modern life, a banal, automated background fact of the way we stay in touch with friends, deal with bills, find entertainment, get directions, and work. Online surveillance of all the signals we emit and receive (over home internet links, over cellular networks, on landline telephones, even on postcards) might be minimized and waved away as the collection of "mere" metadata, but in reality, if you're reading these words online, and even if you're doing your best to read them anonymously, it means you've almost certainly got a collection of data about you online already.

2) Because "online surveillance" is a slippery slope, and it will only get slipperier. Remember the Clipper chip's hardware-based encryption escrow scheme? Who and how often you email, chat with online, or call on the phone is the tip of the iceberg. Robert Bork didn't like having his video watching habits spied on, and that was before Netflix and competitors made the sorting and stacking of movie-watching habits not only possible but a never-ending exercise in deep data analysis. Maybe you don't care in particular about what the NSA, FBI, or anyone else thinks of your taste in entertainment, but you might prefer them to stay out not only of the information revealed by your current online activity, but also out of whatever things are revealed by future developments. Right now, a relatively small part of the online population uses crypto-currency like Bitcoin; a decade from now, it seems likely to be even more widespread than Netflix is today. Do you want your transactions to be public record, or even public-servant record? Beyond that, the era of ubiquitous, automated surveillance doesn't need you to mail an angry letter, or declare allegiance to an unpopular cause online: Just walking around means sooner rather than later you're likely to be captured on camera.

Access to your medical records almost certainly will be online, too, even more than it already is. Online and offline lives will only get blurrier: Your GPS (and increasingly, that means your phone, too) knows where you've been, and your should-be-private Google Maps page knows where you might have considered going. (Couple that with the cavalier attitude that dominates rules about data that you carry in your phone, laptop or USB data sticks, if you cross, or even come near, the U.S. border.) Think about the meta-data (or what the government might characterize that way) that your reading and viewing habits, your prescription medicine needs, your airline tickets, and your Amazon wishlist could reveal, and whether you'd want everyone's digital dossier to be up for ad-hoc scrutiny in 10 years any more than it already is. You don't want the equivalent of the TSA viewing rooms (for your own good, of course) attached to every stream of online communication.

3) Because you're paying for it. How much you're paying is hard to say, because of black budgets, overlapping programs, and the sheer number of systems that are or could be used to make widespread surveillance the new normal, but the mystery price tag starts out high. If you're an American, or an EU citizen, at least you can be grateful that you're likely only being spied on, rather than actively harmed in other ways; in other countries, the outcome can be far grimmer. How much do you want to pay to build an infrastructure for constantly surveilling yourself, your friends, and your family? Especially one that fails so miserably at even its stated aims?

THREE WAYS TO FIGHT IT:

The good news is, while you can't stop the entire octopus, you're not required to be a full-time victim of online surveillance or the offline surveillance that it seems to normalize. Instead, you can take some simple steps that at least fog the glass a bit. Readers will no doubt suggest better technologies and practices, but here's a short list to start with:

1) Encryption, more often and in more contexts. Encrypted hard drives are now easy to buy off the shelf, or to implement with software per-user. Use encryption when it makes sense, for documents, emails, file systems, or browsing; the more you do, the more normal this becomes — if it's perfectly normal to carry data encrypted, no matter how innocuous, it's hard for merely possessing encrypted data to be vilified. TrueCrypt might not be impregnable, but neither are the opaque envelopes you might put in a physical mailbox: making it harder to spy on you even in small ways beats indifference. Good news: not every layer of security takes much effort for you to take advantage of: Mozilla's move to HTTPS Everywhere is an example, as is the option that many OSes are embracing to offer the user full-disk or per-directory encryption.

2) Avoid standing in front of the biggest targets. If you don't yet, use an operating system like Linux or one of the modern BSDs, at least part of the time. The SCADA vulnerabilities exploited to cripple a key part of Iran's nuclear program exploited a well-known hole in a widespread operating system, and the same can be said of many attacks blandly characterized as "Advanced Persistent Threats." Even a cheap, adjunct laptop running an up-to-date Linux or OpenBSD could make you safer for some tasks online; cheaper yet, you can run an entire Linux system from a USB drive, and yank it when you're through. That doesn't stop a mid-stream listener (which is a very hard problem), but a compartmentalized system like that means you can do your online banking or anything else and be less vulnerable to common malware. (Besides, it's fun!)

3) Tell companies, politicians (for instance, by voting for or against), and the people around you, that you object to being spied on. You can't prevent malicious individuals, governments, (or Google, or Yelp, or your Facebook friends) from looking at some of the data that you emit; you might feel perfectly satisfied with lots of the transactions you take part in freely. But you can minimize the worst consequences by being mindful of what you do or don't mind putting out there, and spreading the word when you find abuses of trust that compromise your privacy.

Online spying didn't pop into existence with Edward Snowden's revelations about mass data gathering by the NSA on U.S. citizens. For Americans, having our communications tapped by government agents (even if by a government that has remained far more benign than have many others) extends as long as the history of the country; likewise for Europeans and others all over the world. It's much easier, now, though, for those agents to put an ear to your wall or an eye on your correspondence than it's ever been before. For those in many countries, taking practical steps to reduce your exposure is a sensible move for more than just aesthetic or philosophical reasons, though, and luckily the range of options for preserving privacy and private communications has advanced right along with the growth of the technologies that threaten them.

  • TMN (Score:5, Interesting)

    by Anonymous Coward on Tuesday February 11, 2014 @09:19AM (#46216775)

    I'm running the firefox plugin TrackMeNot which periodically runs random google queries with keywords like: "building bombs", "terrorist attacks", "nitroglycerine" ...

  • HTTPS Everywhere (Score:5, Interesting)

    by DrXym ( 126579 ) on Tuesday February 11, 2014 @09:35AM (#46216843)
    I think this is one add-on that Mozilla should incorporate, or at least heavily promote to encourage people to use it.

    And develop a long term strategy to put crypto in all comms - e.g. use response headers from servers to push requests over to https where they are supported. Better yet produce an https+ which allows sites to use unsigned keys, CA signed keys, or even web of trust signed keys and present that info to the user in a meaningful way. Get rid of the CA tax and there would be far less reason for sites to use plain http any more.

  • by rmdingler ( 1955220 ) on Tuesday February 11, 2014 @09:43AM (#46216885) Journal
    These are all great ideas. This advice will and should be met with interest, applause, and even implementation.

    This just isn't news for the folks who read here regularly.

    Reaching Joe Six Pack is what this comes down to, and the cynic in me says that ship has already sailed.

  • Re:HTTPS Everywhere (Score:4, Interesting)

    by WaywardGeek ( 1480513 ) on Tuesday February 11, 2014 @10:32AM (#46217271) Journal

    The crypto weenies over on metzdowd.com seem to think HTTPS is currently a badly broken security layer that gives users a false sense of security. There are a number of suggested fixes, however.

    My own pet peeve is that we don't even protect our passwords properly. My ssh id_rsa password protection is a joke: literally a single round of MD5 by default. My TrueCrypt password is protected a bit better, but with custom ASICs, a thousand rounds or so of SHA-256 runs so fast it's not even a significant part of the password guessing latency. I got so POed over this issue, that I've submitted my own password hashing entry in the Password Hashing Competition [password-hashing.net]. Fortunately, there are guys way smarter than me working on this specific problem, and in a couple of years we should have a far better password protection solution. In the meantime, someone should do friendly forks of TrueCrypt and OpenSSL and incorporate Scrypt as the default password hash for user-land encryption (as opposed to servers that may have to run thousands of hashes per second).

    The advice to use more encryption seems sound, but most of us geeks here on slashdot don't even know how weak our own password security really is.
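
Added example, not part of the comment above or of any project it names: a Python comparison of the per-guess cost gap the comment describes, using a single MD5 call, 1,000 PBKDF2-HMAC-SHA256 iterations, and scrypt. The password, salt and scrypt parameters are constructed assumptions, and the first two functions are simplified models of the schemes, not the actual ssh or TrueCrypt key formats.

```python
import hashlib
import hmac
import time

# Constructed sample inputs (not from the page).
PASSWORD = b"correct horse battery staple"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

def md5_single(password: bytes, salt: bytes) -> bytes:
    """Model of 'a single round of MD5': one hash call per guess."""
    return hashlib.md5(password + salt).digest()

def pbkdf2_sha256(password: bytes, salt: bytes, rounds: int = 1000) -> bytes:
    """Model of 'a thousand rounds or so of SHA-256' (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, rounds, dklen=32)

def scrypt_kdf(password: bytes, salt: bytes, n: int = 2**14, r: int = 8, p: int = 1) -> bytes:
    """Memory-hard derivation; n, r, p are assumed interactive-use parameters."""
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p,
                          maxmem=64 * 1024 * 1024, dklen=32)

def scrypt_memory_bytes(n: int, r: int) -> int:
    """Approximate RAM each guess must touch: 128 * n * r bytes."""
    return 128 * n * r

def seconds_per_guess(kdf, trials: int) -> float:
    """Average wall-clock cost of one derivation on this machine."""
    start = time.perf_counter()
    for _ in range(trials):
        kdf(PASSWORD, SALT)
    return (time.perf_counter() - start) / trials

def verify(kdf, password: bytes, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison of a candidate's derived key."""
    return hmac.compare_digest(kdf(password, salt), expected)

def compare() -> dict:
    """Per-guess cost of each scheme, in seconds."""
    return {
        "md5_single": seconds_per_guess(md5_single, 20000),
        "pbkdf2_sha256_1000": seconds_per_guess(pbkdf2_sha256, 200),
        "scrypt_n16384_r8": seconds_per_guess(scrypt_kdf, 3),
    }

if __name__ == "__main__":
    for name, cost in compare().items():
        print(f"{name:22s} {cost * 1e6:12.1f} us/guess  ~{1 / cost:12.0f} guesses/s/core")
    print("scrypt RAM per guess:", scrypt_memory_bytes(2**14, 8) // 2**20, "MiB")
```

The scrypt row matters less for its CPU time than for the memory figure: each guess has to touch that much RAM, which is what limits the parallelism cheap custom hardware can reach.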

  • by CanHasDIY ( 1672858 ) on Tuesday February 11, 2014 @11:09AM (#46217627) Homepage Journal

    Reaching Joe Six Pack is what this comes down to, and the cynic in me says that ship has already sailed.

    The trick is to word your platform in such a way that Joe Six Pack has an immediate and extreme emotional reaction, which will cause him to demand knee-jerk legislation to address the issue.

    At least, that's how politicians manipulate people into supporting causes; high time we fight fire with fire.

  • by Anonymous Coward on Tuesday February 11, 2014 @11:28AM (#46217783)

    Joe Six Pack, who is most of the nation, doesn't care. He doesn't care if the government is listening to his phone calls or spying on his email because it doesn't affect his ability to put food on the table or a roof over his head or provide for his kids or pay for his car to get to work or pay his bills in retirement. Joe Six Pack thinks government collection of "metadata" is over his head and doesn't give two shits about it.

    Joe Six Pack believes in having his gun. Let the government listen to his phone calls, but if he tries to take away his ability to defend himself, they should plan for return fire. Joe Six Pack believes in low taxes and less government intrusion, because the government sucks at just about everything.

    Joe Six Pack believes in tangible threats to his person, his family, and his ability to make something for himself. Government surveillance of his phone call to check up on his mom is not tangible. This is an issue for the minority of tech people trying to do things under the government radar; it doesn't concern Joe Six Pack.

    At some point Slashdot readers need to realize that in the standard distribution of American citizens and their values, Slashdot readers are not the median. They are the left tail end. The median folks don't care much about the values that you all think are universal, and as proponents of those values most Slashdot readers do a pretty poor job of communicating to the median of folks and convincing them of the importance of these issues.

  • by Opportunist ( 166417 ) on Tuesday February 11, 2014 @11:29AM (#46217799)

    Well, use Joe Sixpack as your shield. As long as they get data from him, they are complacent and satisfied that they get enough data. Educate Joe Sixpack and the stream of data will dwindle to a trickle and they'll start using more invasive means to gather data.

    Sorry to say it, but the days when I try to educate the masses are over. I use them as a shield for my privacy nowadays.

  • by Anonymous Coward on Tuesday February 11, 2014 @12:33PM (#46218493)

    Joe Six Pack believes in having his gun.

    Yeah, isn't it funny how some people pretend to care about the constitution and rights, but actually only care about the 2nd amendment? Isn't it funny how people can be so profoundly ignorant as to believe that mass government surveillance is unimportant or even acceptable?

    "The government is 100% incompetent and often malicious, but hey, why not let them spy on my communications? What could go wrong!?"

    I find it funny people think the other way. Gun rights are a Constitutional right; clearly defined. Collection of meta-data on the internet which is semi-public is not so clear. And yet those opposed to government surveillance seem to be very anti-gun rights, anti-NRA etc.

    But I find your post pointless because you divert from the point, ask a question and then fail to answer it. Why is mass government surveillance important or unacceptable? Why should it be important to, say, a 65 year old retiree who uses the internet to see pictures of their grandkids on Facebook, occasional internet research about knitting or woodcrafting, and emailing their other retired friends to meet up? Why should it matter to a 35 year old professional accountant who uses his phone to arrange his schedule with his wife so their babies are picked up and they know what groceries to get for the evening? Because there are far more of those two non-techie stereotypes who VOTE and make a difference than the techies who care about government surveillance.

    Time and time again I see those opposed to government surveillance stating their reason they're against is because:

    1) "it's immoral", but not defining why and therefore leaving it entirely subjective
    2) "it's illegal", while failing to address the fact that these systems were created by laws passed via a Constitutional process
    3) "it's unconstitutional" while failing to address what aspects of the Constitution apply (the 4th Amendment is unreasonable search and seizure but the data collected is metadata from searches which is quasi-public and phone conversations passing through non-private transmission stations and satellites; the 4th Amendment argument has been struck down many times for public surveillance (see the "plain view doctrine" and "open fields doctrine", particularly the case Oliver v. United States, 1984))
    4) "it's important" while failing to address why it should be important to Americans.

    Note, I'm all for the curbing of these programs, but guess what? The Government is not doing that. The new policies put in by the Obama Administration are extremely minor procedural speed-bumps to placate people through a show of change, but the programs are not being curtailed; they're too useful. If you want real change, those in favor of removing the programs need to address the 4 issues above, specifically to the average American who is not you, or nothing will. It's your cause, so be its champion.

  • Re:TMN (Score:4, Interesting)

    by psithurism ( 1642461 ) on Tuesday February 11, 2014 @05:51PM (#46222581)

    They can detect the "random" activity, and isolate it

    Theoretically, but in reality, anything that looks too suspicious has to be investigated. Otherwise, if someone who actually wanted to build a bomb knew that fake data was discarded, they just run 10,000 random queries in the exact same manner as the few real ones they need and easily hide their intent. Or consider after a terrorism incident, the report on why some beyond-obvious activity wasn't caught, "Well, they looked too much like terrorists, like they were some caricature perpetrated by someone trying to troll us so we ignored it."

    Also, I know for a fact that once you check so many boxes, They have to come do an investigation. My random e-mailer pissed off the secret service right after 9-11*. Though in that case, my service provider passed on the unusual activity when they noticed I got their domain blacklisted by Yahoo for spam email; I wasn't caught by NSA spying.

    The question you would be asking anywhere but slashdot would be: "why did you do that?" And the answer would be: in a course I was taking at college, internet monitoring came up, and I single handedly argued against the whole class and teacher that They would not show up for a few emails with the word bomb. So I went home to prove the class wrong and maybe the class was kinda right.

    Your idea sounds really cool, kinda like what TOR does but more-so. I just wanted to point out that random activity does get noticed. You're welcome to try your own experiments though!
