Tunisian Gov't Spies On Facebook; Does the US?
jfruhlinger writes "Tunisians logging into Facebook encountered extra JavaScript, probably a sign of their repressive government's attempt to spy on them. The question is: does the US government do the same thing, just more subtly? We're not talking about agents friending you on Facebook to get more information about you; we're talking monitoring your supposedly private information behind the scenes."
Of course not! (Score:5, Funny)
Re: (Score:2)
Checking facebook is neither an unreasonable search nor a seizure. It is publicly available information.
Re: (Score:2)
Whoops, didn't RTFS, disregard that
Re: (Score:2)
Re: (Score:3)
FTFY. [angryflower.com]
Re: (Score:2)
Maybe he's a Greengrocer's Guild member?
Re: (Score:2)
Checking facebook is neither an unreasonable search nor a seizure. It is publicly available information.
Perhaps the question is not 'are they' but really 'should they'?
I know the article linked below about an FBI tip off via Facebook was likely done by a member of the public and not FBI search spiders. Still if snooping could prevent this sort of thing, should they?
I expect any response to this question will be a very resounding 'NO' but I feel it's a question that needs asked.
http://www.guardian.co.uk/world/2010/jun/16/fbi-gun-scare-merseyside-school [guardian.co.uk]
Re: (Score:2)
It's also not unconstitutional to stand on the sidewalk in front of my house, watching me with binoculars 24/7. But despite what it thinks, the government has no business doing that and I don't want it to.
If you haven't done anything wrong then you should have nothing to hide! Just like the government.
Re: (Score:2)
Re: (Score:3)
Constiwhatnow? Oh c'mon, that server's been hacked years ago. Root password is waronterror, in case you want to know.
Re: (Score:3)
What do you mean, "hacked"? We're talking about Facebook, aren't we? There never was any privacy there to begin with.
Tell that to... (Score:5, Insightful)
Tell that to the guy who has his cell phone rummaged through [slashdot.org] without a warrant. And tell it to the guy who has a GPS tracker attached to his car [slashdot.org] without a warrant. Tell it to the guy who has his computer searched, with anything found being prosecutable [slashdot.org], whether it was what the warrant specified or not. Tell it to the people whose cars (and possibly even persons) have been subjected to airport "naked body" scanners from vans on the street [slashdot.org] without--you guessed it--a warrant. Tell it to the people whose Internet information is handed over [slashdot.org] to the government willy-nilly without any kind of warrant. Tell it to the guy whose cell phone signal is geo-located [slashdot.org] without a warrant. Tell it to 94 baseball players [slashdot.org] whose drug results were obtained without a warrant.
The list goes on and on. The Fourth Amendment is a joke today. I know it, the government knows it, and apparently you didn't get the memo. It's at the point where we need to pass a new amendment that basically says, "Goddammit, we mean it." Realistically, it's probably never going to change because too many people stupidly think that 1) if you're innocent you shouldn't have anything to hide, and 2) it could never happen to them.
Re: (Score:2)
The Fourth Amendment is a joke today. I know it, the government knows it, and apparently you didn't get the memo.
Far from failing to get the memo, I'm pretty sure OP intended to use irony to make just that point. How else do you explain the clearly tongue-in-cheek "Of course not!" in the post title?
Re: (Score:2)
If any post could get something better than a +5 then this should be one of them.
Re: (Score:3)
Re:Tell that to... (Score:5, Informative)
According to recent news, not to mention speeches from politicians, the US seems to be soundly in the "ammo" stage now.
Re: (Score:3)
Although reading some of the posts on here I'm amazed some people still don't get that simple fact. Where have some of these
Re: (Score:2)
Amendment IV - The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Besides the fact that it probably doesn't quite apply to FB, I thought that the 4th was repealed in the last ten or so years... sure seems like it at times. ;-)
Re: (Score:2)
(Bitter)
Now we issue warrants upon Probable Correlation because Correlation is proportional to Causation.
(/Bitter)
(Some adjustment of the usual terms according to scientists has occurred. However, some adjustment to Amendment IV according to the Founders has also occurred.)
Re: (Score:2)
Amendment IV - The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Score:5, Funny
That's just sad.
Maybe (Score:3)
Can they? No doubt.
Re:Maybe (Score:5, Interesting)
To shape, fake, twist, bait and id any and all that have exposed their operations in the past or might sway larger groups of people.
The real skill is to twist or change any statement of past fact or a projected path.
Also a good place just to watch what gets traction and what was never picked up by the herd.
In other parts of the world, getting a friend with the security emblem can send a clear and final message. The FBI would be looking for a way in to 'groom' a group for domestic press exposure.
Anyone into peace/anti war protests would be very fair game.
As Twitter showed, they now seek the IPs, in US courts. The subtlety aspect of past direct 'news' forming is now more a chilling 'we can find you' anytime.
Re: (Score:2)
Of course they aren't. They don't need to -- they get the data wholesale on request, just as they did from the telephone carriers when it was necessary.
Quite likely the US does... (Score:2)
If the link is right, then the CIA probably has direct access to the Facebook database.
If I worked for the CIA and had direct access to the Facebook database, then I would prefer to mine the database, because page scripts can be found by users and can fail for a variety of reasons.
Re:Alternate Headline (Score:5, Funny)
Alternate Headline: Tunisian Gov't Spies on Facebook; Does Spain?
only if the US tells them to.
Re: (Score:2)
Why did my modpoints expire yesterday?
Re: (Score:2)
Obviously, the government took them.
Yeah, the Tunisian government. We know they do that sort of thing.
supposedly private information ? (Score:5, Insightful)
Clue:
If it were private, your information wouldn't be on facebook in the first place.
Have you been off planet for the last year or two?
Re:supposedly private information ? (Score:4, Insightful)
You give all of your private information to Google if you use Gmail too but that doesn't mean that it's ok for the government to go fishing there either.
Re: (Score:2)
You give all of your private information to Google if you use Gmail too but that doesn't mean that it's ok for the government to go fishing there either.
As opposed to your ISP?
Re: (Score:2)
Google is somewhat competent on privacy. Facebook explicitly wants to share your information with as many people as possible.
Never ever count on anything on Facebook being private. Do not share stuff you don't want the entire world to know. Not even as a private message.
Re:supposedly private information ? (Score:5, Interesting)
Why is that at all relevant?
What I say when I'm on the phone with my friends isn't private, but I still don't want the government snooping on all those calls. What I do while I'm out in public isn't private, but I don't want a cop following me every time I step out the door. The fact that it isn't private (and there are plenty of ways to communicate privately in facebook BTW,) doesn't mean it's OK for the government to secretly monitor everything you do there.
Re: (Score:3)
there are plenty of ways to communicate privately in facebook BTW
Don't count on it. Don't trust them to remain private. Facebook has a bad track record. Privacy is an afterthought at best. Facebook is only for information you want to be public.
Re: (Score:2)
Clue:
If it were private, your information wouldn't be on facebook in the first place.
Yeah, who in their right mind would give their Facebook password to Facebook? Clearly when you type it in the little box with the dots instead of letters it means you don't want it to be private anymore.
Re: (Score:2)
It doesn't use https, so that password is going over the net completely unencrypted. Don't rely on it remaining secret. Do not use the same password that you also use for services that matter, like banking or private email.
Re: (Score:3)
It doesn't use https, so that password is going over the net completely unencrypted. Don't rely on it remaining secret. Do not use the same password that you also use for services that matter, like banking or private email.
Firstly, I don't think failing to realize that non-https connections are vulnerable to hackers is the same as giving the government permission to spoof the site you were trying to log in to and steal your password. People should be blamed for being stupid, but that doesn't mean government deserves no blame for being shifty.
Secondly, false. Facebook uses https for sending passwords. You can see this by going to the FB front page and viewing page source, then look at the code for the login button.
Besides w
Re: (Score:2)
It's not about what ought to be.
It's about the abysmal track record of Facebook and the absurd level of trust ignorant people put in a site whose whole purpose is to share your information as far and as wide as possible.
The site doesn't even use https!!
Re:supposedly private information ? (Score:4, Insightful)
Could you explain how private messages on Facebook differ from email?
The former are on Facebook, the latter aren't. That is a huge difference.
Re: (Score:2)
Yes.
https://www.facebook.com (Score:2)
Any reason why the secure site wouldn't work for this?
Re: (Score:2)
Already, in-depth information is surfacing on how the hacks were committed. It appears that the Agence tunisienne d'Internet, a government agency which supervises all of Tunisia's ISPs, or someone with access to the agency committed them. Tunisian ISPs are running a Java script that siphons off login credentials from users of Facebook, Yahoo and Gmail.
I think what they are doing is injecting extra scripts into the Facebook login which compromises the site and then sends the password to a different site.
When you can't trust your ISP and that the site you are connecting to is genuine, I don't think HTTPS works that well.
Re: (Score:3, Informative)
Not true. HTTPS works quite well against a rouge ISP. Where it fails is with a rogue Certificate Authority willing to sign bogus certificates. If you can get a CA to sign your bogus certificate, then you can execute a man-in-the-middle attack against HTTPS.
Re: (Score:2)
Google has long recommended https for gmail for precisely this reason. If you sign in from a web secure page, you should be fairly safe. All the injected scripts should be caught.
Man in the middle with a bogus certificate? I donno. Spoze its possible. (Does anyone really sign Google's certificates?).
But Tunisia hardly seems the technological hotbed of the mid east.
Re: (Score:2)
Does anyone really sign Google's certificates?
You'd know if they didn't. I don't know about other browsers, but Firefox and Chrome both throw up a giant red page warning you that someone might be listening whenever it encounters an unsigned certificate.
And as far as I know, Google isn't a CA.
Re: (Score:3)
Firefox and Chrome both throw up a giant red page warning you that someone might be listening whenever it encounters an unsigned certificate.
But they don't give any warnings if say the www.citibank.com certificate turns out to be signed by CNNIC (a Chinese CA), or any other CA installed in your browser, or signed by sub-CA certs that are signed by any CA in your browser!
So all the Tunisian gov would have to do is get a CA to sign some certs for them, or get them to sign a sub CA cert for them - so that they can sign any cert with that[1]
To handle this scenario you either have to rely on third party plugins like certificate patrol, or manually ch
Re: (Score:2)
Still, that means someone is signing Google's certs. It just might not be someone we should be trusting to sign them.
Re: (Score:2)
(Does anyone really sign Google's certificates?).
On a massive public site, an unsigned certificate wouldn't be very comforting to the masses right?
The CA for mail.google.com is:
Thawte Consulting (Pty) Ltd.
Re: (Score:2)
But Tunisia hardly seems the technological hotbed of the mid east.
They'll be glad to hear that, seeing as they're in North Africa.
Re: (Score:2)
So is Egypt.
The Middle East is a region, not a continent.
Re: (Score:2)
http://www.google.com/search?q=define:middle+east [google.com]
Read. It.
Re: (Score:2)
The middle east is a region, not a continent.
OK, so https is not secure (Score:2)
Re:https://www.facebook.com (Score:4, Funny)
HTTPS works well even when ISP's wear makeup?
Re: (Score:2)
Not true. HTTPS works quite well against a rouge ISP. Where it fails is with a rogue Certificate Authority willing to sign bogus certificates. If you can get a CA to sign your bogus certificate, then you can execute a man-in-the-middle attack against HTTPS.
So the problem is software/hardware vendors not vetting out which CAs they make their wares trust.
Or you for trusting the list of CAs some software vendor gives away for free.
Re: (Score:2)
Your ISP can't interfere with SSL connections without causing browser errors (because the cert won't match). They might have been able to back in the days when many users used a CD from their ISP to set up their computer; the ISP could slip an extra CA cert into the browser config. A government may be able to strong-arm a recognized certificate authority to sign a fake cert, which would allow them to pretend to be www.facebook.com (and they could distribute that cert to participating ISPs).
Re: (Score:3)
Re: (Score:3)
I don't think so. ...
When you can't trust your ISP and that the site you are connecting to is genuine, I don't think HTTPS works that well.
HTTPS sessions are verified by their SSL certificate, issued by a certificate authority. An ISP cannot tamper with traffic sent via HTTPS, and as long as it's also encrypted (almost always) it can't read the traffic. (it CAN however see who you are talking with)
This here is a case of the ISP directing users to a different IP address (via faked DNS responses pointing to their spoofing server) and spoofing the login screen, and skimming the passwords. This would not be possible if the user was using HTTPS to
Re: (Score:2)
Re:https://www.facebook.com (Score:5, Informative)
Tunisia was blocking https connections to www.facebook.com.
echelon (Score:5, Insightful)
It should be assumed that any information you post on a system that doesn't belong to you (and even some that do...) is being peered at by someone that wants to put their nose where it doesn't belong.
We used to live in a society where a comment like 'Oh, but why would they look at you if you're unimportant?' would have been valid, but with the ever-encroaching nemesis of data mining and algorithmic analysis making itself part of our daily lives you have to assume that, at any moment, every transaction you make is being scrutinized.
Re: (Score:3)
Re: (Score:2)
Sure, if your tinfoil hat has the shiny side the wrong way 'round. But when you think about it, you're talking about 300 million Americans with the number of daily transactio
Re: (Score:2)
I'm not committing a crime at the moment, but who knows what will *become* a crime in the future? And at that point, just think about how useful all this logged data will be.
The best part is that in our media-washed modern society, you wouldn't even need to be accused of a crime. Some bit of data you once thought private can be aired and you'll face the prison of public opinion and hearsay.
Heh, (Score:4, Insightful)
Your Rights Online: Tunisian Gov't Spies On Facebook; Does the US?
Silly submitter, the government doesn't spy on Facebook, the government uses Facebook to spy on you. Now that the typical Slashdot pedantry is outta the way, isn't the whole point of Facebook to spy on people anyway?
Re:Heh, (Score:4, Insightful)
An entire record of your digital life, once you put all this out there, there's no getting it back. While it's probably not very available to governments now (merely advertisers can trawl this stuff to figure out how to sell you more shit) it's out there and it could fall into the hands of those who would do us harm, should laws change. You can bet in another awfully convenient 9/11 style terror attack the government rushes for more legislation to get access to this stuff real fast.
Does it matter? (Score:4, Insightful)
Re: (Score:3)
Well, if you wanted to, you could set up a social networking site for paranoid conspiracy theorists, which encrypts all information entered. Then, even the site itself would be incapable of spying or harvesting your information. Of course, that would necessitate some onerous passphrase being passed around to every single person on your white list. But for the privacy conscious out there, I'm sure they'd put up with it. If you trust the site itself, then I suppose you could get rid of the passphrase. Of
FUD for pageviews (Score:3)
Re: (Score:2)
You mean that my children might still live, even if I don't watch the special newscast tonight?
Re: (Score:2)
Heh.. I saw an ad for a TV program on last week, and part of the description was "and the tips you literally cannot live without!"
I missed the show, yet am still alive. I think the presenter may have been slightly over-zealous with his usage of the term "literally".
On Topic: Indeed, it is FUD as it's a non-issue in the first place, even if the government does "spy" on Facebook, it's not spying as you've given the information to a third party - namely, a third party with one of the most awful privacy records
Re: (Score:2)
Heh.. I saw an ad for a TV program on last week, and part of the description was "and the tips you literally cannot live without!"
I missed the show, yet am still alive. I think the presenter may have been slightly over-zealous with his usage of the term "literally".
On the contrary! Clearly, your continued animate existence just means that you already know all of those tips. You took a big risk though, man. If by chance there had been just one tip in there that you hadn't already been aware of, whoosh, curtains for you!
Big Files (Score:3)
I had a position that may have involved technology that was a little sensitive for several years. At one point a disgruntled employee burglarized the personnel files and spread information around about various people. As it turned out the investigation of employees went back quite a few years and some of the compiled information had to be garnered from neighbors long since passed away. I know that postal employees are sometimes asked about people on their route but apparently at least in some cases there are very large sums of data that go back for several decades kept and available. I can only imagine our government having the time or interest to do such a search of people's backgrounds. I have never had even a misdemeanor and can not fathom why such files were kept on me. I was not in the military at any time. Apparently some employers must feed the government information about their employees or perhaps even their customers.
As I had nothing in particular to hide I found the incident upsetting but not to the degree that I sought to file suit against the firm involved. But I'm not so sure how free people are when the government can compile information to that degree upon its citizens. I am also assuming it was the government that did the leg work. It is quite possible that other entities do the compilations. In some areas the police kept or keep "yellow sheets". They do it indirectly through a benevolent fund or some other straw man so that they can deny in court that they have such information. Often when a crime takes place they seem to know exactly where to go to snag the culprits. They also really do know about certain machinists that would have special abilities useful in committing certain crimes such as machining a weapon from scratch or the ability to cut through safes due to work in armaments. These days certain areas of electronics might draw a great deal of governmental attention.
Here's your answer (Score:5, Funny)
Re: (Score:2)
Is the bear Catholic?
Re: (Score:2)
Is the bear Catholic?
Do Priests shit in the woods?
Re: (Score:2)
Is the bear Catholic?
Do Priests shit in the woods?
Do fish molest altar boys in the water?
Re: (Score:2)
Too much Latin - I think he meant to say "Does the Pope shit in the woods? And if he did, would anyone hear it?"
I didn't know the pope was a bear - I'll have to keep an eye out for him at the next gay pride march.....
So turn javascript off (Score:5, Informative)
There's a reason that almost all browsers have controls to enable/disable java and/or javascript. Programmers who have used these languages normally understand why you don't want your browser to automatically execute code downloaded from strangers, and browse with "scripting" disabled. Maybe we can teach others to do the same. If you tell us here which browser(s) you use, we can probably tell you where the controls are to turn off the execution of outside code. If your browser doesn't allow this, you should probably use a different browser.
Some browsers, such as firefox, have the ability to enable/disable scripting selectively for specific sites. Those browsers are much safer than the others.
(And to the geeks here: Yes, I know you know all that. I'm talking to the large part of the population who don't seem to know it. This obviously includes whoever wrote TFA. ;-)
Re: (Score:2)
Programmers who have used these languages normally understand why you don't want your browser to automatically execute code downloaded from strangers,
Actually, I understand why I not only want to do so, but I would much rather do so in a browser than in a plugin, or manually in a native executable. I also want to tell others to do so, so that when I design something which requires it, I know it'll work.
Very rarely do we see a true design flaw in JavaScript. Much more often are security holes, but these can also affect pure HTML, CSS, external plugins, etc.
Re: (Score:3)
Facebook won't even let you view their site with javascript off (you can try for yourself if you like). They will tell you to enable javascript, or you can use their mobile site (which does not have the same functionality).
You aren't going to get Facebook users to turn off javascript.
In this case, what the actual problem is is that the users weren't using SSL. The ISP was injecting javascript directly into the HTTP response.... this can't happen if you are using SSL (properly).
Facebook doesn't default to
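An added example (not part of any comment above, and not Facebook's code): a Python audit of a fetched login page that checks where the password form posts, whether the page itself arrived over HTTPS, and which scripts are present that a reference copy fetched over a trusted path does not contain. The `example.test` URLs and both HTML samples are constructed.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginPageParser(HTMLParser):
    """Collects password-form targets and a script inventory for one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.password_posts = []   # absolute URLs that receive a password field
        self.scripts = set()       # ("src", url) or ("inline", sha256 of body)
        self._form_action = None   # action of the <form> currently open
        self._form_has_password = False
        self._inline_body = None   # text chunks while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing action posts back to the page's own URL.
            self._form_action = urljoin(self.page_url, a.get("action") or "")
            self._form_has_password = False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._form_action is not None:
                self._form_has_password = True
        elif tag == "script":
            if a.get("src"):
                self.scripts.add(("src", urljoin(self.page_url, a["src"])))
            else:
                self._inline_body = []

    def handle_data(self, data):
        if self._inline_body is not None:
            self._inline_body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline_body is not None:
            body = "".join(self._inline_body).strip().encode()
            self.scripts.add(("inline", hashlib.sha256(body).hexdigest()))
            self._inline_body = None
        elif tag == "form" and self._form_action is not None:
            if self._form_has_password:
                self.password_posts.append(self._form_action)
            self._form_action = None


def parse(page_url, html):
    parser = LoginPageParser(page_url)
    parser.feed(html)
    parser.close()
    return parser


def audit(page_url, observed_html, reference_html):
    """Return sorted (code, detail) findings for the observed copy of a page."""
    seen = parse(page_url, observed_html)
    ref = parse(page_url, reference_html)
    findings = []
    # An HTTPS form target does not help if the page carrying the form
    # arrived over plain HTTP and could be modified on the way.
    if seen.password_posts and urlsplit(page_url).scheme != "https":
        findings.append(("PAGE_NOT_HTTPS", page_url))
    for target in seen.password_posts:
        if urlsplit(target).scheme != "https":
            findings.append(("POST_NOT_HTTPS", target))
    # Scripts present in the observed copy but absent from the reference copy.
    for kind, value in seen.scripts - ref.scripts:
        findings.append(("EXTRA_SCRIPT", f"{kind}:{value}"))
    return sorted(findings)


# Constructed reference page: the form posts to HTTPS.
REFERENCE = """<html><head><script src="/static/app.js"></script></head><body>
<form action="https://login.example.test/session" method="post">
<input type="text" name="email"><input type="password" name="pass">
</form></body></html>"""

# Constructed observed copy: identical except for one inline script.
OBSERVED = REFERENCE.replace(
    "</head>", "<script>/* constructed: added in transit */</script></head>")

if __name__ == "__main__":
    for code, detail in audit("http://www.example.test/", OBSERVED, REFERENCE):
        print(code, detail)
```

The observed copy is flagged even though its form still posts to an HTTPS URL, because the page that carries the form was delivered over HTTP.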
Re: (Score:2)
Opera has this built in, if you right click on a page and go to edit site preferences under scripting you can turn off javascript and under content, you can turn off plugins. Normally I turn off plugins for all sites and whitelist as I go and blacklist sites for js (since it can be harder to know if you're missing something useful on a site without js than it is with flash [you're usually not missing anything with flas
Re: (Score:2)
Rhetorical right? (Score:2)
Come on.... (Score:4, Insightful)
Re: (Score:2)
the US is the biggest spy in this age and has been since WW2.
Only the biggest because they have the most resources. And even that, certainly not the best. (of course we are talking about western governments here; not the communists who had a rather amazing spy program).
Re: (Score:2)
After a while people wake up and just don't care. They understand they are on file, know the person next to them at a protest is an informant.
They can see the cameras at a funeral of a loved one who died in police custody/prison.
They turn out to protest, side by side, face the uniforms in public and the plain clothes in the shadows of their doorway.
Where the US wins at this point is the herd is kept so happy, distracted, poor,
Re: (Score:2)
There are dumb statements. This is one.
Fixed that for you.
My thoughts on anonymity (Score:3)
I try to post non-anonymously using my real name wherever possible, partly because ultimately I want the problems fixed. (Look at the polls I submitted for example) But I know in the real world that isn't always possible.
Supposedly Private? (Score:5, Informative)
We're talking monitoring your supposedly private information behind the scenes
Well, here's the thing about US law (for better or worse, I'm just explaining it as I understand how it actually operates): there is no constitutional reasonable expectation of privacy in Facebook stuff, since my assumption is that you have already shared it with others (if only Facebook Inc). This is called "the third party doctrine", since it covers only information that an individual has voluntarily disclosed to some third (non-government) entity. See, e.g. United States v. Miller (1976):
The Fourth Amendment does not prohibit the obtaining of information
revealed to a third party and conveyed by him to Government authorities,
even if the information is revealed on the assumption that it will be used
only for a limited purpose and the confidence placed in the third party will
not be betrayed.
The long and short of this is that the act of transmitting to Facebook establishes that you have no REP in whatever you transmit. A lot of ink has been spilled in debating the doctrine, both legally and normatively but that's past the scope of this post so I'll just point you to an article criticizing [lexisnexis.com] the doctrine and one defending [michiganlawreview.org] it. Both contain excellent overviews of the law and the surrounding doctrinal argument.
More interestingly, however, Congress stepped in to provide even more protection than the Court when it passed the Stored Communications Act [wikipedia.org] that provides an intermediate level of scrutiny past the normal scrutiny that attaches to any criminal subpoena[1]. In the SCA, Congress requires the government to prove "specific and articulable facts" that the information is relevant and material to a criminal investigation. That would be the standard applicable to a subpoena to Facebook.
Of course, if Facebook wanted to disclose information voluntarily, that would be well covered by the Third Party Doctrine (as it exists) except to the extent prohibited by the Facebook TOS.
[1] That would be, approximately, 'reasonable possibility that the materials sought will produce information relevant to the investigation'. See, e.g. United States v. R. Enterprises (1991) and FRCP 17.
[2] 18 U.S.C. 2703(d) [cornell.edu].
In Soviet Russia... (Score:3)
In Soviet Russia, Facebook spies on you!
Wait a minute, that didn't come out right...
The same thing? (Score:5, Insightful)
Of course not. The US government isn't going to go through the trouble of having ISPs insert malicious Javascript, when they can just send a few agents over to Facebook (and/or the ISPs) and set up a tap sending all data directly to the NSA instead. A lot more reliable and less detectable by the victim.
Yakima data center (Score:5, Interesting)
This is why I quit FB... (Score:2, Insightful)
Re: (Score:2, Flamebait)
Yeah, man, because the government is spying on those private pictures of your cat, just like the Nazis did. Good thinking. Isolate yourself for safety. You know, they could be watching Slashdot, too...
Re: (Score:2, Insightful)
HTTPS (Score:2)
Javascript attacks have been ongoing (Score:3)
Does it matter? (Score:3, Interesting)
You are posting to a public gateway and then are afraid that someone is treating that data as public - how dare they!
Really, it isn't private communications and, as such, there is no need for a warrant or anything for anyone to get at it. This is data mining, not spying, and is done all the time. I bet there is a web crawler somewhere on this planet that is "spying" on this post on slashdot too - there are no Fourth Amendment rights to information you broadcast to everyone on the planet, indeed I do not even see how there could be.
This is Tunisia, remember (Score:2, Insightful)
Tunisia is a bit of an odd one.
They encourage tourism (and they're doing pretty well at that - it's a lot more built up than it was ten years ago - though perhaps at the expense of their own culture. It's rapidly becoming the sort of place Brits who want sun and sea but don't want to be exposed to any foreign food or culture might go. Think Gran Canaria but not quite as bad yet), it's much more progressive than most arabic nations and the official line is essentially that they're dragging themselves out o
Re: (Score:3)
Or more generally, anything you send to anyone on the Internet that isn't encrypted should be considered public. Your ISP is almost certainly mining it for commercial (e.g., advertising) purposes, and is probably also looking for keywords that your government is interested in. Anyone along the route that the packets take is capable of intercepting your packets and doing whatever they like with them.
One of the long-standing bits of advice from the security people is that nothing except end-to-end encryptio