Monday, August 12, 2013

The surveillance mass hysteria, the right to privacy and professionalism

I had the intention to write a commentary about the Snowden case and the mass anti-surveillance hysteria it provoked. I will defend the use of the term 'hysteria' in later paragraphs. But then I realized that the consequences of Edward Snowden's case were far greater than I had previously thought. This is not in terms of the diplomatic and geopolitical consequences of his whistle-blowing acts. Government surveillance has sustained the Assange/Wikileaks blow and it will continue to do so (thankfully, because I do not agree with the acts of Snowden and Assange, but keep reading, I assure you I do not do Government propaganda here). In contrast, the thing I feared the most was that this Snowden-induced hysteria would eventually turn against hard-working US businesses in the area of privacy protection.

Unfortunately, I was proven right. A few hours prior to starting the composition of these lines, I read the sad news that announced the closure of Lavabit, one of the most reliable encrypted email providers. It turns out that Snowden had used Lavabit's service and this created some sort of friction, pressure and eventually the collapse of the provider's service. In an attempt to gauge public opinion, I opened my Twitter account. One of the comments from an individual was "I will never entrust any of my data to a US business!". Of course, surveillance is not only a US phenomenon. In Europe, Asia, Australia and the Middle East, the games of cat and mouse between those who want to safeguard their privacy and those who want to break it are on. So, is it safe to assume that a business is the worst possible place to entrust your digital assets? I am raising this question because Lavabit is not the only company in this sort of business.

Now that I raised the question, I want to step back a bit. I want you to picture Edward Snowden, an IT person that ended up somehow working for the tech/contractor sector that surrounds the NSA. Did you really think that when he joined the ranks, he had no idea of what was going on in there? Do you really need a "hero" like Snowden to tell you that Governments have surveillance capability? Really?

I started working on the Internet in 1998, and I worked on core TCP/IP protocols and Ethernet device drivers, which is what drives most corporate networks today. Today, I am tasked with securing digital assets for various scientific communities, and I want to believe that I have a healthy dose of paranoia about whether my infrastructure is secure or not.

The assumption that the guy who sits at the NSA/GCHQ will wake up one morning wanting to listen to your personal communications, and can do so under all conditions, is wrong and unhealthy. If you are an intelligence analyst, you are looking for needles in a haystack and you have specific problems to solve. Yes, there is data mining. Yes, there are ways to tap into your personal communications. Yes, you could be a bystander and accidentally tapped in an attempt to locate someone, but this is less probable than you being the victim of a phishing or zero-day exploit by some bandit who wants your machine for a botnet, or is after your bank account, etc.

Yes, we all have the right to privacy, and trusting a communication system to deliver a message from person A to person B is important. Read Simon Singh's "The Code Book" and you will see that most European Governments were operating surveillance rooms from the very early history of human communication. He writes about the so-called "black rooms", mentioning some of the earliest examples of such a service: the Geheime Kabinetskanzlei, the secret Austrian service, operated such a room in Vienna in the 18th century. The personnel would open certain letters of interest with care, leaving very few traces on the opened envelope; they would make an exact, and even translated/decoded, copy of the letter; then they would reseal the envelope and let the letter reach its final destination. This is one of the earliest forms of industrial-grade Government surveillance and a very good analogue of what is happening in our age.

Am I trying to increase your paranoia? On the contrary. Do you really think that a black room had the capacity to open/decode/translate all letters? The obvious answer is no. Cryptographers and skilled envelope openers/resealers were finite, and there was a very careful targeting/sampling of senders and recipients. Is the whole process easier in the 21st century? Well, yes and no. It is an interesting question.

The era of computers, the falling CPU/GPU/MIC hardware costs, the increased connectivity of social media and mobile wireless technologies, the plethora of web scraping techniques and Deep Packet Inspection (DPI) software solutions have made it easier to perform surveillance on a grander scale than in the era of the good old post office. However, we are far from the era of pressing a few buttons, having an email address and knowing everything about the life of every individual, as Snowden claims.

One of the greatest problems for the era of modern surveillance is "noise". In the context of surveillance data mining, "noise" is a collective term for a range of factors that prevent a mining algorithm from achieving its target (to get its info, or to estimate whether something is true or false: for example, whether a particular individual is related to a group of people or not). These factors include:
  • a) Fuzzy or an incredibly large amount of info to mine, well beyond the capabilities of the data mining algorithm.
  • b) Inability of the mining/surveillance techniques to keep up with the amounts of information transmitted over a digital network.
  • c) Susceptibility of the mining algorithm to false negatives/positives due to design inadequacies.
With respect to factor a) above, the Internet might be a great repository of information for data mining; however, it is also "polluted" with redundant, false and distributed/incomplete information. The term information overload, or information pollution, should not only refer to the cognitive ability of an individual to absorb, comprehend and act on the amount of information mined from the web. It also has a negative effect on surveillance data mining algorithms.

Lots of information means an ever-increasing rate of information transfer (b). Modern data networking speeds increase all the time, especially on large data backbones, where we have speeds of even 100 Gigabits/sec at the time of writing. If one combines this fact with the use of encryption, as Bruce Schneier points out in this paper/article, it becomes evident that DPI techniques are falling behind. You will be surprised how difficult it is to silently decrypt the traffic of an SSH tunnel with moderately adequate encryption. You can set up something like this between two cloud hosts, even across different cloud providers, and protect your voice, ephemeral chat communication and everything else that is important to you. No man in the middle will have an easy way into what your network packets really contain. These techniques have actually been employed successfully by knowledgeable individuals to bypass Government censorship and surveillance firewalls. Egypt, Iran and China are some notable examples.

For factor c), I am sure you must have had an example of a false negative or positive in your anti-virus software. If not, you are an extremely lucky person. Are you a sysadmin of an IDS/IPS/firewall system? You should also consider yourself very lucky if you never dealt with a signature/rule that let bad traffic in or kept good/legitimate traffic out. It works the same way with surveillance mining algorithms. They are not perfect and they suffer from the same problems: wrong things are flagged up as dangerous and many dangerous things are not flagged at all. Associate Professor Gehan Gunasekara suggested that the public should try and test this susceptibility of the surveillance mining algorithms by polluting their Bayesian analysis modules and flooding them with false negatives. I do not suggest that you do that, but I mention it as proof that the susceptibility is there and that, with or without disobedience, the problem exists.
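To make factor c) concrete, here is an added example (not code from the original post): a toy keyword signature of the kind an IDS rule or a mining module might use, run over a handful of constructed messages, followed by the base-rate arithmetic that governs any detector applied at population scale. The sample messages, the signature keywords, and the population and rate figures are all constructed assumptions for illustration; they are not figures from the article.

```python
"""Detection noise, illustrated: a keyword rule that produces both a false
positive and a false negative, and the precision such a rule achieves when
applied to a whole population. Everything below is constructed sample data."""

# Constructed "traffic": (message text, is it actually of interest?)
SAMPLES = [
    ("meeting at the usual place, bring the package", True),
    ("the package from amazon arrived, meeting cancelled", False),
    ("lunch tomorrow?", False),
    ("send me the report by friday", False),
    ("rendezvous confirmed, see you then", True),   # relevant, but no keyword
    ("package tracking number attached", False),
]

# A constructed keyword signature: crude, like many real-world rules.
SIGNATURE = {"meeting", "package"}


def flag(text: str) -> bool:
    """Return True when the rule fires, i.e. any signature keyword appears."""
    cleaned = text.lower().replace(",", " ").replace("?", " ")
    return bool(set(cleaned.split()) & SIGNATURE)


def evaluate(samples):
    """Count true/false positives and negatives for the rule over samples."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for text, relevant in samples:
        hit = flag(text)
        if hit and relevant:
            counts["tp"] += 1
        elif hit and not relevant:
            counts["fp"] += 1
        elif not hit and relevant:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


def rates(counts):
    """False-positive rate (innocent traffic flagged) and false-negative rate
    (relevant traffic missed) derived from the counts."""
    fpr = counts["fp"] / (counts["fp"] + counts["tn"])
    fnr = counts["fn"] / (counts["fn"] + counts["tp"])
    return fpr, fnr


def precision_at_scale(population, base_rate, sensitivity, false_positive_rate):
    """Base-rate arithmetic: of everyone the detector flags, what fraction is
    actually of interest? Returns (true alarms, false alarms, precision)."""
    targets = population * base_rate
    innocents = population - targets
    true_alarms = targets * sensitivity
    false_alarms = innocents * false_positive_rate
    return true_alarms, false_alarms, true_alarms / (true_alarms + false_alarms)


if __name__ == "__main__":
    counts = evaluate(SAMPLES)
    print("rule outcome over sample traffic:", counts)
    print("false-positive rate, false-negative rate:", rates(counts))
    # Constructed figures: 300 million people, one in a million of interest,
    # a detector that catches 99% of them and wrongly flags 0.1% of everyone else.
    ta, fa, prec = precision_at_scale(300_000_000, 1e-6, 0.99, 0.001)
    print(f"true alarms {ta:.0f}, false alarms {fa:.0f}, precision {prec:.4f}")
```

Even with a detector that is optimistic by real-world standards (99% sensitivity, 0.1% false-positive rate), the flagged set is overwhelmingly made up of people of no interest, because the prior is so small; this is the "needles in a haystack" problem expressed as arithmetic, and it is why an analyst's work is targeting and triage rather than pressing a button.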

Hopefully, you are convinced now that the claim of the "hero" Snowden is not exactly accurate, and that if you take reasonable precautions and trust high-stakes information to professionals, you can have a company protecting your digital assets. Not everything is point and click for a Government surveillance analyst, and unless you do something really sinister, you can go and do your daily business without feeling threatened or being hysterical.

I would like to close with a statement which is even more serious than the previous ones. The closure of Lavabit is wrong. Innovative businesses that protect the privacy of individuals who have a non-threatening interest in protecting their private/business information are a core value of the information society. The US administration needs to understand that if they kill public trust in privacy-protecting businesses, they are going to strike a big blow at the heart of their digital economy. Whatever the issue was with Lavabit, it can be solved by

i) strengthening the admission requirements to such services, and
ii) dealing more effectively, within their own infrastructures, with the problem of rogue insiders. Technologies to aid that process do exist!

After all, a stark contrast between Ladar Levison and Edward Snowden is that the former complied with the law and offered a service to the people. Edward Snowden also offered a service to the people, but that was not his whistle-blowing act. That was his personal choice. That is exactly why the first one is a professional and the second is a rogue insider. That is also why I would entrust my email data to Lavabit.