In the wake of revelations about PRISM and other programs, I asked information security and privacy solutions provider Stephen K. Gielda of Packetderm, LLC and Cotse.net if he might share his thoughts on surveillance and how users can protect ourselves. His first post, below, on the growth of government surveillance provides a nice historical overview of the problem. I am publishing it with Steve’s kind permission. You may want to share it with family members, colleagues, or friends who could use a clue or think that if they have “nothing to hide,” there’s no reason to be concerned. In the future, Steve will write about how we can protect ourselves.

From wiretapping organized crime figures to monitoring an enemy during times of war, intercepting communications has been a key part of intelligence gathering. So it is expected that our government intelligence agencies will do just that, monitor communications (data). Few of us have any issue with them doing this to catch the “bad people”. After all, we are law abiding citizens and having nothing to hide, we have nothing to fear. Unfortunately, we are wrong. We have much to fear.

What we have to fear isn’t the government gathering intelligence data. We already expect that they do this and besides, we’re not doing anything wrong, so let them protect us. However, the fear lies not in the monitoring, but in the oversight, or rather lack thereof. This has lead to proved abuse time and time again. History is rife with the US government abusing intelligence. Intelligence data has been used repeatedly as a political weapon.

Have you ever been upset with politics? If so, chances are there that somewhere deep behind what upset you is “secret” intelligence being used to pressure someone. Even though we, ourselves, are not doing any wrong, the lack of oversight on secret projects is likely negatively affecting our lives in some form. Are you an equal rights advocate? If so, did you know that the FBI used secret intercepted communications to try to pressure Martin Luther King into committing suicide? Although, that was a long time ago (1964) and certainly things have changed, we assume. Unfortunately, they haven’t changed.

The Electronic Frontier Foundation (EFF.org) was founded in 1990 by John Perry Barlow (Grateful Dead), Mitchell Kapor (founder of Lotus Development Corp, remember Lotus 1-2-3?), and John Gilmore (a large contributor to Open Source projects and one of the founders of the Cypherpunks mailing list, an informal group who’s aim was/is to improve privacy and security through the use of encryption). It was formed in response to the abusive activities of law enforcement with regards to electronic data. The government had/has free reign here and Eff.org is a major fighter on this front.

As recently as this year, EFF has forced the government to release files detailing abuse of power by government agencies like the FBI and NSA. These abuses included the monitoring of political opposition and innocent Americans. This means that even today these government agencies are illegally spying on political opposition and likely using gathered intelligence to manipulate political process. In fact, due to the contentious process politics has devolved into, I would claim that a rational human being would have to take this as a given based upon past history, current animosity, and the fact that they are still abusing these powers. So, how are they doing this? And where is the proof? Lets look into Internet history.

With the explosion of the Internet it was definitely expected that government agencies would seek ways to tap into it. They have been doing so since the early beginning. In fact, the US government started the Internet, it was a Department of Defense (DoD) project under the Defense Advanced Research Projects Agency (DARPA, first known as ARPA). Being a DoD project, intelligence agencies had their hand in it from the start.

The Internet, as we know it, started as a simple memo on April 23, 1963 dictated by Joseph Licklider as he was rushing to catch a plane. Licklider, a professor of experimental psychology at MIT had lead a team that researched the human factors of what was a computer controlled network of radar stations in turn controlled by a master computer called Whirlwind, located at MIT and which could perform automated decision making. This Semi Automatic Ground Environment (SAGE) system was the world’s first long distance computer network. This project spurred Licklider’s imagination to envision what would eventually become the Internet.

It remained a government research project until Jan 1, 1983, when the research network that had been created (ARPANET) switched to a new protocol for transmitting data between computers (TCP/IP, which was in the public domain). This allowed for more to join the network, including private entities. From 1983 until 1989 the Internet existed mainly between large universities and research institutes. in 1989, two commercial Internet Service Providers (ISPs) were formed, one in Australia and one in Brookline, MA (called The World). The Internet came to the people and left the control of the government in 1989.

By 1995 the Internet had 16 million users and intelligence agencies had definitely taken notice. In 1997 the FBI had implemented a program called Carnivore, mainly to capture e-mail, web, and messaging communications so they could better track drug traffickers, organized crime, fugitives, and suspected spies. Carnivore required that a machine be installed on the ISP network. This machine captured and stored the target’s traffic for later review.

Carnivore was exposed in 1999 and by 2001 was accused of casting too wide a net and effectively snooping on innocents (discovered by AP reporters via documents requested under the Freedom of Information Act). Press flared up about Carnivore, so the FBI renamed it DCS 1000 and the controversy quickly died down. Carnivore expanded into Omnivore and continued to gather even more data. Carnivore/DCS 1000/Omnivore was quickly forgotten when Magic Lantern got exposed.

Magic Lantern is a keystroke logging software (meaning it records everything you type) developed by the FBI and “installed” on a target’s machine via hacking it (compromising a known vulnerability), mainly by sending the target a malicious e-mail attachment. This was certainly easier than having to install a machine in the target’s ISP datacenter, plus it captured everything typed. A boon to lazy investigators, Magic Lantern was exposed in November of 2001 by Bob Sullivan (MSNBC) and Ted Bridis (Associated Press). They reported that the government was hacking into private machines to capture all typed communications.

Concerns about Magic Lantern included the scope of what it could do, whether non-government hackers could subvert it and use it too, and what type of oversight it had. This was the first time oversight was really brought up as a concern. Who was approving this? Was a judge’s signature needed like with a warrant or could the FBI just install it whenever they wanted without needing any approval? The FBI was non-committal on all questions, completely avoiding the oversight question. Instead the FBI deflected such concerns citing a need to protect children from child pornography, among other reasons.

Long capitalizing on public concerns and buzzwords like drug trafficking, organized crime, child pornography, and most recently terrorism, government agencies have continued to expand monitoring and reduce oversight using excuses a rational person can not argue against (who will come out and say “You can’t do that” when the stated reason is to stop child pornography? That places the opponent in the position of seeming to defend child pornography by opposing the methods). This technique rapidly quashed public outcry. I assume the project is still ongoing and has expanded, although it probably changed names again.

Because of increased scrutiny and a need to circumvent US law (it is illegal in the US for US agencies to spy on US citizens), US intelligence agencies decided to move off shore to avoid this restriction. By allowing other countries to do the monitoring in conjunction with US agencies, they could then spy on Americans by requesting data another country had collected and thereby circumventing US law against such collection, for there is no law against asking someone else for what they collected. The result was the UKUSA Security Agreement for the formation of a data analysis network (Echelon).

This agreement included the signatory states of Australia, Canada, New Zealand, the United Kingdom, and the United States. It resulted in the expansion of a 1960s cold war system to monitor Russian communications into something that could monitor and control commercial and private satellite communications. In other words, Echelon became capable of the interception and inspection of telephone calls, faxes, e-mail, and other data traffic without any oversight. What was illegal to capture in one country was legal in another.

Echelon caused a brief flurry of concern in the early 2000s, but that furor was quickly quashed using lines like “if you have nothing to hide you have nothing to fear” and “we protect you and your children”. Public opinion was one willing to give up personal privacy for supposed security. The rally cry of “if you have nothing to hide you have nothing to fear” became mantra. Whether apathetically, ignorantly, or by consent, Americans gave up their privacy and ignored the lack of oversight effectively without question. Echelon has since expanded.

Now we see PRISM in the news. PRISM is a system designed to tap into “the cloud”, meaning large Internet data repositories such as Facebook, Google, Yahoo, Apple, Paltalk, AOL, and DropBox, among, I’m sure, others. The claim is that to do so they must be 51% sure the target is not an American. What is wrong with this, you may ask? Well, besides the fact it appears to require little or no oversight, 51% is barely over majority (imagine if only 51% of your e-mail was delivered or you only received 51% of your paycheck, that 49% is a pretty large loss). So there is a 49% chance of illegally monitoring and building a dossier on an innocent.

Why should we even worry about this? After all, the Internet is public and again they are after “bad people”. If you think this, you are missing a larger picture. Mainly that while they claim to be only tracking “bad people”, statistics show they have to also be tracking innocent people. Before addressing the statistics directly, lets go further. Do you own an iPhone or Android device? If so, guess where your phone data is being stored? On Apple and Google “cloud” servers, yes, the same servers being tapped.

Recently Facebook announced Facebook Home. Facebook Home is an overlay that essentially takes over your phone. This gives Facebook the opportunity to collect more data than ever before, some of which they already collect, like your location and contact databases, but now with other new potential information to collect like phone call info, phone texts, and apps you launch and use. Where will this information be stored? In the cloud, of course, for both Apple and Android devices. Again, the same cloud being tapped.

Lately it seems like every company desires more information about us. That is because with every free service we use, we are the product being sold. It is our information that is valuable. Much of this information would normally require a warrant for a government agency to retrieve, except we’ve given them unchallenged access without oversight to our data indirectly (ie. via the Internet). That will soon include all of your phone data too and eventually, everything about us.

All this we have assented to effectively without oversight. This means that it does not require a warrant signed by a judge, so there are no checks and balances. In fact, it may only require a signed letter from a manager or maybe nothing at all. In addition, they have built a facility in Utah to store all this captured information indefinitely, meaning they will be able to trawl back through it at any time should laws change or they desire influence over someone, like a political opponent. Imagine everything you ever said recorded to be used against you at anytime, we are headed that way.

While we give away our data privacy because we have nothing to fear when we have nothing to hide, at the same time we must remember that everything is data, phone calls, phone texts, our current location, everything about us. We must also remember that it isn’t just our own actions which affect our lives, but those of others. Some of those people may be “good people” who are pushing a social agenda which the government does not approve (as in MLK). The government then may use the powers we blindly granted them to push that person into their party line. They have used secret communications before and continue to use them to manipulate democracy.

Lets go back to those statistics mentioned. The US government has so far reported that this free access to data has resulted in at least fifty thwarted global terrorist or other crimes since inception. Statistically, that is so negligible a percentage that it is not worth pursuing, yet it is pursued. At the same time, and again only in the last six months alone, Apple reported requests for data on 5,000 accounts, Google reported requests for 21,000 accounts, Facebook reported requests for 18,000 accounts, and Microsoft reported requests for up to 32,000 accounts.

This leads to the fact that at least 87,950 innocent people using one or more of those four companies may have been monitored and dossiers built on them over the last six months to catch or stop only fifty “bad people” since the program’s inception. These are also only the reported requests, not information already secretly tapped, and in addition, these are just a few of the many companies providing services on the Internet. We can expect similar numbers from every popular service that stores our data.

It is important to note that the majority of these requests were without warrant, with a gag order (meaning the company receiving the request is not allowed to tell anyone they received it), and are fully enforceable. In other words, this is a secret program, with secret requests, returning secret information, approved by secret means, with the data recovered used secretly, and it is constantly expanding and storing that data indefinitely. So, do you still think that you have nothing to fear from this in the land of “freedom and transparency”?

——

Steve notes: “Please note that the above information was all gained from public sources and is not the result of any past associations nor insider knowledge. Footnotes available upon request.”