Feeds

We're losing the battle with a government seduced by surveillance

And a hearty 'Screw you!' to the cynical cowards

Top 5 reasons to deploy VMware with Tegile

Comment As Scott McNealy - always a man who deliberately gives good quote - famously said in 1999, "You have zero privacy anyway. Get over it." On Thursday night he tweeted "Wow! I was righter than I ever thought I would be as an American. You have no privacy but this is hard to get over."

It really is, but it shouldn’t be. Anyone who has been around the block in the IT security industry knows deep down that the government was probably doing this kind of stuff. For years such discussions have been dismissed as conspiracy theories by some, but it's terribly galling both to have it confirmed, and then have the politicians supposed to enforce proper oversight line up to defend the practice with such blind loyalty.

Even worse is the attitude shown by many in social media who take the position that of course the government does this stuff, and only a naïve fool would think otherwise. After all, there are terrorists out there. Ironically these are usually the same people who previously dismissed fears of government overreach as the stuff of conspiracy theories.

"I'm a conspiracy scientist. I posit a hypothesis then design experiments to prove it. Only after confirmation is it a theory," as El Reg's own Trevor Pott put it elegantly on Thursday.

This is not a new problem; the battle between privacy and security is as old as humankind. Back in the old days you sent diplomats or spies to pick up gossip. Now most people sit down at a potential surveillance device at their workplace or living room, or carry one in their pocket. This is both a great tool and a great temptation.

We have in our hands the ability to both solve – and possibly prevent – some crimes using these devices. But if we want a civilized society in which the rights of privacy are respected, then using them to do so must be tamed, and based on current data we're getting the balance wrong.

Whatever the rights and wrongs of the PRISM case in which the US National Security Agency is said to be tapping into the servers of major service providers, the message from the executive and the legislature on the NSA slurping all mobile metadata is clear – "Get over it." If you use a mobile in the US, expect the number, location, handset signifier, and possibly IP address to get fed into the NSA's Maryland and Utah repositories.

This is bad practice and bad security, and the US needs to get a handle on just how far its government is willing to go in The War Against Terror (TWAT).

Reasonable rights

As the most technologically advanced society of the 20th century, one with a constitution guaranteeing certain privacy rights, and a thriving legal trade, the US was one of the first states to confront government snooping in a public fashion.

The Watergate scandal and it subsequent investigations into government surveillance spawned the Church Committee in 1975, which took the first really detailed look at what intelligence services were up to. In the UK it took until the 1980s before the existence of the domestic secret service known MI5 was even acknowledged.

The Church Committee found that government surveillance of the populace was widespread and commonplace. It also reported on the use of such information for the expedited assassination of those deemed enemies of the peace, and the subversion of overseas governments if their populace voted the "wrong" way.

The key actions springing from the findings of that committee were the setting up of the Foreign Intelligence Surveillance Act (FISA) and the Foreign Intelligence Surveillance Court (FISC) to regulate the ability of government to intrude into the lives of citizens. You can get the information, but you have to ask for it first.

Six weeks after the September 11 attacks, the 363-page Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act) legislation was introduced to Congress and voted through three days later. In the fevered days after the attacks that left 2,752 dead, it's a safe bet that few politicians even read the legislation before voting it in.

FISA got gutted by the Patriot Act, and it now appears FISC is passing out mobile surveillance compliance orders with the same free abandon of Justin Beiber at a tasteless clothing store. The system needs a review.

"It's time for a new Church Committee," Cindy Cohn, legal director for the EFF, told The Register. "The last time the NSA was caught spying on innocent Americans there was a huge investigation and a watershed piece of legislation to rein the government back in.

"With new digital technology and fancy footwork and some of the changes in the law the government has expanded back into the place where it's doing general surveillance again," she said.

Big Data mistakes

The subject of government intrusion into private communications is a tricky one. Ask any government security employee about spying on American citizens and they'll deny it vigorously. But it's not spying if it's legal.

Under Section 215 of the act that has been used by the NSA in the Verizon case, it's open season on mobile data. The leaked Verizon court order shows that phone data can be used to gather the precise location of callers, the numbers used and for how long, and also possibly links to your IP address for additional info-gathering based on your browsing history.

It's already being reported that the NSA is getting the same data from AT&T, Sprint, and presumably other mainstream mobile carriers. But is such data trawling really essential, or merely convenient for the authorities?

Now it appears the NSA has caught the Big Data bug. No doubt there are software firms out there promising that by mass surveillance they will be able to pick out the patterns of criminal activity and act as a precog for police. There are two problems with this approach.

First off, it doesn't work. Human motivations are too complex to identify by computer algorithms as yet, and if you've got the slightest idea of how to evade such surveillance, the entire system becomes useless. Despite intense commercial development, we still can't work out reliable algorithms to determine the reasons people buy, let alone the reasons why they kill.

Secondly, the intelligence gained from this kind of surveillance is largely reactive rather than proactive. London is covered by more CCTV cameras per city than anywhere else on the planet. This doesn't stop much crime, but expedites the finding of the suspects more easily.

US TV viewers have been trained on the idea that anti-terrorism is a quick-fire thing – there's a ticking bomb that must be stopped and anything that can be done to stop it must be done. The concept of being able to pull up detailed information on any individual is tremendously seductive and could save time, but the payoff in terms of privacy seems little considered.

If someone is suspected of being such a serious threat, of course they should be investigated. But slurping up everyone's data on the off-chance that you might uncover someone connected to an incident makes for a massive false-positive problem, and is currently only of real use after an incident has taken place.

Smart surveillance

The vast amounts of information that modern communications devices can provide about an individual can be used in beneficial ways, but only with smart targeting and non-partisan oversight.

The kind of large-scale data collection that has been reveled over the last few days has shown a fundamental failing in both security policy and a government's duty to protect the rights of its populace. There needs to be a balance involved.

Targeting suspect individuals under the rule of a court is the way this should be done. Mass data-slurping on the off-chance that you find the right target based on an algorithm or analyst's view is not; not yet and possibly not ever. Humans are, I suspect, too complex for that, and it puts too much temptation in the hands of those with the data.

"If I was in the government's position I'd grab everything I could get and see what comes out in the wash," a noted security expert said in a private conversation with this reporter. "Then again, that's probably why I shouldn't be in government," he added.

Government officials are human too, and there will be a few who are willing to use this kind of data for corrupt purposes, either personal or professional.

And to those of you who say I'm naive in expecting government to act for the people, I say screw you for your cynicism. "You should have expected this," is no excuse. We should demand better of our governments and be willing to pay the price.

For a decade I lived in London under an Irish nationalist bombing campaign that was partially funded by US citizens; in one case I waited for a train while standing next to a bomb that went off 20 minutes later. I'd love to be able to find out the identities of the bombers from their phones, but I'm not willing to give up everyone else's privacy to do so.

Simply saying that this NSA spying is about terrorism and that trumps all else is a canard, and one that deserves to be shot down. Yes, people have died in terrorist attacks, and will do so in the future. But if we sacrifice our society's rights to deal with the problem, we've already lost the most important battle. ®

Beginner's guide to SSL certificates

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Simplify SSL certificate management across the enterprise
Simple steps to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of control for these Certificates.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.