Tunisian Gov't Spies On Facebook; Does the US?
jfruhlinger writes "Tunisians logging into Facebook encountered extra JavaScript, probably a sign of their repressive government's attempt to spy on them. The question is: does the US government do the same thing, just more subtly? We're not talking about agents friending you on Facebook to get more information about you; we're talking monitoring your supposedly private information behind the scenes."
Amendment IV - The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Are they? Who knows?
Can they? No doubt.
Clue:
If it were private, your information wouldn't be on facebook in the first place.
Have you been off planet for the last year or two?
Sig Battery depleted. Reverting to safe mode.
It should be assumed that any information you post on a system that doesn't belong to you (and even some that do...) is being peered at by someone that wants to put their nose where it doesn't belong.
We used to live in a society where a comment like 'Oh, but why would they look at you if you're unimportant?' would have been valid, but with the ever-encroaching nemesis of data mining and algorithmic analysis making itself part of our daily lives you have to assume that, at any moment, every transaction you make is being scrutinized.
Your Rights Online: Tunisian Gov't Spies On Facebook; Does the US?
Silly submitter, the government doesn't spy on Facebook, the government uses Facebook to spy on you. Now that the typical Slashdot pedantry is outta the way, isn't the whole point of Facebook to spy on people anyway?
I'm not sure whether any Government, or perhaps every Government, is monitoring or "spying", if you will, on citizens and non-citizens alike. But I am sure that you are a fool if you think they cannot, or if not them, then someone. Aggregation of personal information is the real purpose of the internet, just because it took 20 years for everyone to figure that out doesn't make it any less real, or inevitable. Take care of what you post, and where, and assume it can all be on CNN tomorrow morning. It's that simple.
Not true. HTTPS works quite well against a rouge ISP. Where it fails is with a rogue Certificate Authority willing to sign bogus certificates. If you can get a CA to sign your bogus certificate, then you can execute a man-in-the-middle attack against HTTPS.
And slashdot bought it, hook, line, and sinker.
I had a position that may have involved technology that was a little sensitive for several years. At one point a disgruntled employee burglarized the personnel files and spread information around about various people. As it turned out the investigation of employees went back quite a few years and some of the compiled information had to be garnered from neighbors long since passed away. I know that postal employees are sometimes asked about people on their route but apparently at least in some cases there are very large sums of data that go back for several decades kept and available. I can only imagine our government having the time or interest to do such a search of people's backgrounds. I have never had even a misdemeanor and can not fathom why such files were kept on me. I was not in the military at any time. Apparently some employers must feed the government information about their employees or perhaps even their customers.
As I had nothing in particular to hide I found the incident upsetting but not to the degree that I sought to file suit against the firm involved. But I'm not so sure how free people are when the government can compile information to that degree upon its citizens. I am also assuming it was the government that did the leg work. It is quite possible that other entities do the compilations. In some areas the police kept or keep "yellow sheets". They do it indirectly through a benevolent fund or some other straw man so that they can deny in court that they have such information. Often when a crime takes place they seem to know exactly where to go to snag the culprits. They also really do know about certain machinists that would have special abilities useful in committing certain crimes such as machining a weapon from scratch or the ability to cut through safes due to work in armaments. These days certain areas of electronics might draw a great deal of governmental attention.
Do mammals of the family Ursidae deposit fecal matter in areas of arboreal vegetation?
I don't think so. ...
When you can't trust your ISP and that the site you are connecting to is genuine, I don't think HTTPS works that well.
HTTPS sessions are verified by their SSL certificate, issued by a certificate authority. An ISP cannot tamper with traffic sent via HTTPS, and as long as it's also encrypted (almost always) it can't read the traffic. (it CAN however see who you are talking with)
This here is a case of the ISP directing users to a different IP address (via faked DNS responses pointing to their spoofing server) and spoofing the login screen, and skimming the passwords. This would not be possible if the user was using HTTPS to connect to the server. Almost all HTTPS-capable web sites automatically forward HTTP requests to their HTTPS url immediately. Facebook does not. This places their users at risk.
Of course the auto forward itself is a weakness, if the user is used to using the non HTTPS url, they may type it in that way, in which case no HTTPS is ever started, and the skim can take place. Arguably the best thing for an HTTPS-capable site to do when someone tries an HTTP url is to pop up a page saying "type THIS instead" and do NOT offer an easy click-to-go-there. Make the user type it themselves. Make them get used to typing H-T-T-P-S. Make sure the only bookmarks they make that will ever work are HTTPS URLs. If you let the user be lazy, they'll get used to it and won't behave securely by default, and that can get them phished or skimmed. Too many users think that if the icon to the left of the url is a gold padlock they're secure, you need to train them to do things the right way, and not accept insecure initiations of traffic.
I work for the Department of Redundancy Department.
There's a reason that almost all browsers have controls to enable/disable Java and/or JavaScript. Programmers who have used these languages normally understand why you don't want your browser to automatically execute code downloaded from strangers, and browse with "scripting" disabled. Maybe we can teach others to do the same. If you tell us here which browser(s) you use, we can probably tell you where the controls are to turn off the execution of outside code. If your browser doesn't allow this, you should probably use a different browser.
Some browsers, such as Firefox, have the ability to enable/disable scripting selectively for specific sites. Those browsers are much safer than the others.
(And to the geeks here: Yes, I know you know all that. I'm talking to the large part of the population who don't seem to know it. This obviously includes whoever wrote TFA. ;-)
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
The US is the biggest spy in this age and has been since WW2. Of course they fuck us. This question is truly naive. Hell, this one would be the one question that proves that 'there are no dumb questions' is just wrong. There are dumb questions. This is one.
Or more generally, anything you send to anyone on the Internet that isn't encrypted should be considered public. Your ISP is almost certainly mining it for commercial (e.g., advertising) purposes, and is probably also looking for keywords that your government is interested in. Anyone along the route that the packets take is capable of intercepting your packets and doing whatever they like with them.
One of the long-standing bits of advice from the security people is that nothing except end-to-end encryption is secure. The Internet (actually its predecessor the ARPAnet) was designed with this in mind. The low-level networking stuff doesn't much do "security", because they knew back in the 1960s that this was pointless. You can't ever trust any of the owners of the "tubes". Your only defense, if you don't want your packets forwarded to your worst enemies, has always been end-to-end encryption. Everything else should always be considered public.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Most countries more-or-less run a certificate authority that every browser is willing to trust. Look at the list some time, bearing in mind that businesses and universities often do government work. Worse yet, some that you see in the list have delegated their authority. China has at least **two** that they can use. (see previous Slashdot story, including comments)
I try to post non-anonymously using my real name whenever possible, partly because ultimately I want the problems fixed. (Look at the polls I submitted for example) But I know in the real world that isn't always possible.
Alternate Headline: Tunisian Gov't Spies on Facebook; Does Spain?
only if the US tells them to.
rewriting history since 2109
We're talking monitoring your supposedly private information behind the scenes
Well, here's the thing about US law (for better or worse, I'm just explaining it as I understand how it actually operates) is that there is no constitutional reasonable expectation of privacy in Facebook stuff, since by assumption you have already shared it with others (if only Facebook Inc). This is called "the third party doctrine", since it covers only information that an individual has voluntarily disclosed to some third (non-government) entity. See, e.g. United States v. Miller (1976):
"The Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed."
The long and short of this is that the act of transmitting to Facebook establishes that you have no REP in whatever you transmit. A lot of ink has been spilled in debating the doctrine, both legally and normatively but that's past the scope of this post so I'll just point you to an article criticizing the doctrine and one defending it. Both contain excellent overviews of the law and the surrounding doctrinal argument.
More interestingly, however, Congress stepped in to provide even more protection than the Court when it passed the Stored Communications Act that provides an intermediate level of scrutiny past the normal scrutiny that attaches to any criminal subpoena[1]. In the SCA, Congress requires the government to prove "specific and articulable facts" that the information is relevant and material to a criminal investigation. That would be the standard applicable to a subpoena to Facebook.
Of course, if Facebook wanted to disclose information voluntarily, that would be well covered by the Third Party Doctrine (as it exists) except to the extent prohibited by the Facebook TOS.
[1] That would be, approximately, 'reasonable possibility that the materials sought will produce information relevant to the investigation'. See, e.g. United States v. R. Enterprises (1991) and FRCP 17.
[2] 18 U.S.C. 2703(d).
HTTPS works well even when ISP's wear makeup?
"I do not agree with what you say, but I will defend to the death your right to say it"
Firefox and Chrome both throw up a giant red page warning you that someone might be listening whenever they encounter an unsigned certificate.
But they don't give any warnings if say the www.citibank.com certificate turns out to be signed by CNNIC (a Chinese CA), or any other CA installed in your browser, or signed by sub-CA certs that are signed by any CA in your browser!
So all the Tunisian gov would have to do is get a CA to sign some certs for them, or get them to sign a sub CA cert for them - so that they can sign any cert with that[1].
To handle this scenario you either have to rely on third party plugins like Certificate Patrol, or manually check the certificates every time without error (good luck with that).
[1] http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/7ba51ca49de0f6cf/82ae68bc8d4292f8
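An added example, not part of the thread and not the code of any add-on: a simplified trust-on-first-use check of the kind the comment above says browsers leave to third-party plugins. It flags a certificate that still chains to a browser-trusted CA but was issued by a different CA than the one last accepted for that host. The class and field names, the 30-day renewal window, and the sample observations are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Seen:
    leaf_sha256: str     # fingerprint of the server (leaf) certificate
    issuer: str          # issuer name as presented in the certificate
    not_after: datetime  # expiry date of that certificate

RENEWAL_WINDOW = timedelta(days=30)  # assumed: replacements this close to expiry are routine

class IssuerWatch:
    """Remember the last accepted certificate per host and judge replacements."""

    def __init__(self):
        self.pins = {}

    def check(self, host, cert, now):
        old = self.pins.get(host)
        if old is None:
            verdict = "first-seen"          # nothing to compare against yet
        elif cert.leaf_sha256 == old.leaf_sha256:
            verdict = "unchanged"
        elif cert.issuer != old.issuer:
            verdict = "issuer-changed"      # browser-trusted, but signed by a different CA
        elif old.not_after - now > RENEWAL_WINDOW:
            verdict = "early-replacement"   # same CA, but old cert was nowhere near expiry
        else:
            verdict = "renewal"
        if verdict in ("first-seen", "renewal"):
            self.pins[host] = cert          # suspicious certificates never replace the pin
        return verdict

def demo():
    # Constructed observations; host, issuer names and fingerprints are placeholders.
    now = datetime(2011, 1, 25)
    a = Seen("aa" * 32, "CN=Example CA One", datetime(2011, 2, 10))
    b = Seen("bb" * 32, "CN=Example CA One", datetime(2012, 2, 10))
    c = Seen("cc" * 32, "CN=Example CA Two", datetime(2012, 6, 1))
    d = Seen("dd" * 32, "CN=Example CA One", datetime(2012, 3, 1))
    watch = IssuerWatch()
    steps = [a, a, b, c, d, b]
    return [watch.check("www.example.com", cert, now) for cert in steps]
```

The first-seen case is the weak point of any such check: if the first connection is already intercepted, the wrong certificate becomes the baseline.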
Strong arm? Why? Just $$$ will do: http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/7ba51ca49de0f6cf/82ae68bc8d4292f8
Tell that to the guy who has his cell phone rummaged through without a warrant. And tell it to the guy who has a GPS tracker attached to his car without a warrant. Tell it to the guy who has his computer searched, with anything found being prosecutable, whether it was what the warrant specified or not. Tell it to the people whose cars (and possibly even persons) have been subjected to airport "naked body" scanners from vans on the street without--you guessed it--a warrant. Tell it to the people whose Internet information is handed over to the government willy-nilly without any kind of warrant. Tell it to the guy whose cell phone signal is geo-located without a warrant. Tell it to 94 baseball players whose drug results were obtained without a warrant.
The list goes on and on. The Fourth Amendment is a joke today. I know it, the government knows it, and apparently you didn't get the memo. It's at the point where we need to pass a new amendment that basically says, "Goddammit, we mean it." Realistically, it's probably never going to change because too many people stupidly think that 1) if you're innocent you shouldn't have anything to hide, and 2) it could never happen to them.
In Soviet Russia, Facebook spies on you!
Wait a minute, that didn't come out right...
Of course not. The US government isn't going to go through the trouble of having ISPs insert malicious Javascript, when they can just send a few agents over to Facebook (and/or the ISPs) and set up a tap sending all data directly to the NSA instead. A lot more reliable and less detectable by the victim.
The Yakima NSA listening post has been under expansion for years. Google hid work on the center by removing the huge dirt piles from their history in ~2005. A fire inspector leaked that the center was over 40 stories underground, this is before the expansion. The complaint from the Yakima tribe about dirt dumped on their land has also been deleted,
Another reason sites should enable HTTPS by default everywhere.
Nothing new except that they are more obvious these days. It is real obvious if you use an older slower computer.
You are being MICROattacked, from various angles, in a SOFT manner.
Tunisia was blocking https connections to www.facebook.com.
You are posting to a public gateway and then are afraid that someone is treating that data as public - how dare they!
Really, it isn't private communications and, as such, there is no need for a warrant or anything for anyone to get at it. This is data mining, not spying, and is done all the time. I bet there is a web crawler somewhere on this planet that is "spying" on this post on slashdot too - there is no fourth amendment rights to information you broadcast to everyone on the planet, indeed I do not even see how there could be.
------- Sorry about the spelling, I suffer from two problems. Dyslexia makes it difficult to spell well, lazy makes it