MIT Project Reveals What PRISM Knows About You
judgecorp writes "MIT's Immersion project sifts your Gmail, and constructs a map of your associations. Without opening a single message, it gives a clear view of who you connect with. It's a glimpse of some of what the NSA PRISM can do. From the article: 'You can assume that if the NSA is looking at your email, the information in Immersion is similar to what they will see. Consider that they probably see all of your email addresses (and not just Gmail) and that the metadata is examined along with the metadata from everyone you’ve corresponded with, and you can see just how much can be inferred from this data alone.'"
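The header-only analysis the summary describes can be illustrated with a short added example; this is not Immersion's code and not part of the original post. The owner address, the sample messages and the grouping by connected components are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from email.parser import Parser
from email.utils import getaddresses
from itertools import combinations

OWNER = "me@example.org"  # assumed mailbox owner (constructed address)

# Constructed sample messages; the bodies are present but never examined.
RAW_MESSAGES = [
    "From: me@example.org\nTo: Alice <alice@example.org>, bob@example.org\n"
    "Subject: a\n\nbody text",
    "From: Alice <alice@example.org>\nTo: me@example.org\n"
    "Cc: bob@example.org\nSubject: b\n\nbody text",
    "From: Carol <carol@example.org>\nTo: me@example.org, dave@example.org\n"
    "Subject: c\n\nbody text",
    "From: me@example.org\nTo: dave@example.org\nCc: carol@example.org\n"
    "Subject: d\n\nbody text",
    "From: erin@example.org\nTo: me@example.org\nSubject: e\n\nbody text",
]


def participants(raw):
    """Return every address in From/To/Cc, using only the header block."""
    # headersonly=True stops parsing at the end of the headers.
    msg = Parser().parsestr(raw, headersonly=True)
    fields = (msg.get_all("From", []) + msg.get_all("To", [])
              + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def build_graph(raw_messages, owner):
    """Count messages per contact and co-occurrences between contacts."""
    volume, edges = Counter(), Counter()
    for raw in raw_messages:
        others = participants(raw) - {owner}
        volume.update(others)
        # Two contacts on the same message are linked to each other.
        for pair in combinations(sorted(others), 2):
            edges[pair] += 1
    return volume, edges


def clusters(volume, edges):
    """Group contacts into connected components of the co-occurrence graph."""
    adjacent = defaultdict(set)
    for a, b in edges:
        adjacent[a].add(b)
        adjacent[b].add(a)
    seen, groups = set(), []
    for start in sorted(volume):
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in component:
                component.add(node)
                stack.extend(adjacent[node] - component)
        seen |= component
        groups.append(sorted(component))
    return groups


if __name__ == "__main__":
    vol, edg = build_graph(RAW_MESSAGES, OWNER)
    for group in clusters(vol, edg):
        print(group, {c: vol[c] for c in group})
```

Five messages are enough to separate the owner's contacts into two distinct circles and one isolated correspondent without reading any message text.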
I'm guessing MIT haven't tapped Google's fibre like the NSA so are doing it on a consent based basis, but no, I haven't read TFA.
One has your consent, the other doesn't?
What now? Are they water-boarding people for information?
Have gnu, will travel.
One of them is opt-in. One of them is not.
I always thought it would be interesting to figure out a way to seed surveillance and information gathering networks with unique information you could then watch for to see where it "leaks out". For all the worry about NSA surveillance, my real fear is that it's actually a front for commercial operations. (My theory is that the NSA is mostly a headless monster of a "Security Industrial Complex" that lives off of milking the public for money in exchange for useless services and general industrial espionage. It's really the perfect scam because you can avoid any investigation of conflict of interest with 'state secrets' privilege.) It would be a real coup to find your honeypot information leaking into commercial databases.
More than a decade ago I registered a few domains with bogus names. To this day I still get offers in the mail for "Longdong McPorksword", even though mining whois data for commercial purposes has always been supposedly illegal (well, a terms of service violation at least).
The government, by definition, has the consent of the governed. Otherwise, it would be long gone.
So the purpose of this is what? To reassure us that the NSA is telling the truth and that they really do only view metadata? I think at this point it is quite safe to assume that any official announcement from the NSA is a lie. If MIT really wants to simulate seeing what the NSA can see then they should give you a view of every form of online communication plus any voice communication. The content. Not just the fucking metadata.
Quite an experience to live in fear, isn't it? That's what it is to be a slave.
I thought places like Google and Yahoo retain e-mail for several years in order to facilitate all future subpoenas. Who's to say the NSA doesn't have access to a shadowcopy of these e-mails directly on the server/s?
Life is not for the lazy.
The murderer and the rapist have the consent of the victim, otherwise these crimes simply would not happen.
Seven puppies were harmed during the making of this post.
This. In the West, I am less scared of the government (in its public capacity) than any other entity. They have the most openness and democratic oversight of any organisation. The thing I fear most about the government is the extent to which it partners with private organisations which are more interested in furthering special interests of small groups - usually the bank accounts of the wealthy.
The information GCHQ/NSA has on me CAN be used to exploit me - if insufficient regulation allows corruption to set in. The information private entities have about me WILL be used to exploit me - by design.
They have the consent of the governed only if they follow the constitution which gives them the power to do what they do.
Since they are wiping their rear ends with the constitution on this matter however, they do not have any consent at all.
The simulator helps you understand how your civil liberties are being violated. It helps make vague understandings more concrete.
How, when both of the only two parties the corporate media dare mention are both all for a surveillance state? Remember, a vote for a candidate who doesn't want your loved ones in jail for pot and doesn't want a police state (e.g., Green and Libertarian, both on enough ballots to win) is a wasted vote? All the newspapers and TV stations agree, we need to have a surveillance state and we need to jail your loved ones!
And nobody seems to realize how stupid their vote is, corporate media keep us in the dark.
Free Martian Whores!
In today's America, the government has less the consent, and more the apathy of the governed. The fact that the populace is so disengaged and ill-informed is the only reason there aren't many more protests in the streets.
"But we have to pass the bill so that you can find out what is in it,..." - Nancy Pelosi
"Um... so your emails don't go through the internets? How does that work? Even though you tell the server to delete it, it still passes through the server..."
I knew somebody would bring this up. :)
No, of course the email goes through the 'net. But consider: trying to separately store and analyze each separate event takes vastly more resources than doing periodic static analysis of the contents of your email folder.
Conclusion: they probably don't. Almost certainly, they simply take periodic snapshots. While they may analyze traffic too, that's still not the same thing.
Consent requires information. If the government does not provide any information about what they are doing, there can be no consent. Additionally, any implied consent is bounded by the constitution, and it does not appear that the government of the US has any intent whatsoever to abide by those restrictions.
The power of an integrating capability isn't what it can glean from ONE source (gmail), but rather the cross product of combining MULTIPLE sources. (gmail, facebook, phone records, credit report, amazon purchases? banking transactions?...) This cross-cutting capability is really the only portion that is unique/specific to government. (Except there is also a vast and shadowy industry of buying and selling the same personal information on private markets which we also know very little about).
Interesting points about openness and democratic oversight in government as opposed to the corporate world.
So shouldn't you be up in arms about the lack of both openness and democratic oversight shown in the NSA affair? You can't defend the virtues of one system over another, then turn a blind eye when it reneges on those virtues.
Everything is better with chainsaws.
Do they also know whether you're paying taxes on your mail order purchases and side-job income? (I mean, not that they would have gone to all the trouble of collecting the data just for that, but now that it's sitting right there...)
So... The government secretly developed, deployed, and has been illegally managing this mechanism enabling them to spy on every citizen and foreign national that has passed data or made phone calls through the US. And you recognize how it could easily be used to intimidate, coerce or blackmail.
Your solution then is to allow the program to continue and feel safe from its potential abuse by asking the same people who illegally developed, deployed and are managing it, to follow the rules? Pretty please?
What could possibly go wrong?
The problem is that now, thanks to the PRISM leaks, no one believes Google. Not even a little bit. And yes, they can be legally compelled to lie and if they are so compelled they will be shielded from any consequences of those lies, just like the phone companies were the first time a massive warrantless wiretapping program leaked 5 years ago.
Well, the earlier /. story mentioned that GCHQ (UK) stores *three days'* worth of data flowing through Britain (where almost all the high-speed cross-Atlantic cables terminate), and the metadata from that for 30 days.
A shadow copy of all the text in email or Facebook is easy. Adding the media is more costly, but not that much.
Additionally, any implied consent is bounded by the constitution, and it does not appear that the government of the US has any intent whatsoever to abide by those restrictions.
Au contraire. Secret court rulings have confirmed that the US is abiding by the constitution. Please do not attempt to disprove this, as slashdot is not cleared to receive classified information.
Trust the Computer. The Computer is Your Friend.
I'm guessing MIT haven't tapped Google's fibre like the NSA so are doing it on a consent based basis, but no, I haven't read TFA.
I don't think tapping Google's fiber would do the NSA that much good. All traffic between gmail servers and gmail users is encrypted. They could get traffic between Google's SMTP servers and other mail providers, because although Google uses SMTP over TLS when talking to any other provider that supports it, few do, but messages between gmail accounts are never transmitted in cleartext.
If you argue that the NSA can lean on certificate authorities to let them spoof Google certs, I think that approach is unlikely to succeed. First, even if CAs cooperated the NSA would need to use it sparingly, because it's likely that eventually someone would notice that they're getting different -- though apparently valid -- certs, especially since all valid certs from Google should be issued by Google's CA. Second, the fact that Chrome pins all Google certs by default makes the odds of discovery even higher. In fact, that's how the DigiNotar compromise was surfaced; someone tried to use the compromised signing key to spoof a Google cert and Chrome threw up big red error pages.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Democratic leaders have the one-time approval of 51% of the governed. They certainly don't have the consent of ALL of the governed at any point. Generally speaking governments don't always have consent, they do however, have the most soldiers and weapons.
I don't think Google could be legally compelled to lie
I'm not so optimistic, but in any case there's plenty of scope for carefully hiding the truth.
"we do not provide any government, including the US government, with access to our systems. Nor do we allow governments to install equipment on our networks or property that gives them access to user data."
What about equipment "just outside" their networks, or accessing whatever Google considers non-user data?
I'd be surprised if (unknown to Google) they aren't employing some people who also work for the NSA.
"Third, we provide user data to governments only in accordance with the law."
Through a secret court?
Hopefully we can get more transparency, and it's good that Google are pushing for that.
Your premise is wrong if it's "government is an entity that follows laws", because this completely ignores the fact that government is made up of individuals, with personal agendas. The data they collect may not be used against you right now, but that's only because you're not in someone's way yet. Once you step into the crosshairs of someone in power, do you still think all that data is innocent and inert? Do you think regulation is going to save you? Are you willing to accept a society where you cannot poke your head up too high, unless you're of a chosen breed and have greased the right palms?
... whatever
The problem is that now, thanks to the PRISM leaks, no one believes Google. Not even a little bit.
That is a problem, indeed. It's why Google has filed suit against the DoJ, because Google can't provide the details needed to defend itself.
And yes, they can be legally compelled to lie and if they are so compelled they will be shielded from any consequences of those lies
Cite? As far as I know, the telecoms never lied. They refused to answer, and then eventually admitted to it. I could be wrong, however, since my memories of the details are fuzzy. But a few web searches seem to support my recollections. Yes, they definitely were shielded from any legal consequences.
But even if Google were shielded from legal consequences, Google could not be shielded from the extremely severe and irreparable PR consequences. Google might be able to recover from proof of the allegations by coming clean and promising to do better, but proof that the allegations were true and that Google lied would be disastrous for a company with Google's current business model. Remember that unlike the telecoms which have local monopolies, a national oligopoly and fairly high switching costs, Google's competition is just a click away.
I see three options:
1. Google is telling the truth.
2. Google is lying and is absolutely certain that it can never, ever be proven.
3. Google's executives are idiots.
I know 3 is false, and arguably it would have to be true for Google's execs to believe that their lies could never be proven, per 2. I think they're telling the truth.
(Disclaimer: I should mention that I work for Google. However, if the PRISM allegations were supported, I probably wouldn't be working for Google much longer, and neither would an awful lot of other people, including many who are far more talented and valuable than I am.)
The equivalent of saying that there is no such thing as rape as anyone that does not successfully get away has consented.
What about equipment "just outside" their networks, or accessing whatever Google considers non-user data?
Well, since nearly all Google traffic is encrypted, equipment just outside their networks wouldn't do much good. And Google considers all data in any way related to users to be user data.
I'd be surprised if (unknown to Google) they aren't employing some people who also work for the NSA.
That could certainly be. However, Google security is pretty deep, and focuses at least as much on securing against insider threats as outsider threats. Those NSA employees would have to be extremely well-placed. (I work for Google, on security infrastructure, which means I know whereof I speak, but also that I can't provide much detail.)
Through a secret court?
Where that's what the law says, then yes. I think it's very clear that we have some deep public policy problems. However, Google's claim is that the number of requests they receive is small and affects only a tiny number of users. Unfortunately, the law doesn't allow them to be more specific, which is why they're suing.
Hopefully we can get more transparency, and it's good that Google are pushing for that.
Agreed. We absolutely need more transparency, and it's great that a company with the clout and resources of Google is pushing for it. It doesn't even matter whether they're pushing for it because they think it's a good thing in general or because the allegations are damaging to their business model.
At least the NSA says it doesn’t read the contents of your email. Google does, and it admits that it does.
Like I believe NSA does not look at the contents... If it weren't for Snowden, we would still not know about PRISM.
[the government has] the most openness and democratic oversight of any organisation
Ha ha ha ha ha!!!! That was a good one!
We have the internet now, but thanks to the NRA our candle is a searchlight pointing at us. Vote Libbie or Green!
perhaps it's not "rape rape" but "spousal rape."
What would be OK is if they posted some code to run and then let you save and browse the result all on your own machine.
-- "Oh. This guy again."
Actually...Google provides 15 Gb of storage for standard, free Gmail accounts. Unless you're attaching movies or large numbers of music files, that is enough to retain years worth of e-mail.
I know, I have years worth of e-mail in my Gmail box. 8 years, to be exact, and I'm using less than 10% of that 15 Gb.
The money is spent.
And as a side note. I once went thru and started deleting large quantities of older e-mail, that I had no reason to keep. After about 15 minutes the little "advertising" strip on the top of Gmail switched to "We have a sale going on tin-foil hats" and stayed there until I logged out..
Learning HOW to think is more important than learning WHAT to think.
I allowed Immersion to review my gmail, and I don't think it really reflects what PRISM is accessing in any way. All it did was go through my emails and build a standard social network map out of my emails based on who was in the address lines. My understanding is that PRISM is actually analyzing the content of my emails. Immersion is neat, but it really seems like the developers are trying to promote their own software by attaching it to the surveillance scandal.
As for Immersion itself. It is a neat application and it's fun to see a chart of everyone you interact with and how they are all networked together. If you're interested in seeing your Facebook and Twitter networks modeled in a similar way, you can use the open-source NodeXL plugin for Excel, which lets you harvest your data from these social networks and build your own visualizations. It's actually much much more robust than Immersion and you don't have to give a third-party access to your accounts since you run it from your local machine yourself.
i ~ Celebrating Science, Cyberspace, Speculation
Two words. "Spousal Rape."
I think you'll find that this is a relatively recent concept, and some can condemn other forms of rape, while having a difficult time understanding how rape can possibly exist within the confines of marriage.
You assume an antagonistic relationship between the people and the state. This is not necessarily a good assumption to make when trying to understand why NSA wiretapping is still accepted by significant segments of the population.
I don't think it's apathy, I think it's surrender of the governed.
For example, Congress currently has an approval rating of 7%, and a disapproval rating of 65% (Rasmussen). If there's one thing Americans agree on, it's that our elected leadership is, on average, terrible. And yet early polling suggests that of 435 Congressmen, only about 50 are likely to be replaced.
The fastest-growing party affiliation in America is independent. That strongly suggests that neither major party is representing the citizens. And yet there are only 3 independents holding federal elected office, and 1 of those independents (Joe Lieberman) is really a Democrat in disguise because his party supported him over the candidate chosen by voters in Connecticut in the primary.
So this leads to the argument that Americans are paying attention, think their elected leaders and political parties are horrible, and vote for them anyways because they think the alternatives are even worse.
I am officially gone from
Unless the NSA has the private key for the certificate. There's no need to spoof a certificate if all you want is to listen. Just get hold of the private key, and the data could as well have been sent in cleartext. Since the browser will get the original certificate, there's nothing raising suspicion.
Indeed, even Google may be unaware of the NSA having the key, if they got it through an unofficial way (either bribing/threatening someone who has access to give it to them, or put an undercover agent in to get the key, or maybe even use a not publicly known vulnerability on the certificate generating computer's operating system to break in).
The Tao of math: The numbers you can count are not the real numbers.
One has your consent, the other doesn't?
One needs your consent. One just needs a court's consent.
One has no legal oversight, one does.
The thing I find puzzling about the PRISM uproar is that there's not actually any allegations by Snowden that the NSA ever looks at records without a court order. Only employees with superuser-level access who commit felonies have.
At least there are laws to appropriately punish people like Snowden who step well beyond the legal limits of their roles and violate privacy. Do you think there's anything protecting your personal information at ATT or Verizon from any schmuck who wants to do the same thing? Do you think, even if PRISM wasn't there, that an analyst who is willing to break federal law couldn't do the exact same thing, anyway?
Hell, I'd comfortably argue there is vastly less of a privacy risk having all of that data in NSA systems, than having the NSA one-off requests for each and every bit of data. Assuming an analyst isn't breaking the law, no one but the NSA knows if I'm being investigated. And when it comes to nothing, no one is the wiser. If I happened to be standing too close to a terrorist suspect, and the NSA wanted to verify I hadn't had any contact with that individual, and that request was sent to ATT, my local Telco, maybe my financial institutions -- under a court order, just as legal as with PRISM -- now every one of those institutions knows I was being investigated *and there's no controls about the ramifications of it*. It also reduces the risk of my personal information to social engineering.
Hell, the history of organized crime in the US makes it pretty clear why it's a problem for a Telco to know about a wiretap -- because it wasn't at all uncommon to have the telephone engineers who had to do them on the take, not 20 or 30 years ago.
I honestly am baffled how any reasonably intelligent person who has spent more than ten seconds thinking about it is up in arms about PRISM. It's just bizarre.
...a lot of rich Nigerians, quite a few Viagra and p. enlargement sellers, a number of individuals who know jobs that pay thousands of dollars that you can do from home, a handful of real estate executives, and more.
Scanning the 10,000 pieces of email in my inbox, over and over again, is more efficient than tracking each individual piece as it comes in? That doesn't really follow.
"Mind, as manifested by the capacity to make choices, is to some extent present in every electron." -Freeman Dyson
Well it depends if it's 'regular doubling' or 'doubling doubling'.
and the people who have been elected into positions to provide that oversight did.
Did they? I'd be interested to hear how you know that, given that the court opinions are secret. Is there actually oversight, or are the information requests simply rubber-stamped? We don't know, and that's the problem.
The funny thing about covert surveillance is that you can get a warrant for it. The process is not secret, and it happens all the time. The warrant is then shown in court along with the acquired evidence. That's completely public knowledge, and it hasn't seemed to "tip off" the criminals any. Do criminals not use cars because of license plate cameras, or not use phones because of wiretapping?
The "revealing its existence will compromise security" argument is so wrongheaded as to be laughable.
Look at insider trading, what percent of occurrences do you think are actually discovered and successfully prosecuted? Proving where information came from - such as the idea to look at a few disparate sources and put them together in a certain way - can be accomplished only to a certain degree.
If you look at past corrupt officials that did a lot of damage with much less powerful tools at their disposal, such as J Edgar Hoover or Senator McCarthy or President Nixon, the admissibility of evidence in court really had very little to do with anything.
As for Congress, Clapper was caught in a bald-faced lie to them. After being caught, he said sorry, so apparently that's the end of that. For that matter, under Bush similar activities were carried out without any notification of Congress or the courts. They were caught eventually, and nothing happened. It's a real shame, because integrity is everything when you're dealing in secrecy and cannot directly verify the facts. All we know for sure, now, is that they're making up secret rules for themselves as they go along.