Slashdot Mirror

← Back to Stories (view on slashdot.org)

3 Reasons To Hate Mass Surveillance; 3 Ways To Fight It

Posted by timothy on from the not-an-exhaustive-list dept.

This site's "Your Rights Online" section, sadly, has never suffered for material. The revelations we've seen over the last year-and-change, though, of widespread spying on U.S. citizens, government spying in the E.U. on international conferences, the UK's use of malware against citizens, and the use of modern technology to oppress government protesters in the middle east and elsewhere shows how persistent it is. It's been a banner year on that front, and the banner says "You are being spied on, online and off." A broad coalition of organizations is calling today "The Day We Fight Back" against the growing culture of heads-they-win, tails-you-lose surveillance, but all involved know this is not a one-day struggle. (Read more, below.) THREE REASONS TO HATE MASS SURVEILLANCE:

1) Because the Internet is nearly everywhere, it means the spying it makes possible has spread to match its footprint. 30 years ago, "on the internet" really was novel, because the public Internet simply wasn't. There were a few big military and academic sites around the world, and the concepts that make today's internet work were already embodied in running systems, but there was little reason for individuals to care about privacy invasion, or having their systems crippled by government malware, because their systems and their privacy weren't at issue. There wasn't a World Wide Web as a portal to nearly every resource online, no "Cloud," and no Blue Coat. Now, not only can individuals get on the internet, but the meaning of that phrase has moved, fast, over the last decade: now, getting on the internet is just a fact of modern life, a banal, automated background fact of the way we stay in touch with friends, deal with bills, find entertainment, get directions, and work. Online surveillance of all the signals we emit and receive (over home internet links, over cellular networks, on landline telephones, even on postcards) might be minimized and waved away as the collection of "mere" metadata, but in reality, if you're reading these words online, and even if you're doing your best to read them anonymously, it means you've almost certainly got a collection of data about you online already.

2) Because "online surveillance" is a slippery slope, and it will only get slipperier. Remember the Clipper chip's hardware-based encryption escrow scheme? Who and how often you email, chat with online, or call on the phone is the tip of the iceberg. Robert Bork didn't like having his video watching habits spied on, and that was before Netflix and competitors made the sorting and stacking of movie-watching habits not only possible but an never-ending exercise in deep data analysis. Maybe you don't care in particular about what the NSA, FBI, or anyone else thinks of your taste in entertainment, but you might prefer them to stay out not only of the information revealed by your current online activity, but also out of whatever things are revealed by future developments. Right now, a relatively small part of the online population uses crypto-currency like Bitcoin; a decade from now, it seems likely to be even more widespread than Netflix is today. Do you want your transactions to be public record, or even public-servant record? Beyond that, the era of ubiquitous, automated surveillance doesn't need you to mail an angry letter, or declare allegiance to an unpopular cause online: Just walking around means sooner rather than later you're likely to be captured on camera.

Access to your medical records almost certainly will be online, too, even more than it already is. Online and offline lives will only get blurrier: Your GPS (and increasingly, that means your phone, too) knows where you've been, and your should-be-private Google Maps page knows where you might have considered going. (Couple that with the cavalier attitude that dominates rules about data that you carry in your phone, laptop or USB data sticks, if you cross, or even come near, the U.S. border.) Think about the meta-data (or what the government might characterize that way) that your reading and viewing habits, your prescription medicine needs, your airline tickets, and your Amazon wishlist could reveal, and whether you'd want everyone's digital dossier to be up for ad-hoc scrutiny in 10 years any more than it already is. You don't want the equivalent of the TSA viewing rooms (for your own good, of course) attached to every stream of online communication.

3) Because you're paying for it. How much you're paying is hard to say, because of black budgets, overlapping programs, and the sheer number of systems that are or could be used to make widespread surveillance the new normal, but the mystery price tag starts out high. If you're an American, or an EU citizen, at least you can be grateful that you're likely only being spied on, rather than actively harmed in other ways; in other countries, the outcome can be far grimmer. How much do you want to pay to build an infrastructure for constantly surveilling yourself, your friends, and your family? Especially one that fails so miserably at even its stated aims?

THREE WAYS TO FIGHT IT:

The good news is, while you can't stop the entire octopus, you're not required to be a full-time victim of online surveillance or the offline surveillance that it seems to normalize. Instead, you can take some simple steps that at least fog the glass a bit. Readers will no doubt suggest better technologies and practices, but here's a short list to start with:

1) Encryption, more often and in more contexts. Encrypted hard drives are now easy to buy off the shelf, or to implement with software per-user. Use encryption when it makes sense, for documents, emails, file systems, or browsing; the more you do, the more normal this becomes — if it's perfectly normal to carry data encrypted, no matter how innocuous, it's hard for merely possessing encrypted data to be vilified. TrueCrypt might not be impregnable, but neither are the opaque envelopes you might put in a physical mailbox: making it harder to spy on you even in small ways beats indifference. Good news: not every layer of security takes much effort for you to take advantage of: Mozilla's move to HTTPS Everywhere is an example, as is the option that many OSes are embracing to offer the user full-disk or per-directory encryption.

2) Avoid standing in front of the biggest targets. If you don't yet, use an operating system like Linux or one of the modern BSDs, at least part of the time. The SCADA vulnerabilities exploited to cripple a key part of Iran's nuclear program exploited a well-known hole in a widespread operating system, and the same can be said of many attacks blandly characterized as "Advanced Persistent Threats." Even a cheap, adjunct laptop running an up-to-date Linux or OpenBSD could make you safer for some tasks online; cheaper yet, you can run an entire Linux system from a USB drive, and yank it when you're through. That doesn't stop a mid-stream listener (which is a very hard problem), but a compartmentalized system like that means you can do your online banking or anything else and be less vulnerable to common malware. (Besides, it's fun!)

3) Tell companies, politicians (for instance, by voting for or against), and the people around you, that you object to being spied on. You can't prevent malicious individuals, governments, (or Google, or Yelp, or your Facebook friends) from looking at some of the data that you emit; you might feel perfectly satisfied with lots of the transactions you take part in freely. But you can minimize the worst consequences by being mindful of what you do or don't mind putting out there, and spreading the word when you find abuses of trust that compromise your privacy.

Online spying didn't pop into existence with Edward Snowden's revelations about mass data gathering by the NSA on U.S. citizens. For Americans, having our communications tapped by government agents (even if by a government that has remained far more benign than have many others) extends as long as the history of the country; likewise for Europeans and others all over the world. It's much easier, now, though, for those agents to put an ear to your wall or an eye on your correspondence than it's ever been before. For those in many countries, taking practical steps to reduce your exposure is a sensible move for more than just aesthetic or philosophical reasons, though, and luckily the range of options for preserving privacy and private communications have advanced right along with the growth of the technologies that threaten them.

20 of 120 comments (clear)

  1. TMN by Anonymous Coward · · Score: 5, Interesting

    I'm running the firefox plugin TrackMeNot which periodically runs random google queries with keywords like: "building bombs", "terrorist attacks", "nitroglycerine" ...

    1. Re:TMN by psithurism · · Score: 3, Interesting

      They can detect the "random" activity, and isolate it

      Theoretically, but in reality, anything that looks too suspicious has to be investigated. Otherwise, if someone who actually wanted to build a bomb knew that fake data was discarded, they just run 10,000 random queries in the exact same manor as the few real ones they need and easily hide their intent. Or consider after a terrorism indecent, the report on why some beyond-obvious activity wasn't caught, "Well, they looked too much like terrorists, like they were some caricature perpetrated by someone trying to troll us so we ignored it."

      Also, I know for a fact that once you check so many boxes, They have to come do an investigation. My random e-mailer pissed off the secret service right after 9-11*. Though in that case, my service provider passed on the unusual activity when they noticed I got their domain blacklisted by Yahoo for spam email; I wasn't caught by NSA spying.

      The question you would be asking anywhere but slashdot would be: "why did you do that?" And the answer would be: in a course I was taking at college, internet monitoring came up, and I single handedly argued against the whole class and teacher that They would not show up for a few emails with the word bomb. So I went home to prove the class wrong and maybe the class was kinda right.

      Your idea sounds really cool, kinda like what TOR does but more-so. I just wanted to point out that random activity does get noticed. Your welcome to try your own experiments though!

  2. HTTPS Everywhere by DrXym · · Score: 4, Interesting
    I think this is one add-on that Mozilla should incorporate, or at least heavily promote to encourage people to use it.

    And develop a long term strategy to put crypto in all comms - e.g. use response headers from servers to push requests over to https where they are supported. Better yet produce an https+ which allows sites to use unsigned keys, CA signed keys, or even web of trust signed keys and present that info to the user in a meaningful way. Get rid of the CA tax and there would be far less reason for sites to use plain http any more.

    1. Re:HTTPS Everywhere by WaywardGeek · · Score: 3, Interesting

      The crypto weenies over on metzdowd.com seem to think HTTPS is currently a badly broken security layer that gives users a false sense of security. There are a number of suggested fixes, however.

      My own pet peeve is that we don't even protect our passwords properly. My ssh id_rsa password protection is a joke: literally a single round of MD5 by default. My TrueCrypt password is protected a bit better, but with custom ASICs, a thousand rounds or so of SHA-256 runs so fast it's not even a significant part of the password guessing latency. I got so POed over this issue ,that I've submitted my own password hashing entry in the Password Hashing Competition. Fortunately, there are guys way smarter than me working on this specific problem, and in a couple of years we should have a far better password protection solution. In the meantime, someone should do friendly forks of TrueCrypt and OpenSSL and incorporate Scrypt as the default password hash for user-land encryption (as opposed to servers that may have to run thousands of hashes per second).

      The advice to use more encryption seems sounds, but most of us geeks here on slashdot don't even know how weak our own password security really is.

      --
      Celebrate failure, and then learn from it - Nolan Bushnell
    2. Re:HTTPS Everywhere by DrXym · · Score: 4, Insightful
      It is a valid reason. It's a hassle to get a CA to bestow their worthless signature on a cert and to do this year in and year out just to make some silly browser warning go away. And doing this every year forever after. Even if a CA was a well known name and boiled signing down to dragging and dropping a cert onto a box to receive a signature it would still be too onerous.

      Why can't Apache just generate a cert when it installs and sites can go off and use that? Ah you might say, it doesn't protect against man-in-the-middle attacks. But it's still better than plain text and it's still sufficient for many sites that want crypto to be on by default. And browsers could store the fingerprint of the cert if they wished and add-ons like HTTPS Everywhere could collate these fingerprints to look for attacks (they already implement this in something called the SSL observatory).

      AND it wouldn't stop certs being signed if users wished. For some people, a CA may still be a meaningless signatory and it has its own security problems. Why can't the likes of Google, Amazon, Microsoft hold a key signing party? Would you trust Amazon's signature more if it was signed by Google? I would. And it would be hard to forge certs because there could be multiple signatories and each signatory could have their own. That's a web of trust and scales.

      CAs can still be signatories in a web of trust but the existing model where certs MUST have a single CA signature is broken.

    3. Re:HTTPS Everywhere by Ex-MislTech · · Score: 2

      When they own the firmware, they basically own the box.

      http://www.extremetech.com/com...

      And don't blame the chinese, they were paid to put it there for you can guess who...

      --
      google "32 trillion offshore needs IRS attention"
  3. Re:Why do I get the feeling that by gmuslera · · Score: 2

    Don't worry. The confirmation bias will make sure that you will become an expert too.

  4. But, This is Slashdot. by rmdingler · · Score: 4, Interesting
    These are all great ideas. This advice will and should be met with interest, applause, and even implementation.

    This just isn't news for the folks who read here regularly.

    Reaching Joe Six Pack is what this comes down to, and the cynic in me says that ship has already sailed.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:But, This is Slashdot. by CanHasDIY · · Score: 4, Interesting

      Reaching Joe Six Pack is what this comes down to, and the cynic in me says that ship has already sailed.

      The trick is to word your platform in such a way that Joe Six Pack has an immediate and extreme emotional reaction, which will cause him to demand knee-jerk legislation to address the issue.

      At least, that's how politicians manipulate people into supporting causes; high time we fight fire with fire.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    2. Re:But, This is Slashdot. by Anonymous Coward · · Score: 4, Interesting

      Joe Six Pack, who is most of the nation, doesn't care. He doesn't care if the government is listening to his phone calls or spying on his email because it doesn't affect his ability to put food on the table or a roof over his head or provide for his kids or pay for his car to get to work or pay his bills in retirement. Joe Six Pack thinks government collection of "metadata" is over his head and doesn't give two shits about it.

      Joe Six Pack believes in having his gun. Let the government listen to his phone calls, but if he tries to take away his ability to defend himself, they should plan for return fire. Joe Six Pack believes in low taxes and less government intrusion, because the government sucks at just about everything.

      Joe Six Pack believes in tangible threats to his person, his family, and his ability to make something for himself. Government surveillance of his phone call to check up on his mom is not tangible. This is an issue for the minority of tech people trying to do things under the government radar; it doesn't concern Joe Six Pack.

      At some point Slashdot readers need to realize that in the standard distribution of American citizens and their values, Slashdot readers are not the median. They are the left tail end. The median folks don't care much about the values that you all think are universal, and as proponents of those values most Slashdot readers do a pretty poor job of communicating to the median of folks and convincing them of the importance of these issues.

    3. Re:But, This is Slashdot. by Opportunist · · Score: 4, Interesting

      Well, use Joe Sixpack as your shield. As long as they get data from him, they are complacent and satisfied that they get enough data. Educate Joe Sixpack and the stream of data will dwindle to a trickle and they'll start using more invasive means to gather data.

      Sorry to say it, but the days when I try to educate the masses are over. I use them as a shield for my privacy nowadays.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:But, This is Slashdot. by Anonymous Coward · · Score: 2, Interesting

      Joe Six Pack believes in having his gun.

      Yeah, isn't it funny how some people pretend to care about the constitution and rights, but actually only care about the 2nd amendment? Isn't it funny how people can be so profoundly ignorant as to believe that mass government surveillance is unimportant or even acceptable?

      "The government is 100% incompetent and often malicious, but hey, why not let them spy on my communications? What could go wrong!?"

      I find it funny people think the other way. Gun rights are a Constitutional right; clearly defined. Collection of meta-data on the internet which is semi-public is not so clear. And yet those opposed to government surveillance seem to be very ant-gun rights, anti-NRA etc.

      But I find your post pointless because you divert from the point, ask a question and then fail to answer it. Why is mass government surveillance important or unacceptable? Why should it be important to, say, a 65 year old retiree who uses the internet to see pictures of their grandkids on Facebook, occasional internet research about knitting or woodcrafting, and emailing their other retired friends to meet up? Why should it matter to a 35 year old professional accountant who uses his phone to arrange his schedule with his wife so their babies are picked up and they know what groceries to get for the evening? Because there are far more of those two non-techie stereotypes who VOTE and make a difference than the techies who care about government surveillance.

      Time and time again I see those opposed to government surveillance stating their reason they're against is because:

      1) "it's immoral", but not defining why and therefore leaving it entirely subjective
      2) "it's illegal", while failing to address the fact that these systems were created by laws passed via a Constitutional process
      3) "it's unconstitutional" while failing to address what aspects of the Constitution apply (the 4th Amendment is unreasonable search and seizure but the data collected is metadata from searches which is quasi-public and phone conversations passing through non-private transmission stations and satellites; the 4th Amendment argument has been struck down many times for public surveillance (see the "plain view doctrine" and "open fields doctrine", particularly the case Oliver v. United States, 1984))
      4) "it's important" while failing to address why it should be important to Americans.

      Note, I'm all for the curbing of these programs, but guess what? The Government is not doing that. The new policies put in by the Obama Administration are extremely minor procedural speed-bumps to placate people through a show of change, but the programs are not being curtailed; they're too useful. If you want real change, those in favor of removing the programs need to address the 4 issues above, specifically to the average American who is not you, or nothing will. It's your cause, so be it's champion.

    5. Re:But, This is Slashdot. by gIobaljustin · · Score: 2

      Yet people tolerate the TSA, unfettered border searches, free speech zones, DUI checkpoints, stop-and-frisk, etc. All of those things affect people in the physical world, and yet nothing much is done about them. I would honestly like it if lots of people actually cared about freedom and the constitution, but that sadly does not seem to be the case.

      --
      Thank you Dave Raggett
  5. The problem with blankt surveylance by Chrisq · · Score: 2

    The problem with blanket surveillance is it encourages a wide range of people to look for ways round it - which later can be used by "the usual suspects" to cover up their drug trafficking, terrorism, and pedophile rape gangs. We would be much better off just monitoring the undesirables

  6. Verified Threat? by Dr+Caleb · · Score: 2

    So, clicking on that 'learn more' link at the top of the page puts Trend Micro into an uproar that "yourbrowser.net" is:

    Details: Verified fraud page or threat source
    Suspected fraud page or threat source
    Associated with spam or possibly compromised
    Rating in progress. Trend Micro Web Reputation is currently set to block pages that have not been checked for safety.

    Irony, or on purpose?

    --
    "History doesn't repeat itself, but it does rhyme." Mark Twain
  7. Re:Mass connection leads to mass surveillance, can by gIobaljustin · · Score: 2

    Yes, how horrible it would be if some country was left behind and didn't violate the rights of its citizens in the same way as the other countries! Get with the times, guys!

    --
    Thank you Dave Raggett
  8. Yeah, benign right now... by messymerry · · Score: 2

    Yeah the U.S. is relatively benign right now, butt, let the economy go south and see if they are so friendly and honorable. it's clear to all but the blind, deaf, and comatose that the State is hardening their facilities and forces...WITH OUR MONEY!!! Gird Nerds, the ride is just beginning.

    --
    Dear Microlimp: I give you 2 valid product keys for win7 and you reject both of them. Piss off you wankers!!!
  9. February 11th, 2014 is The Day We Fight Back again by NigelT · · Score: 2

    February 11th, 2014 is The Day We Fight Back against Mass Surveillance http://www.naaij.org/2014/02/1... Over 100k signatures now!

    --
    nigelt.wordpress.com
  10. Re:We Won't Win by Yelling by Opportunist · · Score: 4, Informative

    I'm a statistician. And from the data I have at hand from our "war on terror" so far, I can only say that the threat from false positives is higher than the threat from false negatives.

    Or, bluntly, if we didn't "fight terror", we'd have less to fear.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Boomerang by JimSadler · · Score: 2

    As far as security goes I would not be shocked if more intense spying is not applied to individuals who take precautions against being spied upon. Look at it from a law enforcement view or national security point of view. We can name one fellow Joe and another fellow Sam for purposes of demonstration. Suppose Joe is seen to use strong encryption, avoids using smart phones or cell phones, pays cash always and quietly rents a room from a private home owner. That alone may send out signals that Joe needs a hard look. Sam on the other hand is welded to his smart phone, never even uses a password and is wide open to scrutiny in every area of his life. Guess which one will attract interest. Sam's flaws are known. Sam's negatives match the negatives of almost all people in the area. Joe, conversely, seems to have no flaws and no real data points in the system. Any smart agent or cop will want to find ways to define Joe and frankly it won't take much effort at all. In the past very unlikely people were employed as agents. A man might make progress with a very pretty, very pretty, young girl who he would never suspect is employed by the police department as a professional spy. But these days tiny cams and recording devices are rather easy to insert into a suspicious person's environment. I have seen this stuff in action and knew a young girl who worked in a spy like capacity for the cops. She was inserted in a community and under the age of twenty and played the role of a hippie like youth in rebellion which in fact she sort of was. But her pay check was through her spying efforts.