Ask Slashdot: Jamming UK Metadata Collection?
AmiMoJo writes: It looks likely that the UK will try to require ISPs to collect metadata on behalf of its security services, and various other agencies will have access to this vast, privacy- and security-destroying database.
How can individuals resist? Some metadata is trivial to hide, e.g. much email is encrypted between the user and server, but a record of an access will still exist. Would there be much benefit to creating fake traffic, say by sending dummy emails to yourself? What about fake browsing, or keeping TOR running 24/7 (not as an exit node, just a client)?
The goal is to make the data less useful and harder to tie to an individual or separate from fake data, and to increase the cost of collecting and storing such data. Don't worry, I'm already on the list of known dissidents anyway.
A lot of people use GMail, Hotmail, etc. There's no encryption there. Even with encryption, your emails go through their servers anyway so they can store them too.
Your only option is to have your own email server at home which requires encryption on both ends.
Use pen and paper. Personal papers have more legal protection than digital data that cross over the ether.
People forget how this data is really collected. They aren't looking at packets and breaking encryption between the client and server. They are tapping into the endpoint. They are accessing the Gmail/Hotmail server endpoint databases. I am in the network monitoring field and I can tell you there isn't enough horsepower to do packet-based monitoring of large numbers of people. They are getting the data because Google, Microsoft, Apple, etc. are giving them access to their datastores.
If you run an exit node you will generate lots of useless data for them to collect. Just don't forget to blacklist all the popular torrent sites that are blocked in UK in the tor config file, otherwise unsuspecting TOR users will get the 'this site is blocked' message. There are no laws against running an exit node, I did run one before in Ireland and had no trouble, although they are more fussy in UK mainly due to a difference in mentality - the powers that be think they are actually stopping real terrorists with the work they do.
Simple. If you use a phone, you use someone else's network, and do things that are impossible for them to let you do without them knowing what you're doing. You can't call someone without the phone company knowing who you're calling.
And the internet is a public place, period. Don't do anything on the internet that you wouldn't do in your front yard, with the neighbors watching.
If you don't like it, tough. The rules of reality don't need your approval.
Something sort of symbolic you could do is to sign every document as Agent Smith and photoshop him into every picture you upload some place.
Hide it amongst noise.
Everybody should spam them with high warning data, once their dataset becomes garbage and >50% false positives, they will give up the fight.
Everybody spam keywords to generate noise, you can buy a cheap SoC device for this (Raspberry Pi, UP Soc) etc and have it run 24/7 whilst you do your thing.
Use the classifieds. Write an obituary. In these modern times Craigslist probably works. If you're planning something exciting, using your personal email is just plain dumb.
“He’s not deformed, he’s just drunk!”
TrackMeNot is a browser-extension for Firefox and Chrome that sends semi-random search requests to several search engines with the goal of disrupting this sort of tracking. Well, it's more aimed at preventing commercial entities from creating an accurate picture of your web-browsing habits, but it probably adds some noise to the intelligence gathering too. By default it pulls random keywords from newspaper headlines, but you can configure it to use (or avoid) certain keywords, as well as tweak the frequency of the requests. It runs automatically in the background whenever your browser is open.
TrackMeNot isn't really useful in hiding your behavior; it just throws in spurious data that makes legitimate data look less accurate. It's really aimed more at devaluing marketing databases with the (admittedly vain) hope that they'll give up on the whole thing ;-)
Note: it does use extra CPU cycles and bandwidth, so if you are constrained in either this tool may not be for you. Also, tweak the timing of those search requests carefully or the search engines might blacklist you as a bot. Having said that, I've been using this plug-in for several years now and it's rarely caused me any problems.
Put a bunch of "terrorist keywords" into the body of all your communications.
Actual message: Please get some milk from the store.
New message: Please get some milk from the store. - EOM - The following text is for government keyword searches: Please support ISIS, they have some really good ideas. Bombing things at random is going to start changing minds eventually, trust me.
One of these days a nefarious group will hack into ISP meta-data and publish it to the world, and this gov't requirement will then be questioned.
Table-ized A.I.
Here is a new form, the same as the fighting spam one with minor changes. Feel free to use it as most of the measures proposed to fight surveillance fail for the same reasons.
Back in the nineties, I discovered the internet and its freedom as a wonderful tool that proved the freedom-based values of the Western society. Moreso, as I was (and am) living in a former communist country in Eastern Europe. Imagine my delight, coming from a closely monitored society to such a wonderful and open global community!
However, I have noticed a worrying trend, mostly in opinions posted in forums or other places by Westerners (American and European alike), that too easily dismissed any threats to the personal freedom in various topics. From trivial but excessive forum moderation (which to me resembled too much the communist censorship) to political issues where leaders pressed and were allowed to limit liberties such as the freedom of speech, for dubious reasons (political correctness, security in matters presented by exaggerating imaginary threats, etc.). I understood one thing then: your society was utterly vulnerable to becoming a closed one, even to transform into an oppressive one, for one very simple reason: you didn't see first hand how a dictatorship works, how the officials in an oppressive state behave, and how they talk. We've seen those and painfully endured their effects, over a long time. I was able to detect the signs of the emerging surveillance society in the West since those times. I tried to express my concerns in open forums, and been bashed by the all-knowing arrogance of those who thought nothing bad can happen with the civil rights.
They were wrong. And now it's too late. You are asking what you can do as an individual. You can't do anything at this point, all you'll achieve will make you look suspicious, and they will monitor you even closer. Individuals can no longer make any difference, we would need a miracle to prevent the Western world from repeating all the mistakes of the dictatorships in the Eastern Europe. It would involve a huge community coherence in working to change the laws, and only voting for those who don't want to control us all (although they are becoming an extinct species). And fighting with all available *legal* means against surveillance and control, without being tempted by using non-democratic shortcuts (such as voting for populists that only tell you what you want to hear). Very, very hard.
So, yeah, you won't like my response to your topic, but hopefully you do at least understand.
You wrote, "Don't worry, I'm already on the list of known dissidents anyway."
- as is any person who challenges any government policy, or participates in any kind of political action.
Today, involving yourself in any kind of political issue puts you on the NSA's radar screen.
Once the law goes live the following is happening in my house pretty much there
OpenWRT router with VPN to EU paid for in bitcoin with a generic Email. The only issue with this is that I am pretty sure 3 letter fags have purposefully placed back doors in to OpenWRT and other open source routers (based on stuff read from Snowden stuff), however I am not hiding anything I just do not believe the government should log my data.
All in all fairly cheap, the only thing the ISP will see is the connection to the VPN which will be heavily encrypted. (I will be downloading random torrents to force them to store massive amounts of encrypted data :) as their policy will be to store long term encrypted traffic for later viewing)
Go Fuck yourself UK government, Wave to GCHQ o7 fucking traitor cunts if you were on fire I would not even piss on you.
It's already happening in Australia; a first-world country where the citizens have few rights and no-one is proclaiming the government is wrong. The government is trying to add the policy of 'guilty until proven innocent'.
When you're not browsing run a script that will surf random web sites for you, go to bbc.co.uk and you'll find hundreds of links, follow them, find more links, follow them, etc. Occasionally pull a word from a web page and do a google search, then follow a bunch of the search results, and follow links on them, etc. Build in a random timer function so it looks like a human surfing. The idea is to make the haystack bigger so the needle is harder to find.
Then do all of the surfing you don't want them to know about from a WiFi hotspot with a spoofed (random) IP address using a virtualized OS incidence that is scrubbed afterwards.
"Grab them by the pussy" -- President of the United States of America
Seriously, don't do it. Don't even try. I understand how you feel, about 10 years ago I would have been just as passionate. I would have suggested encryption by default, darknets, anonymizing proxies, whatever. Hell, at the time I would have written software myself to that end.
But now? I'm married, I have my own house, a job. It's largely an uneventful life, far from the adventures I dreamed in my youth, but it's a good one. One that I intend to keep on living. Going against the government would endanger all of that.
Encryption? You end up on a watchlist, then you get summoned to a police station and are interrogated. When you're working, it's just a nuisance the first time. Then, after the third time, your employer will simply let you go. And then you won't find anyone hiring you, not in this economy, not with such "precedents". Yes, you didn't commit any crime but neither did many youths hit with ASBOs. It doesn't matter anymore if you didn't do anything illegal: if you displease the State, you will pay.
Darknets? Proxies? Forget it. Running a TOR exit node may end up getting your computer confiscated. In the eye of public opinion, confiscated computer = pedophilia and child porn. You're as good as dead. Enjoy the divorce. Enjoy not seeing your kids anymore. Enjoy being an outcast.
Let it go. The State has won. We cannot resist. Getting older is a blessing: you learn how much you have to lose and how far you're willing to go to protect what you hold dear. You will understand this as well. I hope you will before you do anything foolish.
That's a really fucking stupid idea. All you're gonna do is give the law enforcement agency probable cause to get really invasive. The prefix text you put there won't stop that.
Morph as much as possible. Get a few cheap smart phones and rotate your sim through them. Avoid getting addicted to apps!!! Change your username by creating new accounts regularly on sites you want a modicum of privacy. Talk about kittens and puppies on social media if you really can't not use it. Morph morph morph...
One example that makes metadata collection much more difficult is Bitmessage. Its main feature is uncensorability rather than anonymity, but it scores very high on the anonymity scale as well. Its metadata is encrypted, so additional actions and costs are necessary to deanonymise the users. It also has uncensorable shared communication feature called chans. There are gateways that provide connectivity to email. Disclaimer: I am one of the developers of Bitmessage and I also operate one such gateway, https://mailchuck.com.
Not really, as they'll filter that out pretty fast. The systems doing those searches are a lot more intelligent than simple regex checks, and can factor other contextual clues into it. Just look at what Google does: they factor recent searches into new searches, so results related to recent searches (especially those in the last few minutes) appear higher in the list. I'm sure the government has something at least as good at contextual clues, possibly even provided by Google itself.
You can never go home again... but I guess you can shop there.
On the fake traffic thing, there is a screen saver for Linux which will do web searches for images and create a collage. It always produced fascinating results over time. Lots of random things, a fair amount of porn, just.... the internet...in all its naked boobs and pictures of text glory.
Well one day, I was feeling a little paranoid, and more than a little mischievous, so I tracked down how it invoked wget and made sure it used a local tor proxy. Didn't really seem to change the end result on my end, but... talk about generating fake traffic....
"I opened my eyes, and everything went dark again"
It creates heat. Just sayin'.
In the US, the NSA considers what numbers you called and what numbers called you and how long the calls were connected metadata.
So I will assume when applied to ISPs that they are going to be logging endpoint information as in a log of every ip:port connection in and out w/duration for your connection.
This is often enough to determine what websites were visited as most websites have a dedicated ip for their domain but some have several websites hosted under the same ip address.
My first thought would be to setup a portscan all ports random addresses idle speed and scan the full ipv4 address space.
But looking through the connection duration would filter that out
You could run a web spider that should do a pretty good job at making requests that resemble normal usage. But running a full scan of the ipv4 space should do a great job if your objective is to create a huge unwieldy logfile.
This is assuming that dns requests aren't being logged and http headers aren't being collected.
Will it help your privacy any? Maybe if the log file is size limited. Otherwise not likely.
VPN at your router would limit you to one endpoint this would make for the shortest log file although a connection lasting more than 24 hours would stick out.
Minimum threshold fixed. Thanks!
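The duration argument in the comment above (a log of every ip:port connection with its duration lets scan traffic be dropped), as an added example that is not part of the original thread. The record layout, the thresholds and every sample record are constructed assumptions, not a real ISP log format.

```python
from collections import namedtuple

# Assumed record layout: destination endpoint, duration in seconds, bytes received.
Flow = namedtuple("Flow", "dst_ip dst_port duration bytes_in")


def build_sample_log():
    """Constructed log: 5 ordinary sessions plus 2000 scan-style probes."""
    sessions = [
        Flow("198.51.100.10", 443, 184.0, 2_400_000),
        Flow("198.51.100.10", 443, 61.5, 310_000),
        Flow("198.51.100.25", 443, 12.2, 95_000),
        Flow("192.0.2.80", 80, 3.4, 18_000),
        Flow("192.0.2.143", 993, 1790.0, 42_000),
    ]
    probes = []
    for i in range(2000):
        # Deterministic spread over a documentation range and the port space.
        ip = f"203.0.113.{i % 254 + 1}"
        port = (i * 7919) % 65535 + 1
        # Refused or unanswered probe: sub-second, at most a few bytes back.
        probes.append(Flow(ip, port, 0.05 + (i % 10) * 0.01, (i % 3) * 20))
    return sessions + probes


def is_probe(flow, min_duration=1.0, min_bytes=200):
    """A connection that neither lasted nor carried data looks like a probe."""
    return flow.duration < min_duration and flow.bytes_in < min_bytes


def filter_noise(flows, **thresholds):
    """Keep only the flows that do not match the probe heuristic."""
    return [f for f in flows if not is_probe(f, **thresholds)]


def per_destination(flows):
    """Aggregate the kept flows into a per-endpoint usage profile."""
    summary = {}
    for f in flows:
        entry = summary.setdefault(
            f.dst_ip, {"connections": 0, "seconds": 0.0, "bytes": 0}
        )
        entry["connections"] += 1
        entry["seconds"] += f.duration
        entry["bytes"] += f.bytes_in
    return summary


def report(flows):
    """Compare what has to be stored with what survives one filtering pass."""
    kept = filter_noise(flows)
    return {
        "records_stored": len(flows),
        "records_after_filter": len(kept),
        "destinations_stored": len({f.dst_ip for f in flows}),
        "destinations_after_filter": len({f.dst_ip for f in kept}),
        "profile": per_destination(kept),
    }


if __name__ == "__main__":
    result = report(build_sample_log())
    for key in ("records_stored", "records_after_filter",
                "destinations_stored", "destinations_after_filter"):
        print(f"{key}: {result[key]}")
    for ip, stats in sorted(result["profile"].items()):
        print(ip, stats)
```

The probes inflate the stored log by a factor of about 400 in this sample, yet the per-destination profile after filtering is the same as if they had never been sent.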
There is no way to jam the metadata collection (to overload the collection engine) simply because you overload the mail system with a spam in the process. The only way to get rid of metadata collection is some darknet where metadata cannot be collected by design.
Not really, as they'll filter that out pretty fast.
Got it in one. Anyone who thinks "I'll just shove a load of random spam keywords and searches into my web activity, I'm so clever har har" is dangerously naive if they think it won't be relatively easy for a well-funded government agency to filter out that crap once they realise what's going on.
Could you use a browser plugin that acts a little bit like a distributed version of TOR by having your requests reach the internet via other browsers running the plugin? The idea wouldn't be to make your browsing untraceable, but rather to make the sort of metadata that ISPs are forced to collect unuseful for monitoring the browsers running the plugin. The big problem would be adoption. Each individual running the plugin would have legal vulnerability similar to that of someone running a TOR exit node. If you had a popular news story about someone abusing the collected metadata, that would be a good time to announce a free browser plugin that protects people from that sort of abuse. If the adoption is sufficiently widespread, action by the government to imprison lots of people who see their actions as protecting themselves from metadata abuse would be deeply unpopular.
Alternatively, why not just move? Why support with the taxes on your labour a government that does that to its citizens?
True, such entries COULD be filtered out, but it provides enough PC should they need it. What the OP suggests is at best not going to help and at worst going to create huge problems. All in all, a stupid idea.
How can individuals resist?
Strawberry, blueberry or crowberry? The only way to be sure is to taste the national situational awareness screen.
Recently found out about this plugin. No clue whether it would be helpful though...
I plan to pay a few quid a year for a VPN. My ISP can then collect my metadata, it won't be terribly useful having only a single IP address and port.
Only use Tor over an additional VPN so there is no Metadata to collect.
If you want to fuck with them, run your own email server and create arabic sounding email addresses with TOR on Gmail and make them exchange highly encrypted files (your laundry and grocery list for example) so that they'll set up a special group to try to decrypt them. ... and say goodbye to traveling per airplane for the rest of your life.
Why not, for a change, vote for people being ... ?
a) intelligent
b) honest
To get an idea about who's what, take some time to regularly watch the news. Keep in touch with what happens in the world. Yes, you have to make *some* effort to keep the world a nice place to live in.
If people were willing to make that effort, I can not help but to believe this subject wouldn't even be mentioned here.
1. The truth is the spooks don't care about you. This statement applies to 99.99999% of the people reading this. Your meta data goes into a giant data base and is never seen again unless your internet habits cross paths with a bad guy. Then your data is tossed out when a cross check shows you're a loser living in your mother's basement. Less than a dozen guys are ever really put under a microscope and have to explain why they are buying plane ticket to the mid east and are sending money to ISIS!
2. You already tell the government everything anyway; facebook, phonebook, drivers license, and your annual taxes. And you're worried the government's computers know which web sites you're viewing and your email contact. The IRS knows 1000 times more damaging information about you and your family than the NSA ever will.
3. This information is only known by the government's computers. If a government agent wants to know this information he has to show probable cause to a court and get a warrant to obtain this information. Congress and the President have authorized this system and the Supreme court has said it's legal. But I know that won't satisfy you tin foil hat guys.
4. Meta data is the least dangerous type of information. For any query, the government gets thousands of hits which they throw away. No one goes to jail for googling ISIS.
5. The government agency I fear the most is the IRS. I tell the IRS a million times more about myself than could ever be learned about me from the internet. The IRS F*!@s up 100's of thousands of lives a year. When is the last time the NSA arrested anybody? What I want to know is why are you guys NOT afraid of the IRS? They are far more dangerous.
The meta-data they are going to be analyzing is primarily going to be looking for aberrations in usage. Only if they see spikes or slowing of data use will they even look into the questionable activity any closer. So, set up a Scheduled Task (Windows) or a Cron (Linux) to send some encrypted data (personally, I would calculate Pi to say, 10,000 digits, then randomize the results, encrypt, then re-encrypt, etc.). Make sure that the size of the message is always within around the same range, but never exactly the same. Have your Scheduled Task/Cron/whatever, automatically regenerate the message and send it on very predictable schedules (say, every x minutes...exactly every x minutes.) When you want to send something you actually want kept private, make it a similar size, pause your scheduled task/cron temporarily, encrypt as usual, and send right on schedule. Then, resume your automated process. Then, to really fuck with them, download some nasty porn (guy has threeway with a grandma and her son, or something ridiculous.) Multi-encrypt that file, which should be quite larger than your automated fakes. Send that on an off-schedule time. By the time they waste all of that computing to view your "unusually sent" file transfer, they will never want to read your email again.
Crude? Yes. Will it work? Yes.
Like you said, you are already on the list. The only people who are going to bother to generate fake traffic are the same people who want to hide / obfuscate their behavior with said fake traffic.
The only way to do it would be create applications that people can run, and convince enough people to run them. Sort of like SETI @Home or similar. You would want to get people to run the apps on their phones as well.
The only realistic way that I see to do this in the current environment is via some sort of malware. Infect people and take 5% of their bandwidth to generate a whole slew of fake traffic. Even by doing this I do not think that it would take long for the surveillance providers to tune their filters to account for the noise that you were generating.
I hate to be pessimistic, but this battle has already been lost. We are on the other side. The only way to deal with it is to know what your rights are and defend them at all costs. You have to stand up and say, "Yes, I did X. So what? Prosecute me. Put me in front of a jury of my peers and convict me for it."
In the old days of limited bandwidth, we used to choose things to download before we read/watched them so that when we were ready to they were already downloaded. We may have to return to that sort of model for two reasons, 1) because using TOR or whatever is slow, and 2) because even if we generate fake traffic, our lumpy usage patterns will be easy to discern and yield a lot to traffic analysis. So start spreading those transmissions out over time and choose sizable things to download ahead of time. Uploads will be spread out as well (and slow). This is all going to feel like the Interplanetary Internet, where bandwidth is very limited and latency is enormous.
It's pretty simple actually. Just route all of your traffic through a VPN that connects to a gateway in a sane jurisdiction. Then, run a Tor *exit* node (not through the VPN) to generate some plausible deniability.
It would be double plus ungood if all the metadata pointed to the government GCHQ as being the primary source of terrorism, for example.
Metadata is meaningless out of context, but those who live in Fear will spend years on mole hunts.
-- Tigger warning: This post may contain tiggers! --
What do they do in Japan? I'm sure it's much better, especially if you like tiny yellow cocks.
I wrote a script towards the end of last year which connects to a random website every few minutes (+ random additional connections) in order to flood my ISP's data log with junky visits.
I activated it at the start of January.
Your move, Gestapo fucks.
1. Separate private contacts and public contacts
Use gmail with two-factor authentication for amazon, itunes, netflix, etc. As the government has access to everything you do there having the security compromised, do not try to hide it. At least google does a good job protecting the product (you) from being infiltrated by private crooks, use it to protect against daisy chain attacks against password recovery identity theft. They offer you a big mailbox and unusual usage invokes their automatic protection systems, use it. Do not use outlook.com.
Set up an email account at posteo.de (change to English) using a random email address as your login name. Do not use that email address for communicating; you have three free aliases. Use an anonymous payment method although they claim that they throw away the payment record right after payment: You can rely on the GCHQ to store information that makes you traceable. Use a very long, very strong password. Use that password to encrypt all your data so that they themselves can not access your data.
Use this account to synch contacts and calendars. Setup aliases to privately communicate with people. Use pgp (you could use your public key to automatically encrypt all incoming messages).
The storage space is 2 GB, so it's a good thing that spammers only know your public email address. Do not ever post the posteo aliases on the internet to avoid spamming.
Check Posteo's website regularly, because my government also has evil plans up their sleeve, so it is possible that they are required to do data retention in the future. At the moment Germany has exempted email providers from data retention.
2. If you are using Windows, use TrueCrypt or VeraCrypt.
If that is not an option due to GPT-formatted HDDs or SSDs, buy Windows 10 Professional. Cheapest way is to buy Windows 7 Professional and use that key to install Windows 10 using the media creation tool. Tone down every data collection as far as possible. Enable BitLocker. Enable strong PIN at startup. Enable the best encryption; it is reduced per default. Do not store the recovery key online. Do not use the Home edition as it will store the recovery key at Microsoft without the chance to avoid that.
Use a local account and if necessary only use a Microsoft account for the store. That is possible.
Do not use Cortana, it will only work with American providers for calendar and contacts anyway. Use Thunderbird for contacts, calendar and email. Install PGP plugin.
3. Mobile use
On iOS use the standard programs to log into your calendar, email and contacts and notes at posteo, do not use icloud or gmail for calendar, notes or contacts. On android there is a synch tool for calendar and contacts. There are some reliable email programs on android, use them.
Use firefox to synch favorites and history. On chrome enable a strong password to encrypt the synching. I'd prefer firefox.
It goes without saying that you use signal for messaging and telephone. So you need a provider allowing voip and messengers. Maybe you should also look for a foreign voip provider that has no data retention and allows zrtp for private calls.
4. Vpn and tracking
As strange as it seems I would use freedome as they simply don't know your login name after the payment if you did not buy it digitally at an American or English company but directly at f-secure. Do not only rely on them to protect against tracking, install EFF Privacy Badger and HTTPS Everywhere on your favorite browser. A vpn protects against the bulk collection of every website visited as suggested by the British government.
5. What it's worth
All this will only stop the mass collection by the British government, it will not protect you against individual attacks. But as you wrote you are aware of the fact that circumventing big brother makes you a target, but you are correct that the goal is to make it costly to track everyone. It is worth the effort: If they cracked the safety precautions of the activists, all they achieve is to get uninteresting information.
Get a router supporting DD-WRT and add custom route configurations to put all non VoD / Gaming traffic or anything requiring all of your bandwidth through a VPN like Vyper or something. That sufficiently covers most browsing / text communications. TBH I wouldn't bet that the security services don't have the power to snoop into encrypted / VPN connections on our national infrastructure anyway, but why would you care as long as you're not a terrorist or kiddie fiddler? You just want to prevent Theresa May and her bullshit short sighted policies from snooping on you for no justified / legal reason (like they probably already have been, anyway).
- Dan
You can't solve a political issue with technology. The UK metadata collection is mandated by law, and if you plan to "jam" it you can be charged with obstructing justice and aiding and abetting criminals and terrorists. As an individual, there is nothing you can do. If you want a solution, get involved politically and have laws changed. What you plan to do will not only be ineffective, but it will also mark you as a target. Believe me, you don't want to be on the receiving end when some government official decides to "set a high-profile example".
What we're talking about here is an additional cost in a very low-margin industry. And it can only be applied to UK data processed in the UK. Hence it creates a further pressure for these services to move off-shore, making it much, MUCH harder for the UK government to get access to the information. Really they're doing you and all dissidents a favour :)