Ask Slashdot: Jamming UK Metadata Collection?

AmiMoJo writes: It looks likely that the UK will try to require ISPs to collect metadata on behalf of its security services, and various other agencies will have access to this vast, privacy- and security-destroying database.

How can individuals resist? Some metadata is trivial to hide, e.g. much email is encrypted between the user and server, but a record of an access will still exist. Would there be much benefit to creating fake traffic, say by sending dummy emails to yourself? What about fake browsing, or keeping TOR running 24/7 (not as an exit node, just a client)?

The goal is to make the data less useful and harder to tie to an individual or separate from fake data, and to increase the cost of collecting and storing such data. Don't worry, I'm already on the list of known dissidents anyway.

Go old school...

[__aaclcg7560]

Use pen and paper. Personal papers have more legal protection than digital data that cross over the ether.

Re:Go old school...

[Impy+the+Impiuos+Imp]

In the US we should push for the Supreme Court to overturn outdated metadata laws based on the idea you "have no reasonable expectation of privacy in phone records at the phone company".

As people shift more of their lives into online services, they do indeed carry a 4th Amendment expectation of privacy in their "papers" with it.

Re:Go old school...

[idontgno]

Use pen and paper. Personal papers have more legal protection than digital data that cross over the ether.

Only if you're hand-delivering. If you're using U.S. Snail Mail, they've been photographing envelopes for metadata collection for years.

It's precisely analogous to internet metadata collection: who you're communicating with, at what time. But not what you're saying (by not being allowed to open the envelope and read the mail, or not being able to crack message content encryption).

In the context of OP's question, paper-and-pen offer no meaningful improvement.

Re:Go old school...

[Impy+the+Impiuos+Imp]

This does not follow, as it is ancient understandings. An envelop passing through the hands of the government, with deliberately viewable info, i.e. the address, is not the same as things people expect to be held in confidence.

Remember, we are just demanding a proper warrant to see it. Much of our secret, personal papers are moving online for convenience. Government doesn't get the honor of filtching through it at their whim looking for crimes.

Re:Go old school...

[MrKaos]

In the US we should push for the Supreme Court to overturn...

The cornerstone of which all of these programs were built, which is the illegal authorization of wartime powers to .W.Bush that allowed the passage of all of the bills that made all this legal. This is not a political issue as it has continued via Obama, it is a structural issue of whether you have a democracy or a plutocracy. Whether you will accept responsibility to defend your several hundred year old democracy from attack from within.

Why the U.S population continues to tolerate this harrasment by government through the weakening of the fundamental citizen rights that makes a nation what it is, is confusing. You have the power to fix the issues however you don't use it. You founding father Franklin warned you about trading Security for essential Liberty and how the corruption of the people would lead to despotism. Are your domestic enemies so powerful that it is easier for you to let them turn you into slaves begging for a job and hoping you don't get sick?

You *should* do a lot of things however as we have seen net activism doesn't amount to much. Whilst your comment *is* insightful I doubt a single person reading it will write a letter to your politicians and do something whilst you are distracted by what is on TV.

I hope you can - the fate of the free world rests on what you do.

People forget easily

[110010001000]

People forget how this data is really collected. They aren't looking at packets and breaking encryption between the client and server. They are tapping into the endpoint. They are accessing the Gmail/hotmail server endpoint databases. I am in the network monitoring field and I can tell you there isn't enough horsepower to do packet based monitoring of large numbers of people. They are getting the data because Google. Microsoft, Apple, etc are giving them access to their datastores.

Re:People forget easily

[PhilHibbs]

Yes. It is aggregated data... You don't think they are really only accessing metadata do you? How cute!

Almost. The real meaning of the term is data about data. For files, it's the file name, size, extension, timestamps, and maybe the magic numbers could be called metadata (which is why I don't like magic numbers in files). For pictures, it's camera exposure settings, focus, GPS data, etc. For emails, body text is the "data", whereas email headers are "metadata". From, To, Subject, that sort of thing. You can then aggregate that to get a different kind of metadata (metametadata?), but in its un-aggregated state it's still metadata.

I'm So Meta, Even This Acronym.

Exit node

[ickleberry]

If you run an exit node you will generate lots of useless data for them to collect. Just dont forget to blacklist all the popular torrent sites that are blocked in UK in the tor config file, otherwise unsuspecting TOR users will get the 'this site is blocked' message. There are no laws against running an exit node, I did run one before in Ireland and had no trouble, although they are more fussy in UK mainly due to a difference in mentality - the powers that be think they are actually stopping real terrorists with the work they do.

Re:Exit node

[SuricouRaven]

It's risky though. Exit nodes can be used for all sorts of illegal activity - hacking, fraud, child abuse imagery, the usual suspects. There's a small but worrying chance of being busted by the police for a crime commited via your node. You can probably use the node to demonstrate that you are not guilty of the accused crime, but that doesn't until after they've siezed every computer, phone and storage device you own, destroyed your reputation, cost you your job and crippled you financially with legal costs. Criminal investigations are damaging even if no charges are eventually pursued.

I'm wondering what will happen if some well-intentioned but morally-dubious virus writer puts together malware that installs exit nodes. That would be amusing.

Re:Exit node

I'm wondering what will happen if some well-intentioned but morally-dubious virus writer puts together malware that installs exit nodes. That would be amusing. I thought of this. It would be brilliant. Compromised Box's all over the world would be come TOR exit nodes.The TOR Network would be more powerful than they ever imagined.

Re:Exit node

[unrtst]

Even if it's true, IMO it reads more like support for running a node than a deterrent.

The story in short:
* guy set up Tor exit node
* months later, police seized his computer because his IP showed up in logs on a pedo site
* 4 months after that, he got his computer back - they found no evidence of wrongdoing

Sucks to be inconvenienced and all that, but that's a much nicer outcome than I had expected for a story that was meant to discourage people from setting up exit nodes. For example, if the FBI takes your stuff based on some suspicion and finds nothing, then:
1. they'll probably take EVERYTHING electronic. Cameras, monitors, PC's, phones, etc.
2. you probably won't get anything back until about a decade after they've cleared you, and all that stuff will be worthless at that point.

4 months and they only took the computer? That seems, relatively, quite reasonable.

Re:Exit node

[erapert]

Considering the reach of the alphabet agencies I think it more likely that they just gave him back a completely 0wn3d machine so that they could watch him.

Don't use a phone

[taustin]

Simple. If you use a phone, you use someone else's network, and do things that are impossible for them to let you do without them knowing what you're doing. You can't call someone without the phone company knowing who you're calling.

And the internet is a public place, period. Don't do anything on the internet that you wouldn't do in your front yard, with the neighbors watching.

If you don't like it, tough. The rules of reality don't need your approval.

Add noise with TrackMeNot

[Somebody+Is+Using+My]

TrackMeNot is a browser-extension for Firefox and Chrome that sends semi-random search requests to several search engines with the goal of disrupting this sort of tracking. Well, it's more aimed at preventing commercial entities from creating an accurate picture of your web-browsing habits, but it probably adds some noise to the intelligence gathering too. By default it pulls random keywords from newspaper headlines, but you can configure it to use (or avoid) certain keywords, as well as tweak the frequency of the requests. It runs automatically in the background whenever your browser is open.

TrackMeNot isn't really useful in hiding your behavior; it just throws in spurious data that makes legitimate data look less accurate. It's really aimed more at devaluing marketing databases with the (admittedly vain) hope that they'll give up on the whole thing ;-)

Note: it does use extra CPU cycles and bandwidth, so if you are constrained in either this tool may not be for you. Also, tweak the timing of those search requests carefully or the search engines might blacklist you as a bot. Having said that, I've been using this plug-in for several years now and it's rarely caused me any problems.

Your post advocates a

[vivaoporto]

The goal is to make the data less useful and harder to tie to an individual or separate from fake data, and to increase the cost of collecting and storing such data.

Here is a new form, the same as the fighting spam one with minor changes. Feel free to use it as most of the measures proposed to fight surveillance fail for the same reasons.

Your post advocates a

( ) technical ( ) legislative ( ) market-based (X) vigilante

approach to fighting surveillance. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws not included here)

(X) Governments can easily use it to identify dissidents
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop surveillance for two weeks and then we'll be stuck with it
(X) Users will not put up with it
(X) Microsoft will not put up with it
( ) The police will not put up with it
(X) Requires too much cooperation from everyone
(X) Requires immediate total cooperation from everybody at once
( ) Many users cannot afford to lose business or alienate potential employers
( ) Governments don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for communication
( ) Open relays in foreign countries
(X) Ease of searching all text based communication
(X) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in current solutions
( ) Susceptibility of other forms of encryption
( ) Willingness of users to install OS patches
( ) Armies of worm riddled broadband-connected Windows boxes
(X) Eternal arms race involved in all surveillance approaches
(X) Extreme profitability of surveillance
( ) Joe jobs and/or identity theft
(X) Technically illiterate politicians
(X) Extreme stupidity on the part of people
( ) Dishonesty on the part of everyone themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) Encryption should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Speech should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(X) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government decrypting my stuff
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Re:Email?

[PPH]

Your only option is to have your own email server at home which requires encryption on both ends.

Hillary? Is that you?

You won't like this comment

Back in the nineties, I discovered the internet and its freedom as a wonderful tool that proved the freedom-based values of the Western society. Moreso, as I was (and am) living in a former communist country in Eastern Europe. Imagine my delight, coming from a closely monitored society to such a wonderful and open global community!

However, I have noticed a worrying trend, mostly in opinions posted in forums or other places by Westerners (American and European alike), that too easily dismissed any threats to the personal freedom in various topics. From trivial but excessive forum moderation (which to me resembled too much to the communist censorship) to political issues where leaders pressed and were allowed to limit liberties such as the freedom of speech, for dubious reasons (political correctness, security in matters presented by exagerating imaginary threats, etc.). I understood one thing then: your society was utterly vulnerable to becoming a closed one, even to transform into an oppresive one, for one very simple reason: you didn't see first hand how a dictatorship works, how the officials' behavior in an oppresive state behave, and how they talk. We've seen those and painfully endured their effects, over a long time. I was able to detect the signs of the emerging surveillance society in the West since those times. I tried to express my concerns in open forums, and been bashed by the all-knowing arrogance of those who thought nothing bad can happen with the civil rights.

They were wrong. And now it's too late. You are asking what you can do as an individual. You can't do anything at this point, all you'll achieve will make you look suspicious, and they will monitor you even closer. Individuals can no longer make any difference, we would need a miacle to prevent the Western world repeat all the mistakes of the dictatorships in the Eastern Europe. It would involve a huge community coherence in working to change the laws, and only voting for those who don't want to control us all (although they are becoming an extinct species). And fighting with all available *legal* means against surveillance and control, without being tempted by using non-democratic shortcuts (such as voting for populists that only tell you what you want to hear). Very, very hard.

So, yeah, you won't like my response to your topic, but hopefully you do at least understand.

Overload with garbage

[Macdude]

When you're not browsing run a script that will surf random web sites for you, go to bbc.co.uk and you'll find hundreds of links, follow them, find more links, follow them, etc. Occasionally pull a word from a web page and do a google search, then follow a bunch of the search results, and follow links on them, etc. Build in a random timer function so it looks like a human surfing. The idea is to make the haystack bigger so the needle is harder to find.

Then do all of the surfing you don't wan them to know about from a WiFi hotspot with a spoofed (random) IP address using a virtualized OS incidence that is scrubbed afterwards.

Re:Email?

This answer, like almost all the other answers in the discussion is an answer to the question

how can I hide?

that's not the question the article asked. The question was

how can I resist?

It's a completely different thing. The aim of reistance is to create consequences and problems for the authorities and visible protests shown to other people. It's something completely different. You do not resist by being entirely hidden. That makes no difference to other people. You resist by making things more costly / dlfficult / complex for the security services.

It's probably also not a good idea to resist the wrong things. The ostensible aim of surveillence is to stop terrorism. If you actually or apparently make investigation of terrorism difficult that won't work out for you. Instead you probably want to resist something different; e.g. deliberate spying for non-terrorist crimes (and keep paedophilia out of it too).

Bitmessage

One example that makes metadata collection much more difficult is Bitmessage. Its main feature is uncensorability rather than anonymity, but it scores very high on the anonymity scale as well. Its metadata is encrypted, so additional actions and costs are necessary to deanonymise the users. It also has uncensorable shared communication feature called chans. There are gateways that provide connectivity to email. Disclaimer: I am one of the developers of Bitmessage and I also operate one such gateway, https://mailchuck.com.

Use a VPN

[Simon+Rowe]

I plan to pay a few quid a year for a VPN. My ISP can then collect my metadata, it won't be terribly useful having only a single IP address and port.

Re:A prediction

[AHuxley]

It really depends who is getting the keys to the many months of ISP log retention databases without court oversight as part of their everyday tasks.
NGO's, trusted and cleared US brands in the UK helping with all image tracking, comparing image content, file names, government workers with a task to find financial, gambling issues over all UK data sets. Even local government can request cleared staff track images, messages back to people and then log their internet use with few or no court supervision.
Insiders who sold to the press or anyone with cash got to be a huge issue in the UK in the 1980-2010's within UK telco and computer systems.
A few attempts got made to try and re secure the most sensitive court computer networks but the amount of data been sold was so politically sensitive that investigations had to be re focused or stopped or blocked.
The UK tried with Operation Nigeria (1999), Operation Glade (2003), Goodman inquiry (2006), Yates review, Operation Weeting (2011), Operation Elveden (2011) other Select Committee questions.
The data flow out from secure systems and networks was vast and ongoing that further questions just showed more issues. Collect it all has always been open to anyone with a lot of cash and a few contacts :)

Re: Email?

[mcfedr]

Actually with the data ISPs will collect and given that all of those providers use https for the webmail, your ISP will only know you accessed gmail, but have no idea of the contents of your mail