Wednesday, June 12, 2013

Computer news you may not want to hear

I am usually busy writing product reviews, reading books, hosting sampling parties and there is this thing called a full-time job and graduate school (even though I am taking this semester off since I just finished one course of study). Because of all these things going on, I rarely write about other topics. I also avoid these opinion-driven blog posts because I don't want to influence people in a certain way. People who are old enough to vote should be able to do their own research and form their own opinions.

But lately a lot of stories have dealt with government oversight, if you want to call it that, by using customer records from companies such as Verizon. You can make arguments for and against collecting such data and handing it over to the government for some form of analysis, because at this point we really do not know what the government is going to use these records for. But one thing I want to make sure that people understand: all the data in the world in the hands of a government is not going to make you or me one bit more secure unless the government actually knows what it is looking for and how these records need to be analyzed.

The government may be able to make a justified legal case for why Verizon must comply with granting access to its phone records. Specifically, under the program called PRISM, the NSA is being provided with information as follows (courtesy of Sophos Naked Security here): The timeframe covers a nearly three-month period ending July 19 (although Senator Dianne Feinstein on Thursday said that the order has been renewed every three months for the last seven years) and requires the numbers of both parties on a call to be handed over, as well as location data, call duration, unique identifiers, and the time of all calls.

It is also likely that the leak regarding Verizon is only the tip of the iceberg in terms of how the current government is harvesting data from regular US citizens (and any foreign nationals living in this country). The Guardian, as relayed by Sophos, lists additional companies that supposedly provide data to the NSA:
  • Google (Gmail, YouTube, etc)
  • Facebook
  • Microsoft (Hotmail, Skype, etc.)
  • Apple
  • Yahoo
  • PalTalk
  • AOL
Interesting, as Sophos states, is which companies are not on the list or when specific companies joined the list. Twitter is absent and Apple supposedly joined the list years after Microsoft. While we can only speculate how the government is using the data and what goal the administration has in collecting access to the data in the first place, one thing is clear: big government now really likes big data. Because big data is certainly what is being transferred to the government now and may be transferred to the government for the foreseeable future.

So are we all supposed to run for the hills now, live in the woods and off the grid? No, no one needs to go to these extremes. Selecting a search engine less popular than Yahoo, maybe even a social networking site less popular than Facebook (Myspace could see a revival), are options that those concerned about having their data turned over to the NSA can take. De-identifying your browsing as much as possible through the use of VPNs, and using search engines such as Duck Duck Go that do not retain search histories, are possible options that still let you use the internet on a regular basis. I had to smile today when I read somewhere that book sales of 1984 spiked. I always found Animal Farm to be the scarier view of the world because the government is one entity, but your next door neighbor sending you to the slaughterhouse and declaring who is more equal still creeps me out to this day.

I have two concerns about what goes on with the NSA and the collected data:
1) Does the government really have the capability to sort out the data for the few points that are of interest, and how long does the government intend to store the data?

It is clear that the government is now going fishing. Rather than define specific persons of interest, the NSA intends to collect and store (possibly long-term) information about the communication habits of a large number of people living in the USA. So what will the famous NSA analysts do now with the data? Will they search for abnormalities and spikes in communications to specific countries? Do they plan to correlate phone and internet records based on amounts alone and determine whether increased chatter was associated with specific persons in the USA? If the NSA really starts off that way, the question becomes "then what?". So you identify increased communication to Yemen or Libya, now what do you do? Approach courts with wiretapping requests for the people in the USA engaged in such communications? Keep in mind that so far, the NSA has not gotten access to content, only metadata regarding US communication habits.

More dangerous in my opinion is the possibility that the NSA is simply storing the information, hoping for technology to catch up and provide easy and cheap means to truly analyze the data collected so far. Through aggregation and statistical analysis, the NSA could hope to build a strong enough case over years that certain US residents are possibly involved in terrorist activities. My fear is that this second option would mean that the data presently handed over to the NSA could stick around forever (data storage is fairly cheap these days) and that the government would be able to aggregate enough data points on every individual that the data will be easily identifiable simply because of the amount of data that the NSA will eventually have available. The sad thing is that the terrorists, already assuming that they are being wiretapped by the "hostile" US government, will have protective measures in place to de-identify their data as much as possible, so that aggregation of their data will likely be the most difficult.

2) If the Guardian is correct and the Government Communications Headquarters (GCHQ, in this case the equivalent of the NSA in Great Britain) is also doing similar data collection for people living under its jurisdiction, how did this become permitted, given the different privacy rights in Europe versus the USA?

One of the basic differences between the US and Europe is how countries approach data privacy. The US traditionally has taken an approach in which SSNs can be collected for a number of reasons and agencies then focus on protecting that information, while European countries take a "share only if you must" approach, with less emphasis on improving protection because not a lot is collected to begin with. Do not get me wrong, European countries also work hard on securing the personal information of their citizens, but because they have less data collected to begin with, worrying about the ever increasing need to protect collected data is less prevalent in Europe. The Guardian hints that the GCHQ could have broken the law by piggybacking on the NSA and asking for collected information on UK citizens (see the article here). It will be interesting to see what consequences will occur in the USA versus the UK regarding the actual collection of the data. No matter what happens to individual officials involved, such as James Clapper, we should not forget the bigger issue. How sound is the legal basis under which the records were requested by the governments to begin with?

James Clapper's picture taken from the Guardian article here
