Tag Archives: intelligence

Facebook records self-censorship

Recently I came across an article about Facebook, more specifically, that Facebook wants to know why you self-censor, in other words, why you didn’t click Publish on that status update you just wrote, but decided not to publish instead. It turns out Facebook is sending everything you type in the Post textarea box (the one with the “What’s on your mind?” placeholder), to Facebook servers. According to two Facebook scientists quoted in the article: Sauvik Das, PhD student at Carnegie Mellon and summer software engineer intern, and Adam Kramer, a data scientist, they only send back information to Facebook’s servers that indicate whether you self-censored, not the actual text you typed. They wrote an article entitled Self-Censorship on Facebook (PDF, copy here) in which they explain the technicalities.

It turns out this claim that they only send metadata back, not the actual text you type is not entirely true. I wanted to confirm whether they really don’t send what you type to Facebook before you hit Publish, so I fired up Facebook and logged in. I opened up my web inspector and started monitoring requests to/from my browser. When I typed a few letters I noticed that the site makes a GET request to the URL /ajax/typeahead/search.php with parameters value=[your search string]&__user=[your Facebook user id] (there are more parameters, but these are the most important for the purposes of this article). The search.php script probably parses what you typed in order to find contacts that it can then show to you as autocomplete options (for tagging purposes).

Now, the authors of the article actually gathered their data in a slightly different way. They monitored the Post textarea box, and the comment box, and if more than 5 characters were typed in, it would say you self-censored if you didn’t publish that post or comment in the next 10 minutes. So in their methodology, no actual textual content was needed. But it turns out, as my quick research shows above, that your comments and posts actually do get sent to Facebook before you click Publish, and even before 5 characters are typed. This is done with a different purpose (searching matches in your contacts for tagging etc.), but clearly this data is received by Facebook. What they subsequently do with it besides providing autocomplete functionality is anyone’s guess. The fact that the user ID is actually sent together with the typed-in text to the search.php script may suggest that they associate your profile with the typed-in text, but there’s no way to definitively prove that.
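The check described above can be repeated on a saved web-inspector export. The following is an added example, not code from the original post: it scans a HAR file for GET requests to the typeahead endpoint and reports the typed text and user ID each one carried. The endpoint path and the parameter names value and __user are the ones quoted above; the host, user ID and typed strings are constructed.

```javascript
// Added example: audit a web-inspector HAR export for text sent while typing.
// Path and parameter names come from the post; everything in sampleHar is constructed.

const TYPEAHEAD_PATH = '/ajax/typeahead/search.php';
const STUDY_THRESHOLD = 5; // the study only counted entries of more than 5 characters

// Constructed sample in HAR 1.2 shape: log.entries[].request.{method,url}
const sampleHar = {
  log: {
    entries: [
      { startedDateTime: '2013-12-17T10:00:00.100Z',
        request: { method: 'GET',
          url: 'https://social.example/ajax/typeahead/search.php?value=I&__user=1000001' } },
      { startedDateTime: '2013-12-17T10:00:00.900Z',
        request: { method: 'GET',
          url: 'https://social.example/ajax/typeahead/search.php?value=I%20qu&__user=1000001' } },
      { startedDateTime: '2013-12-17T10:00:01.200Z',
        request: { method: 'GET', url: 'https://social.example/images/logo.png' } },
      { startedDateTime: '2013-12-17T10:00:02.400Z',
        request: { method: 'GET',
          url: 'https://social.example/ajax/typeahead/search.php?value=I%20quit%20my&__user=1000001' } },
    ],
  },
};

// Return one record per request that sent typed text to the typeahead endpoint.
function findTypeaheadLeaks(har, path = TYPEAHEAD_PATH) {
  const leaks = [];
  for (const entry of har.log.entries) {
    const { method, url } = entry.request;
    let parsed;
    try {
      parsed = new URL(url);
    } catch {
      continue; // skip entries whose URL cannot be parsed
    }
    if (method !== 'GET' || parsed.pathname !== path) continue;

    const text = parsed.searchParams.get('value'); // percent-decoded by URL
    if (text === null) continue;

    const length = [...text].length; // count code points, not UTF-16 units
    leaks.push({
      time: entry.startedDateTime,
      text,
      length,
      userId: parsed.searchParams.get('__user'), // null if no ID was attached
      belowStudyThreshold: length <= STUDY_THRESHOLD,
    });
  }
  return leaks;
}

// Condense the per-request records into the facts the post argues about.
function summarize(leaks) {
  const withId = leaks.filter((l) => l.userId !== null);
  const longest = leaks.reduce(
    (a, b) => (b.length > a.length ? b : a),
    { text: '', length: 0 },
  );
  return {
    requests: leaks.length,
    carryingUserId: withId.length,
    sentBelowThreshold: leaks.filter((l) => l.belowStudyThreshold).length,
    longestTextSent: longest.text,
    userIds: [...new Set(withId.map((l) => l.userId))],
  };
}

console.log(summarize(findTypeaheadLeaks(sampleHar)));
```

To run it on a real capture, replace sampleHar with the parsed JSON of a HAR file saved from the browser's network panel.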

When I read through the article, one particular sentence in the introduction stood out to me as bone-chilling:

“(…) Last-minute self-censorship is of particular interest to SNSs [social networking sites] as this filtering can be both helpful and hurtful. Users and their audience could fail to achieve potential social value from not sharing certain content, and the SNS [social networking site] loses value from the lack of content generation. (…)”

“loses value from the lack of content generation.” Let that sink in. When you stop yourself from posting something on Facebook, or re-write it, Facebook considers that a bad thing, as something that removes value from Facebook. The goal of Facebook is to sell detailed profiling information on all of us, even those of us wise enough not to have a Facebook account (through tagging and e-mail friend-finder functionality).

Big Data and Big Brother

And it isn’t just Facebook, it’s basically every social network and ad provider. There’s an entire industry of big data brokers, with companies most of us have never heard of, like Acxiom for instance, but there are many others like it, who thrive on selling profiles and associated services. Advertising works best if it is specific, and plays into users’ desires and interests. This is also the reason why, for this to be successful, companies like Facebook need as much information on people as possible, to better target their clients’ ads. And the best way is to provide a free service, like a social network, enticing people to share their lives through this service, and then you can provide really specific targeting to your clients. This is what these companies thrive on.

The bigger problem is that we have no influence on how our data gets used. People claiming they have nothing to hide, and do nothing wrong, forget that they don’t decide on what constitutes criminal behavior, it’s the state making that decision for them. And what will happen when you are suddenly faced with a brutal regime that abuses all the information and data they got on you? Surely we want to prevent this.

This isn’t just a problem in the technology industry, and business, but a problem with governments as well. The NSA and GCHQ, in cooperation with other intelligence agencies around the world are collecting data on all of us, but without providing us, the people, the possibility of appeal, and correction of erroneous data. We have no influence on how this data gets used, who will be seeing it, how it might get interpreted by others, et cetera. The NSA is currently experiencing the same uneasiness as the rest of us, as they have no clue how much or what information Edward Snowden might have taken with him, and how it might be interpreted by others. It’s curious that they now complain about this same problem that the rest of us have been experiencing for years; a problem that NSA partly created by overclassifying information that didn’t need to be kept secret. Of course there is information that needs to be kept secret, but the vast majority of information that now gets rubber stamped with the TOP SECRET marking, is information that is of no threat to national security if it were known to the public, but more likely information that might embarrass top officials.

We need to start implementing proper oversight to the secret surveillance states we are currently subjected to in a myriad of countries around the world, and take back powers that were granted to them, and subsequently abused by them, if we want to continue to live in a free world. For I don’t want to live in a Big Brother state, do you?

Economic Consequences of NSA Surveillance

Note: This article is also available in Portuguese, translated by Anders Bateva.

(Note: A version of this article also got published on Consortium News) In the last 6 months or so, Edward Snowden, former NSA contractor, came forward with revelations about the NSA, disclosing quite a few of the agency’s surveillance programs, and revealing that the agency has the most blatant disrespect for civil rights and spies on everything and everyone, all over the world, in a Pokémon-style “Gotta catch ’em all!” fashion. The actions of the NSA are also having a real effect on the United States economy. Let’s talk about the economic consequences the NSA’s surveillance programs will have on the United States economy, and, more specifically, its tech industry. The actions of the US administration, and more specifically what the NSA is doing with their surveillance programs, are having a big impact on the US economy, especially in Silicon Valley. Why would I store my data on servers in the United States, where this data is easily accessible by the NSA, among others, if I can just as easily store it in Europe or some other, more secure place?

A Positive Investment Climate

To understand the US hegemony when it comes to IT companies and services, it is good to have a look at the history of the investment climate. Why did these companies pop up in the United States? Why wasn’t Google invented in, say, Germany, or Finland? The reason many of these cloud storage services and internet companies popped up in Silicon Valley as opposed to Europe, say, is because of the investment climate in the United States, which made it much easier to start an internet company in the United States. Large institutional investors, venture capitalists, are less likely to invest in a start-up in Europe. Also, bankruptcy laws are much more relaxed in the US as opposed to Europe. Whereas in the US, you can be back on your feet in a year or so after going bankrupt, in Europe, this is generally a much longer process. According to the Economist, it takes a minimum of 2 years in Spain, 6 years in Germany, and a whopping 9 years in France. In my own country, The Netherlands, it takes 3 years to be debt-free again after a bankruptcy, but if you go bankrupt in Paris, good luck, you’ve just ruined your future. This makes it far more risky to try new things and set up shop in Europe, because the consequences if things go bad are so much worse. Unfortunately, this has left us Europeans in the position that we currently don’t really have a European ‘Silicon Valley’, we don’t have a lot of viable, easy to use alternatives, and these desperately need to get developed. We depend too much on American companies right now, and I think it’s good if we diversified more, so that we will get a healthy market with plenty of good alternatives, instead of what we have now, which is a US monopoly on web-mail (Gmail/Hotmail etc.), social networks (Facebook, Twitter, LinkedIn, Foursquare, etc.), internet search (Google), cloud storage (Dropbox, Microsoft, Amazon), and other things. 
Already, cloud storage providers in Silicon Valley currently see big drops in their revenues because of the disclosures of Snowden. Why would we store our data across the pond? This is the central question and this is having real economic consequences for the United States.

US Cloud Service Providers Face Economic Consequences

Cloud providers based in the US were experiencing significant profit drops when the NSA revelations were made public. People outside the United States suddenly began to question whether their sensitive data was safe on American soil. All these companies are subject to the PATRIOT Act, which requires them to hand over any information and data they have on their customers, and they are prohibited by the US government from telling their customers about it. So the conclusion can quite definitively be that no, your data cannot be trusted to stay secure if you send it over to the United States, by using ‘convenient’ cloud services like Dropbox, or Amazon, among others.

This is the critical criterion. It doesn’t matter that the company tells you that they use the most high-end military-grade encryption, it doesn’t matter that they thought of an interesting technical solution to try and circumvent surveillance, it doesn’t matter that they write glowing blog posts solemnly promising not to hand over your data, all that matters is that it is a US company, required to obey US law, and required to hand over your data. Few companies will be able to resist the pressure and forfeit their entire business model to protect your privacy. This is also what strikes me as funny when I read about major US tech companies, like Google, Apple and Microsoft, who found out that their server-to-server connections were being intercepted by NSA. These intra-server connections were not encrypted, sent in the clear, probably on some private fibre optic cable. Of course this could be intercepted given the NSA’s technical competence. So now these companies are trying really hard to sell the story to their overseas customers that their intra-server communications are now fully encrypted. This is a feeble attempt to keep some of their customers from switching to alternatives (of which there are not many, unfortunately), as these companies are still US companies, with offices and infrastructure in the US, and the need to obey the laws over there. So it’s totally irrelevant that these tech companies are now encrypting their intra-server communications, as the US government can simply request the data via other, more official means. But these companies aren’t just promoting irrelevant measures, they actively act against our interests. After the revelations made by Edward Snowden, Facebook is making data hand-offs to US authorities easier (fully automated, without judicial oversight). Facebook is also partnering with police to make protests harder to organise. And still we insist on using its social network. These are instruments of control and surveillance.
We’re not their customers, we’re the product being sold. We have a distinct lack of viable alternatives which aren’t based in the US, and it’s important to remember that social networks have a social aspect. It isn’t enough for you to change over to a competitor, you have to convince your friends to switch as well. This is what keeps social networks afloat for so long, because this is indeed very hard to do.

March to Irrelevance

In October 2013, Congress raised the debt ceiling again, which will buy some time until January 2014. Then they will have the exact same problem. The United States is structurally spending more money than they have available, and current US national debt ($17 trillion dollars) can never be repaid. They are pretty much already in default. But since the financial system is based on trust and hearsay, smoke and mirrors, it takes a while for people to face the reality, wake up and smell the coffee. At which point the United States will be an irrelevant relic from the past. Here in Europe, we need to protect our own citizens’ interests, and start developing viable alternatives for the US hegemony, because the US hegemony will be over one day.

At the Crossroads: Surveillance State or Freedom?

When I went to OHM2013 last week, it was great to see such increased political activism from the hackers and geeks at the festival. I truly believe we are currently at a very important crossroads: either let governments the world over get away with crimes against the people’s interests, with programs like PRISM, ECHELON, TEMPORA and countless other authoritarian global surveillance schemes, or enter the path towards more freedom, transparency and accountability.

A good example of what not to do is Google Glass. A few weeks ago I came across the story of a hacker who modded Google Glass so as to allow instant facial recognition and the covert recording of video. Normally you need to tap your temple or use voice commands to start recording with Glass, all of which are pretty obvious gestures. But now people can record video and do automatic facial recognition covertly when they wear Glass. I even saw that there’s an app developed for Glass, called MedRef. MedRef also uses facial recognition technology. This basically allows medical professionals to view and update patient records using Glass. Of course having medical records available on Glass isn’t really in the interests of the patient either, as it’s a totally superfluous technology, and it’s unnecessary to store patient records on a device like that, over which you have no control. It’s Google who is calling the shots. Do we really want that?

Image above © ZABOU.


As hackers, I think it’s important to remember the implications and possible privacy consequences of the things we are doing. By enabling the covert recording of video with Google Glass, and also adding on top of that, instant and automatic facial recognition, you are basically creating walking CCTV cameras. Also given the fact that these devices are controlled by Google, who knows where these videos will end up. These devices are interesting from a technical and societal standpoint, sure, but after PRISM, we should be focusing on regaining what little we have left of our privacy and other human rights. As geeks and hackers we can no longer idly stand by and just be content hacking some technical thing that doesn’t have political implications.

I truly and with all my heart know that geeks and hackers are key to stopping the encroaching global surveillance state. It has been said that geeks shall inherit the earth. Not literally of course, but unlike any other population group out there, I think geeks have the skills and technical know-how to have a fighting chance against the NSA. We use strong encryption, we know what’s possible and what is not, and we can work one bit at a time at restoring humanity, freedom, transparency and accountability.

These values were won by our parents and grandparents after very hard bloody struggles for a reason. They very well saw what will happen with an out-of-control government. Why government of the people, for the people, and by the people, is a very good idea. The Germans have had plenty of hands-on experience with the consequences as well, first with the Nazis who took control and were responsible for murdering entire population groups, not only Jews but also people who didn’t think along similar lines: communists, activists, gay people, lesbians, transgenders, etc. Later the Germans got another taste of what can happen if you live in a surveillance state, with the Stasi in the former East-Germany, who encouraged people to spy on one another, exactly what the US government is currently also encouraging. Dangerous parallels there.

But you have to remember that the capabilities of the Stasi and Gestapo were only limited, and peanuts to what the NSA can do. Just to give a comparison: the Stasi at the height of its power, could only tap 40 telephone lines concurrently, so at any one time, there were at most 40 people under Stasi surveillance. Weird isn’t it? We all have this image in our minds that the prime example of a surveillance state would be East-Germany under the Stasi, while they could only spy on 40 people at a time. Of course, they had files on almost anybody, but they could only spy on this very limited number of people concurrently. Nowadays, the NSA gets to spy continuously on all the people in the world who are connected to the internet. Billions of people. Which begs the question: if we saw East-Germany as the prime example of the surveillance state, what do we make of the United States of America?

The Next Step?

I think the next step in defeating this technocratic nightmare of the surveillance state and regaining our freedom is to educate others. Hold cryptoparties, explain the reasons and need and workings of encryption methods. Make sure that people leave with their laptops all configured to use strong encryption. If we can educate the general population one person at a time, using our technological skill and know-how, and explain why this is necessary, then eventually the NSA will have no-one to spy on, as almost all communication will flow across the internet in encrypted form. It’s sad that it is necessary, really, but I see no other option to stop intelligence agencies’ excess data-hunger. The NSA has a bad case of data addiction, and they urgently need rehab. They claim more data is necessary to catch terrorists, but let’s face it: we don’t find the needle in the haystack by making the haystack bigger.

Life, Liberty and the Pursuit of Snowden

Note: This article is also available in Portuguese, translated by Anders Bateva.

237 years ago, 56 traitors to their King and country signed a document which outlined a new philosophy, that all men are created equal, that they are endowed by their creator with certain unalienable Rights. That among these are Life, Liberty, and the Pursuit of Happiness. This gave birth to a new nation, the United States of America. Funny how your perception can change depending on your viewpoint and background, isn’t it? In 1776, these 56 signatories of the United States Declaration of Independence did something very brave indeed. They took a stand against the Empire on which the sun never sets, the British Empire, because it failed to embody and represent what they believed in: that it should be the task of the government to secure the above rights, and that governments derive their just powers from the consent of the governed. And that whenever the government becomes destructive of these ends, it is the right of the people to alter or abolish it. These men are considered patriots by many Americans, because in defying the King of Great Britain in 1776, they founded the United States of America, a nation once conceived on these noble principles. A nation that sadly no longer adheres to the philosophy laid down in its Declaration of Independence. Had history played out differently, these men could have been tried for high treason and hanged, drawn and quartered. These men took a huge personal risk based on what they personally believed in. You have to remember, back in 1776, the British Empire was a superpower, quite similar to the roles the United States, Russia and China play today. But history is written by the victors, as they say.

Snowden

Now, Snowden blew the whistle because he recognized the government failed to defend the rights of the people, failed to embody the spirit in which it was founded 237 years ago. This is an incredibly brave thing to do. Just think about it: he had to leave his friends and family and his entire life behind and can probably never visit his friends and family again, because he did what he felt was right: expose the crimes committed by the US government. By many he is now branded a traitor, similar to how those 56 signatories were viewed by a portion of the British people back in the day. I sincerely hope Snowden will stay safe. One of the things that struck me when following the Snowden story, is that the media spin machine is now in full swing, trying to come up with dirt on both Edward Snowden, and the journalist who published the story in the Guardian: Glenn Greenwald. The goal of course, is to slowly make the media shift their focus away from the main story, and onto petty things instead, like the obsession with Snowden’s girlfriend, or whether Greenwald should be charged with a crime or not. The goal of those manipulators behind the scenes is to discredit the source who has been leaking this classified but vitally important information, so that eventually people will start to no longer believe him. By discrediting the whistle blower, they hope to also discredit his story. Don’t they get it? Don’t they get that transparency, and democratic oversight, checks and balances are what any government that claims to be a government of the people, by the people and for the people desperately needs? Precisely those things that it is now sorely lacking. By having informed, intelligent citizens, we increase overall safety and national security. We don’t make our nations any safer by scaring our citizens and beating them into submission. But as of late, the truncheon is used in lieu of conversation more and more…

Meanwhile in Europe…

Here in Europe, we saw politicians finally taking a stand against the NSA PRISM program, but sadly only because it was in their own self-interest to do so. It wasn’t until Snowden released documents proving that the United States had been spying on European diplomats in Washington, New York and Brussels, as was published in Der Spiegel on July 1st, that we finally got some strong language from some European leaders, with François Hollande even threatening to suspend the trade pact talks with the US. This delayed reaction by European politicians seems to send the message to the European citizens that it’s apparently perfectly OK to spy on European citizens (politicians here were awfully quiet when the story broke), as long as the Americans are not spying on our diplomats and politicians. Oh, and if you’ve heard the NSA’s stories about ‘metadata’, and you’re wondering what ‘harmless metadata’ really means, be sure to check out German Green Party Member Malte Spitz’s six months of telephone records mapped on a moving map. It’s quite a humbling experience. 🙂 Update: Since I wrote this article on July 2nd, 2013, things have changed even more dramatically, as long-established diplomatic principles in international law have been grossly violated by denying President Morales’ plane access to French, Spanish, Italian and Portuguese airspace, causing it to have to divert to Vienna when the president was on his way home from a summit in Moscow. Of course, this caused massive anger in Latin America. The real problem we now have in Europe are leaders with rubber knees. We have our brain, and our sovereignty. Let’s start using it.

Dangers of the ‘nothing to hide, nothing to fear’ mentality

Note: This article is also available in Portuguese, translated by Anders Bateva.

With regards to the whole PRISM program recently unveiled by NSA whistleblower Edward Snowden, I had a discussion with someone a few days ago who still held to the view that if you have nothing to hide, you have nothing to fear from the government. This blog post is mainly aimed at dispelling some of these myths that keep cropping up in these discussions.

Change in Government

One of the biggest problems with this argument is that the government isn’t this all-good, benevolent entity that most people think it is. They actively and purposefully violate their own laws regularly. Now governments always have claimed that they work in the best interest of the people (which is the thing they should do), but who guarantees to me that this will always stay this way? Who guarantees that the Dutch government for instance, won’t turn into a full-blown police state in 5 or 10 years time, the way the British government already has? GCHQ is even worse than the NSA, as they’re tapping over 200 fibre optic cables indiscriminately. Who guarantees to me that there won’t be a dictator in 10 years time, maybe elected in a fit of fear, who then grabs power and starts abusing it to the fullest? Many people seem to laugh at the suggestion, but the danger is still very real. We don’t know what will happen in the future so therefore we should instead be proactive, and make sure that when a malevolent government does come to power (which I hope not), it has as little influence over the lives of the people as possible. An interesting story about changing governments, and sudden abuse of power is the story of Jacob Lentz. Lentz was a Dutch civil servant who worked on setting up the national resident registration system and designed the new national ID cards during the Second World War. In the summer of 1940, Lentz was convinced that Nazi Germany would win World War II, and he worked very hard at creating a watertight system. His ID cards were notoriously difficult to forge, even better than the German variant, the Kennkarte, making the lives of the Dutch resistance members a lot harder. His system registered a lot of information about the Dutch citizens, religion among other things. This made it ridiculously easy for the Nazis, when they conquered The Netherlands in May 1940, to see who was of Jewish descent and who wasn’t.
And we all know the unimaginable horrors that led to. Now, Lentz thought he had good intentions. But the road to hell is paved with good intentions, as they say. If Lentz had thought it through just a little bit, had thought of the possible consequences, he might have chosen a different path. He could have saved the lives of thousands of Jews, with little to no danger to his own personal safety, or his family’s.

ProfilingSurveillance: Nothing to hide?

Now, it’s important to remember that you as a citizen usually don’t get to decide what constitutes criminal or suspicious behavior or not. You usually have no say in this matter, and governments habitually move the goal posts during the game. The average Dutchman can be found in well over 5,000 different government databases (link in Dutch). Now, with this much data on 17 million people, the government is bound to make mistakes. Because of the vast amount of information, they have to pattern match and profile you. This often leads to mistakes. If you buy a bag of fertilizer, are you simply a gardener, growing marijuana in your attic or maybe even a potential terrorist? This seemingly innocent act can suddenly raise a lot of flags in the numerous interlinked government databases. These databases aren’t perfect, and more often than not are failing to register the critical bits of context that might explain your behavior. The danger that your actions are registered while missing a lot of context, should be reason enough why we shouldn’t want to expand the surveillance state any further.

Feature Creep

Then there’s the problem of feature creep. When the government proposes a new law that enhances the powers of the surveillance state, they are always keen to solemnly promise to the MPs that these powers will of course only be exercised under strict conditions and regulations, with proper, independent oversight, with a court order, et cetera. In the end, this is almost never the case, and even your common neighborhood cop suddenly has access to sensitive information about you. This is exactly what happened in the case of RIPA (the Regulation of Investigatory Powers Act 2000) in Britain. This was an Act that was passed at the start of the War on Terror, expanding the powers of the British spooks significantly. (It’s interesting to note that a law expanding powers of the spooks has a name that seems to suggest that it seeks to regulate said powers) When it was passed into law, it was supposed to only be used by the spooks, while nowadays, local councils can exercise these powers as well. And this is happening in a lot of places. These dangers are very real, and we need to start speaking up, and start demanding proper oversight for the spooks and the rest of the surveillance apparatus. In the meanwhile, there are a lot of things we can do to at least make their work a bit more difficult. 🙂