Tag Archives: NSA

The TTIP Tragedy

europeYesterday, the European Parliament passed a draft report containing the EP’s recommendations to the Commission on the negotiations for TTIP. TTIP is the “free trade” treaty that is being negotiated between the US and the EU. It is the latest chapter in a long range of abbreviations across the world, from ACTA, to CETA, to TPP, TISA, etc. The end goal for TTIP is to create a single, massive free trade area/single market between the United States and the European Union member states. In practice, this requires that our standards be lowered to theirs and American businesses given unfettered access to the European markets (and in name vice versa, but it remains to be seen whether that will be the case in reality.)

The negotiations with the United States are being conducted in secret. There are various MEPs who are regularly informed about the progress of the negotiations, but they are prevented from saying anything substantial about the actual contents of the documents currently on the table. The peoples of Europe have no influence and no say in what makes it in the final treaty. Most of the Members of the European Parliament also have no idea about the exact contents of the negotiating document, and what is currently on the table. The European Parliament will vote on TTIP when the treaty is completed, but does not have the power to make amendments to the final text. This is a massive shame, since this treaty will influence us in major ways. In practice, it will open up our markets to American big business, while the effect for European middle and small enterprises are almost non-existent (as the vast majority of SMEs will not make the step to export to the United States).

Negligible Economic Advantages

The long-term economic advantages of TTIP to Europe is in fact completely negligible. Karel De Gucht, the previous EU Commissioner for Trade until 2014, claimed that TTIP will create lots of jobs in Europe, when in fact, we’re looking at an increase of GDP of at most 0.4 to 0.5 percent over a time period of decades. Claiming that this treaty will be about job creation and creating opportunities for workers on both continents is just completely dishonest, as also claimed in a blog on the U.S. Center for Economic and Policy Research (CEPR) website. According to various studies, the economic advantages are quite negligible. Incidentally, when De Gucht was confronted by some questions asked by the journalist regarding the alleged economic advantages of TTIP, he couldn’t provide an answer. And these are the sorts of people in charge of these things?

ISDS With A Different Name

ttip-2One important aspect that hasn’t been scrapped in the new resolution is the notorious ISDS provision (Investor-State Dispute Settlement). ISDS is a arbitration provision, that basically says that if a corporation thinks that a certain law passed by a nation-state’s parliament is hurting the profits of the corporation, they will have a way to sue the state for damages, in practice amounting to hundreds of millions of euro’s.

The most laughable thing about this arbitration commission is, that in the initial proposals, it consists of 3 lawyers, one of which will be from the company and another one from the nation state; the third one to be decided by the 2 parties. No legitimate judge would be asked to take this decision, and this provision has the potential to hurt democracy in a massive way. That this was even up for serious discussion is simply insane. When we as people can no longer decide for ourselves what we do and do not allow onto the market, because we should always take into account whether or not that will hurt someone’s business model, what independence do we have left? What will be left of the people’s sovereignty, granted to them by international law?

The ironic thing is that in the latest resolution passed by the European Parliament (P8_TA-PROV(2015)0252), the term “ISDS” has been replaced with: ‘a system for resolving disputes between investors and states’. Tell me: how is that different from “Investor-State Dispute Settlement”? This was just a different term used in the new resolution just so some fractions in the European Parliament can say: “Look people, we stopped ISDS!”, while at the same time the Commission and the negotiating team can say to the Americans that it’s still in. In effect, nothing has changed on this point. The entire concept of investors suing states for damages because legislation is a threat to their business model, and doing so in kangaroo courts, is an utter travesty to the legal system.

Another problem is that big corporations have an excessive influence on European policy-making. During the preparatory phase of TTIP, 590 meetings took place between the Commission and corporate lobbyists. 92% of these meetings were with representatives of big business. In fact, quite a few sentences in the proposals are directly written by the lobbyists, and made it in the proposals virtually unchanged. And this is not only a problem for TTIP, this happens all the time.

Consequences of Arbitrary Arbitration

An example of where this could lead to is the case of Achmea vs the Republic of Slovakia. In this case, Achmea (which is a major Dutch insurance conglomerate) sued the Slovak Republic for damages because they wanted to re-nationalise their health care system. Of course, Achmea stood to lose millions of euros in potential profits due to this policy change, so they sued, citing alleged breaches of the Treaty on encouragement and reciprocal protection of investments between the Czech and Slovak Federal Republic and the Kingdom of the Netherlands. Luckily, the arbitration committee in this case dismissed all of Achmea’s claims, and recognised the sovereignty of the Slovak Republic to make these kinds of policy decisions.

Now imagine what happens when TTIP is implemented, on a massive scale and in a vast area across many different industries? What sovereignty do we have left when we have to think about protecting the profits of huge corporations with each and every policy decision?

Investor-State Dispute Settlement is wholly unnecessary

Protecting investments by means of arbitration committees only makes sense if your trading partner is a country without a well-developed and functioning legal system. It does not make sense whatsoever in the context of a free trade deal between the United States and the EU, since European countries do have functioning legal systems. It isn’t a union of banana republics. At least not yet. So any investment arbitration mechanism in the TTIP treaty that circumvents the nation states’ legal system is wholly unnecessary. The only reason it will make it into the treaty is to give big business a lot more power to overrule the decisions made by our elected representatives. One step closer to a United States of Europe, which in the vision of eurocrats the likes of Guy Verhofstadt is only complete when it stretches from California to the Caspian Sea.

Benito Mussolini, the fascist Italian dictator during WWII, once defined fascism as: the merger of the corporate with the state. When TTIP is passed, the corporate is the state! We will open our European markets up to American multinationals who, as we know, have little concern for labour standards, food safety regulations, and more. It will amount to us lowering our standards to theirs in the interest of “free trade”.  If we don’t lower our standards, that would imply that the United States would raise theirs, which is extremely unlikely to happen in the current political climate. It will introduce a dispute settlement system that is actively hostile to the very principle of democracy. And our parliaments will have no say in the matter. Despite what the average eurocrat says, these are very real dangers. But there are even more reasons not to want this trade agreement with the United States.

Free Trade? With the people who spy on their allies?

nsaRecently, news came out that the United States NSA spied on the German Chancellor and her most senior officials and also on the last 3 Presidents of the French Republic. These documents on WikiLeaks also reveal that the US has a decade-long policy of economic espionage, and is intercepting all French corporate contracts and deals valued over $200 million.

Two years after Edward Snowden’s revelations were made public, we have seen a move towards more secrecy, more surveillance, and more corporatism, and a lot less transparency and accountability. Transparency and accountability is also a major issue within the EU institutions and in particular the TTIP negotiations, but I’ll get to that it a bit.

Over the last 2 years we have seen moves by various European intelligence agencies to imitate the NSA and GCHQ in their capabilities. Just recently, the Dutch government released for public consulting a proposal aimed to give the AIVD, more power, authorising them to start tapping cable-bound communications.

Also, the FBI by means of James Comey and others in the US and UK (Cameron, May) are desperately trying to ban encryption, against all expert advice. Banning encryption makes us less secure, preventing, for example, banks and corporations from protecting our personal data against interception by criminals. Without encryption we cannot securely shop online, we cannot message online, businesses cannot keep their trade secrets confidential, etc. Encryption is essential to the internet, and essential to innovation.

The important point is this: Do we really want to increase cooperation in the areas of trade and industry, across all sectors, with the country that has been spying on us and disregards its own Constitution and rule of law? Do we really think that is in the interest of European citizens?

I wonder what would happen in the following hypothetical situation. Let’s say for the sake of argument that it is revealed that the Bundesnachrichtendienst (Germany’s foreign intelligence agency) has been spying on the last 3 US Presidents. Would the US then take the initiative and start negotiating a trade deal and much closer cooperation with the Europeans? Or would these actions be strongly condemned and action taken to prevent these actions in the future? I think we know what the response of the US in this hypothetical situation would likely be. However, in the real world, the US has been spying on the Europeans for decades on a massive scale, and we still don’t reconsider who our allies are?

verhofstadt_van_baalenWe still mindlessly follow the US lead when it comes to demonising Russia, we don’t consider what actions are in the best interest of European businesses, we continue to give the US great advantages as they continue to stir up trouble, start revolutions and regime changes in Ukraine, hurting stability in the entire region, with MEPs Verhofstadt & Van Baalen joining in, calling for regime change on Maidan square.

The fact that US foreign policy is not a force of good in the world would already be grounds to scrap this entire treaty altogether.

Europe’s democratic deficit

ostrakon

An Ancient Greek ὄστρακον (ostrakon), mentioning Megacles, son of Hippocrates (inscription: ΜΕΓΑΚΛΕΣ ΗΙΠΠΟΚΡΑΤΟΣ), 487 BC. In the ancient Athenian democracy, ὄστρακον were pieces of discarded pottery that people would scratch a name into to cast their vote of who to banish from the city.

Some people may accuse me of being Eurosceptic. That is not the case: I like the concept of European cooperation and integration, I have many clients across Europe, I like the fact that I am able to travel, live, and work anywhere in the European Union. That is not the problem, and in fact, one of the greatest achievements of close European cooperation.

What is the problem, however, is the clear lack of democracy and transparency at the European level at various European institutions. European elections are held to elect Members for a small piece of the pie that is the European Parliament (depending on the country you’re from the piece may be bigger or smaller), but other than that, the European institutions are completely closed from all meaningful interactions with European citizens. The Commission is not elected, and all other European institutions that make or influence European policy also have unelected officials who decide on things. We have 4 different Presidents responsible for God knows what, and all unelected. This is the major problem with the Union, and the thing in my opinion needs to be fixed before we start thinking about further expansion, or the transfer of even more powers to Brussels.

Europe should embrace democracy, not eschew it, like we could see yet again prior to the latest Greek referendum, when various European leaders made threats to the Greek people about the consequences should they not agree to more austerity. Even the President of the European Parliament, Mr. Martin Schultz has made such threats, which is wholly unbecoming of a President of a poor excuse of a Parliament, who should be above all parties, and adhere to independence from such political opinions.

Democracy is a great concept, invented in the 5th century BCE by the ancient Athenians in Greece. We should do more of it!

The Sad Truth

The sad truth regarding TTIP is that — based on the resolution just passed by the EP — I can already make the prediction regarding the final verdict of the European Parliament when the TTIP final document is finally presented to them: they will pass it, and it’ll probably include some sort of ISDS provision. There will probably be time pressure involved, requiring MEPs to read and interpret thousands of pages of legalese in a very short time-frame, which ensures that no MEP will actually read the document they vote on.

And when TTIP is passed, corporate fascism in Europe has won.

RT Going Underground Interview About Regin

I recently did an interview with RT‘s Going Underground programme, presented by Afshin Rattansi. We talked about the recently-discovered highly sophisticated malware Regin, and whether GCHQ or some other nation state could be behind it. The entire episode can be watched here. For more background information about Regin, you can read my article about it.

With Politicians Like These, Who Needs Terrorists?

The text on the cover says: "Love is stronger than hate."

The text on the cover says: “Love is stronger than hate.”

Last week, on the 7th of January 2015, the satirical magazine Charlie Hebdo‘s office in Paris was attacked by Islamic fundamentalists. Charlie Hebdo is a French satirical magazine featuring jokes, cartoons, reports etcetera. that is stridently anti-conformist in nature. They make fun of politics, Judaism, Christianity and Islam and all other institutions. Like all of us they have every right to freedom of expression. But alas, fundamentalists did not agree, and opted to violently attack their office in Paris with assault rifles and rocket propelled grenades, leaving 12 people killed and 11 wounded. This was a terrible attack, and my heart goes out to the families and their colleagues and friends who have lost their loved ones.

After the attack, there was (rightly so) worldwide condemnation and the sentence “Je suis Charlie,” French for “I am Charlie,” became the slogan of millions. What I am afraid of however, is not the terrorists who perpetrate these attacks. What frightens me more, is the almost automatic response by politicians who immediately see reasons to implement ever more oppressive legislation, building the surveillance state. After all, the goal of terrorism is to change society by violent means. If we allow them to, the terrorists have already won. Their objective is completed by our own fear.

Hypocrites At The March

When I was watching footage of the march in Paris for freedom of expression I saw that a lot of government leaders were present, most of whom severely obstructed freedom of expression and freedom of the press in their home countries. Now they were were at the march, claiming the moral high ground and claiming to be the guardians of press freedom.

Here’s an overview of some of the leaders present at the march and what they did in relation to restricting press freedom in their own countries, courtesy of Daniel Wickham, who made this list and published it on his Twitter feed:

Politicians like the ones mentioned above, but also the likes of May (UK Home Secretary), Opstelten (the Netherlands’ Justice Minister) and many others are jumping on the bandwagon again to implement new oppressive laws limiting freedom of expression and the civil and human rights of their peoples. With leaders like these, who needs terrorists? Our leaders will happily implement legislation that will severely curtail our freedoms and civil liberties instead of handling the aftermath of tragic events like these as grown-ups. It would be better if they viewed participating in the march as a starting point to start improving the situation in the areas of freedom of expression and freedom of the press at home.

The Political Consequences Of Terrorist Attacks

What frightens me is the fact that people like Andrew Parker, head of MI5, the kind of person who normally never makes headlines, is given all the space he needed to explain to us “why we need them,” to put it in the words of High Chancellor Adam Sutler, the dictator from the film “V for Vendetta,” which is set in a near-future British dystopia. UK Chancellor George Osborne immediately said in response to the piece by Andrew Parker that MI5 will get an extra £100 million in funding for combating Islamic fundamentalism. David Cameron has confirmed this.

Politicians are using the tragic events in Paris as a way to demand more surveillance powers for the intelligence community in a brazen attempt to curtail our civil liberties in a similar way to what happened after the 9/11 attacks.

All the familiar rhetoric is used again, how it’s a “terrible reminder of the intentions of those who wish us harm,” how the threat level in Britain worsened and Islamic extremist groups in Syria and Iraq are trying to attack the UK, how the intelligence community needs more money to gather intelligence on these people, how our travel movements must be severely restricted and logged, the need for increased security at border checks, a European PNR (Passenger Name Record) (which, incidentally would mean the end of Schengen, one of the core founding principles on which the EU was founded — freedom of movement). The list goes on and on.

A trend can be seen here. UK Home Secretary Theresa May wants to ban extremist speech, and ban people deemed extremist from publicly speaking at universities and other venues. The problem with that is that the definition of extremist is very vague, and certainly up for debate. Is vehemently disagreeing with the government’s current course in a non-violent way extremist? I fear that May thinks that would fit the definition. This would severely curtail freedom of speech both on the internet and in real life, since there are many people who disagree with government policies, and are able to put forward their arguments in a constructive manner.

Before we can even begin to implement laws like these we need to discuss what extremism means, what vague concepts like “national security” mean. There are no clear definitions for these terms at this point, while the legislation that is being put into place since 9/11 is using these vague notions intentionally, giving the security apparatus way too much leeway to abuse their powers as they see fit.

I read that Cameron wants to ban all encrypted communications, since these cannot be decrypted by the intelligence community. This would mean that banks, corporations and individuals would leave themselves vulnerable to all kinds of security vulnerabilities, including identity theft among others, vulnerabilities which cryptographic technologies are meant to solve.

Cryptography is the practice of techniques for secure communication in the presence of adversaries. Without cryptography, you couldn’t communicate securely with your bank, or with companies that handle your data. You also couldn’t communicate securely with various government agencies, or health care institutions, etcetera. All these institutions and corporations handle sensitive information about your life that you wouldn’t want unauthorised people to have access to.  This discussion about banning cryptography strongly reminds me of the Crypto Wars of the 1990s.

Making technologies like these illegal only serves to hurt the security of law-abiding citizens. Criminals, like the people who committed the attacks at Charlie Hebdo, wouldn’t be deterred by it. They are already breaking the law anyway, so why worry? But for people who want to comply with the law, this is a serious barrier, and restricting cryptography only hurts our societies’ security.

Norwegians’ Response to Breivik

Instead of panicking, which is what these politicians are doing right now, we should instead treat this situation with much more sanity. Look for instance to how the Norwegians have handled the massacre of 77 people in Oslo and on the Norwegian island of Utøya by Anders Behring Breivik on July 22nd, 2011.

Breivik attacked the Norwegian government district in Oslo, and then subsequently went to Utøya, where a large Labour Party gathering was taking place. He murdered 77 people in total.

The response by the Norwegians was however, very different from what you would expect had the attack taken place in the UK, the US or The Netherlands, for instance. In these countries, the reaction would be the way it is now, with the government ever limiting civil liberties in an effort to build the surveillance state, taking away our liberties in a fit of fear. The Norwegians however, urged that Norway continued its tradition of openness and tolerance. Memorial services were held, the victims were mourned, and live went on. Breivik got a fair trial and is now serving his time in prison. This is the way to deal with crises like this.

Is Mass Surveillance Effective?

The problem with more surveillance legislation is the fact that it isn’t even certain that it would work. The effectiveness of the current (already quite oppressive) surveillance legislation has never been put to the test. Never was a research published that definitively said that, yes, storing all our communications in dragnet surveillance has stopped this many terrorist attacks and is a valuable contribution to society.

In fact, even the White House has released a review of the National Security Agency’s spy programmes in December 2013, months after the first revelations by Edward Snowden, and this report offered 46 recommendations for reform. The conclusion of the report was predictable, namely that even though the surveillance programmes have gone too far, that they should stay in place. But this report has undermined the NSA’s claims that the collection of meta-data and mass surveillance on billions of people is a necessary tool to combat terrorism.

The report says on page 104, and I quote:

“Our review suggests that the information contributed to terrorist investigations by the use of Section 215 telephony meta-data was not essential to preventing attacks and could readily have been obtained in a timely manner using conventional Section 215 orders.”

And shortly after Edward Snowden’s revelations about the existence of some of these programmes were published, former director of the NSA Keith Alexander testified to the Senate in defence of his agency’s surveillance programmes. He claimed that dozens of terrorist attacks were stopped because of the mass surveillance, both at home and abroad. This claim was also made by President Obama, who said that it was “over 50.” Often, 54 is the exact number quoted. Alexander’s claim was challenged by Senators Ron Wyden (D-OR) and Mark Udall (D-CO), who said that they “had not seen any evidence showing that the NSA’s dragnet collection of Americans’ phone records has produced any valuable intelligence.” The claim that the warrant-less global dragnet surveillance has stopped anywhere near that number of terrorist attacks is questionable to say the least, and much more likely entirely false.

More oppressive dragnet surveillance measures aren’t helping with making the intelligence community any more efficient at their job. In fact, the more intelligence gets scooped up in these dragnet surveillance programmes, the less likely it becomes that a terror plot is discovered before it occurs, so that these may be stopped in time. More data needs to be analysed, and there’s only so much automatic algorithms can do when tasked with filtering out the non-important stuff. In the end, the intel needs to be assessed by analysts in order to determine their value and if necessary act upon it. There is also the problem with false positives, as people get automatically flagged because their behaviour fits certain patterns programmed into the filtering software. This may lead to all sorts of consequences for the people involved, despite the fact that they have broken no laws.

Politicians can be a far greater danger to society than a bunch of Islamic terrorists. Because unlike the terrorists, politicians have the power to enact and change legislation, both for better and for worse. When we are being governed by fear, the terrorists have already won.

The objective of terrorism is not the act itself. It is to try and change society by violent means. If we allow them to change it, by implementing ever more oppressive mass surveillance legislation (in violation of Article 8 of the European Convention on Human Rights (ECHR)), or legislation that restricts the principles of freedom of the press and freedom of speech, enshrined in Article 10 of the ECHR, freedom of assembly and association enshrined in Article 11, or of freedom of movement which is one of the basic tenets on which the European Union was founded, the terrorists have already won.

Let’s use our brains and think before we act.

Regin: The Trojan Horse From GCHQ

In 2010, Belgacom, the Belgian telecommunications company was hacked. This attack was discovered in September 2013, and has been going on for years. We know that this attack is the work of Western intelligence, more specifically, GCHQ, thanks to documents from Edward Snowden. This operation was called Operation Socialist. Now, however, we know a little bit more about how exactly this attack was done, and by what means. Internet connections from employees of Belgacom were sent to a fake LinkedIn page that was used to infect their computers with malware, called “implants” in GCHQ parlance. Now we know that Regin is the name given to the highly complex malware that seems to have been used during Operation Socialist.

Projekt 28Symantec recently reported on this malware (the full technical paper (PDF) can be found here), and it’s behaviour is highly complex. It is able to adapt to very specific missions and the authors have made tremendous effort to make it hard to detect. The malware is able to adapt and change, and since most of anti-virus detection relies on heuristics, or specific fingerprints of known malware, Regin was able to fool anti-virus software and stay undetected. However, Symantec put two and two together and has now revealed some of Regin’s inner workings.

fig3-countriesThe infections have ranged from telecoms and internet backbones (20% of infections), to hospitality (hotels, etc.), energy, the airlines, and research sectors but the vast majority of infections has been of private individuals or small businesses (48%). Also, the countries targeted are diverse, but the vast majority of attacks is directed against the Russian Federation (28%) and Saudi Arabia (24%).

The Regin malware works very much like a framework, which the attackers can use to inject various types of code, called “payloads” to do very specific things like capturing screen-shots, taking control of your mouse, stealing passwords, monitoring your network traffic and recovering files. Several Remote Access Trojans (also known as RATs) have been found, although even more complex payloads have also been found in the wild, like a Microsoft IIS web server traffic monitor (this makes it easy to spy on who visits a certain website etcetera). Another example of a highly complex payload that has been found is malware to sniff administration panels of mobile cellphone base station controllers.

How Regin Works

As mentioned above, Regin works as a modular framework, where the attackers can turn on/off certain elements and load specific code, called a “payload,” to create a Regin version that is specifically suited to a specific mission. Note that it is not certain whether all payloads have been discovered, and that there may be more than the ones specified in the report.

fig2-sectorsRegin does not appear to target any specific industrial sector, but infections have been found across the board, but mostly in telecom and private individuals and small businesses. Currently, it is not known what infection vectors can possibly be used to infect a specific target with the Regin malware, but one could for instance think of tricking the target into clicking on a certain link in an e-mail, visiting spoof websites, or maybe through a vulnerable application installed on the victim’s computer, which can be used to infect the target with Regin. In one instance, according to the Symantec report, a victim was infected through Yahoo! Instant Messenger. During Operation Socialist, GCHQ used a fake LinkedIn page to trick Belgacom engineers into installing the malware. So one can expect infection to take place along those lines, but other possibilities may of course exist.

regin_stages

The various stages of Regin.

Regin has six stages in its architecture, called Stage 0 to Stage 5 in the Symantec report. First, a dropper trojan horse will install the malware on the target’s computer (Stage 0), then it loads several drivers (Stage 1 and 2), loads compression, encryption, networking, and EVFS (encrypted file container) code (Stage 3), then it loads the encrypted file container and loads some additional kernel drivers, plus the payloads (Stage 4), and in the final stage (Stage 5) it loads the main payload and the necessary data files for it to operate.

The malware seems to be aimed primarily against computers running the Microsoft Windows operating system, as all of the files discussed in the Symantec report are highly Windows-specific. But there may be payloads out there which target GNU/Linux or OS X computers. The full extent of the malware has not been fully revealed, and it will be interesting to find out more about the exact capabilities of this malware. The capabilities mentioned in the report are already vast and can be used to spy on people’s computers for extended periods of time, but I’m sure that there must be more payloads out there, I’m certain that we’ve only scratched the surface of what is possible.

Regin is a highly-complex threat to computers around the world, and seems to be specifically suited towards large-scale data collection and intelligence gathering campaigns. The development would have required significant investments of time, money and resources, and might very well have taken a few years. Some components of Regin were traced back all the way to 2003.

Western Intelligence Origins?

In recent years, various governments, like the Chinese government, and the Russian government, have been implicated in various hacking attempts and attacks on Western infrastructure. In the article linked here, the FBI accuses the Russians of hacking for the purpose of economic espionage. However, Western governments also engage in digital warfare and espionage, not just for national security purposes (which is a term that has never been defined legally), but they also engage in economic espionage. In the early 1990s, as part of the ECHELON programme, the NSA intercepted communications between Airbus and the Saudi Arabian national airline. They were negotiating contracts with the Saudis, and the NSA passed information on to Boeing which was able to deliver a more competitive proposal, and due to this development, Airbus lost the $6 billion dollar contract to Boeing. This has been confirmed in the European Parliament Report on ECHELON from 2001. Regin also very clearly demonstrates that Western intelligence agencies are deeply involved in digital espionage and digital warfare.

Due to the highly-complex nature of the malware, and the significant amount of effort and time required to develop, test and deploy the Regin malware, together with the highly-specific nature of the various payloads and the modularity of the system, it is highly likely that a state actor was behind the Regin malware. Also, significant effort went into making the system very stealthy and hard for anti-virus software to detect. It was carefully engineered to circumvent anti-virus software’s heuristic detection algorithms and furthermore, some effort was put into making the Regin malware difficult to fingerprint (due to its modular nature)

Furthermore, when looking at the recently discovered attacks, and more especially where the victims are geographically located, it seems that the vast majority of attacks were aimed against the Russian Federation, and Saudi Arabia.

According to The Intercept and Ronald Prins from Dutch security company Fox-IT, there is no doubt that GCHQ and NSA are behind the Regin malware. Der Spiegel revealed that NSA malware had infected the computer networks of the European Union. That might very well been the same malware.

Stuxnet

symantic_virus_discovery.siA similar case of state-sponsored malware appeared in June 2010. In the case of Stuxnet, a disproportionate amount of Iranian industrial site were targeted. According to Symantec, which has published various reports on Stuxnet, Stuxnet was used in one instance to change the speed of about 1,000 gas-spinning centrifuges at the Iranian nuclear power plant at Natanz, thereby sabotaging the research done by Iranian scientists. This covert manipulation could have caused an explosion at this nuclear facility.

Given the fact that Israel and the United States are very much against Iran developing nuclear power for peaceful purposes, thinking Iran is developing nuclear weapons instead of power plants, together with Stuxnet’s purpose to attack industrial sites, amongst those, nuclear sites in Iran, strongly indicates that the US and/or Israeli governments are behind the Stuxnet malware. Both of these countries have the capabilities to develop it, and in fact, they started to think about this project way back in 2005, when the earliest variants of Stuxnet were created.

Dangers of State-Sponsored Malware

The dangers of this state-sponsored malware is of course that should it be discovered, it may very well prompt the companies, individuals or states that the surveillance is targeted against to take countermeasures, leading to a digital arms race. This may subsequently lead to war, especially when a nation’s critical infrastructure is targeted.

The dangers of states creating malware like this and letting it out in the wild is that it compromises not only security, but also our very safety. Security gets compromised when bugs are left unsolved and back doors built in to let the spies in, and let malware do its work. This affects the safety of all of us. Government back doors and malware is not guaranteed to be used only by governments. Others can get a hold of the malware as well, and security vulnerabilities can be used by others than just spies. Think criminals who are after credit card details, or steal identities which are subsequently used for nefarious purposes.

Governments hacking other nations’ critical infrastructure would constitute an act of war I think. Nowadays every nation worth its salt has set up a digital warfare branch, where exploits are bought, malware developed and deployed. Once you start causing millions of Euros worth of damage to other nations’ infrastructure, you are on a slippery slope. Other countries may “hack back” and this will inevitably lead to a digital arms race, the damage of which does not only affect government computers and infrastructure, but also citizens’ computers and systems, corporations, and in some cases, even our lives. The US attack on Iran’s nuclear installations with the Stuxnet malware was incredibly dangerous and could have caused severe accidents to happen. Think of what would happen had a nuclear meltdown occurred. But nuclear installations are not the only ones, there’s other facilities as well which may come under attacks, hospitals for instance.

Using malware to attack and hack other countries’ infrastructure is incredibly dangerous and can only lead to more problems. Nothing has ever been solved by it. It will cause a shady exploits market to flourish which will mean that less and less critical exploits get fixed. Clearly, these are worth a lot of money, and many people that were previously pointing out vulnerabilities and supplying patches to software vendors are now selling these security vulnerabilities off on the black market.

Security vulnerabilities need to be addressed across the board, so that all of us can be safer, instead of the spooks using software bugs, vulnerabilities and back doors against us, and deliberately leaving open gaping holes for criminals to use as well.

The Ukrainian Putsch: NATO’s Imperialistic Expansion and the Role of the Mainstream Media

As I’ve written earlier, the position the main stream media is taking seems to be one of being an extension of the powers that be. Rarely are the critical questions asked, and for the most part, with rare exceptions here and there, there is a significant bias to the reporting done.

An excellent example of this bias is when you look at the reporting done on the current crisis in Ukraine. This is a case that I want to look into in a bit more detail, now that several more things have become clear. In the Western media, the opinion seems to be that Vladimir Putin is bad, and NATO is good. They call the Russian position in this case imperialism, but forget their own role in creating and supporting this crisis in the first place.

In this article, I’ll explain some history about NATO expansion, and then go on trying to place the Ukrainian crisis into that historical framework, and subsequently I’ll take a look at the role the (Western) media have been playing so far, and what improvements can be made, to both our own governments’ positions relating to the U.S., and to media reporting.

Regime change and broken promises

As the phone call between Victoria Nuland (U.S. Assistant Secretary of State) and Geoffrey Pyatt (U.S. ambassador to Ukraine) reveals, the U.S. had made a plan of regime change for Ukraine. Nuland specifically mentioned Arseniy Yatsenyuk as Yanukovich’s successor and talk it through (“Yats is our man!”, “Have the UN help glue this thing”, “If it does gain altitude the Russians will be working behind the scenes to try to torpedo it.”, “Fuck the EU”). How convenient then, that when  Viktor Yanukovich is ousted, and the dust settles in Kiev, Yatsenyuk is suddenly prime minister? And what is the first thing he does? Instead of attending to the problems in Ukraine and finding a peaceful resolution to the crisis, he flies off to the very people who put him in power, and visits the United States. No doubt to thank them, I would presume.

Meanwhile, Western nations have been trying to punish Russia for annexing the Crimea (which, by the way, was originally part of the Russian SFSR, before it was transferred to the Ukrainian SSR by Nikita Khruchev in 1954). The sanctions don’t seem to have a big effect on Russia, and Russia has signed a new $400 billion 30-year gas deal with China on 21 May to try and make itself less dependent on Western gas customers. Russia is currently the biggest supplier of natural gas to Europe, and without the Russian gas, nations like Germany and Italy, as well as the Baltic states will get into trouble. There has been movement from these nations to try and become less dependent on Russia, and similarly, Russia has now signed a deal with China to become less dependent on the Western market, thereby significantly weakening any effect the sanctions were aimed at having.

NATO’s broken promiseNATO Expansion

NATO has been steadily expanding, despite the promise made in 1990 to the last Soviet president, Mikhail Gorbachev, who agreed that East- and West-Germany could be united and become a member of NATO, on the condition that NATO would not move one inch further east. Since then, NATO, mistakenly assuming that they had somehow “won” the Cold War, went on and happily incorporated 12  Eastern European nations into their fold, within Moscow’s sphere of influence, with the largest expansion eastwards taking place in 2004. Here’s an overview:

  • In 1999: Poland, the Czech Republic and Hungary were added to NATO,
  • In 2004: Bulgaria, Estonia, Latvia, Lithuania, Romania, Slovakia and Slovenia,
  • In 2009: Albania and Croatia.

Just imagine what would have happened had 12 South American nations joined the former Warsaw Pact? Now that would be something the U.S. would not accept. Similarly, Russia does not accept the continued expansion of NATO into their sphere of influence.

It looked like Ukraine was all set on becoming a future member of NATO. The prospect of Ukraine becoming a member state of the U.S.-led NATO is understandably a threat to Russian national security. They operate a major naval base in the Crimean city of Sevastopol, which is the main base of the Russian Black Sea Fleet, and from Sevastopol, the Russian fleet has quick access to the Mediterranean Sea. The Russians used to lease the base from the Ukrainians. However, the future of the lease might have been severely compromised if Ukraine would become part of NATO.

That the Russians feel threatened by the continued expansion of NATO is understandable given the fact that the U.S. military-industrial complex and their partners in Europe have been busy for many years expanding the “Star Wars” missile defense system in Eastern Europe, ostensibly to protect against a missile launch from Iran. The “Star Wars” program was established by President Reagan on 23 March 1983 as Strategic Defense Initiative (SDI), and renamed to Ballistic Missile Defense Organisation (BMDO) by the Clinton administration on 13 May 1993, then later renamed to Missile Defense Agency (MDA) in 2002 by the George W. Bush administration. I wonder why all the name changes were deemed necessary? To obfuscate and redirect unwanted media attention maybe? But I digress.antimissile

The hypocrisy of U.S. policy amazes me, because as some people still remember, when the Soviet Union did a similar thing in Cuba in 1962 (hint: supplying weapons to the Cubans to counter a possible future U.S. invasion attempt in Cuba after the failed CIA-sponsored Bay of Pigs invasion, and also sparked because the U.S. stationed nuclear weapons in Turkey), this in turn sparked anger from the United States and led to the Cuban Missile Crisis and subsequently, the Cuban Blockade.

A relic from the Cold War

In my opinion, NATO is a relic from the Cold War, which serves no purpose any longer and is now used as a way of furthering U.S. military hegemony in the world. With the revelations of Edward Snowden this last year, and hopefully with many more revelations to come, we should, as Europeans, ask whether we are still willing to continue to play the role of subservient lap dog of the U.S.. A role we’ve been playing since the end of the Second World War. We should start thinking about how we can safeguard the safety and security of European citizens, which by the way, is exactly what our governments, by definition, should worry about. Do we want to keep our own sovereignty? Because if we don’t, the game is up.

Instead, our governments seem more interested in giving our private data to U.S. corporations, and (by extension) their intelligence agencies. This in many cases significantly hurts European companies, for the powers of intelligence agencies are mostly used for industrial espionage purposes, not to combat terrorism. In fact, there has not been a single documented case of the NSA’s spying programs actually stopping any terrorists. President Obama claimed that 54 terrorist plots had been prevented (PDF, first page, 4th paragraph, published on 1 August 2013) thanks to the intel gathered by the NSAs metadata program, but this number is most likely pulled out of thin air, because there is no justification for this number, nor a way of checking that number independently.

The funny thing is, that the behaviour of the NSA is also significantly hurting U.S. companies, who see their European customers flee in droves for better alternatives that protect their privacy more. This is a negative economic effect the spying is having on the U.S. economy, as I’ve written about before, in November.

Our governments’ subservient attitude towards the U.S. is completely unjustified. For the people who claim that we would all be speaking German today had it not been for the Americans, they should retroactively get an F for history and re-take their history classes. For had it not been for the Soviets who suffered tremendous sacrifices combating Hitler (20 million Soviet civilians were killed during the war, not counting military personnel, more than 3 times the estimated 6 million Jews who died during the Holocaust), the Western allies would probably not have been able to land on the beaches of Normandy, as Hitler would not have to split his forces, and could then focus solely on the Western front.

America only got involved in the Second World War in 1941, after the Japanese attacked Pearl Harbour. Britain was left for years to fend for themselves, being bombed heavily by the German Luftwaffe. Massive kudos should be given to the Royal Air Force for keeping the British isles free of German occupation (with the notable exception of the Channel Islands just off the coast of France, as that was the only part of British soil occupied by the Germans during the war). To be clear, I don’t want to deny the American war effort, and I surely want to give credit where credit is due, but on the other hand, it wasn’t the “America saved the world” that many people think it is.

There simply is no further need for NATO to exist. The North-Atlantic Treaty Organisation was created on 4 April 1949 as a defensive alliance of Western countries to protect Western Europe from encroachment by the Soviet Union. However, the Soviet Union no longer exists, and modern-day Russia closely cooperates with Europe, despite the current diplomatic difficulties. With the increasing interdependence between Russia and Europe there’s less and less need for an organisation like NATO to continue to exist.

Nowadays, NATO’s only reason for existence seems to be to contain Russia, and further the U.S. military/industrial complex and the militarist hawks are trying to prove the necessity of NATO by means of the Ukrainian crisis. The United States sees the future of NATO increasingly as an offensive organisation that is meant to further U.S. interests, and will not only include former Soviet republics into their fold, but plans are already under way to expand NATO’s influence even further, and cooperate even more closely with the current “Partners across the globe,” namely Afghanistan, Australia, Iraq, Japan, South Korea, Mongolia, New Zealand and Pakistan. Why are we such willing accomplices in that scheme?

The Role of the Mainstream Media

What struck me when watching the Ukrainian crisis unfold was the total and utter complacency and subservient attitude towards the official Western “party line” when the mainstream media reported on the crisis. There were hardly any critical questions asked when the telephone conversation between Nuland and Pyatt become publicly available, and no questions were asked as to the legitimacy of the current Ukrainian coup-imposed government.

Dare to ask the critical questions!

I would gladly watch the mainstream media more if they start being a bit more critical to the establishment, and not always simply copy/paste press releases, and actually try to analyse the matter for themselves and dare to ask the tough questions to the people in power.

This is again so lacking when it comes to coverage of the Ukrainian crisis, where there seems to be a unanimous consensus in the West that Putin is an evil imperialist, and NATO/EU/US is good, without even considering what really happens in Ukraine and the strategic and national interests involved, let alone the role the U.S. played in organising the coup d’état.

Of course the media can be critical towards Russia as well, and in fact they should. Truth be told, Russia still has a lot of problems to deal with, as do Western countries. And the media’s job should be to keep people informed so that they can freely form their opinions about the world around them, not just blindly copy the official party line. As then I might start watching again, and the employees of these media organisations might one day earn the title of “journalist.”

Country X: The Country That Shall Not Be Named

On Monday, 19 May 2014, Glenn Greenwald published his report entitled Data Pirates of the Caribbean: The NSA is recording every cell call in the Bahamas, in which he reported about the NSA SOMALGET program, which is part of the larger MYSTIC program. MYSTIC has been used to intercept the communications of several countries, namely the Bahamas, Mexico, Kenya, the Phillipines, and thanks to Wikileaks we now know that the final country, redacted in Glenn Greenwalds original report on these programs, was Afghanistan.

MYSTICSOMALGET can be used to take in the entire audio stream (not just metadata) of all the calls in an entire country, and store this information for (at least) 30 days. This is capability the NSA developed, and was published by The Washington Post in March this year.

Why the Censorship?

The question however, is why Glenn Greenwald chose to censor the name of Afghanistan out of his report. He claims it has been done to protect lives, but I honestly can’t for the life of me figure out why lives would be at risk when it is revealed to the Afghani’s that their country is one of the most heavily surveilled on the planet? This information is not exactly a secret. Why is this knowledge that’s OK for the Bahamians to possess, but not the Afghani’s? The US effectively colonized Afghanistan and it seems that everyone with at least half a brain can figure out that calling someone in Afghanistan might have a very high risk of being recorded and analysed by NSA. Now we know for certain that the probability of this happening is 1.

Whistleblowers risk their lives and livelihoods to bring to the public’s attention, information that they deem to be in the gravest public interest. Now, whistleblowers carefully consider which information to publish and/or hand out to journalists, and in the case of intelligence whistleblowers, they are clearly more expert than most journalists when it comes to security and sensing which information has to be kept from the public in the interest of safety of lives and which information can be published in the public interest. After all, they have been doing exactly that for most of their professional lives, in a security-related context.

Now, it seems that Greenwald acts as a sort of filter between the information Edward Snowden gave him for publication, and the actual information the public is getting. Greenwald is sitting on an absolute treasure-trove of information and is clearly cherry picking which information to publish and which information to withhold. By what criteria I wonder? Spreading out the publication of data however, is a good strategy, given that about a year has passed since the first disclosures, and it’s still very much in the media, which is clearly a very good thing. I don’t think that would have happened if all the information was dumped at once.

But on the other hand: Snowden has risked his life and left his comfortable life on Hawaii behind him to make this information public, a very brave thing to do, and certainly not a decision to take lightly, and has personally selected Greenwald to receive this information. And here is a journalist who is openly cherry-picking and censoring the information given to him, already preselected by Snowden, and thereby withholding potentially critical information from the public?

So I would hereby like to ask: By what criteria is Greenwald selecting information for publication? Why the need to interfere with the whistleblower’s judgement regarding the information, who is clearly more expert at assessing the security-related issues surrounding publication?

Annie Machon, whistleblower and former MI5, has also done an interview on RT about this Afghanistan-censoring business of Greenwald, whistleblowers deserve full coverage. Do watch. Whistleblowers risk their lives to keep the public informed of government and corporate wrongdoing. They need our support.

Update: Mensoh has also written a good article (titled: The Deception) about Greenwald’s actions, also in relation to SOMALGET and other releases. A highly recommended read.

Gave Privacy By Design Talk At eth0

eth0I gave my talk about privacy by design last Saturday at eth0 2014 winter edition, a small hacker get-together which was organised in Lievelde, The Netherlands this year. eth0 organizes conferences that aim at bringing people with different computer-related interests together. They organise two events per year, one during winter. I’ve previously given a very similar talk at the OHM2013 hacker conference which was held in August 2013.

Video

Here’s the footage of my talk:

Quick Synopsis

I talked about privacy by design, and what I did with relation to Annie Machon‘s site and recently, the Sam Adams Associates for Integrity in Intelligence site. The talk consists of 2 parts, in the first part I explained what we’re up against, and in the second part I explained the 2 sites in a more specific case study.

I talked about the revelations about the NSA, GCHQ and other intelligence agencies, about the revelations in December, which were explained eloquently by Jacob Applebaum at 30C3 in Hamburg in December. Then I moved on to the threats to website visitors, how profiles are being built up and sold, browser fingerprinting. The second part consists of the case studies of both Annie Machon’s website, and the Sam Adams Associates’ website.

I’ve mentioned the Sam Adams Associates for Integrity in Intelligence, for whom I had the honour to make their website so they could have a more public space where they could share things relating to the Sam Adams Award with the world, and also to provide a nice overview of previous laureates and what their stories are.

Swiss FlagOne of the things both sites have in common is the hosting on a Swiss domain, which provides for a safer haven where content may be hosted safely without fear of being taken down by the U.S. authorities. The U.S. claims jurisdiction on the average .com, .net, .org domains etc. and there have been cases where these have been brought down because it hosted content the U.S. government did not agree with. Case in point: Richard O’Dwyer, a U.K. citizen, was threatened with extradition to the United States for being the man behind TVShacks, which was a website that provided links to copyrighted content. MegaUpload, the file locker company started by Kim Dotcom, was given the same treatment, where if you would visit their domain, you were served an image from the FBI telling you the domain had been seized.

Privacy in danger, but there’s light at end of the tunnel

Note: This article is also available in Portuguese, translated by Anders Bateva.

Last week I read an article about the plan by the National Police of the Netherlands to connect all CCTV cameras to the national camera network which is operated by the police. SurveillanceThe upper echelon of the Dutch police is currently secretly writing their policy document entitled Sensing, in which the definite plans will be written out in further detail. It would be interesting to know the contents of this secret report, since I’m pretty sure all the standard, same old arguments about why this should be implemented will be brought to the table again. They will probably say that it’ll prevent crime and deter hoodlums, etcetera. We’ve read the arguments for it again and again, but fact of the matter is that more cameras doesn’t mean less crime, CCTV cameras have never stopped criminals from committing a crime, they are ineffective, and it’s an invasion to our privacy, especially when it’s all connected into a single, nation-wide network, recording all our movements. It’s the Panopticon! This then gets stored indefinitely, because governments the world over only remember the ‘delete’ command (‘rm -rf’ if you will) when it’s in their interest to delete stuff. All other stuff (like these camera images, but also information stored by our various intelligence agencies, financial information, the sites you visit, your e-mail, call records, medical records, etcetera) never gets deleted. That’s why the NSA is building their new data-bunker in Bluffdale, Utah, to create more storage space so they get to keep storing all kinds of data about our lives that goes over a wire. And our intelligence agencies are all in on it. Dutch Home Office Minister Ronald Plasterk had a bit of a row with parliament, with MPs being angry about a tiny parliamentary technicality, namely that Plasterk lied to them, claiming the NSA collected metadata on 1.8 million phone calls in the Netherlands, while it was in fact our own intelligence service, the AIVD, doing it. The sad thing of our political system is that they put all the focus on this tiny parliamentary technicality, when they totally forget about the big picture, namely that 1.8 million phone calls were being tapped, and that we should do something about this. 1.8 million is an enormous number for a country of 17 million people. Even more scary is that the parliamentary commission which is supposed to provide oversight over the intelligence community, the Commisie van Toezicht op de Inlichtingen- en Veiligheidsdiensten (CTIVD), also known as Commissie Stiekem, had no knowledge about this, and didn’t know that this was even happening. So much for oversight. The problem with oversight over intelligence agencies is that because of the very nature of these agencies they keep their information a secret, and they can lie to our elected representatives with impunity, and there’s no way to check until someone brave enough to blow the whistle steps forward.

This House Would Call Edward Snowden A Hero: 212 yay, 171 nay

Edward SnowdenMeanwhile, at an Oxford Union debate last week in Oxford, United Kingdom, the Union passed a motion to call Edward Snowden a hero by 212 votes against 171. It was a lively debate, both from the members of the proposition and the members of the opposition, and I have to side with the proposition, because without people like Snowden, who has given up his previous comfortable life on Hawaii to blow the whistle, the world would have never known about the crimes of the spies. Eventually there comes a point where you’re asked to forget about it! so many times and about such egregious crimes that you can no longer look at yourself in the mirror any more, and something has to be done, the people need to be informed. During the debate I heard the opposition say that Snowden “violated his oath”. This is an argument that popped up again and again in various articles I’ve read in which people vilified Snowden. In fact, he didn’t swear an oath to secrecy, no-one does. He swore an oath to the Constitution of the United States; to uphold the Constitution. He hasn’t violated the Constitution; the U.S. government and the NSA in particular violated it. Yes spies spy, that’s not surprising, but they claim all is done in the name of national security, when it is in fact often corporate espionage that these intelligence agencies engage in. It’s about making sure the lucrative contract goes to Boeing instead of to Airbus; it has nothing to do with national security, but more with corporate profits. And there’s no meaningful oversight whatsoever: these people lie with impunity. That alone is already endangering our very democracies, having people with absolute power without any form of effective oversight is very detrimental and damaging to our very democracies and free societies. Snowden mentioned that whilst working at Booz Allen Hamilton, he had the power to tap everyone, including the President of the United States. And he wasn’t the only one with that kind of security clearance either. In the United States, almost 5 million people have a security clearance, with more than 1.4 million people having access to TOP SECRET documents. Imagine what kind of information the intelligence community has about the private life of the President and his family, and how a less honest person might use that. It would be easy to blackmail the President into doing the spooks’ bidding! And in the United States, more and more tasks that used to be done by government exclusively (like intelligence), is now being done by companies like Booz Allen Hamilton, or Academi (which I like to call: the company previously known as Blackwater USA). This is a very scary development because these companies have profit as their basic motivation. They do not have our best interests at heart. Lord Acton wrote in 1887:

“Power tends to corrupt, and absolute power corrupts absolutely. Great men are almost always bad men, even when they exercise influence and not authority, still more when you super-add the tendency or the certainty of corruption by authority. There is no worse heresy than that the office sanctifies the holder of it.”

Chelsea Manning Receives Sam Adams Award 2014

Also at the Oxford Union last week, the Sam Adams Associates for Integrity in Intelligence awarded Chelsea Manning their award for the year 2014, meant for people who display extraordinary integrity in intelligence. The group and award was named after Sam Adams, a CIA intelligence analyst, who in 1967 discovered that there were far more Communist forces under arms in Vietnam, roughly twice the number U.S. command in Saigon would admit to. This intelligence revealed that the Pentagon was vastly under-reporting the number of enemy forces. But I digress.. Collateral MurderChelsea Manning revealed, by releasing the Collateral Murder video to WikiLeaks, that U.S. forces were committing war crimes. This showed the crew of a U.S. Apache attack helicopter firing away at unarmed civilians, Reuters journalists, and a father who was bringing his children to school and stopped his van to help one of the Reuters journalists who tried to drag himself onto the curb, heavily wounded. The U.S. forces were yelling like it was some sort of snuff video game, it’s absolutely horrific, and these people should be brought to trial and charged with war crimes and crimes against humanity. Because that’s what it is. Chelsea Manning displayed extraordinary courage in releasing these documents, and rightly deserves this award. Meanwhile, I’m looking forward to the day the U.S. government and the crew of the Apache helicopter in question, are indicted for multiple counts of war crimes and crimes against humanity. At which point the United States will invoke the American Service-Members’ Protection Act (also known as the The Hague Invasion Act). But that’s another story.

NSA is coming to town!

I just stumbled upon this funny video made by the ACLU (American Civil Liberties Union). It fits perfectly, and it’s funny to see that when invasions of privacy gets really personal (Santa photographing your face, recording your conversations and rifling through your smartphone), people really don’t like this and some respond strongly, but when the exact same thing is done by some big, anonymous government agency it doesn’t get such a strong response, which in unfortunate. Anyway, without further ado:

Facebook records self-censorship

Recently I came across an article about Facebook, more specifically, that Facebook wants to know why you self-censor, in other words, why you didn’t click Publish on that status update you just wrote, but decided not to publish instead. It turns out Facebook is sending everything you type in the Post textarea box (the one with the “What’s on your mind?” placeholder), to Facebook servers. According to two Facebook scientists quoted in the article: Sauvik Das, PhD student at Carnegie Mellon and summer software engineer intern, and Adam Kramer, a data scientist, they only send back information to Facebook’s servers that indicate whether you self-censored, not the actual text you typed. They wrote an article entitled Self-Censorship on Facebook (PDF, copy here) in which they explain the technicalities.

It turns out this claim that they only send metadata back, not the actual text you type is not entirely true. I wanted to confirm whether they really don’t send what you type to Facebook before you hit Publish, so I fired up Facebook and logged in. I opened up my web inspector and started monitoring requests to/from my browser. When I typed a few letters I noticed that the site makes a GET request to the URL /ajax/typeahead/search.php with parameters value=[your search string]&__user=[your Facebook user id] (there are more parameters, but these are the most important for the purposes of this article). The search.php script probably parses what you typed in order to find contacts that it can then show to you as autocomplete options (for tagging purposes).Facebook sends data

Now, the authors of the article actually gathered their data in a slightly different way. They monitored the Post textarea box, and the comment box, and if more than 5 characters were typed in, it would say you self-censored if you didn’t publish that post or comment in the next 10 minutes. So in their methodology, no actual textual content was needed. But it turns out, as my quick research shows above, that your comments and posts actually do get send to Facebook before you click Publish, and even before 5 characters are typed. This is done with a different purpose (searching matches in your contacts for tagging etc.), but clearly this data is received by Facebook. What they subsequently do with it besides providing autocomplete functionality is anyone’s guess. Given that the user ID is actually sent together with the typed in text to the search.php script may suggest that they associate your profile with the typed in text, but there’s no way to definitively prove that.

When I read through the article, one particular sentence in the introduction stood out to me as bone-chilling:

“(…) Last-minute self-censorship is of particular interest to SNSs [social networking sites] as this filtering can be both helpful and hurtful. Users and their audience could fail to achieve potential social value from not sharing certain content, and the SNS [social networking site] loses value from the lack of content generation. (…)”

“loses value from the lack of content generation.” Let that sink in. When you stop from posting something on Facebook, or re-write it, Facebook considers that a bad thing, as something that removes value from Facebook. The goal of Facebook is to sell detailed profiling information on all of us, even those of us wise enough not to have a Facebook account (through tagging and e-mail friend-finder functionality).

Big Data and Big Brother

And it isn’t just Facebook, it’s basically every social network and ad provider. There’s an entire industry of big data brokers, with companies most of us have never heard of, like Axciom for instance, but there are many others like it, who thrive on selling profiles and associated services. Advertising works best if it is specific, and plays into users’ desires and interests. This is also the reason why, for this to be successful, companies like Facebook need as much information on people as possible, to better target their clients’ ads. And the best way is to provide a free service, like a social network, enticing people to share their lives through this service, and then you can provide really specific targeting to your clients. This is what these companies thrive on.

The bigger problem is that we have no influence on how our data gets used. People claiming they have nothing to hide, and do nothing wrong, forget that they don’t decide on what constitutes criminal behavior, it’s the state making that decision for them. And what will happen when you are suddenly faced with a brutal regime that abuses all the information and data they got on you? Surely we want to prevent this.

This isn’t just a problem in the technology industry, and business, but a problem with governments as well. The NSA and GCHQ, in cooperation with other intelligence agencies around the world are collecting data on all of us, but without providing us, the people, the possibility of appeal, and correction of erroneous data. We have no influence on how this data gets used, who will be seeing it, how it might get interpreted by others, et cetera. The NSA is currently experiencing the same uneasiness as the rest of us, as they have no clue how much or what information Edward Snowden might have taken with him, and how it might be interpreted by others. It’s curious that they now complain about this same problem that the rest of us have been experiencing for years; a problem that NSA partly created by overclassifying information that didn’t need to be kept secret. Of course there is information that needs to be kept secret, but the vast majority of information that now gets rubber stamped with the TOP SECRET marking, is information that is of no threat to national security if it were known to the public, but more likely information that might embarrass top officials.

We need to start implementing proper oversight to the secret surveillance states we are currently subjected to in a myriad of countries around the world, and take back powers that were granted to them, and subsequently abused by them, if we want to continue to live in a free world. For I don’t want to live in a Big Brother state, do you?