Harvard's Berkman Center recently published a study entitled Don’t Panic: Making Progress on the ‘Going Dark’ Debate. The study group was convened by Matt Olsen, Bruce Schneier, and Jonathan Zittrain, and the New York Times reports:
Among the chief authors of the report is Matthew G. Olsen, who was a director of the National Counterterrorism Center under Mr. Obama and a general counsel of the National Security Agency.Two of the report's conclusions are:
Two current senior officials of the N.S.A. — John DeLong, the head of the agency’s Commercial Solutions Center, and Anne Neuberger, the agency’s chief risk officer — are described in the report as “core members” of the group, but did not sign the report because they could not act on behalf of the agency or the United States government in endorsing its conclusions, government officials said.
The intelligence community agrees:
- Networked sensors and the Internet of Things are projected to grow substantially, and this has the potential to drastically change surveillance. The still images, video, and audio captured by these devices may enable real-time intercept and recording with after-the fact access. Thus an inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel.
- Metadata is not encrypted, and the vast majority is likely to remain so. This is data that needs to stay unencrypted in order for the systems to operate: location data from cell phones and other devices, telephone calling records, header information in e-mail, and so on. This information provides an enormous amount of surveillance data that was unavailable before these systems became widespread.
James Clapper, the US director of national intelligence, was more direct in testimony submitted to the Senate on Tuesday as part of an assessment of threats facing the United States.Xeni Jardin at BoingBoing points out that:
“In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials,” Clapper said.
The war on encryption waged by the F.B.I. and other intelligence agencies is unnecessary, because the data trails we voluntarily leak allow “Internet of Things” devices and social media networks to track us in ways the government can access.Not to mention that yesterday's revelation of a buffer overflow in glibc means that much of the IoT is vulnerable and is unlikely to be patched. This bug won't be the last of its kind, so the agencies are likely to retain their ability to spy even if IoT vendors clean up their act.
The intelligence agencies aren't the only ones enjoying their new-found surveillance capabilities. J.M. Porup at Ars Technica reports:
Shodan, a search engine for the Internet of Things (IoT), recently launched a new section that lets users easily browse vulnerable webcams.And sleeping babies.
The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores, according to Dan Tentler, a security researcher who has spent several years investigating webcam security.
Cory Doctorow at BoingBoing starts a recent book review:
Nitesh Dhanjani's 2015 O'Reilly book Abusing the Internet of Things: Blackouts, Freakouts, and Stakeouts is a very practical existence-proof of the inadequacy and urgency of Internet of Things security.Of course, companies can avoid any liability for harm caused by their shoddy security practices by copying VTech and disclaiming responsibility in their terms and conditions. Commisioner Julie Brill of the FTC addressed these problems in her closing plenary of the Fall 2016 CNI meeting. But Cory Doctorow points out the pressure on the FTC not to do anything:
Abusing the Internet of Things is structured just like one of those cookbooks, only the recipes explain the (relatively simple) steps you need take to compromise everything from a smart lightbulb -- one recipe explains how to plunge a smart lighting system into permanent, irrevocable darkness -- to a smart baby-monitor (this was published months before a family in San Francisco woke to discover a griefer terrorizing their toddler through his bedside monitor) to a smart TV to -- what else? -- a smart car.
Companies that use and trade in personal information rely on the people involved not discovering what's going on. For example, one data-broker sells its services to retailers as a means of getting the home addresses and other information of their customers in secret, avoiding "losing customers who feel that you’re invading their privacy."Of course, many of these information leaks are accidental, but the sad truth is that the pervasive surveillance enabled by the Internet, and especially by the Things in it, is not just the favored business model of government agencies but also of pretty much any company that can figure out how to collect and sell information. Conor Friedersdorf at The Atlantic has the example of a company that has, Vigilant Solutions:
Throughout the United States—outside private houses, apartment complexes, shopping centers, and businesses with large employee parking lots—a private corporation, Vigilant Solutions, is taking photos of cars and trucks with its vast network of unobtrusive cameras. It retains location data on each of those pictures, and sells it.You are paying for this technology through your taxes:
The company has taken roughly 2.2 billion license-plate photos to date. Each month, it captures and permanently stores about 80 million additional geotagged images. They may well have photographed your license plate. As a result, your whereabouts at given moments in the past are permanently stored. Vigilant Solutions profits by selling access to this data (and tries to safeguard it against hackers). Your diminished privacy is their product.
Supreme Court jurisprudence on GPS tracking suggests that repeatedly collecting data “at a moment in time” until you’ve built a police database of 2.2 billion such moments is akin to building a mosaic of information so complete and intrusive that it may violate the Constitutional rights of those subject to it.
Many powerful interests are aligned in wanting to know where the cars of individuals are parked. Unable to legally install tracking devices themselves, they pay for the next best alternative—and it’s gradually becoming a functional equivalent. More laws might be passed to stymie this trend if more Americans knew that private corporations and police agencies conspire to keep records of their whereabouts.
During the past five years, the U.S. Department of Homeland Security has distributed more than $50 million in federal grants to law-enforcement agencies—ranging from sprawling Los Angeles to little Crisp County, Georgia, population 23,000—for automated license-plate recognition systems,And also because police forces are either paying Vigilant for access to its data or giving them a piece of the action:
Vigilant Solutions, one of the country’s largest brokers of vehicle surveillance technology, is offering a hell of a deal to law enforcement agencies in Texas: a whole suite of automated license plate reader (ALPR) equipment and access to the company’s massive databases and analytical tools—and it won’t cost the agency a dime.Alex Campbell and Kendall Taggart's The Ticket Machine is a must-read, in-depth look at how this works. Yves Smith at naked capitalism points out how the private equity (PE) and security worlds have become intertwined:
Vigilant is leveraging H.B. 121, a new Texas law passed in 2015 that allows officers to install credit and debit card readers in their patrol vehicles to take payment on the spot for unpaid court fines, also known as capias warrants. When the law passed, Texas legislators argued that not only would it help local government with their budgets, it would also benefit the public and police.
The “warrant redemption” program works like this. The agency is given no-cost license plate readers as well as free access to LEARN-NVLS, the ALPR data system Vigilant says contains more than 2.8-billion plate scans and is growing by more than 70-million scans a month. This also includes a wide variety of analytical and predictive software tools. Also, the agency is merely licensing the technology; Vigilant can take it back at any time.
The government agency in turn gives Vigilant access to information about all its outstanding court fees, which the company then turns into a hot list to feed into the free ALPR systems. As police cars patrol the city, they ping on license plates associated with the fees. The officer then pulls the driver over and offers them a devil’s bargain: get arrested, or pay the original fine with an extra 25% processing fee tacked on, all of which goes to Vigilant.
And a contact who knows the private equity world pointed out (emphasis mine):No-one is in a position to make educated trade-offs between the societal and personal costs and benefits of the Things they connect to their own Internet. How much worse is it when they had no say in what the Things were and where they were deployed?
Morgan Stanley’s PE arm lists [Vigilant Solutions parent, Digital Recognition Network] as an investment, which is a good example of how enmeshed PE has become in the security/intelligence state. The spooks, I am sure, love the secrecy of PE compared to public markets. And the love goes both ways, as it is my experience that PE people love the spooks because returns are able to be generated by influence peddling behind closed doors, and also because they just find them intellectually interesting.In other words, proprietary opposition research, which is often hard to distinguish from blackmail.
Notice the similarities between this rush to exploit technical capabilities without regard for the possible downsides and the escalation of cyberwar. James Ball at Buzzfeed reports that Alex Gibney's new documentary Zero Days reveals that:
The United States hacked into critical civilian and military infrastructure in Iran to allow its operatives to disable the country with a devastating series of cyberattacks at a moment’s notice,The cyberwarriors don't seem to have paid much attention to the possible downsides:
The targets of the U.S. hacking operations, covered by the code name “NITRO ZEUS,” include power plants, transport infrastructure, and air defenses, the film will state, with agents entering these protected systems nightly to make sure the attacks were still deployable.
the U.S.-Israel “Stuxnet” worm — which destroyed around 1 in 5 of the centrifuges used in Iran’s nuclear program — was just a small part of a much larger set of offensive capabilities developed against the nation.
The State Department was seen by those in other agencies as a “wet blanket” when it came to operations for expressing concerns about violating the sovereignty of third-party nations’ cyberspace, or about operations that could have significant impact on civilians.At least Michael Hayden seems to have a "f**king clue":
one confidential source expressed concerns to Gibney about the extent of NITRO ZEUS, saying some planners had “no fucking clue” as to the consequences of some of the proposed attacks.
“You take down part of a grid,” they told him, “you can accidentally take down electricity in the entire country.”
Michael Hayden, a former director of both the CIA and the NSA, told Gibney the U.S. action risks creating new international norms of cyber warfare.Exactly. And why would anyone think that the US was less vulnerable than Iran to these kind of attacks? But USA Inc's terms and conditions mean that the cyberwarriors bear no liability for the foreseeable consequences of their actions.
“I know no operational details and don’t know what anyone did or didn’t do before someone decided to use the weapon, all right,” he said. “I do know this: If we go out and do something, most of the rest of the world now thinks that’s a new standard, and it’s something they now feel legitimated to do as well.
David Sanger and Mark Mazzetti at the New York Times have other details of the NITRO ZEUS program.
Similarly, the NSA has a program called SKYNET that uses machine learning techniques on data collected from Pakistan's phone network to target for assassination by drone or death squad people whose behavior is deemed characteristic of terrorists. Machine learning experts estimate that it may have killed thousands of innocent people. Cory Doctorow's response on Dave Farber's IP list is a must-read analysis of the problem:
At root, this is a story about the problems that occur in the absence [of] adversarial peer review. NSA and GCHQ cut corners in their machine-learning approach, and no one called them on it, and they deployed it, and it kills people.We all remember how that turned out, right?
But is also a microcosm of the spy services' culture of secrecy and the way that the lack of peer review turns into missteps.
You could ask for no better proof that the NSA believed its actions would never be subjected to public scrutiny than the fact that they called the program SKYNET.
Skynet launched nuclear missiles under its command at Russia, which responded with a nuclear counter-attack against the U.S. and its allies. Consequent to the nuclear exchange, over three billion people were killed in an event that came to be known as Judgment Day.