Here we have an anatomy of a surveillance world that grows more, not
less, powerful and full of itself with every passing moment and
technological advance, a national security world whose global
ambitions know no bounds.
The question Senator Ron Wyden asked on March 12 of last year was
straightforward enough and no surprise for Director of National Intelligence
James Clapper. He had been given it a day in advance of his testimony before
the Senate Intelligence Committee and after he was done, Senator Wyden and
his staff offered him a chance to “amend” his answer if he wished. Did the
National Security Agency, Wyden wanted to know, gather “any type of data at
all on millions or hundreds of millions of Americans”? Being on that committee
and privy to a certain amount of secret intelligence information, Wyden already
knew the correct answer to the question. Clapper, with a day to prepare,
nonetheless answered, “No, sir. Not wittingly. There are cases where they
could inadvertently perhaps collect, but not wittingly.”
That was a bald-faced lie, though Clapper would later term it the “least
untruthful” thing he felt he could say. As we now know, the NSA was, among
many other things, gathering the phone “data” of every American and storing it
for future use. In other words, after some forethought, the director perjured
himself.
Mind you, Clapper isn’t exactly shy about charging other people with implicit
crimes. In recent testimony before Congress, he demanded that whistleblower
and former NSA contractor Edward Snowden “and his accomplices” return all
agency documents. It was a stunning use of a term whose only meaning is
criminal and clearly referred to the journalists - Glenn Greenwald, filmmaker
Laura Poitras, and reporters from the Guardian, the New York Times, and the
Washington Post, among other papers - who have been examining and writing
about the Snowden documents.
It caught something of the chutzpah of the top officials who run Washington’s
national security state - and little wonder that they feel emboldened and
demanding. After all, not only is Clapper not going to be charged with perjury,
but he has retained his post without a blink. He has kept the “support” of
President Obama, who recently told CNN’s Jake Tapper (in what passes these
days for a rebuke of our surveiller-in-chief), “Jim Clapper himself would
acknowledge, and has acknowledged, that he should have been more careful
about how he responded.” More careful indeed!
I've long argued that while we, the citizens of the US, remain in legal America,
the US national security state exists in "post-legal America" because no illegal
act from warrantless surveillance to torture committed in its service will ever be
prosecuted. So it's no surprise that Clapper won’t even be forced to resign for
lying to Congress. He's free as a bird and remains powerful indeed. Tell that to
some of our whistleblowers.
In his latest post, TomDispatch regular Pratap Chatterjee offers an anatomy of a
surveillance world that grows more, not less, powerful and full of itself with
every passing moment and technological advance, a national security world
whose global ambitions know no bounds. Tom Engelhardt
Selling your secrets
By Pratap Chatterjee
Imagine that you could wander unseen through a city, sneaking into houses and
offices of your choosing at any time, day or night. Imagine that, once inside,
you could observe everything happening, unnoticed by others - from the
combinations used to secure bank safes to the clandestine rendezvous of
lovers. Imagine also that you have the ability to silently record everybody’s
actions, whether they are at work or play without leaving a trace. Such
omniscience could, of course, make you rich, but perhaps more important, it
could make you very powerful.
That scenario out of some futuristic sci-fi novel is, in fact, almost reality right
now. After all, globalization and the internet have connected all our lives in a
single, seamless virtual city where everything is accessible at the tap of a finger.
We store our money in online vaults; we conduct most of our conversations and
often get from place to place with the help of our mobile devices. Almost
everything that we do in the digital realm is recorded and lives on forever in a
computer memory that, with the right software and the correct passwords, can
be accessed by others, whether you want them to or not.
Now - one more moment of imagining - what if every one of your transactions in
that world was infiltrated? What if the government had paid developers to put
trapdoors and secret passages into the structures that are being built in this
new digital world to connect all of us all the time? What if they had locksmiths
on call to help create master keys for all the rooms? And what if they could pay
bounty hunters to stalk us and build profiles of our lives and secrets to use
against us?
Well, check your imagination at the door, because this is indeed the brave new
dystopian world that the US government is building, according to the latest
revelations from the treasure trove of documents released by National Security
Agency whistleblower Edward Snowden.
Over the last eight months, journalists have dug deep into these documents to
reveal that the world of NSA mass surveillance involves close partnerships with
a series of companies most of us have never heard of that design or probe the
software we all take for granted to help keep our digital lives humming along.
There are three broad ways that these software companies collaborate with the
state: a National Security Agency program called “Bullrun” through which that
agency is alleged to pay off developers like RSA, a software security firm, to
build “backdoors” into our computers; the use of “bounty hunters” like Endgame
and Vupen that find exploitable flaws in existing software like Microsoft Office
and our smartphones; and finally the use of data brokers like Millennial Media to
harvest personal data on everybody on the internet, especially when they go
shopping or play games like Angry Birds, Farmville, or Call of Duty.
Of course, that’s just a start when it comes to enumerating the ways the
government is trying to watch us all, as I explained in a previous TomDispatch
piece, “Big Bro is Watching You.” For example, the FBI uses hackers to break
into individual computers and turn on computer cameras and microphones,
while the NSA collects bulk cell phone records and tries to harvest all the data
traveling over fiber-optic cables. In December 2013, computer researcher and
hacker Jacob Appelbaum revealed that the NSA has also built hardware with
names like Bulldozer, Cottonmouth, Firewalk, Howlermonkey, and Godsurge
that can be inserted into computers to transmit data to US spooks even when
they are not connected to the internet.
“Today, [the NSA is] conducting instant, total invasion of privacy with limited
effort,” Paul Kocher, the chief scientist of Cryptography Research, Inc. which
designs security systems, told the New York Times. “This is the golden age of
spying.”
Building backdoors
Back in the 1990s, the Clinton administration promoted a special piece of NSA-
designed hardware that it wanted installed in computers and telecommunication
devices. Called the Clipper Chip, it was intended to help scramble data to
protect it from unauthorized access - but with a twist. It also transmitted a "Law
Enforcement Access Field" signal with a key that the government could use if it
wanted to access the same data.
Activists and even software companies fought against the Clipper Chip in a
series of political skirmishes that are often referred to as the Crypto Wars. One
of the most active companies was RSA from California. It even printed posters
with a call to “Sink Clipper.” By 1995, the proposal was dead in the water,
defeated with the help of such unlikely allies as broadcaster Rush Limbaugh
and Senators John Ashcroft and John Kerry.
But the NSA proved more tenacious than its opponents imagined. It never gave
up on the idea of embedding secret decryption keys inside computer hardware a
point Snowden has emphasized (with the documents to prove it).
A decade after the Crypto Wars, RSA, now a subsidiary of EMC, a
Massachusetts company, had changed sides. According to an investigative
report by Joseph Menn of Reuters, it allegedly took $10 million from the
National Security Agency in exchange for embedding an NSA-designed
mathematical formula called the Dual Elliptic Curve Deterministic Random Bit
Generator inside its Bsafe software products as the default encryption method.
The Dual Elliptic Curve has a “flaw” that allows it to be hacked, as even RSA
now admits. Unfortunately for the rest of us, Bsafe is built into a number of
popular personal computer products and most people would have no way of
figuring out how to turn it off.
According to the Snowden documents, the RSA deal was just one of several
struck under the NSA’s Bullrun program that has cost taxpayers over $800
million to date and opened every computer and mobile user around the world to
the prying eyes of the surveillance state.
“The deeply pernicious nature of this campaign - undermining national
standards and sabotaging hardware and software - as well as the amount of
overt private sector cooperation are both shocking,” wrote Dan Auerbach and
Kurt Opsahl of the Electronic Frontier Foundation, a San Francisco-based
activist group that has led the fight against government surveillance. “Back
doors fundamentally undermine everybody's security, not just that of bad guys.”
Bounty hunters
For the bargain basement price of $5,000, hackers offered for sale a software
flaw in Adobe Acrobat that allows you to take over the computer of any
unsuspecting victim who downloads a document from you. At the opposite end
of the price range, Endgame Systems of Atlanta, Georgia, offered for sale a
package named Maui for $2.5 million that can attack targets all over the world
based on flaws discovered in the computer software that they use. For
example, some years ago, Endgame offered for sale targets in Russia including
an oil refinery in Achinsk, the National Reserve Bank, and the Novovoronezh
nuclear power plant. (The list was revealed by Anonymous, the online network
of activist hackers.)
While such “products,” known in hacker circles as “zero day exploits,” may
sound like sales pitches from the sorts of crooks any government would want to
put behind bars, the hackers and companies who make it their job to discover
flaws in popular software are, in fact, courted assiduously by spy agencies like
the NSA who want to use them in cyberwarfare against potential enemies.
Take Vupen, a French company that offers a regularly updated catalogue of
global computer vulnerabilities for an annual subscription of $100,000. If you
see something that you like, you pay extra to get the details that would allow
you to hack into it. A Vupen brochure released by Wikileaks in 2011 assured
potential clients that the company aims “to deliver exclusive exploit codes for
undisclosed vulnerabilities” for “covertly attacking and gaining access to remote
computer systems.”
At a Google sponsored event in Vancouver in 2012, Vupen hackers
demonstrated that they could hijack a computer via Google’s Chrome web
browser. But they refused to hand over details to the company, mocking Google
publicly. “We wouldn’t share this with Google for even $1 million,” Chaouki
Bekrar of Vupen boasted to Forbes magazine. “We don’t want to give them any
knowledge that can help them in fixing this exploit or other similar exploits. We
want to keep this for our customers.”
In addition to Endgame and Vupen, other players in this field include Exodus
Intelligence in Texas, Netragard in Massachussetts, and ReVuln in Malta.
Their best customer? The NSA, which spent at least $25 million in 2013 buying
up dozens of such “exploits.” In December, Appelbaum and his colleagues
reported in Der Spiegel that agency staff crowed about their ability to penetrate
any computer running Windows at the moment that machine sends messages
to Microsoft. So, for example, when your computer crashes and helpfully offers
to report the problem to the company, clicking yes could open you up for attack.
The federal government is already alleged to have used such exploits (including
one in Microsoft Windows) - most famously when the Stuxnet virus was
deployed to destroy Iran’s nuclear centrifuges.
“This is the militarization of the Internet,” Appelbaum told the Chaos Computer
Congress in Hamburg. “This strategy is undermining the internet in a direct
attempt to keep it insecure. We are under a kind of martial law.”
Harvesting your data
Among the Snowden documents was a 20-page 2012 report from the
Government Communications Headquarters (GCHQ) - the British equivalent of
the NSA - that listed a Baltimore-based ad company, Millennial Media.
According to the spy agency, it can provide “intrusive” profiles of users of
smartphone applications and games. The New York Times has noted that the
company offers data like whether individuals are single, married, divorced,
engaged, or “swinger,” as well as their sexual orientation (“straight, gay,
bisexuall, and ‘not sure’”).
How does Millennial Media get this data? Simple. It happens to gather data
from some of the most popular video game manufacturers in the world. That
includes Activision in California which makes Call of Duty, a military war game
that has sold over 100 million copies; Rovio of Finland, which has given away
1.7 billion copies of a game called Angry Birds that allows users to fire birds
from a catapult at laughing pigs; and Zynga - also from California - which makes
Farmville, a farming game with 240 million active monthly users.
In other words, we’re talking about what is undoubtedly a significant percentage
of the connected world unknowingly handing over personal data, including their
location and search interests, when they download “free” apps after clicking on
a licensing agreement that legally allows the manufacturer to capture and resell
their personal information. Few bother to read the fine print or think twice about
the actual purpose of the agreement.
The apps pay for themselves via a new business model called “real-time
bidding” in which advertisers like Target and Walmart send you coupons and
special offers for whatever branch of their store is closest to you. They do this
by analyzing the personal data sent to them by the “free” apps to discover both
where you are and what you might be in the market for.
When, for instance, you walk into a mall, your phone broadcasts your location
and within a millisecond a data broker sets up a virtual auction to sell your data
to the highest bidder. This rich and detailed data stream allows advertisers to
tailor their ads to each individual customer. As a result, based on their personal
histories, two people walking hand in hand down a street might get very
different advertisements, even if they live in the same house.
This also has immense value to any organization that can match up the data
from a device with an actual name and identity - such as the federal
government. Indeed, the Guardian has highlighted an NSA document from
2010 in which the agency boasts that it can “collect almost every key detail of a
user's life: including home country, current location (through geolocation), age,
gender, zip code, marital status… income, ethnicity, sexual orientation,
education level, and number of children.”
In denial
It’s increasingly clear that the online world is, for both government surveillance
types and corporate sellers, a new Wild West where anything goes. This is
especially true when it comes to spying on you and gathering every imaginable
version of your “data.”
Software companies, for their part, have denied helping the NSA and reacted
with anger to the Snowden disclosures. “Our fans’ trust is the most important
thing for us and we take privacy extremely seriously,” commented Mikael Hed,
CEO of Rovio Entertainment, in a public statement. “We do not collaborate,
collude, or share data with spy agencies anywhere in the world.”
RSA has tried to deny that there are any flaws in its products. "We have never
entered into any contract or engaged in any project with the intention of
weakening RSA’s products, or introducing potential ‘backdoors’ into our
products for anyone’s use,” the company said in a statement on its website.
“We categorically deny this allegation." (Nonetheless RSA has recently started
advising clients to stop using the Dual Elliptical Curve.)
Other vendors like Endgame and Millennial Media have maintained a stoic
silence. Vupen is one of the few that boasts about its ability to uncover software
vulnerabilities.
And the NSA has issued a Pravda-like statement that neither confirms nor
denies the revelations. "The communications of people who are not valid
foreign intelligence targets are not of interest to the National Security Agency,"
an NSA spokeswoman told the Guardian. "Any implication that NSA's foreign
intelligence collection is focused on the smartphone or social media
communications of everyday Americans is not true.”
The NSA has not, however, denied the existence of its Office of Tailored Access
Operations (TAO), which Der Spiegel describes as “a squad of [high-tech]
plumbers that can be called in when normal access to a target is blocked.”
The Snowden documents indicate that TAO has a sophisticated set of tools at
its disposal - that the NSA calls “Quantum Theory” - made up of backdoors and
bugs that allow its software engineers to plant spy software on a target
computer. One powerful and hard to detect example of this is TAO’s ability to be
notified when a target’s computer visits certain websites like LinkedIn and to
redirect it to an NSA server named “Foxacid” where the agency can upload spy
software in a fraction of a second.
Which way out of the walled garden?
The simple truth of the matter is that most individuals are easy targets for both
the government and corporations. They either pay for software products like
Pages and Office from well known manufacturers like Apple and Microsoft or
download them for free from game companies like Activision, Rovio, and Zynga
for use inside “reputable” mobile devices like Blackberries and iPhones.
These manufacturers jealously guard access to the software that they make
available, saying that they need to have quality control. Some go even further
with what is known as the “walled garden” approach, only allowing pre-
approved programs on their devices. Apple’s iTunes, Amazon’s Kindle, and
Nintendo’s Wii are examples of this.
But as the Snowden revelations have helped make clear, such devices and
software are vulnerable both to manufacturer’s mistakes, which open
exploitable backdoors into their products, and to secret deals with the NSA.
So in a world where, increasingly, nothing is private, nothing is simply yours,
what is an internet user to do? As a start, there is an alternative to most major
software programs for word processing, spreadsheets, and layout and design the
use of free and open source software like Linux and Open Office, where the
underlying code is freely available to be examined for hacks and flaws. (Think
of it this way: if the NSA cut a deal with Apple to copy everything on your
iPhone, you would never know. If you bought an open-source phone - not an
easy thing to do - that sort of thing would be quickly spotted.) You can also use
encrypted browsers like Tor and search engines like Duck Duck Go that don’t
store your data.
Next, if you own and use a mobile device on a regular basis, you owe it yourself
to turn off as many of the location settings and data-sharing options as you
can. And last but hardly least, don’t play Farmville, go out and do the real thing.
As for Angry Birds and Call of Duty, honestly, instead of shooting pigs and
people, it might be time to think about finding better ways to entertain yourself.
Pick up a paintbrush, perhaps? Or join an activist group like the Electronic
Frontier Foundation and fight back against Big Brother.
This piece, including Tom Engelhardt's introduction, is reposted
from TomDispatch.com with that site's permission.
Related Articles
The surveillance marketplace
JILLIAN C. YORK
Extending a hand or raising a fist to the state?
MAX GR.MPING
Towards a twenty-first century society of control?
GIOVANNI NAVARRIA
This article is published under a Creative Commons Attribution-NonCommercial 3.0
licence. If you have any queries about republishing please contact us. Please check
individual images for licensing details.