US and UK spy agencies scoop up private data from 'leaky' phone apps (theguardian.com)
174 points by weu on Jan 27, 2014 | 95 comments


Many interesting "nuggets" buried in this report. For example:

...A more sophisticated effort, though, relied on intercepting Google Maps queries made on smartphones, and using them to collect large volumes of location information.

So successful was this effort that one 2008 document noted that "[i]t effectively means that anyone using Google Maps on a smartphone is working in support of a GCHQ system."

At this point it is perhaps not wrong to conclude that the whole internet is bjorked by these agencies. Open to snooping and manipulation at any and every level for any user.

It is time for a reboot, this time with much more focus on security.


The sad thing is that if I watched these sort of pronouncements in an episode of "Person of Interest" or some other show I would normally laugh them off like I do the infinite zoom/sharpen capability of security video.


Interestingly, things like the zooming and enhancement of video similar to the TV capabilities often portrayed are also now easily accessible. Read about 'super-resolution' [1,2] techniques for more details.

[1] https://en.wikipedia.org/wiki/Superresolution [2] http://research.microsoft.com/en-us/um/people/cmbishop/downl...


I find the two green slides (Capability - iPhone and Capability - Android) the scariest. Hot mic? Kernel stealth? And self protection? How many networks - knowingly or unknowingly - are delivering these things?


That was in 2008. Imagine what else they've been able to jimmy in 6 years!

I'm still waiting on the reveal that they've stored geolocational data at regular timepoints of every X minutes.


> I'm still waiting on the reveal that they've stored geolocational data at regular timepoints of every X minutes.

Considering Apple did that on your behalf I would be surprised if this was not the case.

http://bits.blogs.nytimes.com/2011/04/20/3g-apple-ios-device...


Apple didn't store users' location data. Cell tower positions were cached on iOS devices, and this was turned into a false controversy because sensationalism sells. Citing this piece as if it asserts that Apple collects user location data in the way the parent poster fears the NSA might do is dishonest.


Apple programmed a feature that cached all location data on a file on the iPhone. GCHQ's linked PowerPoint says "If it's on the phone, we can get it". Ergo, GCHQ and the NSA certainly had access to your cached location data if they wanted it. Maybe Apple intended this to be the case, maybe Apple did not, but the mere fact that the file existed is enough that it most certainly could have been scooped up by spooks.


No. "All the location data" was not cached. Only cell tower locations.

"Maybe Apple intended this to be the case" is baseless innuendo and has no place here.

"If it's on the phone, we can get it" has separately been shown only to apply when the agencies have physical access to the device to extract data or implant malware.

You seem to want to spread the idea that spies can access the real-time location of your iPhone remotely - which is what the parent post was fearing, but for which there is no evidence. What is your motive here?


Cell tower data is sufficient to determine phone location via triangulation. Additionally, spies can get real-time data from the carrier directly, as can law enforcement.

The parent comment said nothing about real-time access, but if someone has a remote exploit that gives filesystem access (and if jailbreakers can do it, then the NSA can, too), that location data file would provide a detailed history of the phone's location.


No. Triangulation requires near-simultaneous signal strength readings from multiple towers at the time the position is to be computed.

The cell tower cache you refer to does not contain that kind of data, so the data file does not provide a detailed history of the phone's location. This has been shown by the people who investigated the file.

An extremely coarse location, to the resolution of cell towers can be obtained from the file, but as we know, that is available to the phone network anyway.

The parent comment talks about geolocation data at regular X minute intervals. This file does not provide that. Nor does it provide any information that the NSA can't get via the cell network about any phone. Indeed the network likely can provide triangulation.

The link you referenced is nothing but innuendo intended to implicate 'Apple' somehow.


I don't know if 5 billion a day translates to the value of regular or X you have in mind, but mathematically - the answer is yes.

http://www.washingtonpost.com/world/national-security/nsa-tr...


> It is time for a reboot, this time with much more focus on security.

Here's a helping hand for those that don't know where to start: http://prism-break.org/


Maps and other apps on the iPhone weren't using HTTPS in 08 (underpowered device, need to squeeze every last drop from battery). They do now however. It's not just a spy agency issue, anyone could have sniffed the unencrypted traffic.


(underpowered device, need to squeeze every last drop from battery)

Really now? Is that the official reasoning for not using HTTPS?


Well, this is the most common argument before Snowdengate I heard against using HTTPS anywhere, not only on mobile devices.


Back then it was.


I just don't recall anything official regarding that line of thought. Direct PR or otherwise. Are there any examples off the top of your head?


"HTTPS is expensive" has been a widespread (stupid) meme since the invention of HTTPS. How old are you?


Old enough to know a non-answer when I see one.

Again I ask: Any specific examples from companies or organizations that implement HTTP(S) in their products stating device power as reason for non-implementation?


I imagine it to be a horrible miscarriage of trust to not use HTTPS. We made the decision early on that handling any personal data not over HTTPS was massively irresponsible - and this is pre-Snowden.

That said, if they have kernel-level hacks or can intercept and decode HTTPS (or sit and listen on say, any AWS server they want), what does HTTPS really matter against the NSA?

Still, totally irresponsible - battery life is a constant struggle, but not enough to even make us consider changing our API client code.


The problem is that HTTPS is very difficult to audit, we just have to trust that it is being done correctly.

How do you know that the apparently random stream of bits is actually properly encrypted and does not leak private data? It would be better to let the OS add the SSL layer and only let apps talk HTTP. This would give the user much more control.


One slide from a May 2010 NSA presentation on getting data from smartphones – breathlessly titled "Golden Nugget!" – sets out the agency's "perfect scenario": "Target uploading photo to a social media site taken with a mobile device. What can we get?"

To me, this is quite telling.

The NSA is not considering what data they need to achieve their mission, and then trying to find that data. Instead, they're just looking for "what can we get", and worry later about how it might be useful (or legal!).

This is no way to run a successful organization in the 21st century.


Why not? It is technically feasible. There was essentially no legal oversight at NSA or GCHQ.

It seems like they responded correctly to the incentives they were given. The problem is with the legislature (and the judiciary), voters, and the media.


Why should our government agencies not commit crimes just because no one is looking?

I'm just going to assume you were being sarcastic and move on.


I'm specifically questioning "no way to run a successful organization"; it was morally wrong (and legally, but there's no legal oversight, so that doesn't matter), but in no way hindered their success at their mission.

So, because it's not hurting them in terms of success to operate this way, there's a need for external controls to prevent it. If being all-collecting hurt their effectiveness, we wouldn't need any new controls, because they'd be replaced for being unsuccessful.


> in no way hindered their success at their mission

Except that their mission is deeply compromised by their actions: they've lowered domestic cyber-security, undermined the rule of law, and deeply shaken the public confidence in the armed forces - all of which are contrary to their core mission.

They seem to have lost sight of their high level goals in their quest for more power to accomplish specific secondary tasks.


It's not hurting them insofar as they can sell this kind of useless (in terms of catching terrorists) data collection to bureaucrats who will sign off on it. I would argue that it is compromising their ability to sift the wheat from the chaff, when so much of their efforts and funding seems to be dedicated to adding to the latter.

Plus, the inevitable outrage generated when these tactics became public is undeniably hurting their credibility and in the long term their ability to gather information.


> It seems like they responded correctly to the incentives they were given.

What incentives were those? To create a police state with some kind of dystopian program "Overseer"? Because that's exactly what they are doing.


Murdering people is technically feasible as well. If entities are given essentially no legal oversight then the correct response would be to act on the incentives they were given to murder freely.

The problem is with the legislature (and the judiciary), voters, and the media.


I don't think the parent was trying to absolve the NSA of responsibility, merely pointing out that its mission incentivizes it to collect as much data as it can. It's ultimately the responsibility of Congress to ensure that the NSA and other intelligence agencies adhere to the law, and Congress has largely ignored this responsibility.

The more subtle point that the parent makes is that, rather than always trying to prevent bad actors from doing bad things (e.g. murdering), a working system of checks and balances can punish the bad actors and deter future abuses. But checks and balances obviously don't work when everything is classified. The legislature and the judiciary were essentially the only two institutions that had access to this information and they did nothing about it.

You can't vote judges out of office, but if large scale surveillance is an issue important to you I'd make sure my congressman or congresswoman knew about it.


I agree with you in general, but this is not the smoking gun you are suggesting.

Once someone is a target, investigating them in general is legitimate, assuming that there is justification for regarding them as such.


What definition of "target" are you using here? Is the NSA/FBI/CIA/GCHQ/etc. using the same definition?


It doesn't matter all that much. The point is that it's targeted collection - not a general scoop.

It absolutely matters how broad the targeting is, but that is a separate question.


Considering the government has "targeted" political dissidents and protesters, I would say the definition is basically everyone.


So they're spying on the children playing Angry Birds in the name of preventing terrorism. I bet the data they're gathering has saved a lot of lives.

This is just one more strike into the already well-beaten dead horse of an argument that the NSA is spying in the name of preventing terrorism.

I will spell it out: the goal of the NSA surveillance is omniscience in the name of preserving the power of the state. They have made great progress toward this ideal.


What about leaking bookmarks from Al-Quran app?


Still a ridiculous unneeded incursion onto an individual's right to be left alone when they aren't hurting anyone.

As violent and primitive as the Islamic fundamentalists are, the vast, vast, vast majority of the world's 1.6 billion Muslims are not fundamentalists, nor are they terrorists, nor do they aid terrorists.

The phrases that people bookmark in a religious app book are a very far cry from demonstrable intent to commit violence, anyway. If you spied on everyone's bookmarks in religious text apps, I'm fairly certain that if you pitched it properly you could depict my own gentle mother as a genocidal crusader.


While I would agree that the "vast, vast, vast" majority of Muslims do not present a threat to national security, it is going too far to say that the "vast, vast, vast" majority are not fundamentalists.

The majority are almost certainly not, but a frighteningly large minority are. For example, only 54% of Muslims in Turkey believe that suicide bombings are never justified, and 16% believe that they are sometimes or often justified: http://www.pewglobal.org/2013/09/10/muslim-publics-share-con...

This should not be particularly surprising. Fundamentalism also runs strong in Christianity. Nearly half of all Americans are creationists, believing that the earth is only a few thousand years old, and that people did not evolve (we're not talking Catholic-style "god used evolution" creationism here, we're talking straight up "literal talking snake" creationism): http://www.gallup.com/poll/155003/hold-creationist-view-huma...

People take religion seriously, film at 11.


"Fundamentalist" is code for militant here, and you knew that.

What percent of Americans believe drone attacks are justified?

What does "fundamentalism" have to do with any of this?


Anymore, it seems prudent to simply assume that if you use the internet at all, all of the details about you are available to determined individuals, public or private. Even details you've never consciously given out over the internet are available to those with the power and desire to infer from your browsing datasets (see: Target and the pregnant daughter).

Someone, please tell me I'm wrong.


I'm afraid it's much worse than that, even. You don't even need to use the internet.

You can be walking down the street and an hour later, unbeknownst to you, your picture makes it to the front page of reddit. It could be that you were skipping work that day, and told your boss you were sick. Or perhaps picking up an engagement ring.

This sort of free-for-all will only get worse as technologies like Google Glass and the so-called "Internet of Things" become mainstream. Your life is now a commodity for internet voyeurism and, possibly, witch hunts.

The tech is ripe for turning citizens against citizens. "Turn in your neighbor for un-American activities" sort of stuff.


And it follows that if you build internet technology, you are also building surveillance infrastructure.


Somehow, people were able to convince users that something on the internet could be secure. Nothing on the internet is secret, that's not what the internet is for.


You are not wrong sadly. There are too many leaky apps, platforms, and technologies.


You are dead on.


(Copied from https://news.ycombinator.com/item?id=7132790)

If you're using Android, I'd highly recommend using a combination of XPrivacy [1] and Android Firewall [2] (iptables frontend).

To make your life easier, disallow everything from accessing the net in Android Firewall. Then, for those apps which you've allowed net access, further tweak what they're allowed to access in XPrivacy. As a rule, turn off account info, clipboard, location, contacts, and storage.

Not perfect, but a decent solution.

[1] https://github.com/M66B/XPrivacy

[2] https://play.google.com/store/apps/details?id=com.jtschohl.a...


Better yet, only use Android as a game console / YouTube viewer with no personal info or real Google ID. Web browsing only through Firefox that can use some privacy addons.


The only solution is to move to a phone OS that is 100%, completely, open. I.e. not even app developers are allowed to ship blobs - it's All-Source-Code, All-The-Time.

I know, it's a highly unlikely scenario, but I can't help but feel in the midst of this human rights disaster, Open Source can come to the rescue.


That's not enough. Take the Google maps example, for instance. I bet the NSA could grab the same data from an open-source map app that used OpenStreetMap data. They can infer your location based upon the set of map tile URLs that your phone is loading over the network.

No need for any code weaknesses in the app. Open source is not your saviour here!
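As an added illustration of the point above (not code from any commenter here or from any map project): in the standard Web Mercator "slippy map" tile scheme, the z/x/y path of each tile request converts directly to a geographic footprint, so anyone observing unencrypted tile fetches can bound the area the user is viewing, to a precision set by the zoom level. The tile host tiles.example, the sample coordinates and the request list are constructed.

```python
import math
import re
from typing import List, NamedTuple, Tuple

# Matches the z/x/y path of a raster tile request, e.g. ".../16/32745/21792.png".
# The host name is irrelevant to the inference; only the path components matter.
TILE_RE = re.compile(r"/(\d{1,2})/(\d+)/(\d+)\.png")


class BBox(NamedTuple):
    south: float
    west: float
    north: float
    east: float


def deg2tile(lat: float, lon: float, z: int) -> Tuple[int, int]:
    """Tile (x, y) at zoom z whose footprint contains the given point (Web Mercator)."""
    n = 2 ** z
    lat_r = math.radians(lat)
    x = int((lon + 180.0) / 360.0 * n)
    y = int((1.0 - math.log(math.tan(lat_r) + 1.0 / math.cos(lat_r)) / math.pi) / 2.0 * n)
    return x, y


def tile_to_bbox(z: int, x: int, y: int) -> BBox:
    """Geographic footprint of tile (x, y) at zoom z: the inverse of deg2tile."""
    n = 2 ** z
    west = x / n * 360.0 - 180.0
    east = (x + 1) / n * 360.0 - 180.0
    north = math.degrees(math.atan(math.sinh(math.pi * (1.0 - 2.0 * y / n))))
    south = math.degrees(math.atan(math.sinh(math.pi * (1.0 - 2.0 * (y + 1) / n))))
    return BBox(south, west, north, east)


def parse_tile_requests(urls: List[str]) -> List[Tuple[int, int, int]]:
    """Extract (z, x, y) from every URL that looks like a tile fetch; ignore the rest."""
    tiles = []
    for url in urls:
        m = TILE_RE.search(url)
        if m:
            z, x, y = (int(g) for g in m.groups())
            tiles.append((z, x, y))
    return tiles


def infer_area(tiles: List[Tuple[int, int, int]]) -> BBox:
    """Union of the footprints of all observed tiles: the area the viewer was looking at."""
    boxes = [tile_to_bbox(z, x, y) for z, x, y in tiles]
    return BBox(
        south=min(b.south for b in boxes),
        west=min(b.west for b in boxes),
        north=max(b.north for b in boxes),
        east=max(b.east for b in boxes),
    )


def bbox_size_km(b: BBox) -> Tuple[float, float]:
    """Approximate width and height in km (equirectangular; adequate at city scale)."""
    mid_lat = math.radians((b.north + b.south) / 2.0)
    width = (b.east - b.west) * 111.32 * math.cos(mid_lat)
    height = (b.north - b.south) * 111.32
    return width, height


# Constructed sample: the 3x3 block of zoom-16 tiles a map client would fetch when
# panning to a point in central London, plus one non-tile request as noise.
SAMPLE_LAT, SAMPLE_LON = 51.5007, -0.1246
_cx, _cy = deg2tile(SAMPLE_LAT, SAMPLE_LON, 16)
SAMPLE_URLS = ["https://tiles.example/style.json"] + [
    f"https://tiles.example/16/{_cx + dx}/{_cy + dy}.png"
    for dx in (-1, 0, 1)
    for dy in (-1, 0, 1)
]

if __name__ == "__main__":
    tiles = parse_tile_requests(SAMPLE_URLS)
    area = infer_area(tiles)
    w, h = bbox_size_km(area)
    print(f"{len(tiles)} tile fetches bound the viewer to a {w:.2f} km x {h:.2f} km area "
          f"centred near ({(area.south + area.north) / 2:.4f}, {(area.west + area.east) / 2:.4f})")
```

Transport encryption hides the path (and so the tile coordinates) from a network observer but not the destination host or the volume of traffic; offline tile data, as a reply below notes, removes the per-view request altogether.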


Many OSM apps provide offline vector data. They work without a data connection and also leak less information - the most you can infer from those downloads is that people are interested in mapping data of a certain area.


Not just the OS, but the entire phone, chipset -> firmware -> os (including wireless sub-OSes) -> app.

Of course, if your open source apps request any data related to your activities (such as detailed map data about your current location, even without your exact location, or routing information for TCP packets), you're leaking data about yourself again.


If people don't read and understand the code, ideally before running it since part of the code might be to make some low level change to its environment and then erase itself, then it doesn't matter whether it's there or not. And reviewing significant code bases is not something one person can do on their own, even in the unlikely event they've all the specialities to understand it all. It would require non-trivial organisations to be directed towards auditing the applications/system to ensure security.

Which isn't to say that I don't think open source is a necessary condition for security. But I don't see that sort of audit getting done for everything that your average user is going to run on their phone.


The baseband is the problem. It leaves even a 100% open source OS quite vulnerable.


And never use it to call anyone else or connect to anything else. Don't forget that when you're designing your NSA-proof phone.


Ridiculous, seems like they are taking data and storing it and waiting to get subpoenas to look into and analyze the data later. Welcome to the new world order where your every movement is known.


Don't be alarmed citizen. They only 'know' about your movements if they actually look at them. Until then, they don't 'know' anything as long as it sits in their archives untouched.


It's a bit more Orwellian than that. The NSA claims it doesn't "collect" data until it looks at the data. Somehow the data magically appears in its databases, but it isn't collected.


If a tree falls in a forest etc.

These caches of information exist all over the place. While I'd prefer NSA/GCHQ to not slurp and store this stuff, at least they have a duty to keep it secret. I am a lot more bothered by my ISP keeping that stuff. They're a lot less competent and have many fewer access controls.


Which access controls do they have and how do you know? And how is that consistent with Snowden leaking all those documents?


Just be very careful not to do anything that might give them reason to "know" about you. Such as holding impermissible political views or knowing too much about computers, to pick two random examples.


For now. Just wait until sophisticated AI is developed...


yeh, time to use simple nokia phones again.


Time to use tin cans again.


I will quote the United Nations Declaration of Human Rights, Article 12:

"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

Privacy or correspondence... "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence"


The only fix to our information, privacy, and security pop culture is destroying the whole system, and building a new one holistically with a focus on security and education at the lowest levels of the system. This almost certainly means destroying computing as we know it as a prerequisite.

“Once you have something that grows faster than education grows, you're always going to get a pop culture.” - Alan Kay


Exploiting phone information and location is a high-priority effort for the intelligence agencies, as terrorists and other intelligence targets make substantial use of phones in planning and carrying out their activities, for example by using phones as triggering devices in conflict zones.

That's a good point and a good reason why it's irresponsible for these newspapers to post the details about this technology. This kind of CI doesn't work as well once everybody knows what you're doing. It also gives a road map to more oppressive governments looking for ways to spy on their citizens.

The documents do not make it clear how much of the information that can be taken from apps is routinely collected, stored or searched, nor how many users may be affected.

Right, so this is just publishing some details of NSA/GCHQ counterintelligence technology without saying how they are using it. Unless they have some evidence of wide scale deployment of these techniques, how is this surprising? Do we not expect spy agencies to develop surveillance technology?


> It also gives a road map to more oppressive governments looking for ways to spy on their citizens.

This is just sad. Western governments are the oppressive governments. That we have the “moral high ground” is a lie that’s been used as a weapon by these same warmongering immoral people that have always been in charge. “American exceptionalism” is an immoral indefensible position.

To still be trying to state that our governments are the only ones morally worthy to use these military weapons, after all the revelations of torture, lying into war, detaining people for life without trial, kidnapping, assassinations, spying, etc, is to willfully refuse to break out of the military propaganda that you've been subjected to.


Western governments are the oppressive governments.

If you think Western governments are the oppressive ones, what do you think about the governments of China, Russia, and Iran?


The US has 1.5 times the number of prisoners as China, with 6.3 times as many per capita.

The US has 2.5 times the number of prisoners as Russia, with 1.2 times as many per capita.

The US has 27.5 times the number of prisoners as the UK, with 5.0 times as many per capita. (Interestingly, China has fewer prisoners per capita than the UK.)

So you can make a lot of points about the relative quality of those prison experiences (and they might be valid points), but in terms of sheer volume of people that are incarcerated by their own government, the US outstrips both China and Russia by a wide margin - in both absolute and per capita terms.


If the government offered a legitimate and effective way for whistleblowers to expose wrongdoing and unconstitutional behavior, perhaps they could limit this type of damage from being done. As it stands, the release of this information could be considered collateral damage as result of their continued persecution of whistleblowers.


The people who are harmed by making this information public are not the U.S. government. Think it through. Who wins by knowing how the US government conducts targeted counterintelligence operations? That will be primarily terrorists, organized crime, and oppressive governments. So then who loses? That will naturally be victims of terrorism, organized crime, and oppressive governments. That is why I don't think it's responsible to go around publicizing every little detail about NSA/GCHQ CI techniques and technology.


You're assuming that these programs really are serving to curtail terrorist activities. In fact, that is very much in doubt.

Given that the net effect of these programs, so far as anyone in the government has been able to demonstrate, ranges from zero to trivially small, rendering these programs inoperative will have a zero or trivial positive effect for the terrorists.

I suspect that your reply is that the govt's inability to demonstrate the program's efficacy is because such a demonstration would necessarily reveal so much that the programs would be rendered ineffective in the process. Too damned bad. At some point we've got to touch base with the philosophical foundation on which the government is built. Ultimately, we are the masters, and the government operates only as we allow it to. Allowing the government to circumvent so many of the liberties which the Bill of Rights guarantees will be conserved for the people is to turn the design of our government on its head.


I don't think you're being very clear. The victims of terrorism generally don't have access to the information that these counterintelligence operations obtain. In other words, the victims are in the same place they were before they knew what the NSA was capable of. What I think you're saying is doublespeak. To paraphrase your argument, "Snowden is doing damage to our counterintelligence capabilities by releasing this information. Also, Snowden isn't doing any damage to the government." These statements contradict one another.


My point was that revealing CI techniques empowers terrorists, which tends to be a bad thing for (potential) victims of terrorism.


That's certainly a possibility. The contrary may prove to be true as well. For example, if I was a terrorist and I knew that the NSA was spying on all my phone communications, I may elect to not use a phone. This means that I'm not as effective at communicating with other terrorists which may reduce the effect I have. You may very well be right though. It's unclear to me.


That will be primarily terrorists

Ooga-booga! TERRORISTS!!!11!!

Still waiting for a list of "terrorists" caught by this program.


To be clear, you are saying that a cell phone used to receive a command to detonate a bomb is the same phone the bomber uses to share photos on Facebook?


It is a roadmap to oppression, and revealing it is harmful to NATO. Can you connect your own dots?


I'm sure they are finding and identifying tons of "terrorism threats" by looking at Angry Birds data... /s

If anything they are just making it harder to find the needle (terrorist threat) in the haystack (their dragnet of data). At the end of the day maybe they don't care about finding the needle anymore.


All kinds of data are interesting. You've seen episodes of CSI. Position data scraped from some app, any app, can come in useful but only when you want to track somebody. Who to track is a different problem.

It's not all about finding criminals. But when you've found one, you want to know where he's at, who he's associating with etc.


Absolutely data is interesting. However, just because it is interesting doesn't mean it is useful to catch a terrorist. The US Government / NSA is creating more enemies than it is "catching" right now. Since when did the American citizen become the default criminal, especially one that commits acts of terrorism?


Curious, how many app devs are doing security/permissions audits?

On the Android Java side we have a tool called sable/soot, which I am recently learning to use.


You mean this: https://github.com/Sable/soot ?

> Soot is a Java optimization framework

Seems to be a Java static analysis tool and not related to Android permissions (although maybe related to security).


Hmmm.... I can see how an open source app can exist on GitHub and in your iTunes if you have a Developer Account. But can you be sure it is 100% open source once it went through the AppStore gates? I am just asking.


Can you be sure about that for any binary you did not compile yourself? And if being more paranoid: can you be sure about that for any binary you did not compile yourself using a compiler you compiled yourself?


That is exactly my point. Thank you for understanding.


No, you really can't.


Between this and the recent credit card and identity leaks by Target and others, I really wish people would connect the dots. If companies are grabbing and storing incredible amounts of information about millions of people, that information will inevitably get the attention of spammers, scammers, stalkers, criminals, governments, and anyone else who could possibly put it to use. The solution is to limit what companies collect in the first place.


AFWall+ doesn't hurt, if you can get the damn thing to work (I seem to have issues with loads of apps that require root on my Nexus 4)

https://play.google.com/store/apps/details?id=dev.ukanth.ufi...


Is any of this really a surprise to any of you?


There ought to be more emphasis that these documents are circa 07/08. HTTPS websites were an oddity back then.


Thus their obsession with undermining public key encryption and obtaining the private keys for popular services.


Indeed! 2008 is 5+ years ago. 5 years in tech is a couple of eternities.


On both sides. You should assume they have broader and deeper capabilities now.



