Guest blogger Chris Swan contributed this from the UK. Chris is Chief Technology Officer of CohesiveFT, where he focuses on product development and product delivery. After a decade as a Combat Systems Officer in the Royal Navy, Chris moved to the financial services industry where over the last 12 years he was an engineer, architect, R&D director, investment banker and CTO, most recently at UBS where he was CTO for Security then CTO for Client Experience.
Caspar Bowden (who used to be Microsoft’s ‘Chief Privacy Advisor’) gave an excellent talk at ORGCon yesterday, ‘How to wiretap the Cloud (without almost anybody noticing)’. The ‘almost’ had been added in at the last minute in response to the PRISM kerfuffle.
Foreigners have no rights
Caspar’s central point is that the 4th Amendment only applies to US Citizens, pointing out case law going back to 1990 establishing this. Furthermore the Foreign Intelligence Surveillance Amendments Act (FISAA), and specifically section 702, basically declares open season for US government access to data belonging to anybody from the rest of the world.
Let’s just restate that point: If you’re not a US Citizen (or US resident) then you don’t have any 4th Amendment rights – that’s been true since 1990. Furthermore since 2008 the US Government has specifically authorised itself to access data held on US based services originating from the rest of the world.
Signals Intelligence (SIGINT) has been around in one form or another for most of human history. Wherever there have been messages of military, political or commercial value there have been attempts to intercept them. Of course our methods for sending messages have got more sophisticated – from the original marathon runner, to tattooed heads, to telegraphy, to radio, to TCP/IP packets.
Codes and cyphers to protect messages from interception are just as ancient, but modern day SIGINT and the birth of modern day computing share a common heritage in the Ultra effort to read Nazi messages encoded with Enigma.
There are in essence two things that can be captured:
- Metadata – not the message itself, but information about the message. A field radio transmission might be encrypted, but an intercept can see where it came from, what frequency it was on, how long it lasted etc. Detailed analysis might be able to pick out a specific transmitter (by its idiosyncrasies) or radio operator (by how they use their morse key). Join together a bunch of metadata and you can start to do traffic pattern analysis – once you have a good idea who is talking to whom, and when – various inferences can be made. With telephone intercepts the call logs are a source of metadata, and are conveniently separate from the calls themselves. Metadata based analysis is important for two reasons:
  - It can be performed on encrypted traffic without having to break the cypher. In many jurisdictions the collection and use of metadata is considered less damaging than message intercepts, with a correspondingly lower barrier to entry for access. This becomes problematic as we move from systems with easily separated metadata (like telephones) to those where metadata is integral (like social networks).
  - It can be used to narrow a search to targets of interest without having to go through tons of actual communications.
- Messages – the actual communications between parties. This is pretty straightforward for plain text or clear voice communications, but gets challenging when encryption is used as the encryption has to be broken (usually hard) or circumvented.
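As an added illustration (not from the original post), here is a small Python traffic-pattern analysis over constructed call-log metadata: it never sees any call content, yet it picks out intermediaries and recurring relay chains from nothing but who called whom and when. All names, timestamps and durations are made up for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed call-log metadata (caller, callee, start, seconds): no call content at all.
CALL_LOG = [
    ("alice", "bob",   "2013-06-03T09:05", 120),
    ("alice", "bob",   "2013-06-04T09:02", 95),
    ("alice", "bob",   "2013-06-05T09:07", 140),
    ("bob",   "carol", "2013-06-03T09:30", 60),
    ("bob",   "carol", "2013-06-04T09:25", 45),
    ("bob",   "carol", "2013-06-05T09:40", 70),
    ("carol", "frank", "2013-06-05T14:00", 30),
    ("dave",  "erin",  "2013-06-03T22:15", 600),
    ("dave",  "erin",  "2013-06-04T23:05", 540),
]

def parse(log):
    """Turn the raw records into (caller, callee, start, end) tuples."""
    out = []
    for a, b, start, secs in log:
        t = datetime.strptime(start, "%Y-%m-%dT%H:%M")
        out.append((a, b, t, t + timedelta(seconds=secs)))
    return out

def contacts(log):
    """Undirected who-talks-to-whom map: party -> set of parties."""
    graph = {}
    for a, b, _, _ in parse(log):
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def relays(log):
    """Parties that sit between two others who never talk directly:
    the hub or intermediary pattern that traffic analysis looks for."""
    graph = contacts(log)
    found = []
    for hub, peers in graph.items():
        for x in sorted(peers):
            for y in sorted(peers):
                if x < y and y not in graph[x]:
                    found.append((hub, x, y))
    return sorted(found)

def follow_on_chains(log, window_minutes=60):
    """Count A->B calls followed within the window by a B->C call; a chain that
    recurs day after day suggests B passes things along, with no content seen."""
    calls = parse(log)
    chains = Counter()
    for a, b, _, end in calls:
        for b2, c, start2, _ in calls:
            if b2 == b and c != a and end <= start2 <= end + timedelta(minutes=window_minutes):
                chains[(a, b, c)] += 1
    return chains
```

On the constructed log, `relays` flags bob (between alice and carol) and carol (between bob and frank), and `follow_on_chains` shows the alice-bob-carol chain recurring three mornings in a row.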
Why are Americans worrying about this?
It seems that the net has been cast pretty broadly, with a 51% probability that a party isn’t American being a pretty low bar. This comes on top of various other erosions of the 4th Amendment such as the border search exception, and a great deal of ambiguity around police search of mobile phones.
My guess at what PRISM actually is/does
The accusation is that Internet giants like Facebook and Google have been providing direct access to their servers to government agencies like the NSA and FBI, which those companies have all strenuously denied.
There’s also a theory that the government agencies have insider operatives placed inside target organisations to access data on demand.
I don’t believe that either of these things is true. One of the few things we know about National Security Letters (NSLs) is that there have been 300,000 of them issued, which is hundreds per day. Large operators like Google and Facebook are thus having to respond to tens of these things a day. I’ve seen the work caused by responding to a single subpoena, and it’s not pretty, so any firm that needs to field tens of law enforcement requests per day (in secret) is going to want an efficient system to deal with that. I think PRISM is the name for that system – a mechanism for serving and responding to NSLs.
The secrecy problem
The people who know aren’t telling, and the people who want to know have no way of being told.
We don’t know whether PRISM, NSLs etc. are a mouse or a Gruffalo because we can’t see them. We don’t know that the powers are being used reasonably, proportionately or effectively because there’s no transparency.
The secrecy solution?
Highly classified programmes have their very own sort of data gravity. Like black holes, stuff goes in and nothing comes out. This should be of at least some comfort to those concerned about their secrets, their private data, going into the maw of this particular machine.
Stuff collected by SIGINT systems is normally classified up the wazoo not because the data itself is particularly sensitive (it’s mostly a firehose of the mundane), but the means of collection is sensitive. This creates a problem – once the interesting stuff has been sifted out of the firehose it can’t be given to anybody without revealing the whole gig and expanding the ring of secrecy.
We might be worried about espionage concerning political speech, but if you’re going to pass information to another government about politically active people who may be dissidents then you need to trust that government.
We might be worried about industrial espionage, but if you’re going to pass information to a company about one of their foreign competitors then you need to trust that company (which is particularly hard in a world of multinationals).
Of course this is often of little use to law enforcement people on the ground – particularly those at a local/regional level who lie way outside the ring of trust (and are treated with the same disdain as the ordinary citizens whose data is being swept up).
Flee the US cloud?
For those of us outside of the US does all this mean we should flee from US services? If we’re not protected by the constitution and we’re fair game for spying then is it time to run?
I think the answer here is less straightforward than it might superficially seem – only if you care enough to make the journey (and endure the sacrifices it will throw at you), and only if you have a safer place to run to.
If you find Facebook useful then it’s almost certainly because it’s Facebook, not because it’s a social network. The option is binary rather than shades of grey. People in China use different social networks and get spied on by their own government rather than the US government – hardly an improvement.
If you’re using something more commodity like an email service, or CRM, or servers on demand, then there are more choices. Those choices need to be carefully evaluated on the merits of the protections offered by the service provider and legislature it operates in.
Don’t forget that the US isn’t the only country that does spying – essentially everybody is at it, and the rules for who and what constitutes fair game are often far less transparent.
A sense of proportionality is also needed. Hundreds of NSLs a day sounds scary because we’re scared of the dark and struggle to count past ten, but it’s tiny compared to the billions of people using US based systems to talk and transact. Your data is mostly safe because it’s mostly uninteresting (and that’s not the same as ‘nothing to hide, nothing to fear’, which is only ever said by politicians with something to hide who fear being found out).
US citizens enjoy a constitution that prohibits unwarranted search and seizure, and though that law was made centuries before the advent of the Internet it’s mostly found its way into the mindset of modern services and their providers (even if all that means is ‘we’ll use your data to make money’ rather than ‘we’ll poke around your stuff on behalf of the government’). US law does not protect the rest of the world; in fact the US has given itself permission to spy on the rest of the world. We don’t know how bad the problem is because spying is a covert activity. If that bothers you then there might be alternative services in alternative jurisdictions – caveat emptor – read the fine print.
 It’s interesting that section 702 is referenced so much in James Clapper’s statement on PRISM, and I found this dissection amusing.
 It’s hard to think that there’s much of the USA that isn’t subject to this exception if searches are allowed within 100 miles of the border and any international airport counts as a border. Perhaps somebody can do a cool infographic where we can find tiny islands of US soil that don’t count.
 It’s funny how much of the debate is about how reasonable or proportional things are, and how little is about effectiveness. Sadly this is just a microcosm of the missing debate on appropriate risk and cost in a civil society.
 There may also be issues for a receiving government regarding how it is allowed to treat such information – the Communication Data Bill (aka ‘Snoopers Charter’) might very well have been an attempt to legalise the receipt of PRISM data in the UK.