In May of this year, Dalhousie University had the privilege of hosting noted whistleblower Edward Snowden to address the implications of government surveillance, Big Data, and the trends that have emerged in the wake of the NSA’s mass surveillance program, Prism. Since speaking to the university, Snowden has published his most recent book, Permanent Record, which recounts his experience exposing the world’s largest intelligence committee. While Snowden is optimistic about consumer privacy, he is concerned that the United States and other governments, aided by large ISPs, are moving towards the creation of permanent records of every person on earth.

Illustration By: David Reinert

In his talk, Snowden began by discussing the creation of Prism and why the program had received little opposition from Congress. “We have moved into a time where people care more about feelings than they do about facts […] this is a dangerous movement for democracies because people believe that once we have achieved a free and open society, it will always stay that way.” While the terror attacks on 9/11 may have demonstrated a need for Prism’s existence, Snowden proclaims that indiscriminate bulk data sweeps have proven to be a poor tool to thwart terrorism, since details always fall through the cracks. The grim reality is that we have cultivated a society whose behaviors are dictated by emotions.

Edward Snowden Speaking at Dalhousie live from Moscow

What Still Needs to Change: Metadata

A useful way to describe ‘metadata’ is by example: a telephone conversation between you and a co-worker. To access the digital information from the call, authorities would require a warrant. However, the connections and peripheral data regarding the telephone call are openly accessible for governments to analyze. Snowden exclaimed, “Everyone you have talked to, the places both you and they were at, when you connected to them, the duration […] or even aspects such as the fact that you are attending this [Dalhousie] talk […] that’s metadata.”

This lack of privacy is the result of weak government legislation governing which types of metadata, such as information about location, are permissible to collect. This, combined with loose definitions of legal privacy, has enabled many governments to obtain enough information about their citizens to negate the need for actual transcripts of the conversation itself. As Snowden stated, “The problem is that when you have enough metadata, you don’t need any content.”

Understanding your whereabouts is as simple as locating your cellular device (which happens to transmit this data every fifteen minutes to cellular towers), along with a few other metrics. “With the pristine records of your phone’s location over the past decade, it becomes quite easy to connect the dots about an individual’s behaviours.”

High Level Trends in the Industry:

1)    The Commercial Trade of Software Exploits – EternalBlue

More than ever, governments are paying third-party enterprises to develop digital weapons used to hack popular operating systems such as Windows. Most of these privatized, commercial enterprises exist for the sole purpose of exploiting computer vulnerabilities. These companies find weak points that are universal within devices running the targeted operating system and deploy their digital weapons to force entry into computers, networks and information systems.

As history has shown, the individual consumer ends up paying the price for these vulnerabilities. There are multiple occurrences of terrorist organizations obtaining these types of weapons and deploying them on a large scale. In May 2019, an NSA-developed digital weapon codenamed EternalBlue was obtained by several terrorist organizations and auctioned on the dark web for millions of dollars to Russian, Chinese, and North Korean intelligence organizations. The New York Times reported that the ransomware WannaCry propagated through EternalBlue to cripple government computers in American cities. Baltimore had many of its municipal networks, including hospitals and traffic lights, compromised as a result of a phishing attack. Without legislation to ban the trade of software exploits like EternalBlue, this problem is likely to recur.

Source: New York Times

2)    Over Collection and Oversharing of The Universe of Data:

The most significant digital trend that Snowden identified was the over-collection of data by corporations. While some companies have made strides to protect consumer data, many operating systems still fail to present incoming and outbound communication data in an intuitive manner for the average consumer to comprehend.

In Android 10, Google has permitted users to identify and block the types of information accessed by applications used on the device. While this is a step in the right direction, it will be interesting to see if software developers can integrate a way for users to effectively monitor the connections that our devices are always utilizing.

However, for Snowden, the issue comes back to the lack of discussion surrounding the importance of data collection. For the average consumer, Snowden believes the over-collection of data can be more of a danger than a blessing, stating, “Since your life is worth money, the more they know about your private life… all the intimate details… your preferences… political associations… the more you are worth to them. The better you are at being exploited.”

Source: Edward Snowden

3)    Supply Chain Manipulation

Snowden emphasized that the issue surrounding data collection originates from the current organization and design of our global data infrastructures. Even today, individuals using communication technologies are reliant on computers that were never designed for a secure transfer of information. Therefore, it has become increasingly difficult to develop privacy solutions in a world that is exceedingly dependent on this infrastructure. Snowden stated, “Until we can fully change the connections by which we communicate through, the spying will continue”.

In 2013, Snowden released documents about Operation Quantum that proved the NSA poisoned web pages by implanting malicious code into URL texts, a technique known as spoofing. While Huawei was also suspected of using this type of exploitation, Snowden stated that American tech companies such as Intel, Amazon’s AWS cloud services, and Cisco were also guilty of supplying their network services to the NSA to host these types of exploits.

The Quantum insert attacks work because the NSA relies on secret partnerships with US ISPs to execute them effectively. Integrating itself into communication systems, the NSA strategically places secret servers at key nodes within the backbone of Internet connections. These placements are crucial because they ensure that NSA servers respond faster than those which host the websites themselves.

By exploiting this speed difference, NSA servers can impersonate a visited website before the legitimate site can respond. This results in the targeted user’s browser being tricked into visiting a corrupt Foxacid server, compromising the user’s system without their knowledge. It stands to reason that midpoint manipulation is a structural issue.
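
The race described above leaves a trace a defender can look for: the forged reply and the genuine reply both reach the client claiming the same TCP sequence number, but with different content. The following is an added example, not material from the talk or the article; the Segment record format, the addresses and the sample capture are constructed assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

class Segment(NamedTuple):
    ts: float       # capture time, seconds
    src: str        # sender "ip:port"
    dst: str        # receiver "ip:port"
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

def find_raced_responses(segments):
    """Flag data segments that reuse a sequence number with different content.

    A normal retransmission repeats the same bytes; a raced, injected reply
    occupies the same sequence space as the genuine one but differs from it.
    """
    seen = defaultdict(list)            # (src, dst, seq) -> earlier segments
    findings = []
    for seg in sorted(segments, key=lambda s: s.ts):
        if not seg.payload:
            continue                    # bare ACKs carry nothing to compare
        for earlier in seen[(seg.src, seg.dst, seg.seq)]:
            n = min(len(earlier.payload), len(seg.payload))
            if earlier.payload[:n] != seg.payload[:n]:
                findings.append({
                    "flow": (seg.src, seg.dst),
                    "seq": seg.seq,
                    "first_seen": earlier.payload[:n],
                    "arrived_later": seg.payload[:n],
                    "gap_ms": round((seg.ts - earlier.ts) * 1000, 1),
                })
        seen[(seg.src, seg.dst, seg.seq)].append(seg)
    return findings

# Constructed capture (documentation address ranges), not real traffic.
WEB, CLIENT = "203.0.113.5:80", "192.0.2.10:51514"
SAMPLE = [
    Segment(0.000, CLIENT, WEB, 1, b"GET / HTTP/1.1\r\nHost: site.example\r\n\r\n"),
    Segment(0.012, WEB, CLIENT, 1000, b"HTTP/1.1 302 Found\r\nLocation: http://other.example/\r\n\r\n"),
    Segment(0.085, WEB, CLIENT, 1000, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    Segment(0.300, WEB, CLIENT, 2000, b"more data"),
    Segment(0.900, WEB, CLIENT, 2000, b"more data"),   # benign retransmission
]

if __name__ == "__main__":
    for f in find_raced_responses(SAMPLE):
        print(f)
```

Both segments appear to come from the web server because the faster reply carries a spoofed source address, so the differing payload, not the sender, is the signal. Serving the site over TLS removes the opening, since a midpoint without the site's key cannot produce a reply the browser will accept.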

Snowden stated, “until we change our protocol on how machine language is used for our devices to communicate… in a way that they are not vulnerable with midpoint manipulation, it will be a recurring problem”.