Spy Files

M. C. McGrath: Watching the Watchers: Building a Sousveillance State

Secret surveillance programs have metadata too. The same people and companies that operate secret surveillance programs also publish details about their work on the open internet. We can use this data to watch the watchers.

M. C. McGrath – https://transparencytoolkit.org

Creative Commons Attribution-ShareAlike 3.0 Germany (CC BY-SA 3.0 DE)


Eric King: The Five Eyes secret European allies

Did you know there is an elite intelligence sharing club called SIGINT Seniors Europe working in partnership with the Five Eyes? For 35 years, the club has operated as a “European bazaar” for surveillance, playing games of jurisdictional arbitrage, exploiting secret loopholes in domestic legal frameworks to swap and share data on each others citizens. For the first time we have the information to act, and we must!

Secret interpretations of secret law is no way to govern our world. By remaining in the shadows, our intelligence agencies – and the governments who control them – have removed our ability to challenge their actions and their impact upon our human rights. Trawling through clues in the Snowden documents, and declassified documents in the UK National Archives, we have the most complete picture we’ve ever had of how the secret club operates.

Exposing them through research, campaigning and litigation is the only way to hold them to account. This talk will reveal the results of Privacy Internationals investigation into the secret club, how European intelligence agencies swap and share their data, and their co-operation with the Five Eyes alliance!


The Creepy New Security Credit Score for Spotting “Insider Threats”

Almost two years after Edward Snowden climbed the world stage, the intelligence community is just now putting the finishing touches on a computer-driven system for catching insider threats– one that promises not just to detect future Snowdens and Mannings in the act, but also to predict who the next leakers will be.

The new method, meant to identify leakers of classified information but also homegrown terrorists, drug financiers, school ground shooters, and even sexual predators, builds the security equivalent of a “credit score.” It would secretly attach to every individual, while automatically generating and changing scores as behaviors and associations trigger indicators of anomalous activity.

The initial “security scores” would be applied to insider threats (or “InThs” as they are now being called internally)—that is, people “affiliated” with the federal government. But the definition of who qualifies as being an insider is already so broad, and the methods of activity monitoring so widespread and promising, that it’s only a matter of time before some kind of security score system is applied universally.

After Snowden accessed and then downloaded over 1.5 million Top Secret documents from internal networks, some immediate changes were made in intelligence community practices. According to NextGov:

Any piece of data ingested by NSA systems over the last two years has been meta-tagged with bits of information, including where it came from and who is authorized to see …

Tagging both the data and the individual user, NSA thinks, will expose what data any individual accesses and what they do with it. It sounds definitive and big brotherish, except that there are hundreds of thousands of workers and part of the analytic process requires them to legitimately access huge amounts of data to do their jobs. Automated, real-time deterrents are the hope of deterring all but the most fervent and sneaky insider, intelligence sources say. But to catch the next Snowdens?

More on Gawker PhaseZero: The Creepy New Security Credit Score for Spotting “Insider Threats”


Monopoly-Finance Capital, the Military-Industrial Complex, and the Digital Age

Surveillance-cartoon-kidsBy John Bellamy Foster and Robert W. McChesney

The United States came out of the Second World War as the hegemonic power in the world economy. The war had lifted the U.S. economy out of the Great Depression by providing the needed effective demand in the form of endless orders for armaments and troops. Real output rose by 65 percent between 1940 and 1944, and industrial production jumped by 90 percent.1 At the immediate end of the war, due to the destruction of the European and Japanese economies, the United States accounted for over 60 percent of world manufacturing output.2 The very palpable fear at the top of society as the war came to a close was that of a reversion to the pre-war situation in which domestic demand would be insufficient to absorb the enormous and growing potential economic surplus generated by the production system, thereby leading to a renewed condition of economic stagnation and depression.

Assistant Secretary of State Dean Acheson declared in November 1944 before the Special Congressional Committee on Postwar Economic Policy and Planning, that if the economy slipped back to where it was before the war “it seems clear that we are in for a very bad time, so far as the economic and social position of the country is concerned. We cannot go through another ten years like the ten years at the end of the twenties and the beginning of the thirties [i.e., the Stock Market Crash and the Great Depression], without the most far-reaching consequences upon our economic and social system.” Acheson made it clear that the difficulty was not that the economy suffered from a lack of productivity, but rather that it was too productive. “When we look at the problem we may say it is a problem of markets. You don’t have a problem of production. The United States has unlimited creative energy. The important thing is markets.”3

Postwar planners in industry and government moved quickly to stabilize the system through the massive promotion of a sales effort in the form of a corporate marketing revolution based in Madison Avenue, and through the creation of a permanent warfare state, dedicated to the imperial control of world markets and to fighting the Cold War, with its headquarters in the Pentagon. The sales effort and the military-industrial complex constituted the two main surplus-absorption mechanisms (beyond capitalist consumption and investment) in the U.S. economy in the first quarter-century after the Second World War. After the crisis of the 1970s, a third added surplus-absorption mechanism, financialization, emerged, propping up the underlying system of accumulation as the stimulus provided by the sales effort and militarism waned. Each of these means of surplus absorption were to add impetus in different ways to the communications revolution, associated with the development of computers, digital technology, and the Internet. Each necessitated new forms of surveillance and control. The result was a universalization of surveillance, associated with all three areas of: (1) militarism/imperialism/security; (2) corporate-based marketing and the media system; and (3) the world of finance. […]

More on Monthly Review: Surveillance Capitalism


Online IP netsurveillance cameras of the world

20110409012336235611ef203c4ef9efb816453ff9b3e7

Sometimes administrator (possible you too) forgets to change default password like ‘admin:admin’ or ‘admin:12345’ on security surveillance system, online camera or DVR. Such online cameras are available for all internet users. Here you can see thousands of such cameras located in a cafes, shops, malls, industrial objects and bedrooms of all countries of the world. To browse cameras of the world just select the country or camera type.


The spy station that will probably come in from the cold

russia-sigint-facility-cuba.si

The media this week was full of reports that Russia is making a deal with Cuba to reopen a former spy base that provided “75% of Russia’s Strategic Information” on the US during the Cold War. The facility, built in 1964, opened in 1967 after the Cuban missile crisis, and was closed in 2001. Some reports say it was closed due to “US pressure”. Others say it was closed to “improve relations with the US” after the September 11 attacks.

According to RT, Putin denied Russia was planning to reopen the Soviet-age SIGINT facility. Russia can “meet its defense needs without this component” and has no plans to renew its operation, Putin assured journalists on Wednesday.

But then the article in RT closes with:

No detail of schedule for the reopening the facility, which currently hosts a branch of Cuba’s University of Information Science, was immediately available. One of the principle news during Putin’s visit to Havana was Moscow’s writing off of the majority of the old Cuban debt to Russia. The facility is expected to require fewer personnel than it used to, because modern surveillance equipment can do many functions now automatically.

With the Lourdes facility operational again, Russia would have a much better signal intelligence capability in the western hemisphere.

“Returning to Lourdes now is more than justified,” military expert Viktor Murakhovsky, a retired colonel, told Kommersant. “The capability of the Russian military signal intelligence satellite constellation has significantly downgraded. With an outpost this close to the US will allow the military to do their job with little consideration for the space-based SIGINT echelon.”

And the Moscow Times mentions:

Russian business daily Kommersant had cited an unnamed defense official on Wednesday as saying that an agreement had been signed during Putin’s visit to Cuba to reopen the base, leading to a flurry of speculation that Russia was preparing to intensify intelligence efforts against the U.S.


Encryption For Beginners In an Era of Total Surveillance

By @AnonyOdinn   (Published May 23, 2013 / Republished July 10, 2014)

If you’ve read the news lately, you’ve pretty much caught the drift of what’s going on. Surveillance is fast spreading to become a universal problem, governments are becoming the largest sponsors and purchasers of intrusive malware, and for all intents and purposes, all so-called “secure” systems are, simply put, not secure – at least not from governmental intrusion, and certainly not from the steady increase of corporate intrusion – a growing problem in a world where the concept of an open and free net is more at risk than ever.

The purpose of this simple tutorial is to provide some encryption for beginners. No lies here, the process of setting up software that helps protect your privacy, is not as easy as just using facebook or installing an ordinary browser. It takes a little (but not much) work. Fortunately, you don’t need to have any technical skill at all in order to set up and use these tools. The guidance is here for you. The purpose of programs which provide good encryption, with off-the-record communication, is to provide you with privacy you deserve. This is needed for ordinary people. Even the people at NASA, should consider using these tools: They are two examples of people who have been taken offline by copyright robots that auto-detected “violations” of a NASA Mars Curiosity Rover youtube stream and took them offline. Does having gmail help you? It wasn’t enough for General Petraeus to hide his intimate affairs with Broadwell: If it can happen to them, It can happen to you too. But – not if you are using good encryption tools and software that hides your “address” online. To do this: You need simple tools that facilitate privacy, security, and a certain level of anonymity to help avoid problems from happening to you. This will help you do that.

This is not a tutorial on hacking. This is simply about maintaining your privacy.

A couple of points before you proceed. No system is perfect — the following recommendations are good, but are not guaranteed to protect you perfectly in every circumstance. The level of encryption and protection of your privacy provided below is designed to protect you from most corporations and governments most of the time. It is said, “most of the time,” because security is never guaranteed – you yourself must determine your appropriate level of security and ensure that your communication (and by extension, yourself) are kept safe.

If you are a journalist, or if you have special reason to believe you may be the subject of an active investigation due to your being named in a pending case or other similar matter, you should take other precautions, including reducing your online exposure when you are active in the field. If you fall into one of those categories, consider seeking a professional consultation with a computer security firm that can provide you with services tailored to protect you in a way that is particular to your needs and situation. Shop around. None will be specifically recommended for you here. For general recommendations and thoughts on various subjects, see the privacy pack.

Let’s Begin

Grab a pen and paper (or just open up a pad on your screen)
Now go to the IP Checker and make a note of what you see, save the result.
This will be important for later.

The Tor Project

Perhaps you’ve heard of this. The TOR project, simply put, will be a new browser for you to install which will help anonymize your online activity. Basically it helps hide the address where you reside online while you are active online. There’s not much to it. Just install the browser.

However, if you are installing TOR in Ubuntu or Debian, please read this install guidance all the way through.

Go here for any difficulties or general TOR questions.

It is recommended to leave general entry/exit up to the Tor anonymizing network.

If you ever have to troubleshoot TOR or deal with a problem you encounter with TOR on the fly, this is an excellent resource. Do not wait until you have problems to read this. Read it now, it may save you trouble already. Firefox users and those using proxies in particular.

The Tor Project: Tor Tails

This is a part of the TOR project you can use on a computer if you don’t want to install TOR but if you do want to run TOR to partially anonymize your online activity. This is helpful if you need to run TOR on a workstation you are not normally doing your thing on. TOR tails runs from a USB stick or a DVD or CD. That’s right, you don’t have to install it on your computer.

Tails is a complete operating system (it does not just include TOR). You can do everything in Tails based on the USB you have it on, and it won’t ‘remember’ anything. If attempting to use it in tandem with Pidgin/OTR check your settings (see rest of tutorial below) to ensure they are in place.

Start Fresh

Make sure you have TOR running before doing this step.

Check your IP again at that link you visited in the first step “Let’s Begin”.
Does it still show your IP address? It should not anymore.
Also check if your TOR is working.
Check your TOR settings.
Recheck until you are no longer revealing your IP address to that site.

Once that’s done, Obtain (create) an e-mail address that is not connected to your name or any of your social profiles. Do not use the password that you use for anything else and do not use your name or any part of your name when creating the e-mail address. If using this e-mail address to create a social profile, ensure that the new social profile name does not have anything to do with your real name. Come up with something different. If you don’t want to use an e-mail address for very long, google the search term: temporary e-mails
Find a site on the list of results. Create e-mail address(es) for yourself as needed.

Install Pidgin or Adium

To communicate off the record in an encrypted way, you should utilize either Pidgin (OTR) if on Windows / PC or Adium, if on Mac. While it’s good to use this Pidgin or Adium alone, if you are using one of these while also running TOR, even better – you are working to hide your IP address while also communicating in an encrypted, off the record fashion. (Do not utilize Skype or similar software for private communication, as the communications from that software are logged through central servers. Consider limiting to a minimum (or stop) any communication you are doing through facebook, as this is not a secure way to communicate ~ “private messages” are not private in that system. Twitter is considered reasonably secure for communication as the company has a good record of protecting user privacy, however, its ‘private’ direct messages are increasingly viewed by government due to surveillance techniques including National Security Letters, administrative subpoenas, and warrantless surveillance. Minimize your direct messaging or delete those direct messages that you have sent once the conversation is complete. This is not a method of avoiding surveillance, it is simply a recommendation.)

Pidgin and Adium work in a true peer to peer manner in which the encrypted communication does not involve any intermediary service pulling (logging) your data in order to complete the process of communication.

When you create your username, create a name that has nothing to do with your e-mail address or any of your social media accounts nor should it be anything at all like your actual name.

A simple (archived) instruction on how to set up Pidgin or Adium is here.

It is important you follow the instruction and select the XMPP option in order to maximize privacy and ensure proper setup.
Use servers which are known not to log your activity, for example, dukgo.com

To ensure that the server you use does not log your activity, after setup is complete, go into options, and make sure you go into Preferences (in Pidgin), similar in menu in Adium, and uncheck everything under the Logging tab.

Then, go to the Proxy tab and configure for TOR/Privacy (SOCKS5) selection. It’s a dropdown menu item.
Enter 127.0.0.1 for the host
Enter 9050 for the port
Leave user/pass blank

Go to Accounts, Manage Accounts, click on your account, click Modify
Go to the instructions here.
Check under the advanced tab and see if it is set up properly in the Connect Server area. (ignore the riseup stuff in the File Transfer Proxies area unless you are using a riseup account with it)

If you are using TOR with Adium and a Riseup account you need to read this. In fact, if you are using TOR with Adium, even if you are not a Riseup user, read that. If you are an Adium user you will find your way through this process in the Proxy area with the SOCKS5 setting.

If you’ve installed Pidgin you want to make sure you get the OTR extension. This is critical to your security. Your communications will not be private in Pidgin without it. You can get it here. Once you’ve downloaded it, go into the Tools menu, then Plugins, find Off-The-Record messaging, and make sure it’s checked. You are good now.

If you are an Ubuntu user trying to install OTR, go here.  Installation instructions for other systems are also available at the downloads area.

This isn’t necessary for Adium users as the OTR (off the record) feature is already incorporated into Adium. However, if you are an Adium user (on Macs), it is important you turn off your Growl. Your Growl being on will cause information leakage and compromise your privacy.
If you don’t know how to turn off Growl you can see the answer at this link.

More info on Pidgin, etc., is available here. However, it is recommended that the instructions above be followed for best security.

Once you’ve added a buddy you want to start a private conversation with a buddy using the OTR tab if in Pidgin or just start a conversation with a buddy if in Adium. If you are in Adium, make sure your menu settings are set to Initiate Encrypted OTR Chat every time. (There is a “lock” that should show as locked closed that confirms this.)

If you are in Pidgin, IMPORTANT, you must take the additional step of following these instructions.

Ask the person you are connecting with to authenticate so that you and that person share information back and forth. If it is the fingerprint of each other you share, or if you ask each other questions that only each of you could answer, make sure that those answers are shared between you only outside of the Pidgin / Adium environment (in person, or via twitter DM, etc). This ensures that you know the person actually is who they say they are.

At this point with TOR and Pidgin or Adium configured all together you are able to communicate with encryption, off the record, and without disclosing your “IP” – your computer’s address – to the network. This is the level that most people should be at to protect their private communication.

The Final Layer

VPNs (Virtual Private Networks) are another option, another layer you can add (if you choose). This will likely require that you tweak settings in your Pidgin or Adium, but try it just the way it is already set up and see how it works once you add a VPN. (You may need to adjust your Pidgin / Adium settings based on the VPN setup.) Here are some examples of recommended VPNs. (You’ll want to stick with ones that don’t log and that allow for you to pay in bitcoin or a different cryptocurrency, should you so choose.)

Due to laws and extraordinary surveillance going on from the United States we recommend when you set up your VPN once the service is up, select from the list of servers and pick ones that are outside the United States. Servers in Czech Republic or alternately in Romania are recommended due to their minimal to zero data retention laws and their Constitutional decisions which have struck down attempts at data retention.

Additional information from EFF Surveillance Self Defense is here.

Even more info

5 minute summary: Data Retention

Status of countries (in EU) implementing data retention

Have fun out there – and stay safe!


Systematic Government Access to Personal Data: A Comparative Analysis

surveillance-camera-cartoonReport from 2013 by Ira Rubinstein, Greg Nojeim and Ronald Lee.

(Ronald Lee took no part in the preparation of any portions of this report referring to US government activities and programs.)

Executive Summary

In recent years, there has been an increase worldwide in government demands for data held by the private sector, driven by a variety of factors. This includes an expansion in government requests for what we call “systematic access:” direct access by the government to private sector databases or networks, or government access, whether or not mediated by a company, to large volumes of data. Recent revelations about systematic access programs conducted by the United States, the United Kingdom and other countries have dramatically illustrated the issue and brought it to the forefront of international debates.

Although it seems that systematic access is growing, there are also cases – in Germany, Canada, and the UK – where government proposals for expanded access have recently been rejected due to public and corporate concerns about privacy, cost, and the impact on innovation.

This report is the culmination of research, funded by The Privacy Projects, that began in 2011. In the first phase of the study, outside experts were commissioned to examine and write reports about laws, court decisions, and any available information about actual practices in thirteen countries (Australia, Brazil, Canada, China, France, Germany, India, Israel, Italy, Japan, South Korea, the United Kingdom, and the United States). Two roundtables were held with private sector companies, civil society, and academics. Based on that research, for this report we identified a number of common themes about the countries examined and developed a descriptive framework for analyzing and comparing national laws on surveillance and government access to data held by the private sector. We also developed a normative framework based on a series of factors that can be derived from the concept of “rule of law,” from constitutional principles, and from existing (although still evolving) international human rights jurispudence.

Key findings

We found that in most, if not all countries, existing legal structures provide an inadequate foundation for the conduct of systematic access, both from a human rights perspective and at a practical level.

Even after the Snowden leaks, transparency remains weak, so we lack an accurate or comprehensive understanding of systematic access.

  • The relevant laws are at best vague and ambiguous, and government interpretations of them are often hidden or even classified.
  • Practices are often opaque; it is sometimes in the interests of both governments and companies to proceed quietly, and the companies are often prohibited from public comment.
  • Oversight and reporting mechanisms are either absent or limited in scope when they exist, and generally do not reach voluntary data sharing.

In every country we studied, even those nations with otherwise comprehensive data protection laws, access for regulatory, law enforcement, and national security purposes is often excluded from such laws, or treated as accepted purposes for which access is authorized under separate laws that may or may not provide adequate safeguards against possible abuses. Moreover, almost everywhere, when it comes to data protection, access for national security purposes is more sparingly regulated than is access for law enforcement purposes.

Overall, it seems there has been relatively little discussion of the complex legal and political issues associated with asserting jurisdiction over data stored in other countries or relating to citizens of other countries. Also, until the recent disclosures, discussion of the complex questions regarding extraterritorial application of human rights raised by trans-border surveillance has been lacking.

While standards for real time interception of communications for law enforcement purposes are high in most of the countries we surveyed (but not in India and China), standards for access to stored communications held by third parties are less consistent. When it comes to transactional data regarding communications, standards are even weaker.

With respect to the standards for government access to communications in national security investigations, the overall picture is very complex. Almost half the countries studied do not have provisions requiring court orders for surveillance undertaken in the name of national security or for foreign intelligence gathering.

Most countries handle travel and financial data under laws requiring routine, bulk reporting for specified classes of data.

Conclusions

We reached four major conclusions, each of which has policy implications:

  1. Technological developments associated with the digital revolution make it easier than ever for governments to collect, store, and process information on a massive scale. Governments seem to be exploiting these developments and responding to pressing threats such as terrorism by demanding more information.
    • Policy implications: The trend toward systematic collection poses challenges to the existing legal frameworks because many of the statutes regulating government access and data usage were premised on particularized or targeted collection, minimization, and prohibitions on information sharing and secondary use.
  2. As Internet based services have become globalized, trans-border surveillance – surveillance in one country affecting citizens of another – has flourished.
    • Policy implications: Statutory frameworks for surveillance tend to be geographically focused and draw distinctions between communications that are wholly domestic and communications with one or both communicants on foreign soil. Moreover, statutory frameworks, as far as we can tell, often draw a distinction between the collection activities that an intelligence service performs on its own soil and the activities that it conducts extraterritorially.

Lowered standards for trans-border surveillance have a substantial impact on companies that offer global services and want to be able to assure their customers worldwide that their data is secure. It also raises human rights questions about the existence and scope of state duties to protect and respect privacy and free expression of people outside the state’s territorial boundaries.

  1. In the post 9/11 world, as technological capabilities are increasing, and as global data flows are expanding exponentially, national security powers have also been getting stronger.
    • Policy implications: This combination of powerful technology and weak laws raises questions relating to the trust that citizens, customers, and users vest in governments and corporations alike, and has begun to upset diplomatic relationships and international trade.
  2. This expansion in powers has been conducted in extreme secrecy.
    • Policy implications: The lack of transparency makes it very difficult to have a rational debate about governmental powers and concordant checks and balances. The lack of openness is leading to proposals that could fragment the Internet, harming both innovation and access to information.

What we need globally is a robust debate about what the standards should be for government surveillance. That debate should be premised on much greater transparency about current practices and their legal underpinnings. Based on this study, we believe that international human rights law provides the most useful framework for making progress on these issues because it offers well established criteria for assessing national surveillance and data reporting laws and practices.

Source: Systematic Government Access to Personal Data: A Comparative Analysis (pdf)

Note: Simply stop all power elite games. Time for a power-down-the-farting show. While still able to do so in somewhat a semblance of graceful dignity.