Monthly Archives: June 2013

Going off the deep end over PRISM

Darth Vader pulls up a PRISM developer on frequency of cat images pulled from Facebook

The degree to which stories about governments mucking around with the Internet (eg SOPA) turn into forewarnings of an impending apocalypse really demonstrates how shallow our appreciation of the world around us has become.

On any given day, the US Military could fly a drone aircraft into northern Pakistan, a sovereign nation, ostensibly in search of terrorists, and kill 30-40 civilians. This would barely make the international news cycle, but as soon as a Government agency starts looking at pictures of people’s cats on Facebook, it’s the end of the world.

That is not to say that digital snooping on the part of a State agency is a trivial matter; it isn’t, but it needs to be presented in the correct context, rather than with the type of alarmist rhetoric that has accompanied recent reporting of PRISM.

To believe various organisations who specialise in State paranoia, and indeed certain news organisations, PRISM is a real-life version of Skynet, programmed and managed by Darth Vader from a city-sized space ship somewhere in outer space.

On the other side of the coin, the agency that developed PRISM, the NSA, have claimed that PRISM is entirely innocuous (if you’re a US citizen) and of no more concern to your digital privacy than posting a Facebook update about what you had for lunch.

And who is telling the truth?

Well, that’s the thing, we just don’t know, but as in all these things, the truth is probably as far from either extreme as is mathematically possible.

What we do know is as follows:

1. US Law permits the NSA and FBI to obtain data about users from Internet companies whose networks are in the US. Information can be requested about individual users, groups of users and trends. For instance, if the NSA wants the personal details of any users who have used the phrase “bomb in my backpack”, they can legally obtain this from the likes of Google and Facebook.

2. To facilitate this (the transfer of data from the companies to the agencies), agencies like the NSA have hardware located on the premises of these companies. This was explicitly referred to in some of the documents leaked to the Washington Post and the Guardian.

3. Companies affected are legally prevented from disclosing the nature or existence of such systems (which is why they didn’t refer to the existence of such equipment in their statements about PRISM).

4. Companies like Google and Facebook, for whom privacy is a key selling point in the delivery of their services, are not required to allow any State agency to connect directly to their servers. They are only required to provide data in accordance with specific legal requests, as indicated in their various responses to the PRISM story.

And that’s really about it.

What this paints a picture of is a permanent and sophisticated IT infrastructure that allows the likes of the NSA and FBI to quickly obtain specific data from private companies when those agencies have obtained legal permission to do so.

The payload of data, which is derived from parameters entered into the system, could include a large portion of information which is of no interest or value to those agencies (eg a picture of your cat), but it is gleaned nonetheless. Seemingly, only that information that is relevant to the particular investigation made by the agency is kept and used further.

What this doesn’t paint a picture of is a system which is sucking every single piece of data directly out of Facebook and storing it permanently in a State owned database which is then opened up to tax authorities, health insurance companies and private detective agencies.

So, is this something you should be worried about? Well, yes and no.

Yes, because it demonstrates yet again that US citizens have no problem with their Government pushing the envelope on civil liberties to the absolute limit in terms of protecting “National Security”; and no, because if you’re a regular, sane person, you’re not including highly sensitive personal information in Skype chats and Facebook status updates, let alone sharing plans for dirty bombs with your friends, and will therefore not be of any interest to anyone working for the NSA or FBI.

But isn’t there some sort of principle involved here, that should prevent the State looking into your innermost secrets, even if those secrets involve no more than pictures of your cat? Isn’t it the thin end of the wedge, that will ultimately result in CCTV in our living rooms?

Probably, yes, but these compromises arise all the time in our daily lives. A law enforcement officer can stop any motorist at any time and ask them to perform a breath test; you can be denied bail even if you have not been convicted of a crime; tax authorities can require you to provide details of your income and assets.

All of these are infringements of civil liberties that we take for granted, partly because we recognise their value in preserving order in society, and partly because they have been around for a long time.

However, when it comes to the Internet, perspective seems to go out the window at even the slightest mention of State intrusion. The difference seems to be that the Internet is regarded as some sort of frontier territory which has been colonised by “good guy” activists and which the State now belatedly wants to control. The fact that the Internet is also a “hip” subject to offer your opinion on (unlike dead Pakistani peasants) and widely misunderstood in technical terms are also contributing factors.

And what of claims from EU leaders, that the NSA is infringing the rights of EU citizens by looking at their data?

There may be something in this, but how it can possibly be policed is beyond me. Are we going to have an EU-only Facebook, Google and Twitter, where nobody in the US can interact with anyone in the EU, and vice-versa, or is the EU Commission going to ban Google unless Google locates its entire data infrastructure (for the entire world) in the EU?

This would appear to be another case of politicians thinking that global data communication can be regulated in the same way as dog licenses.

Over the coming weeks, a lot more technical detail will probably emerge in relation to PRISM. The NSA will most likely review its use, and rebuild it in some other way, and the detail about the old system will lose its security value.

This will give us a better picture of what PRISM was/is capable of. It may be the case that Darth Vader is in fact at the controls, but I’m guessing that probably isn’t true, so for now, just follow the Golden Rule re. Internet Privacy and you’ll be fine:

Nothing on the Internet is private