Hiding in Plain Sight
“Charity, dear Miss Prism, charity! None of us are perfect. I myself am peculiarly susceptible to draughts.” (Dr. Chasuble, in The Importance of Being Earnest)
Not long ago, I was – inevitably – asked a number of questions about NSA and Prism, one of which was “Can you protect yourself against it somehow?”
To which I responded: “I suspect that effective self-concealment from SIGINT functionality like ECHELON is probably not only out of reach of the average person, but might also actually attract more active investigation.”
And it seems I wasn’t far wrong. Subsequent revelations indicate that – as Lisa Vaas of Sophos (among many others) observed – Using Tor and other means to hide your location piques NSA’s interest in you. That works because people who hide their location will be assumed to be non-Americans, and those of us outside the US are considered fair game even if we’re communicating with Americans. Still, there’s a sufficiency of loopholes that make USians talking to Usians almost equally justifiable as targets.
In particular, it turns out that “all communications that are enciphered or reasonably believed to contain secret meaning” are also fair game, even if they’re known to be domestic. But the grounds for hanging onto harvested information apparently include communications containing “significant foreign intelligence information”, “evidence of a crime”, “technical data base information” (such as encrypted communications), or “information pertaining to a threat of serious harm to life or property”. You might wonder how many electronic communications aren’t encrypted these days at some stage during their transmission… But I suppose it doesn’t really matter whether the NSA is exceeding its brief by paying too much attention to too many all-American transactions, since apparently the UK’s GCHQ is tapping every fibre-optic cable it can lay hands on and sharing its data with our Transatlantic cousins.
It might seem strange that the security community isn’t getting more worked up about all this, but that’s probably because none of us really believe that government and law enforcement agencies worldwide aren’t carrying out information gathering and analysis to the fullest extent that their resources permit. The problem with establishing a balance between the right to privacy of the individual and the right to security of the majority is not really about the gathering of information. Not that there’s much likelihood of the forty-niners (I’m thinking Gold Rush, not football) of the world’s intelligence agencies giving up panning the gravel beds of the world’s data streams.
What really matters is (a) what they do with the nuggets and (b) what they do with stuff that isn’t nuggets. It would be nice to think that where legislation limiting the State’s right to surveillance fails because of the sheer volume of data, legislation limiting the use that can be made of information gathered collaterally would at least partly compensate. However, it’s none too clear that this is the case right now in the Five Eyes community, far less among states with less of a tradition of observing democratic and libertarian principles. In the meantime, if you’re at all concerned about the privacy of your data, you might want to consider John Leyden’s suggestion of a combination of carrier pigeon and one-time pad. Bearing in mind that if an out-of-band communication does come to the attention of the authorities, it’s likely to attract attention rather than deflect it. Which is where I came in.
“The good ended happily, and the bad unhappily. That is what fiction means.” (Miss Prism, in The Importance of Being Earnest)