Strife

The Academic Blog of the Department of War Studies, King's College London

You are here: Home / Archives for Surveillance Technologies

Surveillance Technologies

Strife Series on Intelligence in the digital age, Part II – Surveillance, data protection and the right to privacy

by

By: Felix Manig

Security camera installations are seemingly ubiquitous in our modern lives.

Counterterrorism efforts in the digital age are characterized by the ability of certain governments to systematically intercept, collect and analyze metadata and private information worldwide. Through the disclosure of classified information on covert global surveillance programs in 2013, the ex-NSA contractor Edward Snowden initiated an important debate on the balance between national security and civil liberties. While proponents of extensive surveillance legislation argue that these measures are necessary in the 21st-century fight to uncover and neutralize terrorism plots, the indiscriminate interception and retention of personal data poses serious challenges to international human rights law.

Surveillance and human rights law

Article 17 of the International Covenant on Civil and Political Rights asserts the right to privacy and prohibits states from unlawful and arbitrary interference with the privacy of individuals within their jurisdiction. The Covenant clearly states that any search, surveillance or collection of data about a person must be lawful and authorized. Furthermore, once personal information is collected, states and their relevant agencies must ensure the protection of data against unlawful or arbitrary access. It is evident that governments have an obligation to develop legitimate counterterrorism measures and the rights of victims of terrorism should be the focal point when discussing the proportionality of such strategies.  However, governments with the necessary capabilities have institutionalized operations and legislation which is simply not compatible with the Right to Privacy under article 17.

And we do not have to look far for drastic examples. In November 2016, the British government passed the Investigatory Powers Bill, better known as ‘The Snooper’s Charter’, which is arguably the most extreme surveillance law in the western world today. The bill provides British intelligence agencies with extensive powers of snooping, recording and hacking of communications data, forces service providers to store details of customer online movement for 12 months, and makes this information accessible to dozens of public authorities. This bill, which astoundingly attracted little public outcry, effectively removes the right to online privacy and was scrutinized by the European Court of Justice.

Tensions between intelligence agencies and private technology enterprises

Despite the introduction of such worrying legislative measures, intelligence agencies have voiced concern that they are losing the technological edge over potential terrorists as tech companies are increasingly focusing on developing sophisticated encryption tools and software to reassure their customers’ privacy concerns. The rift between agencies and tech giants surfaced publically when Apple rejected an FBI order to unlock the iPhone used by the San Bernadino shooter Syed Farook. Other companies like Google and Facebook consequently doubled down on statements denying law enforcement agencies a backdoor access to their servers and products. Understandably, those with bad intentions can equally access proprietary encryption software and drop off the radar to avoid eavesdropping. Yet, it appears that major companies have formed a consensus to place a premium on user privacy and security, and warned of the potential implications of providing agencies with access to virtually any of their products. This move is likely to spread through companies dealing with vast amounts of user data as their customers are becoming increasingly wary about privacy concerns. Many messaging services such as ChatSecure or WhatsApp have options to encrypt content its users write and share. By using a virtual private network (VPN), users can circumvent geo-restrictions, censorship, and increase their security when online. Lastly, so-called ‘proxy servers’ hide the online traffic of devices and provide anonymity.

The road ahead

In their fight against terrorism, it is crucial for governments to take this balance seriously. The Investigatory Powers Bill flies in the face of the principle of proportionality and fails to protect individuals from arbitrary targeting. Ben Emmerson, Special Rapporteur on counterterrorism and human rights for the UN, has made important recommendations for the way forward. He calls for detailed and evidence-based public justification for the systematic surveillance of the online community, stresses the need for strong and independent oversight bodies to assess existing programs, and proposes case by case decision-making on the proportionality of interfering with an individual’s data.

If unchecked, the current technological capabilities of intelligence services have serious negative impacts on the privacy of everyone relying on modern technology in their daily lives. In the end, the question of surveillance and privacy falls in line with the greater theme of balancing liberty and security. There is an argument to be made that sacrificing more freedoms to ensure our security is a false choice. The NSA itself has failed to provide compelling evidence that its programs had directly thwarted any terrorist attack, thereby posing serious questions about effectiveness.

The question of liberty versus security is clearly an ideological one with no easy answers. Nonetheless, this debate is now more necessary than ever. Until this debate takes place in a meaningful and serious way, all that ordinary citizens can do is take small steps to protect themselves and their data when accessing the internet.

Felix (@felix_manig) is a postgraduate in International Relations at King’s College London. He focuses on conflict resolution strategies, political violence, and human rights. Outside of academia, he is Series Editor at Strife and advocates for human rights defenders across the world at Peace Brigades International. 

This Strife series focuses on intelligence in the digital age and will have contributions by Jessica Malekos Smith on Russian intelligence operations; on TOR and the challenges around anonymity by Charlie Campesinos; on Proprietary vs Open source encryption by Hemant S; on digital surveillance by Felix Manig and finally an interview with Prof David Omand of King’s College London on intelligence reforms in the UK. 

Image credit: http://www.riams.org/2012/10/31/changes-to-ripa-removal-of-surveillance-powers-2/

Feature image credit: http://bordc.org/news/baltimore-polices-secret-surveillance-comes-light/

PROXY Capabilities – Spying by Proxy: The Privatisation of Surveillance

by

This is the fourth piece in a series of articles we will be featuring on Strife in the coming week looking at the role of Proxy Warfare in the 21st century by Series Editor Cheng Lai Ki. Previous articles in the series can be found here.

By: Saher Naumaan

dgfsdgsgf
Source: Computer World

Intelligence agencies have long conducted their own surveillance domestically and abroad. However, is outsourcing surveillance an emerging trend for governments? Following the Snowden leaks in 2013, the role of telecommunication companies and Internet Service Providers as intermediaries allowing intelligence agencies access to user data was exposed. The United States tried to obligate companies—such as Google and Yahoo! who own and operate the infrastructure of cyberspace—to become agents of government controls in the private sector, monitoring threatening or suspicious activity in their own networks. This has resulted in the companies becoming an extension of government surveillance

Beyond this debate, private companies who design, sell, and employ surveillance hardware and software, have begun to act as proxies for intelligence agencies. While they don’t directly gather data, they develop the tools that enable spying on the public. In 2011, the Wall Street Journal reported that the global surveillance industry was valued at $5 billion and increasing dramatically from virtually zero prior to September 11.[1] The lawful interception industry in particular is estimated to reach $1.3 billion by 2019, up from just $251 million in 2014.[2] Private companies are profiting from the rapidly expanding market for off-the-shelf surveillance technologies that governments are so keen to acquire. The development of this industry and its popularity among government agencies is part of a larger trend in the privatisation of the creation and application of surveillance technologies.

Intercept Technology

When one communicates online or browses the internet, the data is transmitted over telecommunication companies’ fibre-optic cables to reach the recipient.[3] Attaching splitters to these wires at telecommunication junction points allows the government to intercept communications. The data travelling through the cables is duplicated and one copy diverted to the government, as technician Mark Klein revealed to be the case at the AT&T facility in San Francisco.[4] The equipment installed in this case was a Narus Semantic Traffic Analyzer, used for data packet inspection—tracking and filtering data as it travels through the network. Similar to Narus, another company called Verint taps the communications at Verizon. Under an NSA program, FAIRVIEW, these companies installed surveillance equipment capable of targeting Internet Protocol traffic in real time and sending the data (emails, chats, etc.) to the NSA.

But the NSA isn’t the only government agency engaging in surveillance using invasive technologies. International Mobile Subscriber Identity (IMSI) catchers are tactical interception technologies that capture the information identifying mobile phones in the target area. Behaving as a fake cell-tower, an IMSI catcher is able to intercept communication and manipulate a phone’s functions by emitting a signal that connects the phone to it. The most well-known IMSI catcher, the “StingRay” sold by Harris Corporation, has been used by state and federal authorities in the United States for years.[5] The Federal Bureau of Investigation (FBI) and other law enforcement agencies use these intrusive surveillance tools to track and monitor suspects and dispense with the need for warrants. A notable example of this application is a case in Arizona where the legality of a StingRay’s use was challenged following the FBI’s warrantless deployment of the device to locate and arrest the suspect.[6] Even more troubling are the signs that the acquisition of tactical spyware has expanded to private security and military companies,[7] and the creation of IMSI catchers for example has become “democratized,” or a capability not exclusive to law enforcement.[8] Its prevalence among other actors means increased vulnerability of cellular networks and individuals to foreign governments, hackers, criminals, or any party with the knowledge and resources to build an IMSI catcher.

Hacking Tools

Interception can also take the form of “Computer Network Exploitation” or government speak for “hacking.” Computer exploitation allows governments to hack people’s mobile phones and computers, record their activity, and read the contents of their communications. Unlike PRISM which provides the US government with court-approved front-door access to user accounts under the Foreign Intelligence Surveillance Act, the MUSCULAR project infiltrated Google and Yahoo!’s back-end infrastructure, bypassing the companies’ security without their knowledge.[9] The NSA along with its British equivalent, the Government Communications Headquarters (GCHQ), was able to access communications in real time and search target activity through tapping the Google and Yahoo! clouds.

Other means of tampering with networks for surveillance purposes involve software such as “network injectors,” physical devices located inside internet service providers’ networks that can replace people’s internet browsing traffic with malicious code. Gamma International’s FinFisher products can corrupt files, send infected software updates, or inject code on websites that infects a user when it visits the sites.[10] Any unencrypted traffic is vulnerable to interception and even clicking on a link can exploit a target and infect the user’s device.[11] WikiLeaks exposed internal documents which showed that Hacking Team’s Remote Control System (RCS) can hijack mobile devices, access emails, record calls, and activate webcams.[12] After the private Italian company was hacked last year, internal documents also proved the FBI’s use of RCS in targeted surveillance operations.[13] The further discovery of the Drug Enforcement Administration as a Hacking Team client[14] not only shows the trend of surveillance technologies making their way from intelligence agencies to law enforcement, but also calls into question the legality of using this spyware.

ISS World: Where does the technology come from?

 Intelligence agencies in places like the US, Israel,[15] and China[16] have developed their own versions of tactical intrusion software. “Implants” can target and commandeer a mobile phone or computer; “trojan horses” disguised as legitimate software damage or control data; and “spear-phishing” to target specific parties by impersonating a known sender to access the network. These capabilities have recently been commercialized[17] and are now on the market for those who covet the technology but are unable to produce it themselves.

TeleStrategies Inc. hosts a conference and arms trade fair annually in several different regions called Intelligence Support System (ISS) World, which claims to be the world’s “leading Lawful Interception, HiTech Criminal Investigations and Intelligence Gathering.”[18] Major players in the private surveillance industry, such as Vupen Security SA in France and the previously mentioned Hacking Team and Gamma Group, market computer hacking tools and malware advertised as capable of circumventing or defeating encryption. Intelligence and law enforcement agency invitees from around the world attend to connect with vendors and train on industry practice and equipment.

Aside from the highly invasive and legally ambiguous nature of this spyware, the number of buyers is growing to include authoritarian regimes that use the tools to target their own citizens. The commercialization of digital spying is setting a precedent for the proliferation of surveillance technologies to actors with significant records of human rights abuses. Whether it is activists monitored during the Arab Spring,[19] US-based Ethiopian journalists targeted by their own government,[20] or political dissidents bugged in Panama and Columbia,[21] the burgeoning surveillance industry provides tools for all scenarios. According to TeleStrategies these products fall within the legal parameters of the export controls regime, the Wassenaar Arrangement, which was expanded in 2013 to include surveillance technologies.[22]

Concerted attention needs to be paid by legislators, jurists, and activists to resolve the increasing gap between the capabilities provided by surveillance technologies and the legal framework needed to regulate the use of those capabilities, otherwise the liberty, security, and privacy of global citizenry will continue to erode.

 

Saher Naumaan is a Master’s student in the War Studies Department at King’s College London and an editorial assistant for War on the Rocks. Her research interests focus on surveillance, technology, and security. She can be found on Twitter @sahernaumaan

 

 

 

[1] Jennifer Valentino-Devries, Julia Angwin, Steve Stecklow, “Document Trove Exposes Surveillance Methods,” The Wall Street Journal, November 19, 2011, http://www.wsj.com/articles/SB10001424052970203611404577044192607407780.

[2] “Lawful Interception Market worth $1,342.4 Million by 2019,” Marketsandmarkets.com, last modified August 2014, http://www.marketsandmarkets.com/PressReleases/lawful-interception.asp.

[3] Major telecommunications companies use fibre-optic cables, or other similar connection between the point of origin and the point of reception, for electronic voice or data communication. See more at: https://www.eff.org/files/filenode/att/mark_klein_unredacted_decl-including_exhibits.pdf.

[4] Kevin Poulsen, “Mark Klein Documents,” Wired, May 1, 2007, http://www.wired.com/2007/05/mark_klein_docu.

[5] Ryan Gallagher, “Meet the Machines that Steal Your Phone’s Data,” ArsTechnica, September 25, 2013, http://arstechnica.com/tech-policy/2013/09/meet-the-machines-that-steal-your-phones-data/.

[6] United States v. Rigmaiden, CR08-814-PHX-DGC, Dkt. #0674-1 [Declaration by FBI Supervisory Agent Bradley S. Morrison RE: Harris StingRay] (D.Ariz., Oct. 27, 2011). See https://www.documentcloud.org/documents/1282619-11-10-17-2011-u-s-v-rigmaiden-cr08-814-phx-dgc.html#document/p3/a220910.

[7] Ben Bryant, “The Black Market Dealers Selling Tactical Surveillance Equipment Online,” VICE Motherboard, January 15, 2016, http://motherboard.vice.com/read/the-black-market-dealers-selling-state-surveillance-equipment-online.

[8] Bruce Schneier, “The Further Democratization of Stingray,” Schneier on Security (blog), April 27, 2015 (6:27 a.m.), https://www.schneier.com/blog/archives/2015/04/the_further_dem_1.html.

[9] Barton Gellman and Ashkan Soltani, “NSA Infiltrates Links to Yahoo, Google Data Centers Worldwide, Snowden Documents say,” The Washington Post, October 30, 2013, https://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html.

[10] “Finfisher: Governmental IT Intrusion and Remote Monitoring Solutions,” WikiLeaks: The Spy Files, October 2011, https://wikileaks.org/spyfiles/docs/gamma/298_finfisher-governmental-it-intrusion-and-remote-monitoring.html.

[11] Morgan Marquis-Boire, “You Can Get Hacked Just by Watching This Cat Video on YouTube,” The Intercept, August 15, 2014, https://theintercept.com/2014/08/15/cat-video-hack/.

[12] “Remote Control System V5.1,” WikiLeaks, accessed March 25, 2016, https://wikileaks.org/spyfiles/files/0/31_200810-ISS-PRG-HACKINGTEAM.pdf.

[13] Joseph Cox, “The FBI Spent $775K on HackingTeam’s Spytools Since 2011,” Wired, July 6, 2015, http://www.wired.com/2015/07/fbi-spent-775k-hacking-teams-spy-tools-since-2011/.

[14] Lorenzo Franceschi-Bicchierai, “The DEA Has Been Secretly Buying Hacking Tools from an Italian Company,” VICE Motherboard, April 15, 2015, http://motherboard.vice.com/read/the-dea-has-been-secretly-buying-hacking-tools-from-an-italian-company.

[15] An extreme example includes Stuxnet, a virus jointly designed by US and Israeli intelligence to attack the computer systems that controlled the centrifuges in Iran’s nuclear enrichment program.

[16] While attribution remains difficult, US State Department cables revealed by WikiLeaks identify China’s People’s Liberation Army as responsible for certain cyber espionage incidents. See more at: http://www.reuters.com/article/us-china-usa-cyberespionage-idUSTRE73D24220110414.

[17] “The Surveillance Catalog: Where Governments Get Their Tools,” The Wall Street Journal, Updated February 7, 2012, http://graphics.wsj.com/surveillance-catalog/.

[18] “ISS World Training,” TeleStrategies.com, 2015, http://www.issworldtraining.com/AboutUS.html.

[19] Steve Stecklow, Paul Sonne, and Matt Bradley, “Mideast Uses Western Tools to Battle the Skype Rebellion,” The Wall Street Journal, June 1, 2011, http://www.wsj.com/articles/SB10001424052702304520804576345970862420038.

[20] Lorenzo Franceschi-Bicchierai, “Ethiopia Might Have Bought a Ton of Surveillance Tech,” VICE Motherboard, March 23, 2015, http://motherboard.vice.com/read/ethiopia-might-have-bought-a-ton-of-surveillance-tech.

[21] James Bamford, “The Espionage Economy,” Foreign Policy, January 22, 2016, http://foreignpolicy.com/2016/01/22/the-espionage-economy/.

[22] Collin Anderson, “Considerations on Wassenaar Arrangement Control List Additions for Surveillance Technologies,” Access Now, March 9, 2015, https://www.accessnow.org/cms/assets/uploads/archive/Access%20Wassenaar%20Surveillance%20Export%20Controls%202015.pdf.