I’m convinced that there’s a sociotechnical blind spot in how current technology handles access to personal devices. We, in the infosec community, need to start focusing more on allowing users the flexibility to handle situations of duress rather than just access control. Deniability and duress codes can go a long way in helping us get there.
Source: On Deniability and Duress
In recent months, and in the wake of a series of terrorist attacks across Europe, Germany, France and the United Kingdom — Europe’s biggest superpowers — have passed laws granting their surveillance agencies virtually unfettered power to conduct bulk interception of communications across Europe and beyond, with limited to no effective oversight or procedural safeguards from abuse.
Source: A New Era of Mass Surveillance is Emerging Across Europe | Just Security
“If an intelligence law is not well-conceived and rational, it could easily become a formidable weapon of repression. An intelligence law should not only protect citizens against terrorism, but also against the State. We in France are doing neither. There is a total absence of control in this law.”
— Marc Trévidic, former chief terrorism investigator for the French judicial system
America’s top spy and the future of surveillance.
“Is spying moral?”
After a pause, Clapper answered unapologetically: “We can do our job with a clear conscience, but we have to be careful. The history of the intelligence community is replete with violations of the trust of the American people.” That doesn’t mean that the job is immoral—it just means the job has to be done correctly. “I have always accepted intelligence was an honorable profession. We are all mindful of the need to comply with our moral values and the law.”
Source: America’s Top Spy James Clapper and the Future of Cyberwar and Surveillance | WIRED
If whistleblowers don’t dare reveal crimes and lies, we lose the last shred of effective control over our government and institutions. That’s why surveillance that enables the state to find out who has talked with a reporter is too much surveillance—too much for democracy to endure.
To have privacy, you must not throw it away: the first one who has to protect your privacy is you.
If we don’t want a total surveillance society, we must consider surveillance a kind of social pollution, and limit the surveillance impact of each new digital system just as we limit the environmental impact of physical construction.
Most data collection comes from people’s own digital activities. Usually the data is collected first by companies. But when it comes to the threat to privacy and democracy, it makes no difference whether surveillance is done directly by the state or farmed out to a business, because the data that the companies collect is systematically available to the state.
For the state to find criminals, it needs to be able to investigate specific crimes, or specific suspected planned crimes, under a court order. With the Internet, the power to tap phone conversations would naturally extend to the power to tap Internet connections. This power is easy to abuse for political reasons, but it is also necessary. Fortunately, this won’t make it possible to find whistleblowers after the fact, if (as I recommend) we prevent digital systems from accumulating massive dossiers before the fact.
Digital technology has brought about a tremendous increase in the level of surveillance of our movements, actions, and communications. … Unless we believe that our free countries previously suffered from a grave surveillance deficit, and ought to be surveilled more than the Soviet Union and East Germany were, we must reverse this increase.
Source: How Much Surveillance Can Democracy Withstand? – GNU Project – Free Software Foundation
Internet governance bodies agree that improving online security is important, but disagree on what a more secure internet would look like.
The tensions that arise around issues of security among different groups of internet governance stakeholders speak to the many tangled notions of what online security is and whom it is meant to protect that are espoused by the participants in multistakeholder governance forums. What makes these debates significant and unique in the context of internet governance is not that the different stakeholders often disagree (indeed, that is a common occurrence), but rather that they disagree while all using the same vocabulary of security to support their respective stances. Government stakeholders advocate for limitations on WHOIS privacy/proxy services in order to aid law enforcement and protect their citizens from crime and fraud. Civil society stakeholders advocate against those limitations in order to aid activists and minorities and protect those online users from harassment. Both sides would claim that their position promotes a more secure internet and a more secure society—and in a sense, both would be right, except that each promotes a differently secure internet and society, protecting different classes of people and behaviour from different threats.
Source: What we talk about when we talk about cybersecurity: security in internet governance debates | Internet Policy Review
Google is the latest tech company to drop the longstanding wall between anonymous online ad tracking and users’ names.
The practical result of the change is that the DoubleClick ads that follow people around on the web may now be customized to them based on the keywords they used in their Gmail. It also means that Google could now, if it wished to, build a complete portrait of a user by name, based on everything they write in email, every website they visit and the searches they conduct.
Source: Google Has Quietly Dropped Ban on Personally Identifiable Web Tracking – ProPublica
Consider this: The smartphone in your pocket is 10 times more powerful than the fastest multi-million dollar supercomputers of just 20 years ago. There are tens of millions of lines of software in that phone of yours. There are hundreds of apps written by more than one million developers, some of whom are hackers, and some of whom are just incompetent at security. And then there are chips in your phone that run sophisticated software, from companies located in countries all around the world, all of which have security bugs.
The complexity is mind-boggling — and so are all the security vulnerabilities that exist and will be found in the future.
Source: Why an unhackable mobile phone is a complete marketing myth | TechCrunch
the liberties designed almost a quarter-millennium ago by the Founding Fathers still turn out to be curiously well-aligned with the security of this country and the safety of Americans, while the government overreach of this era has proved to be anything but. As it turned out, those heavy-handed government policies meant to pry our lives open in an invasive and expansive way, torture information from suspects, and lock away people forever, it seems, without charges or trial, were remarkably counterproductive and ineffective—and that reality, rather than the concerns of civil libertarians, was essential to whatever backswing of the pendulum we’ve seen in recent years.
When civil libertarians defend their side of the liberty-security debate, they usually claim that liberties are just as important as security. Perhaps what they should be saying is that protecting our liberties means ensuring our safety; that surveilling everyone produces more but not better information and is not a national security measure; and that the informed interrogation of prisoners who have rights, including the right to a fair trial, is not only more consonant with the American way, but more effective than secret prisons and physical abuse.
It should by now be far clearer that needing to know everything to know something is a sign of weakness, not strength; that needing to be a bully instead of a smart operative is a sign of insecurity, not security.
What should be seen as incompatible with liberty and safety is the overreach of the state in the name of ensuring both of them. It was that overreach, not our liberties, which made us less secure. So let’s note it carefully: the Founding Fathers were right and the Bush administration, its Justice Department memos, and more recently, the candidate who has called for ever more extreme measures, supposedly to protect us and our country, will only endanger us further. Let’s take this lesson to heart: liberty is security for Americans.
Source: Liberty Is Security | The American Conservative
Mass surveillance of citizens without their knowledge is on the rise in America. This is the story of how one city fought back – and is teaching others how to do the same.
The port of Oakland had been given federal funds in 2008 to build a DAC as part of a post-9/11 push to protect critical infrastructure from terrorist attack.
At some point, the city council decided to extend the system to cover the whole of Oakland and its population of 400,000 people.
Hundreds of new cameras would be installed across the city and data would be incorporated from number plate readers, gunshot-detection microphones, social media, and, in later phases, facial recognition software and programs that can recognise people from the way they walk.
Brian Hofer [now chairman of Oakland’s Privacy Advisory Commission] agrees that security cameras can prevent crime but says there is no evidence that mass surveillance does. And he argues that police departments only turn to “shiny gadgets” when relations with the public they are meant to protect, and on whom they rely as witnesses, have broken down.
Many of the systems being offered for sale to law enforcement agencies across the US, and around the world, were developed by defence giants for use on the battlefields of Iraq and Afghanistan.
Source: Police surveillance: The US city that beat Big Brother – BBC News
What the FCC did this year, with little fanfare, was cripple telecoms companies and wireless networks from doing what Google and Facebook do. That’s a very odd decision. If behavioural advertising is so bad consumers need an opt-out, how come you can opt out of your ISP’s profiling, but not Google’s? How could that be?
Source: Google’s become an obsessive stalker and you can’t get a restraining order • The Register