CSEC used airport Wi-Fi to track Canadian travellers: Edward Snowden documents CBC News, Jan 30, 2014
All I was going to do in this post, as previously advertised, was paste in my response to the security, liberty, privacy question on the recent Pew/Elon survey on the future of the Internet (please see previous post if this makes no sense).
Many clusters will resolve to other Airports! Awesome! And no spying on Canadians!
But these days you can’t blow your nose without bumping into another scandal about a power-mongering little spy creep who’s found a way to violate your space without ever having to face the consequences of his actions, and another way to pretend it’s all legal because all he’s collecting is your metadata. These dweebs must love the guy who handed them that concept, and not just because I guarantee you nobody actually knows what that means (my 4th-yr Comm Studies majors don’t, so that’s good enough for me). We only record your IMSI, MEID, numeric IP, photo EXIF data, tower and location data, phone numbers called, address book… But we would never, ever record the content of your messages since some unpatriotic idiots who claim to teach at university might consider that illegal.
Public service announcement: how to stick a personal VPN to CSEC (where the sun don’t shine)
Even though the spies have assured us we’re not being spied on (and if they did inhale, they didn’t enjoy it), you might want to read my shrewd advice here on how to minimize the chances they will pick you up at the airport over public Wi-Fi, while they’re not spying on you – or over public Wi-Fi in Starbucks or anywhere you might end up in public with a mobile device. Get a subscription to a personal virtual private network (VPN) and go for the good guys at WiTopia (I’ve mentioned them previously and they’re now getting promoted to my Categories list).
VPNs have been used for years in the enterprise (=business). A VPN allows employees to communicate securely with HQ even when they’re thousands of miles away. The VPN uses one form or another of encryption, and is said metaphorically to “tunnel” through the public Internet. It’s a “virtual” network because there’s no real tunnel. Your packets are still co-mingling with other people’s packets, but only you and the folks with the authentication tools – like a password – can read those packets. The VPN is said to be private for exactly that reason, like an office behind a locked door.
WiTopia offers both Pro and Basic versions. Go for the Pro at $69.99 a year for the best value (nope, no commission or price breaks for all my trouble). Here’s the beauty part, as the lovely UI screen grab above indicates. You’re not just getting locally encrypted. You have the option of logging onto any one of dozens of WiTopia’s VPN gateways around the planet, each of which spits out a local numeric IP for both the server and you the client, on the fly. Because numeric IPs are allocated by the regional registries on a geographical basis, the addresses used for the San Francisco gateway mean you are “virtually” in San Francisco – even if you’re actually in the Lester B. Pearson Airport.
Major caveat here. None of this is foolproof and you can be compromised in all sorts of ways on a VPN, like when your provider has been coerced into putting a backdoor into their encryption software (like the NSA does). Some of it is under your control – especially that old bugaboo, the password. If you have a stoopid password – admin123 or mywitopiaVPN – you’re screwed. While we wait for the day our thumbprint does everything, you can test your passwords at various places, with varying degrees of reliability. The trick is you want to maximize the number of bits (binary digits) of “entropy” in your string – a concept that essentially means uncertainty. You want to have at least 75 bits to get into the “would take centuries to break” category. Check out the GitHub resource here – which btw says the crack time for “admin123” is 0.167 seconds.
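To make the entropy idea concrete, here is an added example (not part of the original post, and not the GitHub checker it mentions) that scores "admin123" two ways and generates a random password sized for the 75-bit target. The word list, function names and the 62-character alphabet are assumptions made for the illustration.

```python
import math
import secrets
import string

# Constructed mini-dictionary of common base words (assumption for this
# example); real checkers use lists with many thousands of entries.
COMMON_WORDS = ["admin", "password", "letmein", "qwerty", "welcome"]
ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def naive_bits(pw: str) -> float:
    """Upper bound: treats every character as an independent random pick."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def pattern_bits(pw: str) -> float:
    """Lower estimate when pw is <common word> followed only by digits."""
    low = pw.lower()
    for word in COMMON_WORDS:
        suffix = low[len(word):]
        if low.startswith(word) and (suffix == "" or suffix.isdigit()):
            # Cost of guessing the word plus each trailing digit.
            return math.log2(len(COMMON_WORDS)) + len(suffix) * math.log2(10)
    return naive_bits(pw)


def length_for(target_bits: float = 75) -> int:
    """Characters needed from ALPHABET to reach target_bits by construction."""
    return math.ceil(target_bits / math.log2(len(ALPHABET)))


def generate_password(target_bits: float = 75) -> str:
    """Uniformly random password from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length_for(target_bits)))


if __name__ == "__main__":
    for pw in ("admin123", generate_password()):
        print(f"{pw!r}: naive {naive_bits(pw):.1f} bits, "
              f"pattern-aware {pattern_bits(pw):.1f} bits")
```

The gap between the two scores for "admin123" is why checkers that only count character classes are among the less reliable ones: entropy comes from how the string was chosen, not from how it looks.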
Pew’s question on security, liberty, privacy online
Okay, that should give the CSEC genius who found this enough for tomorrow’s presentation. Sadly, the whole CSEC imbroglio largely confirms what I said in my Pew response on the initial question about online privacy. Here’s the question:
Security, liberty, privacy online – Will policy makers and technology innovators create a secure, popularly accepted, and trusted privacy-rights infrastructure by 2025 that allows for business innovation and monetization while also offering individuals choices for protecting their personal information in easy-to-use formats?
My one-word answer:
Then, as I said last time, the survey asks us to explain ourselves:
Please elaborate on your answer. Describe what you think the reality will be in 2025 when it comes to the overall public perception about whether policy makers and corporations have struck the right balance between personal privacy, secure data, and compelling content and apps that emerge from consumer tracking and analytics.
Pew added a “bonus” question to the opener about changing public norms on privacy, but I didn’t have anything more to add. Okay, enough foreplay, my (pessimistic) survey answer…
Big corporations will always want more confidential data from customers, especially those in the targeted-ad industrial complex, since increasingly intrusive data-mining is the hallmark of success. These motives will apply less to firms whose business is not ad-supported but based on selling content and apps (and other digital retail goods). Yet this distinction is by no means hard and fast, since lots of developers have shown they’re not above deceiving end-users about their actions. Firms that are exposed may stop for a while, but it seems likely that most developers, in the tradition of the big dogs like Facebook, will regard sanctions for intrusive behavior as a cost of doing business. Meanwhile, public interest advocacy groups (which are proportionately far more plentiful in the US than in Canada) will keep fighting for some balance between the perceived needs of business growth and personal privacy. Like so much in online culture, however, privacy has no end-game; the “right balance” today won’t be seen as workable tomorrow. By 2025, in any case, public perceptions about balance will have become more sophisticated. Perceptions will be sharpened by disclosures such as those involving the NSA, as well as commercial actors, and the heightened awareness of privacy issues that comes with them.
Pew found last September that a surprisingly large number of Americans are taking steps to mask their online activities. But in doing so, mainstreamers will be bucking both technical progress and the contrary attitudes of developers, service providers and advertisers, not to mention spies. First, invoking protection of any kind has always been challenging to lay users, whether because of the difficulties inherent in encryption technologies or simply because strong passwords are way too inconvenient for most people. Second, those who lust after consumer data, and have the resources, will always be 1 or 2 steps ahead. Just as mainstreamers have started to manage their cookies, for example, along come alternative technologies – like browser fingerprinting and mobile tracking – that are even more difficult to challenge. Third, even with heightened awareness on privacy issues, it’s doubtful that mainstreamers have both an understanding of the motives behind running a business on customer data-mining, and the fortitude to withstand the seductive appeal of great convenience at low or no cost. By 2025, these trends are likely to be exacerbated by the appification of the Web and the growth of the Internet of things, and the far greater degree of intrusiveness they will enable.