PATRIOT Act greatly expands what a ‘financial institution’ is

From Bruce Schneier’s “News” (Crypto-Gram Newsletter: 15 January 2004):

Last month Bush snuck into law one of the provisions of the failed PATRIOT ACT 2. The FBI can now obtain records from financial institutions without requiring permission from a judge. The institution can’t tell the target person that his records were taken by the FBI. And the term “financial institution” has been expanded to include insurance companies, travel agencies, real estate agents, stockbrokers, the U.S. Postal Service, jewelry stores, casinos, and car dealerships.

Government-created viruses for surveillance

From John Twelve Hawks’s “ How We Live Now” (2005):

The Traveler describes for the first time in any book the secret computational immunology programs being developed in Britain. These programs behave like the leucocytes floating through our bloodstream. The programs wander through the Internet, searching, evaluating, and hiding in a person’s home PC, until they detect a “dangerous” statement or unusual information. After gathering our personal information, they return to the central computer. There is no reason why they can’t easily be programmed to destroy a target computer … such as the one on which you’re reading this essay.

What RFID passports really mean

From John Twelve Hawks’s “ How We Live Now” (2005):

The passports contain a radio frequency identification chip (RFID) so that all our personal information can be instantly read by a machine at the airport. However, the State Department has refused to encrypt the information embedded in the chip, because it requires more complicated technology that is difficult to coordinate with other countries. This means that our personal information could be read by a machine called a “skimmer” that can be placed in a doorway or a bus stop, perhaps as far as 30 feet away.

The U.S. government isn’t concerned by this, but the contents of Paris Hilton’s cell phone, which uses the same kind of RFID chip, were skimmed and made public last year. It may not seem like a problem when a semi-celebrity’s phone numbers and emails are stolen, but it is quite possible that an American tourist walking down a street in a foreign country will be “skimmed” by a machine that reads the passport in his or her pocket. A terrorist group will be able to decide if the name on the passport indicates a possible target before the tourist reaches the end of the street.

The new RFID passports are a clear indication that protection is not as important to the authorities as the need to acquire easily accessible personal information.

Surveillance cameras that notice aberrations

From John Twelve Hawks’s “ How We Live Now” (2005):

And everywhere we go, there are surveillance cameras – thousands of them – to photograph and record our image. Some of them are “smart” cameras, linked to computer programs that watch our movements in case we act differently from the rest of the crowd: if we walk too slowly, if we linger outside certain buildings, if we stop to laugh or enjoy the view, our body is highlighted by a red line on a video monitor and a security guard has to decide whether he should call the police.

L.A. police using drones to spy on citizens

From Zachary Slobig’s “Police launch eye-in-the-sky technology above Los Angeles” (AFP: 17 June 2006):

Police launched the future of law enforcement into the smoggy Los Angeles sky in the form of a drone aircraft, bringing technology most commonly associated with combat zones to urban policing.

The unmanned aerial vehicle, which looks like a child’s remote control toy and weighs about five pounds (2.3 kilograms), is a prototype being tested by the Los Angeles County Sheriff’s Department. …

“This technology could be used to find missing children, search for lost hikers, or survey a fire zone,” said Commander Sid Heal, head of the Technology Exploration Project of the Los Angeles County Sheriff’s Department. “The ideal outcome for us is when this technology becomes instrumental in saving lives.”

The SkySeer would also be a helpful tool to nab burglary suspects on rooftops and to chase down suspects fleeing on foot. The drone comes equipped with low-light and infrared capabilities and can fly at speeds up to 30 miles (48 kilometers) per hour for 70 minutes. …

A small camera capable of tilt and pan operations is fixed to the underside of the drone which sends the video directly to a laptop command station. Once launched, the craft is set to fly autonomously with global positioning system (GPS) coordinates and a fixed flight pattern.

As technology improves, the drone will be outfitted with zoom capabilities. For now, the craft simply flies lower to hone in on its target. …

“The plane is virtually silent and invisible,” said Heal. “It will give us a vertical perspective that we have never had.”

The Los Angeles Sheriff’s Department operates a fleet of 18 helicopters, priced between three and five million dollars each. The SkySeer will cost between 25,000 and 30,000 dollars.

4 ways to eavesdrop on telephone calls

From Bruce Schneier’s “VOIP Encryption” (Crypto-Gram Newsletter: 15 April 2006):

There are basically four ways to eavesdrop on a telephone call.

One, you can listen in on another phone extension. This is the method preferred by siblings everywhere. If you have the right access, it’s the easiest. While it doesn’t work for cell phones, cordless phones are vulnerable to a variant of this attack: A radio receiver set to the right frequency can act as another extension.

Two, you can attach some eavesdropping equipment to the wire with a pair of alligator clips. It takes some expertise, but you can do it anywhere along the phone line’s path — even outside the home. This used to be the way the police eavesdropped on your phone line. These days it’s probably most often used by criminals. This method doesn’t work for cell phones, either.

Three, you can eavesdrop at the telephone switch. Modern phone equipment includes the ability for someone to listen in this way. Currently, this is the preferred police method. It works for both land lines and cell phones. You need the right access, but if you can get it, this is probably the most comfortable way to eavesdrop on a particular person.

Four, you can tap the main trunk lines, eavesdrop on the microwave or satellite phone links, etc. It’s hard to eavesdrop on one particular person this way, but it’s easy to listen in on a large chunk of telephone calls. This is the sort of big-budget surveillance that organizations like the National Security Agency do best. They’ve even been known to use submarines to tap undersea phone cables.

THE answer to “if you’re not doing anything wrong, why resist surveillance?”

From Bruce Schneier’s “The Eternal Value of Privacy” (Wired News: 18 May 2006):

The most common retort against privacy advocates — by those in favor of ID checks, cameras, databases, data mining and other wholesale surveillance measures — is this line: “If you aren’t doing anything wrong, what do you have to hide?”

Some clever answers: “If I’m not doing anything wrong, then you have no cause to watch me.” “Because the government gets to define what’s wrong, and they keep changing the definition.” “Because you might do something wrong with my information.” My problem with quips like these — as right as they are — is that they accept the premise that privacy is about hiding a wrong. It’s not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.

Two proverbs say it best: Quis custodiet custodes ipsos? (“Who watches the watchers?”) and “Absolute power corrupts absolutely.”

Cardinal Richelieu understood the value of surveillance when he famously said, “If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged.” Watch someone long enough, and you’ll find something to arrest — or just blackmail — with. Privacy is important because without it, surveillance information will be abused: to peep, to sell to marketers and to spy on political enemies — whoever they happen to be at the time.

Exploits used for corporate espionage

From Ryan Naraine’s “Microsoft Confirms Excel Zero-Day Attack Under Way” (eWeek: 16 June 2006):

Microsoft June 15 confirmed that a new, undocumented flaw in its widely used Excel spreadsheet program was being used in an attack against an unnamed target.

The company’s warning comes less than a month after a code-execution hole in Microsoft Word was exploited in what is described as a “super, super targeted attack” against business interests overseas.

The back-to-back zero-day attacks closely resemble each other and suggest that well-organized criminals are conducting corporate espionage using critical flaws purchased from underground hackers.

It’s easy to track someone using a MetroCard

From Brendan I. Koerner’s “Your Cellphone is a Homing Device” (Legal Affairs: July/August 2003):

Law enforcement likewise views privacy laws as an impediment, especially now that it has grown accustomed to accessing location data virtually at will. Take the MetroCard, the only way for New York City commuters to pay their transit fares since the elimination of tokens. Unbeknownst to the vast majority of straphangers, the humble MetroCard is essentially a floppy disk, uniquely identified by a serial number on the flip side. Each time a subway rider swipes the card, the turnstile reads the bevy of information stored on the card’s magnetic stripe, such as serial number, value, and expiration date. That data is then relayed back to the Metropolitan Transportation Authority’s central computers, which also record the passenger’s station and entry time; the stated reason is that this allows for free transfers between buses and subways. (Bus fare machines communicate with MTA computers wirelessly.) Police have been taking full advantage of this location info to confirm or destroy alibis; in 2000, The Daily News estimated that detectives were requesting that roughly 1,000 MetroCard records be checked each year.

A mere request seems sufficient for the MTA to fork over the data. The authority learned its lesson back in 1997, when it initially balked at a New York Police Department request to view the E-ZPass toll records of a murder suspect; the cops wanted to see whether or not he’d crossed the Verrazano Narrows Bridge around the time of the crime. The MTA demanded that the NYPD obtain a subpoena, but then-Justice Colleen McMahon of the State Supreme Court disagreed. She ruled that “a reasonable person holds no expectation of confidentiality” when using E-ZPass on a public highway, and an administrative subpoena – a simple OK from a police higher-up – was enough to compel the MTA to hand over the goods.

Tracking via cell phone is easy

From Brendan I. Koerner’s “Your Cellphone is a Homing Device” (Legal Affairs: July/August 2003):

What your salesman probably failed to tell you – and may not even realize – is that an E911-capable phone can give your wireless carrier continual updates on your location. The phone is embedded with a Global Positioning System chip, which can calculate your coordinates to within a few yards by receiving signals from satellites. GPS technology gave U.S. military commanders a vital edge during Gulf War II, and sailors and pilots depend on it as well. In the E911-capable phone, the GPS chip does not wait until it senses danger, springing to life when catastrophe strikes; it’s switched on whenever your handset is powered up and is always ready to transmit your location data back to a wireless carrier’s computers. Verizon or T-Mobile can figure out which manicurist you visit just as easily as they can pinpoint a stranded motorist on Highway 59.

So what’s preventing them from doing so, at the behest of either direct marketers or, perhaps more chillingly, the police? Not the law, which is essentially mum on the subject of location-data privacy. As often happens with emergent technology, the law has struggled to keep pace with the gizmo. No federal statute is keeping your wireless provider from informing Dunkin’ Donuts that your visits to Starbucks have been dropping off and you may be ripe for a special coupon offer. Nor are cops explicitly required to obtain a judicial warrant before compiling a record of where you sneaked off to last Thursday night. Despite such obvious potential for abuse, the Federal Communications Commission and the Federal Trade Commission, the American consumer’s ostensible protectors, show little enthusiasm for stepping into the breach. As things stand now, the only real barrier to the dissemination of your daily movements is the benevolence of the telecommunications industry. A show of hands from those who find this a comforting thought? Anyone? …

THE WIRELESS INDUSTRY HAS A NAME FOR SUCH CUSTOM-TAILORED HAWKING: “location-based services,” or LBS. The idea is that GPS chips can be used to locate friends, find the nearest pizzeria, or ensure that Junior is really at the library rather than a keg party. One estimate expects LBS to be a $15 billion market by 2007, a much-needed boost for the flagging telecom sector.

That may be fine for some consumers, but what about those who’d rather opt out of the tracking? The industry’s promise is that LBS customers will have to give explicit permission for their data to be shared with third parties. This is certainly in the spirit of the Wireless Communications and Public Safety Act of 1999, which anticipated that all cellphone carriers will feature E911 technology by 2006. The law stipulated that E911 data – that is, an individual’s second-by-second GPS coordinates – could only be used for nonemergency purposes if “express prior authorization” was provided by the consumer. …

Google’s data trove tempts the bad guys

From “Fuzzy maths” (The Economist: 11 May 2006):

Slowly, the company is realising that it is so important that it may not be able to control the ramifications of its own actions. “As more and more data builds up in the company’s disk farms,” says Edward Felten, an expert on computer privacy at Princeton University, “the temptation to be evil only increases. Even if the company itself stays non-evil, its data trove will be a massive temptation for others to do evil.”

iSee: online map of CCTVs in Manhattan

From Patrick Keefe’s “Camera Shy” (Legal Affairs: July/August 2003):

One extralegal solution is a project called iSee. Launched several years ago, iSee is an online interactive map of the locations of surveillance cameras in Manhattan. To use iSee, you simply open the map of Manhattan and double-click on your point of departure and your destination. After a few moments of computation, iSee generates the “path of least surveillance.”

iSee can be accessed through the website of the organization which created it, the so-called Institute of Applied Autonomy. IAA is a collective of artists, engineers, and scientists who design technologies for the “burgeoning market” of “cultural insurrection.” The organization presents itself as a tech-savvy civil libertarian answer to the Defense Advanced Research Projects Agency, a shadowy R&D wing of the Pentagon. DARPA has recently been in the news for developing the Terrorist Information Awareness project, headed by John Poindexter, which would monitor the everyday transactions of American citizens. Whereas DARPA uses what IAA calls “tools of repression” to take your autonomy away, IAA answers with another set of tools that are intended to give you your autonomy back. …

In Britain, you can see footage of you captured by CCTV

From Patrick Keefe’s “Camera Shy” (Legal Affairs: July/August 2003):

In London, a city even more intensively scrutinized by closed-circuit television cameras than New York, citizens can at least retrieve copies of footage taken of them through a provision in Britain’s Data Protection Act. Americans have no such legal recourse. …

The TSA acts outside the Constitution

From Ars Technica’s “Terrorist watch list follies, and my time in the TSA’s Constitution-free zone“:

So what are your rights if your name is unjustly on the watch-list, and you’d like to be able to move about the country without being singled out by airport screeners and possibly even traffic cops for extra attention? The answer is, unfortunately, that some of your basic Constitutional rights are effectively non-existent if you happen to get caught somewhere in America’s growing terrorist dragnet.

As of right now, there aren’t many rules to which you can appeal for redress—no laws aimed at protecting the accused, no binding judicial decisions, and few formal departmental protocols for addressing grievances. The kinds of rules and precedents that govern most of the other citizen-facing aspects of the federal bureaucracy just aren’t there when it comes to anything terrorism and/or TSA-related. …

To sum up, if you run afoul of the nation’s “national security” apparatus, you’re completely on your own. There are no firm rules, no case law, no real appeals processes, no normal array of Constitutional rights, no lawyers to help, and generally none of the other things that we as American citizens expect to be able to fall back on when we’ve been (justly or unjustly) identified by the government as wrong-doers.

Brin’s Transparent Society explained, briefly

From Technology Review‘s “Big Brother Logs On“:

In his 1998 book The Transparent Society, which is well known in the privacy advocacy community, science fiction author and technology watcher David Brin argues that society inevitably will have to choose between two versions of ubiquitous surveillance: in one, only the rich and powerful use and control the system to their own advantage; in the second, more democratic future, the watchers can also be watched. Brin concedes that the latter version would mean everybody’s laundry hung out in public view, but the transparency would at least be mutual. Rent a porn video and your wife knows it; but if she drives to your best buddy’s house four times a week while you’re at the office, you’ll know that also.

Surveillance tools to detect drowning swimmers

From Technology Review‘s “Big Brother Logs On“:

Consider the benefits of the “computer-aided drowning detection and prevention” system that Boulogne, France-based Poseidon Technologies has installed in nine swimming pools in France, England, the Netherlands and Canada. In these systems, a collection of overhead and in-pool cameras relentlessly monitors pool activity. The video signals feed into a central processor running a machine perception algorithm that can effectively spot when active nonwater objects, such as swimmers, become still for more than a few seconds. When that happens, a red alarm light flashes at a poolside laptop workstation and lifeguards are alerted via waterproof pagers. Last November, a Poseidon system at the Jean Blanchet Aquatic Center in Ancenis, Loire-Atlantique, France, alerted lifeguards in time to rescue a swimmer on the verge of drowning. Pulled from the water unconscious, the swimmer walked away from a hospital the next day.

The Sumitomo Mitsuibank bank heist

From Richard Stiennon’s “Lessons Learned from Biggest Bank Heist in History“:

Last year’s news that thieves had managed to break in to Sumitomo Mitsui Bank’s branch in London and attempt to transfer almost $440 million to accounts in other countries should give CIO’s cause for concern. …

First a recap. Last year it came to light that U.K. authorities had put the kibosh on what would have been the largest bank heist in history.

The story is still developing but this is what we know: Thieves masquerading as cleaning staff with the help of a security guard installed hardware keystroke loggers on computers within the London branch of Sumitomo Mitsui, a huge Japanese bank.

These computers evidently belonged to help desk personnel. The keystroke loggers captured everything typed into the computer including, of course, administrative passwords for remote access.

By installing software keystroke loggers on the PCs that belonged to the bank personnel responsible for wire transfers over the SWIFT (Society for Worldwide Interbank Financial Telecommunication) network, the thieves captured credentials that were then used to transfer 220 million pounds (call it half-a-billion dollars).

Luckily the police were involved by that time and were able to stymie the attack.

From Richard Stiennon’s “Super-Glue: Best practice for countering key stroke loggers“:

… it is reported that Sumitomo Bank’s best practice for avoiding a repeat attack is that they now super-glue the keyboard connections into the backs of their PCs.

Turnpikes, roads, & tolls

From Andrew Odlyzko’s “Pricing and Architecture of the Internet: Historical Perspectives from Telecommunications and Transportation“:

British turnpikes were a controversial response to a serious problem. Traditionally, the King’s Highway was open to all. The problem was how to keep it in good condition. As commerce grew, the need to maintain roads became acute. At first, in Elizabethan times, laws were enacted compelling all able-bodied commoner males to devote several days a year to labor on the highways. (See [1,66,80] for references for the background information as well as other items below that are not attributed otherwise.) The inequitable distribution of the burden this imposed and the lack of effective control mechanisms by the central government led to many complaints. As a result, in 1663, the first turnpike was authorized. A local group was authorized to create a turnpike trust that would borrow money to improve a section of a road, and then collect tolls from travelers for passage over that section of the road. This venture was set up (as were all subsequent turnpikes) as an ostensibly non-profit trust. (There were opportunities for profits there, for example in payment of above-market fees and other abuses, but those were illicit, and in any case were not the high profits that other, more private, enterprises, such as lighthouses and canals, offered.) The reason for the non-profit nature of turnpikes was presumably to allay concerns about a violation of the ancient principle that the King’s Highway was open to all. Still, this turnpike was very controversial (as were many later ones). Apparently largely for that reason, it took until 1695 before the next turnpike was set up [2].

In the early 18th century, the turnpike movement took off in earnest. Although there were frequent protests (sometimes violent, as in the burning of the toll gates around Bristol in 1727 and 1735), by mid-1830s there were over 20,000 miles of turnpikes in England. …

Tolls were usually doubled on Sundays for ordinary commercial traffic, but were eliminated for travel to or from church. They also “were never levied on foot passengers, and were thus unfelt by the labouring poor” (p. 124 of [80]). There were also options in many cases for a flat fee for annual access. Still, there were countless controversies about the toll, “the collection of which led to endless evasions, inequalities and favouritisms of all kinds, arbitrary exactions, and systematic petty embezzlements” (p. 136 of [80]). …

… road tolls are coming back as a result of growing congestion and improved technology. Unlike telecommunications, where technology is increasing capacity of fiber, coax, and radio transmissions, building new roads is increasingly difficult, and making existing ones carry more traffic can only be done to a limited extent. At the same time, electronic means for monitoring traffic and collecting tolls are improving, and we see central business districts in Norway, Singapore, and London imposing tolls. Most of these systems do raise privacy issues, too, since they are centralized ones with information about users, or at least cars. Still, there is a strong tendency to introduce ever more detailed monitoring of traffic, often with the explicit goal of charging users according to their level of activity (whether by governments or by insurance companies).