On the issue of privacy and protecting civil liberties.

Let me ask you a question:

How would you react if one day came home to discover that every room in your house had two or three CCTV cameras installed in it? You don’t know who’s watching them or when or why? Would you be OK with this?

Let’s say someone came to your door, introduced themselves as being a private contractor working for Homeland Security, and demanded a copy of your house key so that they (and presumably the DHS and any one else they contract out to) could come in whenever they wanted to have a look around now and then. Would you be OK with this?

Then I have to ask, why are you OK with what actually IS happening right now with your electronic information and possibly your phone calls? The NSA has their own sealed room at an AT&T switching center with a system that intercepts all electronic data that runs through their backbone. Are they looking at your e-mails or listening to your voicemail? Who knows. Probably not. But they can if they want, and the House just gave them permission to do it with the Senate about to do likewise (years after they installed the room without congressional or judicial oversight.)

Project Carnivore was once thought to be an urban (geek) legend, possibly intentional disinformation. However, over the last few years, network administrators for various ISP’s around the country have confirmed putting packet sniffers on their servers providing the FBI and NSA the ability to intercept and read all data passed through their network. Supposedly used only on court orders and targeting specific individuals–but with the governments track record lately of monitoring first and forgetting to ask permission later (see recent FISA Court cases) can we really be sure they’re keeping themselves to high and ethical standards?

The administration also got in trouble recently (although nothing’s been done about it) for data mining through the call records of all domestic telephone calls, not just the international ones they admit to eavesdropping on.

Q: When Attorney General Alberto Gonzales was testifying a few months ago, he seemed careful to specify that he was talking only about the “Terrorist Surveillance Program.” Does that mean he knew about the phone data mining effort and refused to reveal it earlier?
It seems likely, but we don’t know. During his appearance before the Senate Judiciary Committee and in a subsequent letter to senators, Gonzales’ careful wording seemed to imply that there may be additional domestic surveillance programs beyond the one revealed by The New York Times. (Testifying before senators, Gonzales referred to that program as “the program that the president has confirmed.”)

Data mining is more serious than it seems on the surface:

Data Mining 101: Finding Subversives with Amazon Wishlists

It only takes a few questions about you for someone to know exactly who you are without your providing any identity information. Anyone who visits this Web page is leaving information about what site you were at before this one and where you go to when you leave this one, what browser and operating system you’re using as well as what town you’re in. That alone is enough to create a profile on you. But you also leave your IP address which is the most vital piece of electronic data possible which allows someone to track your activities all over the ‘net. Let’s say someone knows what town you live in, that you did a search for “repairing 2005 Scion,” bought a size 10 dress online, and looked at the Web site for a particular church or health club in your town–how much more information do you think they’d need to find out who you are and what kind of person you seem to be? That’s the kind of information available to advertisers, ISP’s, corporations, and their employees and anyone an employee wants to provide that information to. We’re not even talking about what the government has collected on actual specific information on who you called and when and for how long.

These are just a few of the programs we know about. There may be other programs even more invasive that we don’t know about–but that’s conspiracy theory territory and what has been admitted to Congress and the Supreme Court is bad enough already.

Now, when I talk about this topic to people, there are those whose first response will often be, “So? If you’re not doing anything wrong, why worry about it?

If you’re asking this, let me remind you of my earlier question of whether you’d have any problems with someone wandering through your house without your permission, looking at you and your family, rifling through your stuff, listening to your conversations, whenever they wanted. Even if you’re not doing anything “wrong,” would you not have a problem with this?

I’ll address the abstract principle of privacy and liberty in a moment, but first the practical application of the destruction of privacy and collection of data….

Do you know how big the TSA’a No Fly List is? Nearly a million names. A million. Is there that many terrorists and enemies of the US in the country?! Mmm, doubtful. Names that are on the list include Senator Kennedy,children, soldiers fighting in Iraq, war heroes, and constitutional scholars.

One of the two people to whom I talked asked a question and offered a frightening comment: “Have you been in any peace marches? We ban a lot of people from flying because of that.” I explained that I had not so marched but had, in September, 2006, given a lecture at Princeton, televised and put on the Web, highly critical of George Bush for his many violations of the Constitution. “That’ll do it,” the man said. “

Not caring about being watched and recorded and surveilled assumes that those doing the surveillance and collecting are perfect and without error in judgment and practice and have the cleanest of ethics and intent. If that were true, I probably wouldn’t mind myself! And every night I’d eat a salad of fairy wings sprinkled with unicorn horn croutons. The problem with the government collecting data, wantonly eavesdropping, making lists, is that it’s being done by humans who are quite prone to mistakes, humans that are capable of malicious and unscrupulous actions, for reasons that may be (and most likely are) political in nature and have nothing to do with security and everything to do with power and control.

Everything about the No Fly List and the security regulations are completely useless for real security: any high school chemistry student can tell you it’s neigh impossible to make an effective explosive out of carry-on liquid containers. Each of the 9/11 hijackers had valid and legal identification. As the above link describes, people can easily make fake IDs and boarding passes–and when the TSA is alerted of such real threats to security, they threaten the whistle blowers with arrest. The No Fly List and TSA security is useless at best, and a tool for the government to harass and monitor political enemies at worst.

The same government which we are shrugging our shoulders about collecting our data and watching our communications is the same government that:

  • Signed Homeland Security Presidential Directive #20 which states that should the President declare a “state of emergency” for any reason the office sees fit, all powers of the federal government are turned over to the Executive Branch (the President).
  • Swapped the original Patriot Act bill which Congress got to see, with a rewritten one literally in the middle of the night before Congress voted it in.
  • Rescinded habeas corpus which prevents the government from arresting anyone they want, declaring them an “enemy combatant,” and disappearing them indefinitely.
  • Literally kidnapped a Canadian citizen on Canadian soil and flew them in a CIA plane to be tortured for a year in Syria…before deciding the person was innocent.
  • Advocates using torture methods we’ve convicted other countries of war crimes for, even though overwhelming evidence shows torture is ineffective for gathering viable intelligence (as if the human rights violation isn’t enough).
  • Puts covert CIA agents and their assets at risk (as well as destroying years worth of trust and asset building) for political revenge.
  • Rescinds Posse Comitatus which prevents federally controlled military forces from acting in domestic capacity.
  • Uses privately contracted para-military organizations for foreign and domestic missions without Congressional permission or oversight.
  • Keeps CIA run prisons in countries which use torture methods even worse than what the White House admits to using–and privately contracted security forces to oversee their operations.
  • Infiltrates and harasses organizations that protest the administration’s politics…like Quaker churches.

…to name a few ways in which the government does not act in a responsible, perfect, error-free, ethical manner.

Take a moment to watch this film (even if you’ve seen it before; I’ve posted it on my blog a couple of times…)

This illustrates my point perfectly. From a practical standpoint, you don’t have to be doing anything wrong to be a victim of error, incompetence, unethical use of power.

Cory Doctorow describes the dangers of being a victim of mass surveillance:

Statisticians speak of something called the Paradox of the False Positive. Here’s how that works: imagine that you’ve got a disease that strikes one in a million people, and a test for the disease that’s 99% accurate. You administer the test to a million people, and it will be positive for around 10,000 of them – because for every hundred people, it will be wrong once (that’s what 99% accurate means). Yet, statistically, we know that there’s only one infected person in the entire sample. That means that your “99% accurate” test is wrong 9,999 times out of 10,000!

Terrorism is a lot less common than one in a million and automated “tests” for terrorism – data-mined conclusions drawn from transactions, Oyster cards, bank transfers, travel schedules, etc – are a lot less accurate than 99%. That means practically every person who is branded a terrorist by our data-mining efforts is innocent.

In other words, in the effort to find the terrorist needles in our haystacks, we’re just making much bigger haystacks.

Even ignoring the possibility of unethical or political behavior, mere statistics bear out that innocent people who shrug and say “Doesn’t matter so long as you aren’t doing something wrong” may find themselves arrested by DHS, detained, interrogated, threatened and tortured, have their lives turned upside down–because of a mistake. I’ve blogged a dozen times enumerating many cases of innocent people being the victim of erroneous police drug raids resulting in property damage and even innocent deaths. Shrugging it off and saying it doesn’t matter because you’re not doing anything wrong is the worst of rose-colored, Pollyanna, primrose path thinking.

The principle of privacy is an abstract concept but entirely as vital and important as any concept of practical application. As humans in general and citizens of the United States in particular we have an unalienable right to personal privacy as part of our freedom and liberty. It’s a simple matter of principle that we don’t tolerate unknown people or agents of the government walking into our house unannounced and uninvited for no other reason than some vague pantomime of protecting us from the boogeyman. If the goal of the terrorist is to get a government, an entire people, to fundamentally change out of fear and terror–they’ve won. We are willingly handing away our essential freedoms and liberties that we associate with being American for the price of an illusion of security. Allowing them to listen to our calls, collect all our communications data, scan our e-mail and Web browsing, plant RFID chips in our passports and luggage, create federalized identification, all of these are actions that have nothing to do with protecting us from real threats, as all of these steps would have had no effect stopping 9/11, and everything to do with creating a fascist police state.

I’m about to Godwin the post by bringing it up, but bear with me. In the evolution of all fascist regimes and dictatorships, from Hitler and Mussolini to Stalin and Pinochet, there was a time when things were heading toward Bad but not yet there. Fascism and dictatorships don’t spring up fully formed from out of nowhere–they slowly, step by step, on the backs of a mixture of trusting and lazy citizens, rise from nowhere. Before there was Chancellor Hitler, the Fuhrer, there was a small man leading a rabble party preaching conservatism and fear of the outsider. Before there was an occupation of Czechoslovakia and in invasion of Poland in 1939 by the German army, there was a period from 1921 to 1933, when the Nazi Party was formed to when the burning of the Reichstag building convinced the German legislature to give Hitler full governmental and military power. The Nazi Party didn’t take Germany over by force, they inched their way into power using the law, politics, twisted to their ends and allowed by a populace and Parliament afraid of domestic terrorism and economic frustrations and a desire for a strong leader with a strong, conservative vision who will crush the enemies of the homeland.

Sound familiar?

We do a greater disservice to history by elevating Hitler and the Nazis to some fictionally epic evil that couldn’t possibly happen in real life. It did and it can again when people are too uncaring and lazy to take thrats to their freedom and civil liberties seriously, and by allowing folksy plain-speakin’ conservative war-mongers to have positions of great power thanks to jingoist appeals to false patriotism and invoking the spectral fear of the shadowy anarchist communist terrorist bad guy around every corner.

What can we do? Well, various things, but this post is a focus on protecting privacy which can be done by a greater public use of encryption and Internet anonymity. Here’s the irony that ends up working to protect privacy:

It’s a bad thing that the government is making huge haystacks of data and surveillance, erroneously claiming some straw as needles they’re looking for. But, the greater the haystacks, the more ineffectual the mining and surveillance, until it reaches a point where watching everyone and collecting everyone’s data is no longer even desired by those in power. This happens the more “chaff” there is in the system.

Take London: cover every square inch of the city with CCTVs and you’ll get so much information that you’ll never make any sense of it. Scotland Yard says that CCTVs help solve fewer than 3% of all crimes, while a study in San Francisco found that at best, criminals simply move out of camera range, while at worst they assume no one is watching.

Similarly, if you take fingerprints from every person who applies for a visa – or worse still, from every person in Britain who has to carry one of the proposed new biometric cards – you will fill the databases with chaff that slows down searches, generates endless false matches, and threatens everyone in the database with the worst kind of identity theft.

The more people use secure methods to chat with their friends about the weather, use encryption to share chicken pot pie recipes, use anonymizers in their search for parts for their 2005 Scion, the more frustrating it is for those watching and looking and listening to watch and listen to everyone. At least that’s one theory of circumventing the police state in a grand scale. On the small scale, you have the right to be able to share your chicken pot pie recipe without being eavesdropped on–more so if you’re sharing private personal information or sensitive business or financial information. The more ordinary, non-techie people are using security methods to communicate the easier it is for you to do the same. What good is it if you want to use encryption to discuss anything from plot points of a television show to potentially embarrassing medical information or yearly budget information if the people you’re communicating with doesn’t use encryption or take security precautions.

Here’s something you probably didn’t know but really should: every time you check your e-mail with a program like Outlook or Thunderbird, you are sending your username and password in human readable clear text across the internet. If someone has installed a trojan on your PC, they can read it. If you’re using unsecured wi-fi, anyone in the area could access your info. Anyone who may be snooping between your computer and your mail server can read it.

What if you send sensitive info to Bob, and Bob’s checking his e-mail with Outlook on an unsecured wireless connection? You may have taken precautions logging into your mail securely, but because of Bob’s innocent ignorance your information is open to easy interception.

Here’s another nice thought: man-in-the-middle attacks in this situation is pretty easy for a mid-level cracker to perform. They gain your e-mail access info, intercept a message, make changes to it before letting it continue ion its way with no one the wiser.

OK, now we learn to take some basic precautions:

E-mail. By default most email programs send traffic over unsecured connections (ports 110 for incoming and 25 for outgoing). Find out if your e-mail provider offers secured “SSL” servers (usually ports 995 and 465 respectively). If they do, they should be able to help you change your program settings (Outlook: account properties, Advanced tab).

If you use a Web mail service like Yahoo or Gmail, or even a general ISP but through a Web application like Horde, you’re in better shape. Chances are you’re already using an SSL connection (“https://”). When you log into your mail Web page, make sure the URL has that “s” (https://) and the little lock icon wherever your browser shows you secured connection info (bottom middle status bar for Firefox 3).

Web searching. You know Google stores your searching habits tied to your IP and browser info, right? Here’s a way around that: Scroogle Scraper. (Secure page: https://ssl.scroogle.org/). Read their main page for more info.

Email encryption. OK, things get a little trickier here, but it keeps getting easier than it used to be. Most people who use email encryption use what’s called GnuPG. (You don’t need to go to that site unless you want more info about the tech). You will need to generate a key-pair to do the encrypting and an email program plugin to apply the key-pair to. If you’re lucky enough to be using Linux and Thunderbird, KGpg is probably already installed to help you make your keys and you just need to add the Enigmail add-on (actually, I believe all you need is the Enigmail add-on for Thunderbird as it has a built-in key manager. Which means, if you’re using Thunderbird in Windows, that’s all you need as well! Use your Thunderbird add-on search, or this link.)

If you’re using Outlook, you’ll need to install something like WinPT or better yet, GPG4Win which has everything you need to generate the keys and make Outlook send and decrypt encrypted email. It may be a bit tricky to get used to at first, and you may question its worth-whileness… but it is. (And like Thunderbird and Enigmail, it’s free.)

Security packages. If you really want to get into security, I recommend a package like Steganos. It costs money, but it’s extremely easy to use and a whole lot of options. Email encryption, file (or even entire drive and partition) hiding, encrypted Internet connections (if you can afford that, it’s the best way to go!!) Steganos even offers a free encryption tool on their Web site: LockNote to encrypt data you want to keep on your PC, like passwords and the like, and FreeCrypt which allows you en- and decrypt text that you can cut-n-paste into messages. (The recipient just has to use the same Web page to decrypt so long as they have the password you decide on).

Another is a package endorsed by the Electronic Frontier Foundation: Anonymizer Anonymous Surfing. They have variety of packages like VPN connections, spam foiling disposable e-mail addresses, file and history “shredding.”

Internet anonymity. Steganos and Anonymizer VPN, mentioned above, provides a secure, encrypted connection which makes all of your traffic anonymous so companies can’t track your browsing habits and visits and tie it back to you. A free option that’s not near as complete and secure, but is a pretty good option…for free, is EFF’s daughter project, Tor. It doesn’t involve any encryption. What it does is send your traffic through a large and wide network of participating relays (of which you can choose to be one) so that you look like you’re one of the many random end servers with virtually no way to track the traffic back to your original IP. It can be slow using it, and it’s not foolproof–that is, if you’re doing something illegal you WILL get caught (I highly discourage doing anything illegal anyway. In fact, not sure I’ve mentioned it yet but I’ve certainly implied it: privacy and security is the right of ALL people and one does not have to be doing something illegal to have use of it.) But if you want to avoid general tracking and recording of your surfing by corporations and marketers, etc, this could work for you.

Drive encryption. Getting a bit more tricky is the concept of drive encryption (whether PC drive or USB thumb drive). If you keep passwords or credit card info or any personal info on your thumb drive which would be a major hassle or even financially ruinous of someone got their hand on it, I highly recommend encrypting it. Steganos Safe is very user friendly, but costs. A powerful, free option is TrueCrypt. But I’ll tell you, unless you know some tech, you might not want to touch it. The Fedora 9 Linux distro has a built-in drive encryption feature. Come to think of it, I think Windows XP Pro (and maybe Vista) also has drive encryption if you’ve formatted the drive in NTFS…except, Windows login security is VERY easy to circumvent. Don’t rely on it.

Well, I guess that it. Final thoughts: Security and privacy is everyone’s right, protecting it is everyone’s responsibility. Don’t be lazy, take time investigate how you are at risk and take steps to protect yourself and your civil liberties. It benefits all of us!

Update (28 Jun 1:30pm): Here’s a new example of how trustworthy and ethical those with power and control use it:

And a sign of the times: Sweden, a former protector of civil liberties and privacy, last week passed a bill which allowed the government to monitor ALL domestic electronic and telephone communications.