SMS Text Messages: A Goldmine to Exploit
This is probably the least surprising revelation from the Snowden papers. Texts are sent in the clear, and always have been. i.e. there is no encryption in the SMS standard. Vodafone are reported to be “shocked and surprised”, although I’m not sure why. Perhaps it would have been somewhat surprising back in July.
Incidentally the NSA don’t half like overusing bad smileys on their terrible powerpoints. 🙂
If you haven’t read the original Guardian piece it is worth a read; not so much for the ‘revelation’ that texts are being saved, I rather took that as a given, but for the creative ways this programme seems to skirt around the laws intended to control and limit snooping.
“The NSA program, codenamed Dishfire, collects “pretty much everything it can”, according to GCHQ documents, rather than merely storing the communications of existing surveillance targets”
The extent and the use of data that they are not allowed to search to provide data that would be unknowable otherwise is surprising, creative, and concerning as it would seem the law restricting access to content is being easily circumvented.
Mind you, it does look like the UK telcos have decided to push back a little: BT’s Chief Executive has described the laws on data collection as unfit for purpose, and the four major mobile networks are seeking answers from the government on how spies are apparently able to get around UK law via the DishFire programme. (My emphasis)
I doubt they’ll get anything resembling a straight answer though.
Who is Watching the Watchers?
What is abundantly clear is neither the NSA or GCHQ are abiding by the spirit (or frankly, the letter) of the laws they are subject to. But that’s the opinion of a non-lawyer who naïvely thinks that not being allowed to use the content would obviously also mean you can’t use the content to build a massive database from that content.
They seem to be utterly out of control in their quest to know everything on everyone. Who, meanwhile, is watching the watchers? …and the watchers of the watchers?
Which reminds me, I’m thinking it’s time to rewatch Enemy of the State (1998) but view it as a documentary! At least you can now watch without wondering how much of the clever surveillance is possible – we now know basically all of it, and then some.
There is clearly some weasel word get out clause provided by some agency lawyer in which software searches of said content do not count as being looked at. Well that certainly isn’t what the spirit the law intended. I’m surprised that it can be interpreted that the letter of the law permits it either.
OK, it’s my turn to play with some terms, and perhaps invent a new one.
Meta – a prefix used in English to indicate a concept which is an abstraction from another concept, used to complete or add to the latter.
So, just how the hell is the MESSAGE CONTENT and data within that content abstract to the message content?
Let me introduce another term that I haven’t ever heard used:
The cleaning of illegally obtained or illegal to view data by running it through one or more computer processes and frequently renaming it metadata such that exactly the same data is available for later use without inconvenient laws getting in the way.
[See also GCHQ, NSA]
Dang. Google tells me I haven’t just invented this phrase 🙂
“In contrast to [most] GCHQ equivalents, DISHFIRE contains a large volume of unselected SMS traffic,” it states (emphasis original). “This makes it particularly useful for the development of new targets, since it is possible to examine the content of messages sent months or even years before the target was known to be of interest.”
“The Prefer program uses automated text messages such as missed call alerts or texts sent with international roaming charges to extract information, which the agency describes as “content-derived metadata”, and explains that “such gems are not in current metadata stores and would enhance current analytics”.”
Now wait a bloody moment here.
That would seem to be building a massive database of content your not allowed to have to incriminate new folks for fun and profit.
So, using content, that you’re NOT ALLOWED to view to build more metadata of connections, times, locations? If this is the only means to those new and interesting connections, the law, however inconvenient and annoying should mean that knowledge is, for now, unknowable to you.
It’s “Only” Meta Data
- 113k names
- 76k geocoordinates
- 5m missed call notifications for contact chaining
- 6m SIM card changes
- 1.6m border crossings (from the roaming welcome texts when joining a foreign network)
- 61k correlations of credit cards to individuals
- 750k financial transactions
No one (excepting the odd fool and politician’s Newspeak) would consider any of that meta data – it’s the actual data. From the content of the messages. Roughly 12m daily transgressions of the law not to use the content then. That’s quite some laundry list. Meta data about an SMS would be the time sent, source address and destination address, and perhaps delivery status.
All from data you’re not allowed to look at or search? You consider this legal? Do you consider it abides by the spirit of that law intended to separate content and meta-data?
We’re apparently well into the territory of having a laugh (at our expense).
But don’t worry, it’s “only” meta-data, even when it clearly isn’t. Your credit card number is apparently not data but information about data. In finding ways to evade the law apparently the English language was taken out back and shot.
But we can relax, as GCHQ have a fine control system in place “remember to flip the switch so you don’t see the content before searching”. OK, there’s never going to be any mistakes, typos or temptation in that fabulous system of safeguards now is there?
The note warns analysts they must be careful to make sure they use the form’s toggle before searching, as otherwise the database will return the content of the UK messages – which would, without a warrant, cause the analyst to “unlawfully be seeing the content of the SMS”.
I find it deeply revealing that the DEFAULT case appears to be the potentially illegal search – ie the one which also provides content. Sensible UX ensures that the untouched setting of an option is the one needed the MAJORITY OF THE TIME. Does that therefore imply that the majority use case is the one that we’re meant to have a law to prevent?
Perhaps the box is only ticked when MPs and sovereigns are visiting. “…and you can see, Prime Minister, that we get a list of numbers and times but no content of any of the messages, as the law requires”.
So once you have the database of everything… What’s next? We sure as hell won’t be any safer, from anything. Especially not terrorists.
Want to slash the GCHQ or NSA budget? That text you sent trying to buy a little weed will arrive at the Daily Fail along with anything else that might get twisted adequately by the gutter press. Chances are your political career is very visibly over before you even got to see the actual figures.
Who oversees the overseers? Apparently no one.
“In the statement, the NSA spokeswoman said: “As we have previously stated, the implication that NSA’s collection is arbitrary and unconstrained is false.
“NSA’s activities are focused and specifically deployed against – and only against – valid foreign intelligence targets in response to intelligence requirements.”
The trillions of new “content derived metadata” items captured per year are, what, line noise, coincidence, the laundry? Seems the British Govt are perfectly OK with Brits being categorised and “valid foreign intelligence targets”. Treason? 🙂 Oh look, a smiley. Draw your own conclusions.
Yes, as we’ve repeatedly seen, that meaningless protection for US citizens is easily circumvented, but you’d think as one of the Five Eyes watchers we’d have parity.
Two Simple Recommendations
One: You may choose to write to your MP/representative regarding this. Of course the cynical might feel in the New World Order this will probably see you categorised as a terrorist and get you on assorted global watch lists. Perhaps. It doesn’t seem like this will lead to any more surveillance of you though!
Two: Install, and use whenever possible, TextSecure (Android only for now).It comes from Open Whisper Systems, is open source and was started by Moxie Marlinspike – someone with widely respected crypto capabilities.
Once you’ve got it try and get all your friends to use it – even for those boring running late or fancy a beer texts!
Be very careful with “secure” comms products – like Telegram which came out shortly before Christmas and lasted no more than a couple of days before someone had shown it to be fundamentally flawed. (I refuse to give them a link, so have a link to one of many posts showing how bad they are). Many of the secure products out there are proprietary or snake oil – great marketing but unknown or known bad crypto.