Techno-Exegesis
by Joseph Battaglia (sephail@2600.com)
I've been on the receiving end of a large number of curious glances as I walk down the street with my stylish tin foil-covered cellular phone. No longer a ritual coined by early sci-fi movies to prevent mind control, it's now my best weapon against the wiretapping and data mining policies of today's regime. I, for one, won't let Mr. Bush track me or my phone calls. No sir. The Faraday cage effect of the foil prevents precisely that. And, unfortunately, my ability to place or receive calls as well.
After the September 11th attacks, President Bush gave authorization for the NSA to wiretap any international phone call made within the United States - without a warrant. The beans were spilled late last year when public outrage over the policy seemed to come and go in a single burst as people began to focus less on their privacy and more on why they've begun spending a day's pay to fill their SUV's gas tank. Then, in early May, more beans were spilled, leaving quite a mess for the NSA to sweep under the carpet. The claim this time around was that they had started yet another invasive program at about the same time as the first one. As it turns out, they'd also been data-mining information about every single phone call placed by the customers of cooperating corporations, namely AT&T, Verizon, and BellSouth (although some are denying this claim).
Surprisingly, the reaction I get upon discussion of the matter with most people generally falls into one of two categories: the "What are you talking about? What's the NSA?" category and the "It doesn't affect me. I have nothing to hide and if you do, you must be a terrorist." category. Very rarely do I encounter concerned individuals. It is therefore my hope that by the end of this article, you'll no longer have any doubts about the severity of such policies, be it those made blatant by our government or those existing more subtly in privacy policies set by corporations and various Internet services.
Social networks yield all sorts of valuable information - to advertisers, governments, identity thieves, governments, stalkers, governments, and a whole slew of other people who simply want to know what you're up to for one reason or another. Did I mention governments? Today, not only do social networks exist in real life, but representations of these networks, and even entirely distinct networks, exist on the Internet.
MySpace, Xanga, LiveJournal, Flickr, Blogger, and countless other online networking sites are extremely popular among today's youth. As a college student, the one I find myself relying on most happens to be (((Facebook))), and so I'll focus mainly on this particular site. However, they're all very similar in nature and pose the exact same risks.
Facebook, a popular networking site for students, is a good example of the dangers that lurk inside these virtual networks and behind the policies that govern their use. Every student registered with Facebook has a profile where the opportunity exists to store and exhibit all sorts of information, including birthday, address, phone number, relationship status and partner, high school, political views, favorite music/movies/shows, et cetera.
All the same sort of information you'd be expected to answer when attempting to prove your identity, indexed on a single server and viewable by the world - and people fill it all out. (It's a pity they don't have a "Mother's maiden name?" field.)
After the student's profile is created, Facebook provides a powerful search tool to help build up the social network. Searches can be performed by name, school, class year, and many other fields in an attempt to find someone, be it a close buddy, a long lost classmate, or a random student on the other side of the country.
Adding someone as a "friend" forms a social connection and allows more information to be exchanged between the two parties. Special interest groups can also be formed. The capabilities of Facebook have been expanding greatly in the past few months, too.
One feature in particular, the photo gallery, has made some uncomfortable with the service while others simply love it. You're given the capability to upload photo galleries and tag each photo with the names of those present in it. These pictures are then automatically linked directly from the profile of those tagged in it, regardless of whether or not they approve. Needless to say, many incriminating and embarrassing photos have been uploaded, only to become automatically linked to from the profile of the person shown.
Once you're all set up - profile constructed, pictures uploaded, social network formed, groups created - the data can really do its work. You're able to get statistics on how many people you know from each school, build social trees, and even view a timeline of who you've met, what you've done with them, where you've worked, and all sorts of other data based on how much you've provided.
You can even see how many "hops" away you are from knowing a particular person. The technology is cool, but the privacy implications are chilling. Keep in mind that I've only described a tiny portion of the capabilities of this network and possible fields of data entry.
Now, let's take a quick look at some excerpts of their multi-page privacy policy:
- "We are not responsible for the personally identifiable information you choose to submit in these forums or for others' misuse of such information."
- "Facebook may also collect information about you from other sources, such as newspapers, blogs, instant messaging services, and other users... in order to provide you with more useful information and a more personalized experience."
- "When you use Facebook, you may form relationships, send messages, perform searches and queries, form groups, set up events, and transmit information through various channels. We collect this information..."
- "When you update information, we usually keep a backup copy of the prior version..."
- "By using Facebook, you are consenting to have your personal data transferred to and processed in the United States."
I hope I'm not the only one who finds some of these policies f*cking scary.
The first is a relatively typical disclaimer that you'll find in most policies, but take a look at the next three.
Facebook admits to collecting information about you from other sources - not even information you willingly give them! I'm not quite sure how much this actually helps give a "personalized experience" but the fact that there are partnerships between Facebook and other online entities who share your data is quite disturbing in itself.
They admit to collecting all this information, which is apparent, but then go on to state how it's all retained, regardless of whether or not you attempt to remove it.
This means that anything you post is permanently available to both Facebook and whomever they decide to share it with. These bits of the policy alone essentially give Facebook free reign to do what they'd like with the information, while the last excerpt acknowledges that our government may do the same.
Even if you think that the Facebook employees are pretty nice guys, the government can easily demand their databases with the sign-of-the-times "national security" excuse, and it'd be illegal for Facebook to tell you that it even happened at all.
While online social networks themselves are opt-in and ultimately allow their users to maintain control over the information submitted, the NSA's approach is quite different.
They've persuaded various telephone corporations into providing access to every customer's call logs without any sort of notification at all. At first thought, just the call data seems quite harmless, but upon consideration of how many millions of customers these companies provide for and the sort of interconnections that can be drawn by combining this enormous amount of data using the resources available to the NSA, the picture becomes quite clear.
With the introduction of the PATRIOT Act and other Homeland Security legislation, it's become incredibly easy for law enforcement to detain individuals without even the slightest hint of evidence if they claim that such an action is a matter of national security. They don't need immediate proof, so they've got plenty of time to build up a case - and what better place to start than a person's phone records? With access to the logs of every possible telephone contact point in the country, it's incredibly easy to build a tree based on an individual's activity.
Such a tree can potentially stretch out indefinitely (that is, as far back as their log history can realistically take them), assuming the person doesn't have a single group of friends that communicate exclusively with each other. The potential exists to connect one person with nearly anyone else for which these records exist.
Using well known algorithms, this can be done at fascinating speeds without even considering the processing power and TOP SECRET in-house algorithms the NSA surely has. This capability enables them to make it seem as if two people who've never actually met do indeed know each other.
If some "other person" can be found who has known ties with terrorist organizations and can be easily linked to your call data, they've got all the "proof" needed.
Considering the Facebook example once again, I had mentioned that it's possible to look at exactly how many "hops" away you are from knowing another individual. Once a realistically-sized social network is built, you can literally spend days browsing through others' profiles to whom you are connected via only a few hops.
People you've never seen before seem very closely accessible, and indeed simply throwing out the name of a common friend could connect you to hundreds or thousands of people you would have otherwise never even known existed. The same strategy can be used by law enforcement. There exists a large possibility for them to take a single account and draw a path from that account to nearly any other within the database - it's simply a matter of the number of hops it takes.
Not only this, but using additional information such as call time and, especially with cellular phone accounts, location of the device placing the call, it's easy to see exactly which groups of people have met - exactly when and where - simply by having the call data.
Consider the following situation. You're meeting a group of friends - Jack, Mary, and Phil - for dinner.
You've all arranged for this dinner via telephone on Wednesday of last week, when every call to the participants was made within an hour. You then arrive at the restaurant and you want to ensure you've found the right place. So you call Jack to verify. Jack and Mary arrive shortly after the phone call but Phil seems to be late. Jack then calls Phil to see when he'll be arriving and finds that he's only two blocks away. Phil then arrives and you all enjoy a wonderful vegan dinner. This seems to be a fairly typical way of arranging such meetings these days and, with the advent of cellular telephony, more calls are likely to be made in any such planning than the aforementioned example - but I'm being conservative.
For some reason, the NSA would like to know exactly where and who you met that night for dinner.
All they know is that you called Jack before you ate and, using cell site triangulation from that call (data that is also stored by the carriers), they've narrowed down the location to one city block. Sifting your call logs through a simple algorithm, a group of friends you regularly talk to becomes very apparent, Jack being one of them.
The algorithm shows exactly when you've called Jack in the past, and it's obvious that a chain of calls was made to a group of your friends on the Wednesday you planned the dinner. (Who called whom is irrelevant as they have the logs for everyone who participated anyway.) Cross-referencing to Jack's phone log, they see that shortly after you called Jack that night, he made a call to Phil.
Again, using triangulation data, they see that the call originated from the same location as your call. Then, looking at Phil's logs, they see that he was only two blocks away from your location.
They now know three out of the four people you've met, and Mary can be deduced by looking at the Wednesday log. Overlapping triangulation data from the various cell sites you and Jack were connected to narrows the location down to a single restaurant. QED.
Whether or not you have anything to hide, the reality is that data that is able to pinpoint your exact location is being continuously logged and stored.
Virtual social networks representing your life are being built without consent. Connections can be drawn between you and virtually anyone else for which this data exists, and this data can be manipulated to make it seem as if you're affiliated with someone who you don't even know exists.
If you carry a cell phone, a trail of every location you've been while that phone is on is being stored. Moreover, all this information is being deposited in one central location: NSA headquarters. Scared yet?
I've got some tin foil for you, too.