
CISPA & CCDP: Digital Surveillance Laws to Rule them All

New digital snooping laws being discussed in the U.K. and U.S. are generating a lot of negative sentiment from advocates of privacy and human rights groups. The new surveillance laws would allow service and platform providers to collect, store and even sell data to third parties and permit its perusal by various security services.

In the U.K., the new laws would allow phone calls, browsing history, text messages, emails as well as activity on sites such as Facebook and Twitter to be logged and made available for searching in a central national database. The U.S. is seeking even more draconian powers that would enable corporations to exchange, consume and gather private information on internet users.

CISPA & CCDP: Same S*it, Different Shovel

Although the U.K. Communications Capabilities Development Programme (CCDP) and U.S. Cyber Intelligence Sharing and Protection Act (CISPA) differ on some minor points, it is generally understood that both governments are pursuing similar surveillance agendas.

In a recent petition to stop the U.S. bill, Avaaz.org stated that:

“CISPA would give private companies and the U.S. government the right to spy on any of us at any time for as long as they want without a warrant. This is the third time the U.S. Congress has tried to attack our Internet freedom.”

Avaaz.org

We already touched on Reporters sans Frontières’ recently released Internet Enemies Report, in which they discussed countries with poor records of privacy protection or even outright censorship and media control. Their report stated that “Internet content filtering is growing but Internet surveillance is growing even more. Censors prefer to monitor dissidents’ online activities and contacts rather than try to prevent them from going online.”

We wanted to understand how surveillance measures in countries that already employ these practices affect citizens and shape their digital lives.

The United Arab Emirates (UAE), for instance, has a country-wide firewall that censors and logs all internet activity. In addition to the firewall censorship policies, social networking sites like Twitter and Facebook are subject to round-the-clock monitoring by dedicated teams in Dubai and other emirates.[1]

Security experts, however, say that this type of surveillance is ineffective against anyone who has a genuine need to keep their digital life away from prying eyes. Any such snooping activities can be rendered ineffective by easily-implemented countermeasures and only traffic generated by everyday citizens would be captured.

Expert Opinion on Cyber-Surveillance

Robin Toselli, a Dubai-based senior security specialist, said that “there are dozens of different ways people can thwart the proposed system and remove big brother from the equation completely.” He pointed out that securing web browser communications by means of TLS certificates[2], similar to those used by online banking, and encrypting your emails, can already remove 99% of potential areas of snooping.

“They [the government] might still be able to find out your browsing history or block access to sites which they classify as dangerous, but as long as you use SSL they can’t see the contents of the transaction,” Toselli added.

Masking browsing history can also be achieved by using any of the freely available anonymous proxy services. A simple internet search for “anonymous proxy” will reveal plenty of providers. Of course, the government might be blocking access to these and it could take some trial and error to find a provider that is available. The proxy service hides browsing habits from anyone listening in and can also be used to circumvent website access and censorship restrictions.

Dubai has laws in place which ban the use of VoIP (voice over internet protocol) software, such as Skype, but because many of these applications can use the SSL protocol, they are difficult to eliminate completely without also affecting legitimate commercial traffic. The Skype website itself is not blocked in Dubai, but the download of the software is. Anyone who has the application installed prior to reaching Dubai can continue to use the service without restriction.

The use of VPN (virtual private network) services can also provide a secure and encrypted tunnel to a restriction-free internet node. “It’s quite pointless trying to enforce these types of systems because people will always find ways to get around them,” Toselli said.

There are alternatives which are just as effective as a proxy service, if not more so. The Tor Project, originally designed, implemented, and deployed as a third-generation onion routing project of the U.S. Naval Research Laboratory, is a network of virtual tunnels that allows people and groups to improve their privacy and security on the internet by masking their identity, source and the websites they connect to. Messages are repeatedly encrypted and then sent through several network nodes called onion routers. Like someone peeling an onion, each onion router removes a layer of encryption to uncover routing instructions, and sends the message to the next router where this is repeated. This prevents these intermediary nodes from knowing the origin, destination, and contents of the message.[3]
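The layering described above can be shown in a few lines. This is an added sketch, not Tor's code or protocol: the relay names, keys and destination are constructed, each relay is assumed to already share a key with the sender, and a toy SHA-256/HMAC cipher stands in for a real authenticated cipher so it runs on the standard library alone.

```python
import hashlib
import hmac
import os

# Toy authenticated cipher (SHA-256 keystream + HMAC tag). It stands in for a
# real AEAD so the example needs no third-party packages; Tor does not use it.
def _subkeys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _xor_stream(enc_key, nonce, data):
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    body = _xor_stream(enc_key, nonce, plaintext)
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer does not authenticate under this relay's key")
    return _xor_stream(enc_key, nonce, body)

def build_onion(path, destination, message):
    """path: [(relay_name, key), ...] in travel order. Innermost layer is wrapped first."""
    next_hop, payload = destination, message
    for name, key in reversed(path):
        header = next_hop.encode()
        payload = seal(key, bytes([len(header)]) + header + payload)
        next_hop = name
    return next_hop, payload  # first relay to contact, and the fully wrapped onion

def peel(key, blob):
    """What one relay does: remove its own layer and learn only the next hop."""
    plain = unseal(key, blob)
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]

def route(relay_keys, first_hop, onion):
    """Pass the onion along; record (relay, next hop it learned) at each step."""
    seen, hop, blob = [], first_hop, onion
    while hop in relay_keys:
        next_hop, blob = peel(relay_keys[hop], blob)
        seen.append((hop, next_hop))
        hop = next_hop
    return seen, hop, blob

# Constructed sample circuit: relay names, keys and destination are made up.
PATH = [("entry", b"k-entry-constructed"), ("middle", b"k-middle-constructed"),
        ("exit", b"k-exit-constructed")]
DEST = "example.org:443"
MESSAGE = b"hello from a constructed client"

if __name__ == "__main__":
    first, onion = build_onion(PATH, DEST, MESSAGE)
    seen, delivered_to, payload = route(dict(PATH), first, onion)
    for relay, nxt in seen:
        print(f"{relay:6s} learns only: forward to {nxt}")
    print("delivered to", delivered_to, "->", payload)
```

In this sketch the last relay still sees the destination and the inner payload, which is why end-to-end protection such as TLS remains necessary on top of the routing layers.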

Who Supports and Stands to Profit from Snooping?

The U.S. government is currently trying to amend its National Security Act of 1947 to allow for greater sharing of “cyber threat intelligence” between the U.S. government and the private sector, or between private companies. The Cyber Intelligence Sharing and Protection Act, also known as H.R. 3523, has passed the House of Representatives by a vote of 248 to 168 and will now move to the Senate for further approval.

Internet service providers like AT&T and Verizon and companies like Facebook, IBM, Intel, Oracle and Symantec are all supporting this bill. And for good reason: there is big money involved in data mining and its supply to paying customers. This is perhaps the first large step in privatizing the intelligence gathering sector. Earlier rumors that Microsoft had distanced itself from CISPA were rejected in late April — “Microsoft’s position remains unchanged,” said Christina Pearson, a Microsoft spokeswoman, in a statement to The Hill.

“We supported the work done to pass cybersecurity bills last week in the House of Representatives and look forward to continuing to work with all stakeholders as the Senate takes up cybersecurity legislation.”

— Christina Pearson, Microsoft

Considering that Microsoft is one of the largest providers of free internet-based services such as Hotmail, MSN, Live & Bing, this is certainly worrying news. Furthermore, companies like Facebook, which already store large chunks of our private information, could stand to profit from sharing details with 3rd parties as well as governments.

What is curious is that most people seem to be okay with posting intimate details on sites such as Facebook and storing their private emails on platforms provided by Google, Yahoo and Hotmail, and yet start to object the moment this information is to be shared with governments — indicating a clear stance on what is (and what isn’t) acceptable.

We asked Page Dowsling, a German public relations executive, how the Dubai firewall and censorship laws have affected her online life. “I like to watch TV shows online and some of the sites are blocked, but not all. I mostly go on Facebook to connect with friends, use email, read online newspapers and blogs, but these don’t seem to be censored.”

Having lived in the country for just over a year, Dowsling seems to have adapted to her new but limited digital life. “I accept that I live in a country where things are the way they are and I’m only here temporarily. It’s up to the local Emirati to decide what is going on in their country.”

After outlining the details of what CISPA and CCDP are trying to achieve and by what means, Ms. Dowsling appeared shocked. “What do you mean they will be able to share my information?” Ms. Dowsling exclaimed. “I don’t think it’s right that my personal information would be distributed. Even though my social life would suffer, I’d disconnect from Facebook immediately.”

What are the Flaws in CISPA?

The Center for Democracy and Technology, a nonprofit public policy organization, lists these major flaws in CISPA:

  1. The bill has a very broad, almost unlimited definition of the information that can be shared with government agencies notwithstanding privacy and other laws;
  2. The bill is likely to lead to expansion of the government’s role in the monitoring of private communications as a result of this sharing;
  3. It is likely to shift control of government cybersecurity efforts from civilian agencies to the military;
  4. Once the information is shared with the government, it wouldn’t have to be used for cybersecurity, but could instead be used for any purpose that is not specifically prohibited.

The Electronic Frontier Foundation (EFF) stated that CISPA’s description of cybersecurity is so broad that “it leaves the door open to censor any speech that a company believes would ‘degrade the network.’” Furthermore, the inclusion of “intellectual property” means that companies and the government would have “new powers to monitor and censor communications for copyright infringement.” According to the EFF, CISPA “creates a ‘cybersecurity’ exemption to all existing laws.”

“There are almost no restrictions on what can be collected and how it can be used, provided a company can claim it was motivated by ‘cybersecurity purposes,’” the EFF added.

“That means a company like Google, Facebook, Twitter, or AT&T could intercept your emails and text messages, send copies to one another and to the government, and modify those communications or prevent them from reaching their destination if it fits into their plan to stop cybersecurity threats.”

— Electronic Frontier Foundation

The estimated $751 million U.S. Cybersecurity budget for 2013 is not only an attack on universal human rights, but is highly unlikely to deliver on its promise of bagging the bad guys.

As the population grows more tech savvy and freely available tools permit complete anonymity and privacy, it is very unlikely that these snooping laws will provide any useful security intelligence on their intended targets. Ultimately, the snooping laws would merely infringe on the rights of unwary individuals who have no reason to hide their online activities or friend lists. Anyone with a legitimate need to stay anonymous and secure has all the tools and technology at their disposal to do so irrespective of what the governments do.

The world is eagerly watching the situation in the U.S. because approval by the Senate would mean that only Obama holds the final veto vote to stop CISPA becoming law and setting a dangerous precedent for the rest of the globe.

N.B.: It is reported that this post has since been banned and censored for anyone trying to access it from the UAE.

Footnotes
  1. As reported by Major Salem Obaid Salmeen, Dubai’s deputy director of anti-electronic crimes unit.
  2. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet.
  3. To prevent an adversary from eavesdropping on message content, messages are encrypted between routers. The advantage of onion routing (and mix cascades in general) is that it is not necessary to trust each cooperating router; if any router is compromised, anonymous communication can still be achieved. This is because each router in an OR network accepts messages, re-encrypts them, and transmits to another onion router. An attacker with the ability to monitor every onion router in a network might be able to trace the path of a message through the network, but an attacker with more limited capabilities will have difficulty even if he or she controls routers on the message’s path. http://en.wikipedia.org/wiki/Onion_routing


3 Comments → “CISPA & CCDP: Digital Surveillance Laws to Rule them All”

  1. Ahmed 10 years ago

    Viewing this from the UAE

    • Dr.Shem 10 years ago

      Thanks Ahmed, glad to hear that it’s visible again. Can I ask which ISP you’re using?

  2. Ahmed 10 years ago

    Du :)
