CISPA & CCDP: Digital Surveillance Laws to Rule them All
New digital snooping laws being discussed in the U.K. and U.S. are generating a lot of negative sentiment from advocates of privacy and human rights groups. The new surveillance laws would allow service and platform providers to collect, store and even sell data to third parties and permit its perusal by various security services.
In the U.K., the new laws would allow phone calls, browsing history, text messages, emails as well as activity on sites such as Facebook and Twitter to be logged and made available for searching in a central national database. The U.S. is seeking even more draconian powers that would enable corporations to exchange, consume and gather private information on internet users.
CISPA & CCDP: Same S*it, Different Shovel
Although the U.K. Communications Capabilities Development Programme (CCDP) and U.S. Cyber Intelligence Sharing and Protection Act (CISPA) differ on some minor points, it is generally understood that both governments are pursuing similar surveillance agendas.
In a recent petition to stop the U.S. bill, Avaaz.org stated that:
“CISPA would give private companies and the U.S. government the right to spy on any of us at any time for as long as they want without a warrant. This is the third time the U.S. Congress has tried to attack our Internet freedom.”
We already touched on Reporters sans Frontières recently released Internet Enemies Report in which they discussed countries with poor records of privacy protection or even outright censorship and media control. Their report stated that “Internet content filtering is growing but Internet surveillance is growing even more. Censors prefer to monitor dissidents’ online activities and contacts rather than try to prevent them from going online.”
We were interested to understand how such surveillance measures in countries that are already employing these practices might affect the citizens and shape their digital lives.
The United Arab Emirates (UAE), for instance, has a country-wide firewall that censors and logs all internet activity. In addition to the firewall censorship policies, social networking sites like Twitter and Facebook are subject to round-the-clock monitoring by dedicated teams in Dubai and other emirates.[1]
Security experts, however, say that this type of surveillance is ineffective against anyone who has a genuine need to keep their digital life away from prying eyes. Any such snooping activities can be rendered ineffective by easily-implemented countermeasures and only traffic generated by everyday citizens would be captured.
Expert Opinion on Cyber-Surveillance
Robin Toselli, a Dubai-based senior security specialist, said that “there are dozens of different ways people can thwart the proposed system and remove big brother from the equation completely.” He pointed out that securing web browser communications by means of TLS certificates[2], similar to those used by online banking, and encrypting your emails, can already remove 99% of potential areas of snooping.
“They [the government] might still be able to find out your browsing history or block access to sites which they classify as dangerous, but as long as you use SSL they can’t see the contents of the transaction,” Toselli added.
Masking browsing history can also be achieved by using any of the freely available anonymous proxy services. A simple internet search for “anonymous proxy” will reveal plenty of providers. Of course, the government might be blocking access to these and it could take some trial and error to find a provider that is available. The proxy service hides browsing habits from anyone listening in and can also be used to circumvent website access and censorship restrictions.
Dubai has laws in place which ban the use of VoIP (voice over internet protocol) software, such as Skype, but because many types of these applications can utilize the SSL protocol, they are therefore difficult to completely eliminate without also affecting legitimate commercial traffic. The Skype website itself is not blocked in Dubai, but the download of the software is. Anyone who has the application installed prior to reaching Dubai can continue to use the service without restriction.
The use of VPN (virtual private network) services can also provide a secure and encrypted tunnel to a restriction-free internet node. “It’s quite pointless trying to enforce these types of systems because people will always find ways to get around them,” Toselli said.
There are alternatives which are just as effective, if not more so than a proxy service. The Tor Project, originally designed, implemented, and deployed as a third-generation onion routing project of the U.S. Naval Research Laboratory, is a network of virtual tunnels that allows people and groups to improve their privacy and security on the internet by masking their identity, source and the websites they connect to. Messages are repeatedly encrypted and then sent through several network nodes called onion routers. Like someone peeling an onion, each onion router removes a layer of encryption to uncover routing instructions, and sends the message to the next router where this is repeated. This prevents these intermediary nodes from knowing the origin, destination, and contents of the message.[3]
Who Supports and Stands to Profit from Snooping?
The U.S. government is currently trying to amend its National Security Act of 1947 to allow for greater sharing of “cyber threat intelligence” between the U.S. government and the private sector, or between private companies. The Cyber Intelligence Sharing and Protection Act, also known as H.R. 3523, has passed the House of Representatives by a vote of 248 to 168 and will now move to the Senate for further approval.
Internet service providers like AT&T and Verizon and companies like Facebook, IBM, Intel, Oracle and Symantec are all supporting this bill. And for good reason, there is big money involved in data mining and its supply to paying customers. This is perhaps the first large step in privatizing the intelligence gathering sector. Earlier rumors that Microsoft had distanced itself from CISPA were rejected in late April — “Microsoft’s position remains unchanged,” said Christina Pearson, a Microsoft spokeswoman, in a statement to The Hill.
“We supported the work done to pass cybersecurity bills last week in the House of Representatives and look forward to continuing to work with all stakeholders as the Senate takes up cybersecurity legislation.”
— Christina Pearson, Microsoft
Considering that Microsoft is one of the largest providers of free internet-based services such as Hotmail, MSN, Live & Bing, this is certainly worrying news. Furthermore, companies like Facebook, which already store large chunks of our private information, could stand to profit from sharing details with 3rd parties as well as governments.
What is curious, is that most people seem to be okay with posting intimate details on sites such as Facebook and storing their private emails on platforms provided by Google, Yahoo and Hotmail, and yet, start to object the moment this information is to be shared with governments — indicating a clear stance on what is (and what isn’t) acceptable.
We asked Page Dowsling, a German public relations executive, on how the Dubai firewall and censorship laws have affected her online life. “I like to watch TV shows online and some of the sites are blocked, but not all. I mostly go on Facebook to connect with friends, use email, read online newspapers and blogs, but these don’t seem to be censored.”
Having lived in the country for just over a year, Dowsling seems to have adapted to her new but limited digital life. “I accept that I live in a country where things are the way they are and I’m only here temporarily. It’s up to the local Emirati to decide what is going on in their country.”
After outlining the details of what CISPA and CCDP are trying to achieve and by what means, Ms. Dowsling appeared shocked. “What do you mean they will be able to share my information?” Ms. Dowsling exclaimed. “I don’t think it’s right that my personal information would be distributed. Even though my social life would suffer, I’d disconnect from Facebook immediately.”
What are the Flaws in CISPA?
The Center for Democracy and Technology, a nonprofit public policy organization, lists these major flaws in CISPA:
- The bill has a very broad, almost unlimited definition of the information that can be shared with government agencies notwithstanding privacy and other laws;
- The bill is likely to lead to expansion of the government’s role in the monitoring of private communications as a result of this sharing;
- It is likely to shift control of government cybersecurity efforts from civilian agencies to the military;
- Once the information is shared with the government, it wouldn’t have to be used for cybesecurity, but could instead be used for any purpose that is not specifically prohibited.
The Electronic Frontier Foundation (EFF) stated that CISPA’s description of cybersecurity is so broad that “it leaves the door open to censor any speech that a company believes would ‘degrade the network.'” Furthermore, the inclusion of “intellectual property” means that companies and the government would have “new powers to monitor and censor communications for copyright infringement.” According to the EFF, CISPA “creates a ‘cybersecurity’ exemption to all existing laws.”
“There are almost no restrictions on what can be collected and how it can be used, provided a company can claim it was motivated by ‘cybersecurity purposes,'” the EFF added.
“That means a company like Google, Facebook, Twitter, or AT&T could intercept your emails and text messages, send copies to one another and to the government, and modify those communications or prevent them from reaching their destination if it fits into their plan to stop cybersecurity threats.”
— Electronic Frontier Foundation
The estimated $751 million U.S. Cybersecurity budget for 2013 is not only an attack on universal human rights, but is highly doubtful to deliver on its promise of bagging the bad guys.
As the population grows more tech savvy and freely available tools permit for complete anonymity and privacy, it is very unlikely that these snooping laws will provide any useful security intelligence on their intended targets. Ultimately, the snooping laws would merely infringe on the rights of unwary individuals who have no reason to hide their online activities or friend lists. Anyone with a legitimate need to stay anonymous and secure has all the tools and technology at their disposal to do so irrespective of what the governments do.
The world is eagerly watching the situation in the U.S. because approval by the Senate would mean that only Obama holds the final veto vote to stop CISPA becoming law and setting a dangerous precedent for the rest of the globe.
N.B.: It is reported that this post has since been banned and censored for anyone trying to access it from the UAE.
Footnotes
- As reported by Major Salem Obaid Salmeen, Dubai’s deputy director of anti-electronic crimes unit. ^
- Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. ^
- To prevent an adversary from eavesdropping on message content, messages are encrypted between routers. The advantage of onion routing (and mix cascades in general) is that it is not necessary to trust each cooperating router; if any router is compromised, anonymous communication can still be achieved. This is because each router in an OR network accepts messages, re-encrypts them, and transmits to another onion router. An attacker with the ability to monitor every onion router in a network might be able to trace the path of a message through the network, but an attacker with more limited capabilities will have difficulty even if he or she controls routers on the message’s path. http://en.wikipedia.org/wiki/Onion_routing ^
Viewing this from the UAE
Thanks Ahmed, glad to hear that it’s visible again. Can I ask which ISP you’re using?
Du :)