Your phone is a gateway for spying on you by anyone - Eric King, data security expert
At a time when people can be watched, tracked and monitored every minute of the day it’s not a surprise that the market for international surveillance is thriving. Is the government doing more than just uncovering our secrets? Who else can spy on us? Is privacy gone forever? Well, our guest today is committed to exposing the world of unlawful snooping. Eric King from Privacy International is on Sophie&Co today.
Sophie Shevardnadze: The opposition protesters in Kiev received texts telling them to leave certain areas. Now the phone companies deny any involvement. Do you have any idea how that happened?
Eric King: As I understand, the rumors immediately afterwards were that something called MZ-catcher was used. This is a fake mobile phone base station that authorities can use to identify people in the local area then also send text messages afterwards. However, there were reports since then that show secret code orders showing that telecommunications companies themselves were actually involved.
SS: But are there any other ways to control protest using technology?
EK: A whole range. The question I suppose is what the objective of the authority is. Maybe to find out who the people are. As I mentioned, technologies called MZ-catchers are a very effective tool for finding out the unique identifiers on someone’s SIM card and on their mobile phone to find out who is there. So if you imagine that 20 years ago you might have needed a police officer to stop and arrest someone or to stop and search them and ask for ID to get a full list of everyone who is there, now a very affordable piece of equipment can be deployed. You can set the radius of how far you want to kind of scoop up. And then you get a list of every single mobile phone there, which can be tied back to an individual. So it is an exceptionally powerful tool at unmasking anonymous protest.
SS: So once I am a protestor what should I do not to be tracked on? Just turn the phone off or take out the battery? What’s there to do?
EK: Well, the advice on this is very difficult. Many protests can get violent on both sides. There are numerous ways in which accidents can occur at which point you do want the ability to communicate. However if you are concerned that your attendance is likely to cause you distress or harm at a later point, you do not want to be taking your mobile phone to the protest.
That’s not strong advice. It has got to be a decision that individuals make on a basis of full information. And that’s one of the reasons why we push for more transparency about surveillance technologies that are used and the laws which regulate how and when they can be used. It’s Privacy International’s perspective that MZ-catchers should never be used at a legitimate protest. It seems outrageous to us that people protesting for their rights in the most part can so quickly and so easily be added to a database. We think it’s about ripe for abuse.
SS: But just how easy it is to gain access to such technology as MZ-catch for example?
EK: Progressively, they are very, very easy to purchase. There are surveillance trade shows around the world that allow you to go in and buy that technology. Many companies only sell to law enforcement. But we also know that criminal gangs can also get access to that technology. So it is not necessarily just the police that you need to be concerned about but corporate actors or criminal actors as well.
The technology itself is also very affordable. We know of some companies that sell this technology for as cheap as 250 pounds [US$421], although they can go up to 20,000 [$33,750]. Again this is why we need more discussion about how and when these technologies can be used. Not only by police forces but also to ensure that these police forces are protecting people against corporate actors or criminal actors using that exact same technology. At the moment the police and others don’t like talking about it but the result is that everyone’s privacy and everyone’s security is being left disregarded.
SS: But in your work have you uncovered instances where a certain technology would be used to undermine an existing government for example? And where, if so?
EK: Undermining a government?
SS: An existing government, yes.
EK: I mean, they can be. I haven’t followed it particularly closely, but I’m aware that last week in Ireland a number of police officers had their phone calls intercepted. And that was wired with the use of the MZ-catcher. We still, as I understand, don’t know who the actor is who deployed it. There was another circumstance a few weeks ago. I believe it was American and European diplomats in relation to Ukraine who were having very full and frank conversation that was also intercepted. You can’t ever pin this stuff down for certain, but MZ-catch is the kind of thing that could be used. Likewise, we know that the American NSA run a similar operation using again the technologies similar to MZ-catchers, but not necessarily the same one to intercept Angela Merkel’s phone.
So it is being used regularly by states. Also by other actors against states. Unfortunately, the technology is out there. And again that’s why we need our state institutions to talk about them so that we can be all better protected.
SS: But the UK is one of the biggest exporters of such technology to countries like Bahrain and Yemen. Is this just a case of… is it like modern-day arms trade? Could you compare it to that?
EK: We are always very cautious referring to technologies as weaponry. Ten years ago states tried to control cryptography, which is very similar. It had very negative effect on everyone’s ability to communicate securely. But certainly these technologies can be used very effectively by governments who wish to repress their people. That technology is very affordable. And if you imagine as a dictator you had a choice between buying a nationwide surveillance system allowing you, for example, to remotely switch on a microphone of anyone’s in your country’s mobile phones or buying one-sixth of a tank, what would you select?
So this technology could be used to great effect to monitor and control. And I think that states have learned how to be less eventually oppressive. We are seeing a new way of keeping control and of keeping in power. And it involves shooting people less and spying on people more. And certainly, surveillance plays a very, very impactful role in a whole range of military activities. It always has been but now it is almost being taken to its extreme with things like drone-strikes.
Western intelligence and spying and surveillance provide the overwhelming evidence for action to go and allow governments to target people subsequently. Without mass surveillance, without spying it does not seem that a drone program would be supportable because they would not be able to target and identify people.
SS: Who sells the most and who buys the most?
EK: Many surveillance companies only sell to law enforcement agencies and governments. Some don’t, but most of them make that choice. In terms of the countries that are exporting that sort of technology, it’s those that you would expect to have, you know, large industry base and that historically have been very powerful geopolitically. Russia exports a lot of surveillance technology. The UK exports a lot of surveillance technology. France does, America does, Israel does. China does as well.
SS: Is there such a thing as shadow market for surveillance technology?
EK: For a long time it has been. I mean the entire market has been shadow in the sense that we didn’t know much about it. It was very unregulated. There was not any political discussion or debate about it. The policy on it was weak. Thanks to a number of acts over the last few years, we have now the best understanding we have ever had over what this market place looks like, who is purchasing it and who is selling it. And now that we have got some controls in place I hope that more transparency can be brought to this industry and area as a whole.
I think critically it will also help us make better decisions about how we want our own states to be conducting surveillance activities. These companies have not created this market place out of nowhere. There has been demand. There has been demand for decades. In many circumstances of states wanting some similar capabilities to those that Russia, UK and the US exercise already, and so it’s them purchasing that sort of similar capability. I hope that by exposing this industry and by holding it to account we are also going to have a more informed discussion about how some of these other states conduct their own surveillance activities and how we bring those activities under control as well.
SS: With methods like face identification, mobile phone monitoring and surveillance drones, why is it still so difficult to catch terrorists and criminals?
EK: A very good question. I think one of the things that’s been interesting with the Snowden revelations is that governments have been quick to say that the release of all this information has expressly assisted terrorists. In the UK, I think the line by one of a senior spy chief was that the terrorists who will be rubbing their hands with glee. I don’t see any basis for that. As someone who spent a few years previously advising NGOs who were taking litigation against governments, I wanted to make sure that their communications were secure against surveillance so that their litigation against government for human rights abuses would be as powerful as they could be.
I have gone myself through every single document release trying to understand how I might be able to regulate or change my behavior to escape the dragnet surveillance that we know is going on. And I haven't been able to find a single thing I can change about how I act to evade my behavior or otherwise. And of course we knew that terrorists were already very well aware of the kind of surveillance capabilities that were going on though. They might not have known the code names of the programs. There is a reason why it took Osama Bin Laden as long as it did for him to be caught: because he did not touch a single piece of technology. So the idea that the terrorists have been assisted by this is ludicrous in my eyes. The list of the evidence we have seen so far...what it has done is that it allowed us to have a proper debate about the role surveillance plays in society and to see where there have been excessive and if agencies have gone too far.
SS: Can terrorists put their hands on these surveillance programs?
EK: Certainly. They can attempt to buy it. I mean as always it depends on your definition of terrorism and terrorist in any circumstance. But in the same way as they are able to purchase weaponry and arms...you have got a similar capability. I suppose the thing that would constrain them is that by nature they are not state actors, which means that the effectiveness of their ability to surveil is going to be exceptionally constrained. Surveillance technology is not always a singular piece of information, of technology, that you can walk around [with] and use at any point. It's tapping mass infrastructure. That is why large countries have much larger surveillance capabilities because they have access to the communication networks that private conversations flow through.
SS: Now we'll talk about the onion networks which direct your traffic through hundreds of thousands of relays supposedly concealing your personal information. Is that effective? Does it really work?
EK: Sorry, an onion network? Something like TOR?
EK: As we understand it - yes, it's very effective. It is hiding or anonymizing [sic] your IP address, from where you are communicating. It is very effective not just against the state actors but a whole range of individuals that might have a privileged network access. So they have the ability to see your communications as they flow through the network. And there is a whole range of actors that might have that kind of capability but right through the websites that you are visiting or forums or anything else. You may not want them to know that you are looking at that as well. There’s hundreds of reasons of why that might be a case. You might be looking for a new job and you might not want people to work out that you are because probably you’re connecting from your workplace. You might be someone that is inquiring about rape victim support, but not want that to be linked back to you. So there is a whole range of reasons why anonymity is important to, kind of, the functioning of democracy and onion-routing is a way that you can help to protect yourself online.
SS: But also all those encrypted networks and services can provide a platform for drug and arms selling websites, right? Is there a middle ground between total freedom and total control?
EK: There are ways that you can use that technology for criminality, but that's the same with the telephone or anything else. I don't think that in [its] nature it fundamentally changes law enforcement’s ability to gain access to information and investigate using traditional police sources.
SS: You know, you wrote up at Snowden, so before his revelations were made did you have any idea about the scope of global government surveillance that was going on?
EK: The Snowden releases have kind of confirmed privacy advocates and others who have been following this area for a long time, sort of our worst fears. Surveillance is inherently secretive or at least has been traditionally and it makes it very difficult to confirm anything that is going on. So it is always based on pieces of information.
That said, the extent of the spying is certainly shocking and many of the elements and details within it have taken me by surprise. The length to which national security agencies are going to defeat encryption technologies, putting in ‘back doors’ into the standards that we use every day is shameful. And the justifications by governments for why they do it I think also are very disappointing. Rather than recognizing just how far this has gotten and seeing the damage that has been done and changing course, people just point fingers and say “everyone does it, so why can’t we?” Which seems to me a remarkably childish response at mass violations for human rights.
SS: But doesn't it seem like governments are going to cut back or wrap up their programs of surveillance. So who is at the most at risk from surveillance? Is it the general public or just the high-profile figures?
EK: Well, unfortunately, we are all at risk. We have no idea who state agencies may want to target. There has been no information that has been released as part of that, for the most part. What we do know is that every single person is now a target, at least in the identification of NSA and GCHQ. They say that they need to intercept everything to work out who they do want to target or not which means that all of or the communications are scooped up and analyzed and sorted, and stored and filtered and queried, and with our fundamental rights suffering as a result. So I think that one thing that we have concretely learned is that everyone is being targeted and everyone's rights are being violated every day.
SS: So except the MZ-catch tell us about the most amazing technology that is out there in the market today. Something that you know I could never imagine could exist.
EK: Well, one of the things that I was shocked at when I first learned about was the success of commercial malware and spyware that is being used to target people. So this is crudely a form of hacking, where you deploy a piece of software to someone's mobile phone or to the computer, which, if successfully infected, then allows the adversary to take complete control. This means that any encryption that you’re kind of employing is being made redundant because every message that you type is being logged via the keyboard. Tools and technologies to hide your IP address or others online also get made very ineffective. And it turns your mobile phone for example into the ultimate spying device.
SS: Is there any way you can know that you are being spied on or that you are being watched and surveilled?
EK: The short answer is no. There are ways in which you can do sophisticated forensic analysis to try and determine whether your computer has been infected. But it requires expert knowledge and significant demand of time. So on a day-to-day practical level for most people it is beyond the scope to be able to concretely work out whether or not you are being placed under direct surveillance. However, what I must reiterate is that the nature of how surveillance works now means that everyone's communications are already being intercepted by at least one state actor.
The UK's TEMPORA program intercepts the communication of as many people as it can process, as they flow through the United Kingdom. The releases that we have seen from 2007 show that they already have extraordinary capability to record then all metadata for 30 days and all content for three days. We can only assume that the capability has increased. So it's no longer a theoretical question about whether or not you are being targeted by surveillance. Your communications are being intercepted somewhere.
SS: Things like fingerprint phones or voice-controlled stuff, that’s presumably making our lives easier - are those also helpful to anyone who is monitoring us?
EK: Regrettably with so many kinds of forms of commercial technology that we are all using to improve our lives, it can build an additional surveillance risk. It means that more data than previously you keep on your person and write in a notebook or speak to someone who stands close to you is now being transmitted. And that means that it is flowing through the communications networks that state actors and others can have access to.
Likewise, security has not always been the priority that it needs to be within building those sorts of tools. One of the big areas that needs to be improved is that commercial actors building the technology and the tools that we use every day, to give us a better quality of life and to help fix the small problems need to put security back at the top of the agenda. It's no longer a theoretical risk that our communications are being intercepted. We know they are, and it is their duty to ensure that communications that we make to and from those services and their servers are protected and encrypted.
SS: For instance, we know that the NSA collaborates with applications popular within smart phone users. Angry Birds, for instance. Everyone is playing that. Is it spying on us?
EK: Well, from what we have learned it is not that Angry Birds are collaborating with the national security agency. It's that Angry Birds transmitted information that they were collecting on your phone back to their servers. And they were doing this for purposes of advertising for the most part. They wanted to learn more about what you are doing so that they can sell out to you a part of their free services. What NSA was able to do is to piggyback on that information to collect additional information that otherwise was not being transmitted.
SS: And how exactly this is helping to catch terrorists and criminals?
EK: That's a very good question but I'm afraid not the one I am in position to answer. I don't understand how the majority of the capabilities that we have seen being released will do a particularly effective job at preventing terrorist attacks. Many of them may be needed, but without a democratic debate and public acknowledgement of what is being done I think that they are illegitimate. Particularly the hacking that has been taking place by a whole range of state actors. I think at the moment it has to stop. At no point if we give - the public - authority to states to conduct that sort of equipment. And we are all suffering as the result as the tools that we rely on to communicate securely are being weakened in the name of catching terrorism, but it's being done in secret and without our consent.