Actual terrorists(like 9/11 type, well funded) know better than to even touch anything digital for comms. They literally get a drone strike for having called a known terrorist or for going to a wedding other terrorists with cell phones go to.
For home grown terrorism, how many school shootings happen when the people who know the shooter literally tell police/fbi beforehand about the state of the shooter. Are school shooters not terrorists? They have a social/political gripe and the terror is their way to get their voice out, avenge (like jihad) or inflict change. So why are they failing so bad even after almost 20 years of patriot act?
Politicians don't want to be blamed because they know the next terrorist attack will happen soon and it can't be prevented,except the politicians that gut the patriot act will be blamed for it. On the flip side,information on voters,tracking them like this helps politicians
A lot has changed in the almost 10 years since SOPA, we are fully into the disinformation age and strategies that worked 10 years ago are not going to work now.
Well for security minded folks, the fact they can't use traditional comms (likely because of existing snooping techniques) is a good thing.
Now, does all that snooping and invading countries increase the background desire and willingness for bad guys to do terrorist-type things, almost certainty.
I do stats for a living, and while I think it's good to back up claims with data when possible, inductive reasoning is still a validate tool for understanding the world.
The logic is that active, dedicated terrorist groups already know: "They literally get a drone strike for having called a known terrorist or for going to a wedding other terrorists with cell phones go to."
The reasoning that knowing this information you would be very careful about what you communicate over the internet is very sound to me. To convince me that this reasoning is incorrect would require an abundance of data to the contrary.
You assume that every terrorist (or most terrorists) acts rationally and has the knowledge you know. That is a huge assumption for your reasoning to work.
I think terrorists make mistakes (or take risks), and I'm not convinced that we catch all of those either.
Once again, that is just your opinion, presented as fact. Personally I would argue that people acting rationally stay away from the terrorism business.
If you were in their shoes and america exterminated your family,how would you react? Killing civilians is evil and horrible but in their case they are being very rational.
If terrorists know not to touch digital comms, then how would they get caught by being at a wedding with other terrorists with cell phones? Do terrorists use cell phones or not?
The claim directly conflicts with the supporting anecdote.
> inductive reasoning is still a validate tool for understanding the world.
And here it has led you astray. Terrorist organisations have propaganda mouthpieces, and use social media like any other. One of my previous jobs involved building network analysis tools to identify and locate terrorists combing through their Twitter feeds.
For some, you could easily identify the point in their lives when they were radicalized, and trace connections to others who were also, and identify the people they had in common.
Inductive reasoning opens room for questions, not answers, because it does not account for unknown information.
You are talking about the past when they were radicalized,if this happened online then you are right but I thought it was clear that I meant internet usage for organizing and planning terrorism. Propaganda and radicalization is a dragnet, you will catch many but the one cell that recruits in person and communicates on paper only by code will succeed. It's not a volume game,it's a binary game.
I'm not really sure why you think this needs substantiation.
The logic goes like this:
It would be utterly stupid for terrorist groups to rely on digital communications simply because of how well locked down the various government agencies have made it.
We assume that they are not utterly stupid.
I don't think it's a crazy statement or needing further justification. I doubt terrorist groups are that sophisticated but I would assume they have plugged the simplest holes.
A little searching will reveal some of the opsec apparently used by Osama bin Laden. Use of couriers with thumb drives rather than risk electronic communications, and other things.
Do you know many terrorists who use digital communication to back your claim?
What the above is talking about well known, even privacy-aware people tend to not use digital communication that much, no facebook, or other social media, no smartphones. In the post-Snowden era, I am not sure why somebody thinks otherwise.
3 letter agencies have the means, the reason, the legitimacy, and the resources to penetrate every type of telecommunication, the worst-case just trojan the entire GSM infrastructure if necessary. The USA conducted thousands of drone strikes. What do you think drives locating the target?
> Do you know many terrorists who use digital communication to back your claim?
Yes. In fact I don't know of a single terrorist who doesn't use digital communication of some kind.
I'm slightly confused because you seem to be justifying your belief that no terrorists use digital communication on the back of examples of terrorists identified and killed via surveillance of their digital communication use
I think the distinction isn't generally don't use it all - they are perfectly fine with recruiting and claiming responsibility with it. Instead it is in op sec. The San Bernadino shooters shot their personal phones beyond recovery and the FBI precedent fishing expedition was to theie work phones which they started with access to.
> Actual terrorists(like 9/11 type, well funded) know better than to even touch anything digital for comms. They literally get a drone strike for having called a known terrorist or for going to a wedding other terrorists with cell phones go to.
Terrorists don't use cell phones because terrorists use cell phones?
Even the stupid ones slip through! It takes one smart cell to repeat 9/11. The way you catch them is by targeted surveillance not by dragnet collection of information. The IC does this all the time,they do a powergrab make noise about it, achieve nothing and retain their power. Look at wmds in iraq,torturing,drone bombing,mass surveillance.
Theatrics to make it look like they are doing enough. Truth is, if someone immigrated or gets radicalized without detectio, the IC is relying on them not having good opsec. Spying on everyone (instead of with a warrant) , E2EE subversion,and these silly laws won't give them additional capacity when the actual terrorists and mass shooters that slip through already have bad opsec,don't use mainstream platforms or E2EE
>Actual terrorists(like 9/11 type, well funded) know better than to even touch anything digital for comms
Then why is terrorist content discussed so much in content moderation circles, specifically the fact that content moderators are viewing it so often it induces PTSD in them?
ISIS has put out high definition videos of executions. That's the opposite of "not touching digital comms"
They're not doing that to plan things, it's used intentionally for PR. Drive fear into those that watch it and recruit others who are excited. Pretty clear those are different.
>ISIS has put out high definition videos of executions. That's the opposite of "not touching digital comms"
I don't think you're being fair to the context. They've been showboating killing online for decades. But showboating should not be conflated using digital communications to coordinate their efforts. I'm not saying they don't use digital communications. But this is hardly proof of that.
Terrorism is violence with the intention of creating fear to further a political goal. If a kid feels victimized and wants to hurt the people they feel responsible, that's not terrorism. If a kid wants to hurt bullies with the intention that it will make other bullies afraid and so reduce the overall amount of bullying in schools then that would fit the definition.
By your definition (which I think is overly broad), most police officers are terrorists, and so is anyone that engages in self defense, or even jurors that vote “guilty” in the hope of deferring future crimes.
You either need to narrow the definition or carve out explicit exceptions. If you are carving out exceptions, the definition is just “people we don’t like”.
I guess that is pretty close to the definition prosecutors like to use in the US.
"Individuals acting in support of the rule of law" is generally the exception, but there is something useful in the implications you've brought up. That is, the uncomfortable proximity unlawful judgment and execution has to lawful judgment and execution; they're both ideologically-driven.
That they're similar in this manner doesn't mean that we can't have laws and law enforcement because they're inherently violent and tyrannical or anything, but it does inform how seriously and dispassionately we should approach their means and ends. I don't think that it's particularly radical to call an abuse of judicial power terrorism. What else to call, for example, a judge who robs entire communities of their youth in exchange for backroom deals with private prisons?
> If a kid wants to hurt bullies with the intention that it will make other bullies afraid and so reduce the overall amount of bullying in schools then that would fit the definition.
You have no evidence that most school shooters communicated such a goal (although there might be an outlier). Or if you do, I'm curious what it is.
Terrorists have a tangible goal, typically coupled with demands, not some hidden intention you make up to shoehorn a person into the definition. Even Elliot Rodger, who had a "manifesto", did not communicate any sort of demands or goals.
Which is one of the reasons for the shift in US politics from treating combatants as combatants. Terrorism is now just a word for anyone who disagrees with us. Whereas acknowledging the organization as a hostile state within an established state means that we have to actually treat it like a war, or treat the combatants like criminals and put them on trial. The term "terrorist" is now just a label that gets applied to anyone who is too inconvenient to treat as a criminal.
The prototypical school shooters (the Columbine duo) filled their notebooks with misogynistic, white supremacist screeds. If you ever thought it strange the hysteria over video game violence and Satanism that emerged from that attack, it's because your instincts were correct. The media was reticent to cover what was really driving their violence because the conversation would have been uncomfortable for the sizable portion of Americans who agreed with their views on women and minorities but felt no need to shoot up a high school.
Unfortunately, the narrative that resulted colored later discourse with less-than-accurate assumptions about the nature of mass school shootings. They're overwhelmingly not carried out by bullied loners, but instead by entitled, ostracized bullies who aren't stopped because they don't fit the American conceptualization of who commits violence. To that point, even high-profile black and brown mass shooters tend not to be gangbangers or whatever, but men with military or law enforcement backgrounds.
> To that point, even high-profile black and brown mass shooters tend not to be gangbangers or whatever, but men with military or law enforcement backgrounds.
Inst that simply because men with military or law enforcement backgrounds are more violent in general?
In most school shootings,they are not diagnosed with any mental illness. By that logic jihadist terrorists are sociopathic and mentally ill as well. You are right about their lack of interest in affecting change in governmental politics but they are many times (not always) trying to affect change in social politics. They prepare well ahead of time,plan out their actions and advertise their gripe against society.
Are you sure about that? Because when I read about school shootings, they were being done by individuals who were displaying plenty of red flags and signs they are not ok mentally.
I cant recall one who would act like normal person and multiple disturbed ones.
Terrorism has been removed of its meaning since 2001.
Terrorism means using violence or threat of violence to influence social or political decisions.
Not everything bad is terrorism.
A mentally ill person going on a murder-suicide rampage after beijg ignored by a girl is not a terrorist. A person acting in their self-interest in a way that contributes to systemic racism or oppression is not a terrorist.
Hunting or threatening people of a certain race or gender or orientation or hobby to scare them and others away is terrorism. Blowing up buildings to pressure decision makers into a policy change is terrorism.
Maybe manipulating a single individual via threats or minor violence could be considered small scale terrorism (but their are better words, like harassment or abuse or stalking or assault).
Trying to change the behavior of a group of people by using violence is what I’d consider to be terrorism.
By that definition, some school shooters would qualify as terrorists. When they target a category of people (like athletes) who haven’t bulled them, they’re trying to scare all people away from becoming athletes.
I’d say, if you target specific people who directly hurt you, you’re seeking revenge.
If you target a category of people, you’re saying that those people who haven’t done anything to you are targets and you’re trying to influence their behavior through fear.
Their perception is that everyone in that group did hurt them. School shooters frequently blame everyone in the school for not helping them, and for having a higher social status than they do. I think their motivation is to flip the social hierarchy so they are at the top, and to punish people they think have wronged them (i.e. basically everyone).
The fact that it strikes fear into the rest of the nation is ancillary. They're usually more interested in the notoriety they gain than trying to create some kind of policy change.
When a girl ignores him,he attacked not that girl but a social group out of misogyny or some other socio-political perception of injustice. So it is still terrorism. The point of the attack is to affect political(at the social level) change.
This really is similar to jihadist terrorism,jihadism took away american's privacy and mass shooters with gripes against american socio-politics have americans living in trauma over active shooter drills and gun toting teachers. Not only are they both terrorism, they both won!
Al-qaeda is eradicated but they won, I fear many would credit 9/11 as the begining of the end of america. Much like insurgent warfare,terrorism will be studied as a means of warfare where due to extreme imbalances on weaponry and digital surveillance the only way to fight is by terrorizing your enemy. War is horrible but terrorism is a cancerous form of war where destroying your enemy does not translate to success.
The term terrorism refers to intended effect by the perpetrator. If the goal is to effect change by creating fear, it is terrorism. If the goal is revenge for perceived wrong doing, it is not terrorism.
I would argue most school shootings are also not terrorism. They do create fear, but my impression is that the intended goal is revenge rather than fear. It would be hard to frame them as terrorists; most of them leave behind notes expressing a clear desire for revenge but mentioning no kind of policy changes they want.
I do think most of the race/religion inspired mass shootings were terrorist acts though. Their goal seemed to be spreading fear in those communities.
Al-qaeda is eradicated but they won, I fear many would credit 9/11 as the begining of the end of america. Much like insurgent warfare,terrorism will be studied as a means of warfare where due to extreme imbalances on weaponry and digital surveillance the only way to fight is by terrorizing your enemy. War is horrible but terrorism is a cancerous form of war where destroying your enemy does not translate to success.
Won what? As far as I know, they didn't achieve their goal of driving out the Americans out of the Middle East. The loss of privacy and rights is incidental to their goals.
When we look at the kinds of things these surveillance powers are used for, it's a glimpse of how it's abused. Thanks to FOIA requests, we found that the Boston Regional Intelligence Center was using their surveillance capabilities to spy on Occupy Boston during the Boston Marathon that was bombed, despite the ostensible aim of the center being to coordinate local and federal intelligence capabilities and despite the FBI receiving a tip from Russia that the Tsarnaevs were up to something. If we want to make the world safer, we should focus on making responsible and strategic use of the intelligence we have than to grant new powers.
> If we want to make the world safer, we should focus on making responsible and strategic use of the intelligence we have than to grant new powers.
Always look at the incentives. The Boston Bombing intelligence "failure" is not a failure of intelligence. We got exactly what the incentives were set up to deliver. The system works, it's just not spec'd out to deliver what people think it is.
A mostly law abiding protest group that dares loudly complain about the government "doing it wrong" is an actual threat to law enforcement because it is a threat to the status quo. The voters might listen to them. The voters might install politicians who make promises of "doing it right" which usually includes allocating resources on things other than law enforcement. Drug treatment instead of drug crime task forces for example. That's a real risk to law enforcement agencies and gets treated as such.
On the other hand you have two dudes with some bombs. Worst case they kill a couple hundred people and make the public hate them in the process. Sure that makes you look like incompetent fools but the public already thinks of you that way so you don't lose anything. No politician is going to get elected on a promise of turning your organization upside down because you failed to catch some lone wolves. Maybe you can even find a way to blame someone/something else and get some extra power out of it. Those guys were not a real risk to the organizations tasked with stopping people like them and were likewise ignored.
That said, as much as it pains me to defend the MA state police the failure mode of the status quo they have settled into is pretty benign. The false positive rate on terrorism is so high and they are so eager to LARP as combat troops that if they did thoroughly follow up on every tip they got they'd likely have a much higher body count than the real terrorists. Doing unethical things to maximize their incomes and minimize their work (the gripe most people have with the MA state police) is pretty harmless by comparison.
As new technologies emerge and proliferate, they'll inevitably be used by criminals to harm citizens, businesses, and the local community. I can tell you firsthand (at least for murderers in Chicago, where I work as a crime analyst), encryption definitely helps killers get away with murder (based on the number of incriminating texts I've seen in instances where, with legal authorization (ie a search warrant approved by a judge), it's been possible to access an unwilling suspect's phone).
I'm not arguing that we should get rid of encryption, (nor am I saying it's even possible to defeat encryption at scale, so it was probably a bad example to go with when call detail records would have been better, but I should really be working right now), rather, I'm saying we should let law enforcement keep up with the level of technology, but we should have strong auditing processes and don't allow for situations like the FISA/FISC situation where proceedings are nearly always literally one-sided (only prosecution, defense is necessarily excluded from the proceeding) [0].
New powers will be required to deal with new situations. The SARS-CoV-2 virus, for example, has killed more Chicagoans in the past 2 months than homicide has in the past 3 years, and that is also ravaging the economy as people are correctly afraid of going out in public. Currently most people are isolating because we don't have a more precise way of separating the infected from the uninfected, but China's digital contact tracing QR-code scheme provides a much more precise separator (and per an episode of This American Life [1] that I just listened to, it actually made at least the interviewee more comfortable being in public because they knew infected or risky people were separated out). If legislators implemented very tight controls over who could use the data (and how) and there was (sufficiently) transparent and rigorous auditing, we could save lives, jobs, and businesses. I know the public won't go for it because the public justifiably doesn't trust the government to prevent abuse of this system, but I would love to live in a world where we could develop and deploy technical solutions to major problems and be confident that the technical solution would not be abused.
There is probably also an issue of too much information. All these massive efforts generate data that is barely ever used as the time and resources just aren't there.
I would be surprised if many of the common public believed that warrantless searches of anyone are reasonable, while exempting federal elected officials from the same law.
Now's a good time to call you senator (if they voted against this) and tell them that they fucked up by weakening your rights and freedoms.
Then, get a VPN or better use Tor as much as you can.
They’re voting on an amendment to exempt candidates for federal office from warrantless surveillance. It is expected to pass.
That way, the executive branch can tamper with state and local elections with impunity.
The supreme court just heard oral arguments in a case where Trump’s lawyers argued he was allowed to shoot people for no reason in public. (Really. This is not hyperbole.)
Presumably the next step is to (perhaps selectively) cancel elections (or some ballots) because “emergency”, and then refusing to step down if the resulting impeachment somehow succeeds (which it won’t).
I think your last point is a bit of a leap, but I agree we have seen constant undermining of the institutions built to make the United States a free country during this administration.
What I find most interesting is the complete hijacking of a large portion of the conspiracy crowd such that this is all permissible to them, as long as it keeps the Other out of the power structure.
I’m not sure it’s that big of a leap. Gore won the vote in Florida, but the courts installed Bush. The ballots were illegally transported from Ohio to Indiana and back, and then favored Bush in 2004 in a way that was a statistical anomaly. Both those elections were the first I can remember where the exit polls didn’t match the outcome of the election (and the bias was only in crucial districts in swing states).
2016 was a total catastrophe of an election. The courts intervened in one primary earlier this year, in bid to get a conservative judge elected. That backfired, fortunately.
The Senate is intentionally blocking funding for election security, and now, with COVID, they’re refusing to provide funding to allow mail in ballots in many states.
Some of the leaders responsible for underfunding the election have publicly said they are withholding the funding because the republicans will lose if there is high turnout this fall.
Do you have any simpler resources on how to do it?
If it were simpler to run a relay on a provider that allows it, and it doesn’t cost much (say $10 a month) to give Tor users a little more speed, that’d be helpful. The last time I looked at the documentation, it seemed quite involved and complex (of course, I wouldn’t want the security of Tor users to be compromised due to any misconfiguration).
If there were something for Tor like Sandstorm for web apps or Algo for WireGuard, more people could run relays and help everyone.
I spent maybe an hour researching based my in criteria. You can host just an exit (most helpful), or a couple of relays (aim for 100mbps+, and decent bandwidth). You can get a lot for $5/month for each relay.
A point from Enlightenment Now that I wish was better understood.
Groups that use terrorism to get their way almost always fail. This should not surprise us. Terrorism is the last available option for a weak interest group that has no better way to make their will felt. Therefore as scary as it is to face, the fact that they are resorting to it is evidence that they are underdogs and we should not be surprised that they later fail.
Given that fact, the extreme efforts that we take to drive the nail even farther into terrorism is overkill.
I thought for many terrorist groups, exciting such “extreme efforts” was exactly the goal. Al-qaeda hopes the US would abandon its principles and be provoked into making bad decisions, leading to its downfall. They had a multigenerational view of the effort. Seems by the state of things, they are winning?
There is a popular narrative along that line, but no. It is quite clear that this wasn't their goal.
Their plan was to lead the USA into a war in the Middle East. There they would demonstrate that we could hit hard but had no staying power, and so could be beaten. Once that was demonstrated, they would be able to create a religious caliphate that could sweep away the corrupt secular rulers that were oppressing Muslims and recreate the religious empire that used to exist.
We in fact gave them the war that they wanted in Iraq. We did hit hard. We were then sucked into a protracted operation. And as we looked to exit they created the caliphate and named it ISIS. It has since been defeated. Even if things are not going as we hoped in the Middle East, they are more dramatically not going as they hoped either.
> Groups that use terrorism to get their way almost always fail.
Totally untrue. When the US used atomic bombs to level cities in Japan, that was terrorism. The goal was to strike fear into the regime and the people for an unconditional surrender. It was not an attack against the military or government, it was an act of terrorism.
When the US uses drone strikes to blow up weddings, that's terrorism. They are not actively engaged in a military conflict, even if there is allegedly some 'terrorist' they are trying to kill.
The communist revolutions in various places heavily employed terrorism.
I actually think there may be a legitimate criticism here if you define demonstrating nuclear weapon/asymmetric warfare capability as employing terror toward political ends and stop there.
I'd tread carefully there though. That's a lot of sensitive history you're coloring with a rather unattractive brush. There is a lot that prevents that particular viewpoint from being convincing without dragging down a lot of the framework of Western political discourse, however, to the point you may find astonishingly few people willing to entertain it. In the West, it is generally accepted that application of violence is justifiable. Those examples you called up fit within that justifiable envelope, in the first case, near unanumously, and in the latter case, it fit enough for majority buy in, but with significant controversy as well.
Point being, the label of terrorism in the eyes of Western political discourse necessarily connotes violence of an unjustifiable or unsanctioned by the majority nature. I'm curious on your view of the Civil War. Would the secession and war waged by the Southern States (or by the Union retaking them) also qualify as terrorism?
> Those examples you called up fit within that justifiable envelope, in the first case, near unanumously
I don't think this is true at all. Maybe if we define the West as America, but even then I think that's a stretch. I can say anecdotally in my circles that the trading of unwitting Japanese civilian lives en masse in exchange for American military lives is looked on with disgust.
I also think it's important to be aware that much of the available intelligence at that time and reasoning behind it was classified, allowing the perpetrators to establish a narrative that went unchallenged for decades. For instance most Americans are completely unaware that the Japanese were actively trying to negotiate a surrender before Hiroshima was bombed. Most Americans are unaware that a ground invasion of the Japanese mainland was not being seriously considered, this ignorance let the government establish the false narrative you allude to. And most Americans aren't aware that American leadership intercepted communications indicating that the Japanese intended to surrender unconditionally if the Soviets entered the war, which happened on the day that Nagasaki was bombed.
We had to murder them is still what's being taught in schools today. In the USA, the ends always justify the means. CIA Black Sites? Indefinite detention? Extrajudicial assassination of citizens? Torture?
It's okay, these people are terrorists and don't deserve any rights.
I'm sympathetic toward your reasoning; and Floegipoky also makes a good point as well.
I've become increasingly uncomfortable with the power that classification confers to the executive branch to shape the national discourse; but I don't know as that will realistically change without an unprecedented shift in Congressional and Executive sentiment.
As to the narrative still being taught in schools; I certainly don't have a great answer for that one either.
We have to teach them something, and you certainly don't have the most room within a child's worldview for being able to address the type of nuance the historically correct narrative creates without difficulty. At least that is the assumption I'm led to by assuming that there is a compelling reason the "System" has converged on the solution it has (locking the knowledge outside of normal curricula, and requiring extra independent digging to get at the truth of it, notionally done on the student's own initiative once they get older).
You run into the indoctrination outcome more often than not; but you should have an eventual consistency effect over the timescale of generations. That doesn't seem fundamentally unreasonable to me. Pain in the ass? Yes. Fraught with hazard to the stability of the national identity? Assuredly. However, if we respect that we the Citizenry represent the standard bearers of national truth, then we must be the ones to change the history books; just as those who came before us did.
> I certainly don't have a great answer for that one either.
Would you be okay sending your children to an education establishment that was pro-Nazi? Probably not.
Start treating the system for what it is: evil. Quit letting meaningless current affairs dominate the political dialogue. Speak out against the war criminals.
> Those examples you called up fit within that justifiable envelope
All terrorists feel justified, or they wouldn't do what they do.
> the label of terrorism in the eyes of Western political discourse necessarily connotes violence of an unjustifiable or unsanctioned by the majority nature
That's not true. There's a definition for terrorism, and it's the use of violence against non-combatants to create fear for the purposes of political change. Most people don't actually know the definition, so they're easily confused.
> Would the secession and war waged by the Southern States
How would secession qualify as terrorism? The battles were mainly among two military parties. Also, the term "Civil Warm" is a misnomer. The most neutral correct term is "War Between the States." Military conscription and execution of defectors, while terrible, also not terrorism, just despotic.
Didn't say anything about definitions. I'm speaking in a descriptive sense of the "way-of-life" that the word has become a nominative signpost for. That frequently differs from the strict dictionary definition; and those that stick strictly to the dictionary are not the vast majority of the populace. It doesn't make them 'wrong' either. Language flows like a river; and at best one can end up in the same spot one came to before, but the overall state and meaning are constantly evolving.
>RE: Civil War/War of Northern Aggression/War of State's Seceession
Eh... The folks who's ancestors were among the victims of Sherman's March to the Sea may beg to differ that the conflict was largely constrained to being between just the military. Again, very fluid and slippery if you're going to allow Hiroshima/Nagasaki as being an act of terrorism. The entire concept of terrorism is so murky and ambiguous that I'm of the opinion it is evolving to become the rhetorical boogeyman of our generation; something kept around to scare people into falling in line.
I don't like it... And I try to make sure kids understand it when they seem capable of it. It's just such a damn complicated swamp to navigate through.
What I meant was asymmetric use of violence where a much weaker force uses their ability to show up unexpectedly and cause damage to cause fear and terror far out of proportion with the true damage that they are capable of inflicting. Those are the defined underdogs.
This is as opposed to war where a force capable of large sustained violence actually engages in sustained violence (though often by following certain rules of conduct - see the Geneva conventions) to force an enemy to capitulate. This use of force may indeed cause terror but does not indicate an inherent weakness in the force using the tactic.
As a practical matter who do they get this "browsing history" from? I see a lot of people suggesting folks use a VPN.
But if they're getting the history via companies like Google, they'd link together your records just as easily.
I see VPNs often being touted as anonymity tools, when it's my understand not all VPNS have multiple users sharing one IP.
(Ex: it's my understanding that an Algo VPN might obscure your geographic location, it's an IP unique to you. Not clear on how a commercial service like Tunnelbear works - many services tout no logging but seem to stay mum on if IPs are shared)
If any of the above is incorrect, please feel free to jump in and reply but it looks to me like moving as much browsing over to Tor as possible is the best move if you're worried about anonymity and not simply someone owning the wifi you are connected to.
Pseudo-anonymity is sufficient for those whose life is not in danger (like a journalist or dissenter). Personally identifying yourself to websites is an optional use of the Internet, as is participation in ad networks such as Google and Facebook. You are correct that ad networks have more information than your ISP does. The VPN will protect you from your ISP. Pseudo-anonymity is what protects you from ad networks.
An easy implementation is to provide no personally identifiable information while using the web, and siloing the personally identifiable information when necessary. 1 email for your bank accounts and unemployment registration that uses your real name. A variety of differing emails and logins for all other websites.
>You are correct that ad networks have more information than your ISP does. The VPN will protect you from your ISP.
So to be clear, they'd get the data from the ISP? I'm not surprised DNS queries get saved but whole URLs is another thing.
I guess I shouldn't be surprised, but I am a little bit, that they'd expend the $$$ to store that info longer than necessary for core business functions.
>An easy implementation is to provide no personally identifiable information while using the web, and siloing the personally identifiable information when necessary. 1 email for your bank accounts and unemployment registration that uses your real name. A variety of differing emails and logins for all other websites.
I do this + throw the banking and personal email into Firefox containers.
Guerillamail is really useful for creating stuff like a HN account though it's sadly abused often enough many sites won't let you register using it anymore:
No one should accept the state's justifications on the basis of terrorism for expanding its surveillance powers. Terrorism from the middle east comes from US imperial intervention there, if they wanted to stop "terrorism" they would stop terrorizing the middle east. Instead, expansions of the police agency powers are probably aimed at surveiling political targets that have become disfavored.
The bait and switch the USG loves to use, and in fact all governments love to use, is to point to a (possibly nonexistent) external enemy and use that to scare the population into accepting ever increasing authoritarian measures domestically.
I'm curious at how the article implies that DoH is going do anything. I'd imagine CloudFlare, etc. would comply with FBI requests just as much as your local ISP.
Factor in co-operation from CDN's and really that covers a vast array of data that the US Government could access.
The main practical problem is that the NSA and similar agencies currently collect absolutely everything. Regardless of warrants, constitutional amendments, or senators banging their fists on the table, these agencies operate with impunity and they know it.
DoH pragmatically reduces their ability to conduct such global surveillance. "Pervasive Monitoring is An Attack".
We speak of man's laws and nature's as though they were the same kind of thing but they really, really aren't. I can no more magically replay the session keys from last week's Wikipedia visit in response to a court order, a warrant or the US Constitution itself than I could dance on the surface of the sun if they required that.
The idea here isn't that Public Enemy Number One today is protected from surveillance, but instead that you today are protected from the hypothetical surveillance of your past that might be authorised if some day you become Public Enemy Number One.
For one cloudflare is a lot more reputable than most US ISPs. Cloudflare explicitly says "We committed to never writing the querying IP addresses to disk and wiping all logs within 24 hours." https://blog.cloudflare.com/announcing-1111/
If gov tried to force CF to change that they would likely put up a huge public legal fight to prevent it whereas ATT / Verizon and Comcast would bend over backwards to secretly comply while also simultaneously seeing if they could inject some ads into the pages you visited.
Also worth noting that cloud flare is a large driving force behind encrypted SNI which is the last nail in the coffin for putting ISPs in the dark when your average consumer is browsing the net. https://blog.cloudflare.com/encrypted-sni/
Basically when you connect over https using TLS 1.2 to a site that is hosted on a shared server or behind a load balancer, your browser must tell it in clear text which host name it is trying to connect to. Encrypted SNI in TLS 1.3 also encrypts this info such that if you are also using DoH or DNS over TLS to encrypt DNS query then the ISP can only see the IP of server you connect to which is often going to be a huge cloud provider's load balancer that might serve hundreds or more different sites throughout the day / at the same time.
Literally the next para in that blog - "we committed to retaining KPMG, the well-respected auditing firm, to audit our practices annually and publish a public report confirming we're doing what we said we would."
In addition Mozilla put them through a rigorous process when selecting them as their default DoH provider which included them contractually agreeing to adhere to their stated policy. https://wiki.mozilla.org/Security/DOH-resolver-policy
Committing the initial capital to form a FEC recognized national political party "The Privacy Party" to begin direct opposition to this and related activities.
If you are interested in collaborating or learning more:
The libertarian party also considers taxation to be unethical confiscation of private property, and advocates for the privatization of most-to-all government-provided services. If either of those are anathema to you, its hard to vote Libertarian.
The executive branch (under GWB, Obama and Trump) has argued the law is ambiguous. Since congress just considered this amendment and rejected it, it will be harder for the Supreme Court to rule that the executive branch misinterpreted the law when it concluded that 100% digital surveillance is OK.
We already have secret courts and indefinite pre-trial detention in the US. This is another small step in the creation of a police state.
The precedent this vote created only took 37 votes in a chamber that is skewed much further right than the electorate. It would take about 55% of the vote to get the senate to be 50% democrat. That would give them enough procedural control to stop this sort of thing (if they bothered; they didn’t under Obama...)
This is not democracy in action. This is democracy in its death throes.
Define 'your' browsing history. Where I live you can buy a SIM card with cash, load it with credit and surf on a 3G/4G network, without having to register the SIM or attach your legal name to it in any way.
I can also encrypt my phone, turn on permanent incognito mode, disable Javascript, and have uBlock Origin running to stop trackers. Good luck trying to pin my legal name to a particular website visit. Then there's the fact that 3G/4G uses vague carrier-grade-NAT IPV4 addresses so countless others all share the same IP address enabling you to 'hide among the crowd' (providing the useragent is something common that many people use like Safari on an iPhone5)
I remember listening to a podcast where some guy was describing how the FBI (I think?) had a map of the 5 most frequently contacted phone number and the average rate of contact for those numbers for all landline and cellphone users in the early 2000s.
They were able to de-anonymize burner phones by mapping what numbers they were contacting, who those numbers were contacting and who the 2nd hop numbers were contacting.
Given that this was the technology 2 decades ago, I’m going to guess that similar behavioral fingerprints have been collected for all sorts of data. I wonder if it’s possible to fingerprint someone from the frequency of the top 5 websites someone visits and the time at which they are most actively browsing a website.
Edit: I found the podcast from my notes. Episode 265 of the James Altucher Show
> Where I live you can buy a SIM card with cash, load it with credit and surf on a 3G/4G network, without having to register the SIM or attach your legal name to it in any way.
Where is that? My experience in Europe and Thailand is that I have to sign documents and show a proof of identity.
So then you're committing fraud or whatever. Once again, law abiding people bear the burden while bogeyman-with-beard just gives a false number.
One of the general difficulties with the government threat actor is that law abiding people have to thread the needle of both technical protection and legal requirements.
Determine who you actually are based on the location pattern of the sim card, which they'll end up doing at automated scale since it's so easy to record a fake ID. Prosecution for just that seems unlikely, but rather selective enforcement.
I was in Croatia a few years ago and bought a SIM card at a TISAK kiosk on the beach. Similarly I’ve had my UK SIM card for three years and never had to show my ID.
And remember: metadata is everything. It makes the actual content of the communication discoverable and indexable. The information of what you're saying and doing is not actionable without being able to find it / categorize it at scale.
Don't take that for actual closeness. In many votes including this one, Senators may want to vote against leadership but will only do so if permitted. So if, say, 5 more Democrats had insisted on voting yes to make the amendment pass, McConnell would have told 5 more Republicans that they were disallowed from voting against it, and the amendment would have failed by... one vote.
The dynamic here is that Republican politicians often want to present themselves to constituents as being against the police state or big government, but the party/party leadership wants to pass measures such as this. So the individual politicians are accommodated to the extent that they don't interfere with the party passing what it wants.
You see a similar dynamic in quite a lot of votes.
FYI, no warrant is needed to set up a pen register on a person of interest. That's where LEOs request that the Post Office record the envelope metadata of all your correspondence.
ISTM that pen registers not requiring warrants is reasonable -- I'm not sure it's good for society, but it is reasonable.
ISTM that keeping track of cleartext metadata emitted by personal devices on the public Internet is exactly like a pen register.
DNS w/ QName minimization, DoH/DoE, and preferably DNSCurve, are techniques that can reduce the visibility of various metadata involved in gathering browsing history.
So, this amendment lost by one vote, and Bernie Sanders didn't vote. Does anyone know what happened? I've understood him as having been against most of the Patriot Act since its inception.
Perhaps it's because Section 215 is already expired and Sanders doesn't plan to vote for its renewal, so he doesn't see a point in voting for an amendment that makes said renewal more likely to pass?
I am absolutely no fan of Bernie Sanders. I disagree with him on a majority of policy matters.
However, this popular media framing, which blames the failure of this amendment on Bernie Sanders, is unhinged. It's not just this Register article; you'll see the same sniping at Sanders specifically in most articles that carry a negative opinion on the PATRIOT Act.
Being absent for the vote is shameful, sure. But how about laying the blame somewhere more meaningful? For example, on us Californians who re-elected Feinstein despite knowing she is absolutely abysmal on privacy. Californians like myself should carry this shame, not Sanders and Vermont voters. We Californians are sorry for voting so blindly and continuously re-electing terrible senators.
As somebody else explained, if he had showed up to vote against it the amendment almost certainly would have still failed by 1 vote. The party whips would have just required one of the other "no"s to switch. The reality is that party leadership controls exactly what gets voted on and when, and to a large extent predetermines who is allowed to vote yes and no. The rest is just theater.
I do most of my browsing in private mode anyway. I'm usually pretty careful to never put things onto websites that I don't want people to find publicly as well. The US has no strong privacy protections, so you should just assume that nobody has your best interest in mind. This includes HN, Reddit, and the FAANG giants. Although Apple is probably the only one that isn't strongly incentivized to violate your privacy.
> I do most of my browsing in private mode anyway.
What do you think “private mode” is, exactly?
I’ll tell you what it is: It’s a mode where your local web browser doesn’t save its history, which only means that people who has physical access to your device cannot see this saved history. Your ISP can still see everything of consequence, and your DoH provider can see most of it.
It's complete unethical bullshit to call it "private" browsing. It's intentionally misleading and I guarantee most users assume it's, you know, private, because it's called "private".
Same with Google. It's naive to think that if you are "logged out" in "private mode" they aren't saving your queries. It's not difficult to know who's searching if you have access to an IP address and browser fingerprint information.
I think you may be overestimating the technical proficiency of the government. When they talk about browsing history, they're probably quite literally referring to looking at your web browser history. Yes, they might also subpoena your ISP for data, but if the ISP isn't collecting it in a way that is 100% correlated with your computer and browser (which is pretty hard with a NAT), then they only have a weak case at best. It probably wouldn't hold up in court.
I don't think you understand what's going on. Private browser has no visible difference to server or the party listening to your communication in the middle. The only effect it has is that it doesn't persist your browser history upon closing it.
There's a big difference between what's possible in theory and the reality of current practices. I think many people in this thread are missing that point.
Missing the point that this is already going on? Or missing the point that the amendment to the patriot act didn't pass and that this will keep going on?
Do you honestly think major ISPs haven't been deploying commercial DPI gear to datamine their customers' traffic, and selling the results to surveillance companies like LexisNexis?
Maybe I'm ahead of the adoption curve here, but I see no overall reason they wouldn't be.
Systems intended to "learn" your preferences won't accumulate preferences in the private window. Could they? Probably yeah, but they don't, and that's valuable. If someone asks me about a sovereign citizen video on Youtube I can watch it in a Private window without filling my YT suggestions with sov cit crap for the next week.
It's also really useful for testing. For example building my WebAuthn implementation I hit "Cancel" a lot. In your ordinary session the browser soon remembers this site tried a WebAuthn registration, the user hit "Cancel" so let's suppress that because it'd be annoying if sites harass you with such requests over and over. Subsequent attempts soon just silently fail - that makes it really annoying to debug the backend. Maybe a refresh will fix it? Maybe I should wait five minutes? Who knows.
But the browser intentionally doesn't remember what happens in a Private window. I can hit Cancel to check that works as expected, then open a fresh Private window and registration still works fine there instead of silently failing.
Likewise I had a Cookie bug, where a typo meant enduring session cookies that were supposed to be cleared sometimes weren't. Private windows don't preserve cookies, so I could walk through all the steps to reproduce from a "fresh start", try something, then just throw that Private window away and make a new one for the next experiment.
None of this is impossible without Private windows of course, but it was more inconvenient when we didn't have them.
Indeed. Even worse, Chrome calls this "incognito mode", which is even less accurate. This isn't incognito. The joke about calling it "porn mode" was way more honest.
This doesn't work so well when you a) disallow tracking cookies and b) don't use your ISP's DNS servers.
I used to work directly with these big ISPs, and I can assure you they aren't very sophisticated. Even if they log every IP you send a packet to, and they know every domain that points to each of those IPs, they can't know exactly what you requested or which particular website you visited provided these websites use HTTPS.
I wonder how big a hosts file could get before it degraded performance?
You can still do DNS over VPN. That is, I could set up an unbound cache on a VPS and secure my traffic to that server using wireguard or openvpn. This just pushes the eyeballs out of my home and into someone else's datacenter, though.
I'm guessing that the time required to open the hosts file for reading would eclipse the amount of time required to parse it and do a linear search on the entries. I would think that the file would have to be measured in the hundreds of megabytes for performance to be a significant consideration, but I haven't benchmarked it.
This is true, but it requires deep packet inspection, and that's something which usually isn't on by default. They might enable it for specific clients under some circumstances, but I haven't heard of ISPs logging that level of detail permanently. I suppose the could run a service that just inspects DNS packets, pulls out the domains, and correlates them with each client, but I haven't heard of that being deployed in the wild (although perhaps that's changed).
Their DNS severs, however, and definitely doing this, and they sell that data to 3rd parties.
TLS SNI also leaks the domain name, but again that would require deep packet inspection to extract and correlate with the clients. Definitely possible, but probably not deployed.
DNS blocking is an affordable technology deployed in many countries. For example in the UK if you use the sort of large ISP advertised on TV it has DNS blocking.
With DNS blocking if you try to look up a "forbidden" FQDN you get back either a bogus NXDOMAIN or A records chosen by the blocker.
DoH bypasses DNS blocking pretty cheaply. DNSSEC would detect it and stop but doesn't bypass it. Tor bypasses it but at considerable cost.
The (eventually indefinitely delayed) UK government plans to institute mandatory censorship of the Internet relied on DNS blocking as their backstop. The idea was if anybody anywhere in the world didn't voluntarily agree to obey censorship rules, they'd be blocked in the UK. The government would just accept that some proportion of users would install Tor to bypass that restriction. DoH means "some proportion of users" potentially becomes "everybody with a modern browser" and that was not palatable.
DPI is available on inexpensive routers now and has been an option on Cisco/Fortigate/Palo Alto/Ubiquiti gear for ages. I have no doubt that it is heavily used at most IPSs.
There's a big different between the data being available vs. being put to use. ISPs have no incentive to put a bunch of effort into collecting data from the 1% or less of their customers which don't use their DNS servers. Thus, it's extremely unlikely they run packet inspection on every packet just so that they can collect browsing history from people who are privacy conscious.
The scheme (https) is implied but isn't transmitted anywhere. An adversary can infer you used HTTPS because it was port 443 and looks like TLS traffic.
The hostname (www.duckduckgo.com) is somewhat implied by the destination IP address on the connection, and is also transmitted in the clear as part of TLS Server Name Indication so that the receiving server knows which service you wanted. In TLS 1.2 and earlier the site's certificate is also transmitted in the clear (but this is fixed in TLS 1.3). Encrypting SNI is a work-in-progress.
The path and query string are encrypted. An adversary can't discover what they are, nor can they tamper with them successfully. The total overall amount of data sent is not hidden, but clients can (though most do not) add padding to hide exactly how much of this was "real".
The fragment identifier (#foo) is not transmitted anywhere it remains only on the client (web browser).
Headers, body and so on of both request and response are encrypted, and the same caveat about an adversary knowing how much data was transmitted and when applies.
This is a really good summary! A few months back I was hunting for an answer as to whether url/query parameters were encrypted with HTTPS. The answer space was strangely sparse for something so critical.
The answer is obvious† to somebody who knows how it works, so it's probably in a category of questions where there's not a lot of overlap between people who might ask and people who might be in a position to answer.
I remember when I answered a Stack Overflow question about how Domain Validation for certificates in the Web PKI work thinking that just a year or two earlier the answer would be hazy and probably get marked unsatisfactory even though it was true - because it was so vague and few people would be in a position to confirm it. As it happened they'd asked after the Ten Blessed Methods were formally required and so those are the answer, written down in black and white in a document I could offer as a reference for anyone to look at.
† The hostname part is less obvious than the rest it's fair to say because HTTP's Host header is just a header and thus encrypted, and you need extra insight to realise SNI needs to exist.
If a CA is compromised (which was very rare, even under historically more lax oversight than today) the bad guys would need to issue themselves a cert from this compromised CA, get it logged, and then from an on-path position use the certificate to MITM you and capture your URL which presumably they wanted very badly as this seems like a really expensive approach.
The CA does not have the ability to decrypt eavesdropped HTTPS traffic for example.
> Although Apple is probably the only one that isn't strongly incentivized to violate your privacy.
With their transition from selling widgets to services I wonder how much longer that will be true. And considering their attempt at iAds the privacy incentive is more historical accident than an unchangeable, core culture.
