Hacker News
NSA Storing Internet Data, Social Networking Data, on Pretty Much Everybody (schneier.com)
97 points by frrp on Oct 2, 2013 | 30 comments



The NSA probably is building profiles on many people. But so are Google, Facebook, etc. The real problem is not the NSA (well, not just the NSA) - it's the inherent design of the internet. We're trying to live private lives on public networks, and we're going to have to go through some serious growing pains before that is resolved.


Facebook might be just as black-hearted about your privacy, but thankfully they don't have the heads of the IRS or DEA on speed dial.


So this government shutdown seems to have no effect on the NSA.

http://www.huffingtonpost.com/norman-solomon/the-nsa-deserve...



Is there a mirror for this?


I'm ready to shut down my taxpaying status to this utter joke of a government.


Alexander must be indicted immediately for anyone to regain ANY trust in the NSA.

Alexander is a criminal, however, so are Holder, Pelosi, Cheney, Bush, Powell, Obama, etc etc etc etc....


Anybody looked at http://www.dailydot.com/politics/flowchart-avoid-nsa-online/ (linked by Schneier in the blog post)?

Isn't that a little drastic? The fact that my 4096-bit-gpg-encrypted mail has been stored by them doesn't mean my communication is pwned: the idea with strong encryption is exactly that you cannot trust the transmission channel! And besides, it doesn't take into account OTR for chat.


> The fact that my 4096-bit-gpg-encrypted mail has been stored by them doesn't mean my communication is pwned...

Maybe not today. Maybe not tomorrow. However, if they ever manage to get hold of your secret key (or crack the encryption scheme you're using), they'll be able to decrypt and read all your old email.

How safe is your secret key? Is it on a computer that you connect to the Internet with? How do you know it hasn't already been purloined by malware? Have you ever left it alone at home or in a hotel room? Or carried it through an international border?

As for GPG, how do you know the NSA haven't been multiplying every single number together with every other single number for the past forty years to build a gigantic rainbow table that they just have to grep through to find the factors of any number?

  $ grep 4294967296 products.txt | head -20
  65536 x 65536 = 4294967296
  131072 x 32768 = 4294967296
  262144 x 16384 = 4294967296
  524288 x 8192 = 4294967296
  1048576 x 4096 = 4294967296
  2097152 x 2048 = 4294967296
  4194304 x 1024 = 4294967296
  8388608 x 512 = 4294967296
  16777216 x 256 = 4294967296
  33554432 x 128 = 4294967296
  67108864 x 64 = 4294967296
  134217728 x 32 = 4294967296
  268435456 x 16 = 4294967296
  536870912 x 8 = 4294967296
  1073741824 x 4 = 4294967296
  2147483648 x 2 = 4294967296
  4294967296 x 2 = 8589934592
  4294967296 x 3 = 12884901888
  4294967296 x 4 = 17179869184
  4294967296 x 5 = 21474836480
  $

Are you paranoid yet? ;-)

PS: Yes, yes, I know... sigh


> Isn't that a little drastic? The fact that my 4096-bit-gpg-encrypted mail has been stored by them doesn't mean my communication is pwned

They'll store it until they can pwn it. That's what the huge data center is for.


The idea of Total Informational Awareness has been shouted about for years. There is only ONE next step: stand up against the NSA in entirety. We must make a move that is truly going to force reform.


If people believed the NSA was running the free porn sites, there would be mutiny fo sho!

Edit - No one cares until they're hit where it hurts.



So, where is it stored?


Thanks, captain!


Some people owe me up-votes for all those down-votes they gave me six+ months ago when I stated one must assume a zero privacy environment when engaging technology today.

I'm just happy I knew what the Internet was like before mosaic and the www emerged. It seems so quaint now.

Edit - How long until people ditch their Black Amex cards and go back to cash for some privacy restored? A short decade ago it wasn't so uncommon to carry a few bucks. How many people really want banks and the government knowing all of their consumption habits in addition to the timing of their consumption?

All in the name of fraud prevention! Just carry a few bucks and no worries again!


I do most of my small transactions in cash. Is this in any way unusual? Is this an American thing?


Data Mining Guy won't put hamburgers on his CC, says insurance companies will eventually retaliate: http://www.economist.com/node/21556263


Can't we turn the tables on them if we know what's going on?

1) Take out life insurance policy.

2) Pay with credit card at McDonald's and the bar.

3) Get a bunch of speeding tickets.

4) Sell policy to a data mining firm that hopes I die soon.

5) Profit!


> go back to cash

What do you mean, go back to cash?

Not everybody was OK with their transactions being stored and monitored.


> We have to assume that the NSA has everyone who uses electronic communications under constant surveillance.

We don't have to assume anything except that which is provided by evidence. If you have the evidence, then allow it to present itself. Assumption leads to conspiracy theory and inaccurate information. I really don't think that's what this cause really needs.

Is it just me or do Bruce Schneier's posts read more like propaganda than journalism? It's pretty awful and I'm surprised HN is eating it up. He tiptoes on fear mongering through exaggeration, e.g. in OP getting people more hyped up and fearful of the NSA because they're tracking EVERYONE... except, it's only an assumption. Calls to action should not be based on assumptions.


I think he's mostly shortcutting conclusions. Not jumping, just cutting corners. As for evidence: we know from Schneier's previous posts that he actually has some hard evidence, having been provided a yet-unknown number of Snowden documents. In this case I'm willing to give him the benefit of the doubt. We can't, at the moment, know what the documents contain or what they prove. We do know that there are still more stories coming out based on the material.

I think the technical term for withholding the evidence in this case is "embargo".

> fearful of the NSA because they're tracking EVERYONE... except, it's only an assumption.

"Only"? Really? How about the known fiber taps? The splitter rooms?[1] The fact that the NSA tried to belittle their activities by stating that they are "only touching 1.6% of all internet traffic"?[2] Their stated application of three degrees of separation? (Sorry, can't find a reference for this one now.)

Considering that 1.6% of traffic can easily skip all the video and torrent traffic, it leaves quite a lot of communication data to trawl through. I don't remember seeing any good figures so I don't know how much of the global internet traffic routes through the US but I guess it's a fair chunk.

1: http://en.wikipedia.org/wiki/Room_641A

2: http://www.theguardian.com/commentisfree/2013/aug/13/nsa-int...


Oh brother, it's as if some people have learned nothing from the last 6 months (or are actively shilling... apparently you only comment on NSA stories).

When it comes to your personal privacy and security, you must assume that anything that is reasonably possible is being carried out by your adversaries. The recent leaks prove that the NSA will do absolutely anything within its power to further its goal of total information awareness.

All of the NSA revelations could have been predicted (and were predicted) by anyone with some technological skill and a little bit of foresight. If you wait until proof is presented to you, you have already lost; your privacy and security have already been compromised. The game is to think ahead and protect yourself from all possible current and future attacks. There are some people whose very freedom depends on such foresight.


In another context jonnybgood might instead be called a "skeptic" or perhaps even "capable of applying critical thinking skills" rather than dismissed as a "shill". Instead of mocking him for not paying attention over the last 6 months, you should go back and examine all of the leaked documents. You'll note that they speak quite a bit to the capabilities of the NSA, but don't reveal much about who they're targeting, why and what the ultimate goal of targeting would be. If you disagree, I challenge you to actually provide a leaked document that shows the NSA is specifically targeting ordinary citizens like the GP was calling for, rather than a secondary article from Greenwald, Schneier, etc., that makes broad assertions that because a spying agency charged with collecting foreign intelligence has the technical capability to conduct the most invasive possible infractions on the privacy of people it is not charged with collecting against, they must indeed be doing so. Your armed local police force has the technical capability of detaining citizens indiscriminately without regard to whether or not they violated the law, then summarily executing them without trial. That doesn't mean that's their job.


In another context skepticism would be warranted. This isn't such a context. The very nature of the problem of securing one's privacy demands the type of anticipatory thinking I describe. The skepticism that jonnybgood is advocating is a losing strategy from the start.


I agree - securing one's privacy is an incredibly important problem. That said, none of the leaks show any technology that wasn't publicly known beforehand (e.g.: packet sniffing, man-in-the-middle attacks, stored personal records obtained from internet/telecommunications companies, etc.). The fact that these are used on a much larger scale might be surprising to some, but not novel. We've known for a long time that large, well-funded intelligence organizations operate on a much larger scale than any lone or small group of hackers could. If you worry about your privacy on the internet, the solutions to these problems were known beforehand (e.g.: encrypt your traffic, authenticate those you communicate with, limit personal data stored in the cloud, etc.).

Claiming that the NSA is an active threat to the privacy of Americans without the evidence to back it up is counter-productive. Schneier himself has written quite a bit about the importance of properly identifying your threats in the process of establishing good security. I guarantee that spokeo.com and similar sites have more dossiers on Americans than the NSA does, and I'd be willing to bet that information from those sites has been used more frequently for nefarious purposes against ordinary citizens. The NSA has the capability to target you - this leads to overblown articles making the leap from "the NSA collects massive amounts of metadata" to "the NSA collects massive amounts of Americans' metadata", incendiary discussion forums calling for the immediate shutdown of the NSA, imprisonment of top NSA officials, fear mongering about the NSA brought up in situations that have nothing to do with surveillance, etc. What they don't have is the motive (seeing as how they're an agency charged with the gathering of foreign intelligence) or legal authority to spy on Americans. The evidence stating that they are actively spying on Americans just isn't there. Until credible evidence shows that NSA is invading the privacy of ordinary people, I'm going to worry about the credible threats.

It creeps me out that I can Google my name and find 6 different websites willing to sell me my current and previous addresses, e-mail address, phone numbers, names of family members, etc. that they harvested from public records; it bothers me that anyone with a Pineapple device can trick my cell phone into connecting to an actively hostile network if I forget to turn off the Wifi; it bothers me that I can turn on Collusion in Firefox and see that my browsing activity is reported to 40 different companies across every web page I surf to unless I turn off Javascript and frequently delete all of my cookies; it scares me that I get spam e-mail sent from the compromised accounts of people I know personally that tries to redirect me to malicious web sites; two years ago someone got my debit card number and pulled a little over $2000 out of a bank in Shenzhen - I worry about the security of sites I purchase from over the internet, which ATMs I draw from, what that waiter is doing when he disappears after I hand him my card. I consider myself a pretty paranoid person. At this point I don't feel threatened by the NSA (if I worked for a foreign government I would probably have a different opinion).

I'm going to continue using every reasonable means to protect the privacy and integrity of data. I'm not going to do it because of the NSA - I'm going to do it because the internet is a security nightmare, and there are lots of people out there who would do lots of things to my data without any regard to my well being.


Out of all the threats you mentioned, the NSA is the only one that can imprison me if it decides I've done something it doesn't like. The worst part is that the data they're collecting can be used retroactively X years down the line if the government so chooses to. And herein lies the danger. You may trust your government now to use the information they gather legitimately, but do you trust it indefinitely? You shouldn't in principle, even ignoring all the practical reasons that the government has shown itself incapable of using such power only for good.

BTW, it has been revealed that the government stores information indiscriminately; but only through a court order or some other "probable cause" will they actively search the records of an American communicating with another American. This information is also stored for X amount of years (I've heard various years cited, from 2 to 10). Using encryption also flags your communication as "potentially foreign" and thus open to analysis. It was also unclear from the articles I've read whether internet metadata is covered under privacy laws. Massive amounts of information regarding individuals can be mined from just web addresses. So yes, Americans are targeted in the layman's sense of the word. Sure, the NSA has legalese that they use to justify how their actions don't target Americans, but it's pretty transparent.

So yeah, go ahead and worry about the threat of someone finding an old address of yours. I'll continue to worry about the Orwellian surveillance state that is being constructed right before our eyes.


The NSA is not a law-enforcement agency. Unless we find credible evidence otherwise, I'm going to continue operating under the assumption that there is no click-here-to-send-this-person-to-jail button at the NSA. To be handed a jail sentence as a result of NSA spying, the process looks more like this:

- NSA analyst stumbles across you, most likely in the course of pursuing a foreign intelligence target, but maybe as part of a vast domestic spying program as some believe (I haven't seen enough credible evidence to believe this)

- NSA analyst finds credible evidence within that collection to suggest that you were engaged in criminal activity

- NSA is able to convince the FBI (or other legitimate law enforcement agency) that you were engaged in criminal activity

- The FBI opens an investigation into you; if preliminary investigation yields suspicion, they request a warrant from a judge to gather more information

- If the FBI finds sufficient evidence of a crime, they obtain a warrant for your arrest and detain you for trial

- Evidence independently obtained by the FBI is presented to a jury of your peers. As of yet, there's no precedent for admitting evidence by the NSA. To the court it's the equivalent of an anonymous tip, and the NSA has a history of not wanting to reveal its sources and methods anyways.

- A jury of your peers decides whether or not you are guilty of a crime. A judge sentences you.

So yes, you can get sent to prison based on NSA spying. It's a long process with independent review by multiple parties. I'll be very concerned regarding this process if the first step is broken, which is what everyone is up in arms over. I don't see the evidence yet that this step is broken, or even applicable in most cases [1].

Why am I afraid of people getting my addresses, phone numbers, etc.? My wife testified to put a violent man in prison some years ago. As a result, I have more concern than most that there are people who would want to do my family harm. I don't like that $15 will tell you where my wife, kids and I sleep at night or give contact information to harass us. Old information would allow someone to take out a line of credit in my name, leaving me to sort out the financial mess. Other people I know in legal and law enforcement positions are acutely aware of the threat of being retaliated against outside the courts for perceived wrongs.

[1] I have to run to work, and I'd be insulting your argument if I just left it at that - I'll write up an explanation of my views on the Section 215 collect when I get home. I appreciate the discussion - thank you for actually giving a thoughtful answer rather than just a snide remark dismissing me.


My apologies for not getting back to you two days ago when I originally said I would - a close family member was in a car accident and that took precedence over commenting on HN. That said, here's the response I promised:

You bring up a good point with regards to data retention. There's no way for me to know that 10 years down the line, the government won't devolve into some totalitarian nightmare and use that data they collected indiscriminately against me for nefarious purposes. I'd like to point out that this issue exists regardless of who controls the data. Data that, for example, Google collects on me now could be used against me 10 years down the line - maybe they start selling the data to credit bureaus or insurance agencies; maybe they get hacked and I end up getting my identity stolen or blackmailed or just plain robbed; maybe someone working for Google just decides that they don't like me and wants to make my life a living hell. The issue of having your confidence betrayed and privacy lost applies to every company you deal with, every company those companies deal with, etc., not just the NSA. I've never seen a website that posted its data retention policy, and even if it did I have no way of verifying that they follow it.

Based on Snowden's leaks, declassified court documents and public statements, we know that the NSA has some sort of internal compliance department to catalogue every time they screw up and collect against legally protected communication, they receive some degree of oversight from the DoJ and FISC, and they're at least supposed to be sending semi-annual compliance reports to the intelligence committees in Congress. The same can't be said for the millions of internet sites that collect our data. Maybe that's not enough oversight for the NSA - I won't argue with that. The NSA derives its legal authority to collect from the laws passed by elected representatives in Congress. If you don't like the fact that the NSA collects this data, write to your representatives and ask for them to revise or repeal the laws. If you think the collection may be vital to national security but are concerned about its misuse, call for more independent oversight with more transparency. I have absolutely no problem with you doing that, so long as you do so using informed opinions based on concrete evidence.

This gets back to the original argument that jonnybgood was making and I was defending: most of the articles that appear regarding the NSA are overhyped with a healthy dose of fear mongering. Articles that would be more accurately titled something like "The NSA collects vast amounts of data using X" instead are presented as "The NSA collects vast amounts of Americans' data using X". They conflate collection authorities and present it as fact to the audience. For example, the NSA is permitted by law (under certain interpretations - the EFF is looking to challenge this in court) to collect American cell phone metadata under Section 215, but is expressly forbidden from collecting American data under FAA 702 authorities. Leaked slides show that the PRISM program is their mechanism for collecting FAA 702 data. Any article claiming that the NSA is collecting such-and-such data against Americans but then goes on to cite PRISM as evidence is conflating the evidence. By presenting flawed or hyped up analysis to the public, all they do is stir up hype, anger, fear and distrust in the government.


It's not a conspiracy theory. It's an obvious inference from the data we have. They are building 'pattern-of-life' profiles of all of us.



