June 10, 2004

Big and Brotherly

The White House administration has apparently defied the US Congress and kept the controversial "Total Information Awareness" going as a secret project. A politics journal called Capitol Hill Blue has exposed what it claims is the TIA project operating with no change.

Whether this is all true, or just another anti-Bush story by Democrat apologists in the leadup to the election, is all open to question. Republican apologists can now chime in on cue. While they are doing that, here are some of the impressive claims of monitoring of the US citizen's habits:

  • cellphone calls, indexed by serial numbers, matched with billing records
  • key word monitoring - the old echelon thing
  • use of private contractors to get around prohibitions on federal spying
  • trains, planes, and automobiles. Oh, and hotels reservations.
  • satellite TV - program purchases on adult movies reported to DOJ.

If you're looking for the fire, that's an awful lot of smoke. What does all this mean? Well, for one, it should start to put pressure on the open source crypto community to start loosening up. Pretty much all of that can be covered using free and easy techniques that have otherwise been eschewed for lack of serious threat models. I speak of course of using opportunistic cryptography to get protection deployed as widely as possible.

This could take as back to the halcyon days of the 90s, when the open source community fought with the dark side to deploy crypto to all. A much more noble battle than today's windmill tinting against credit card thieves and other corporately inspired woftams. We didn't, it seems, succeed in protecting many people, as crypto remains widely undeployed, and where it is deployed, it is of uncertain utility. But, we're older and wiser now. Maybe it's time for another go



From Capitol Hill Blue

What Price Freedom?
How Big Brother Is Watching, Listening and Misusing Information About You
By TERESA HAMPTON & DOUG THOMPSON
Jun 8, 2004, 08:19

You're on your way to work in the morning and place a call on your wireless phone. As your call is relayed by the wireless tower, it is also relayed by another series of towers to a microwave antenna on top of Mount Weather between Leesburg and Winchester, Virginia and then beamed to another antenna on top of an office building in Arlington where it is recorded on a computer hard drive.

The computer also records you phone digital serial number, which is used to identify you through your wireless company phone bill that the Defense Advanced Research Projects Agency already has on record as part of your permanent file.

A series of sophisticated computer programs listens to your phone conversation and looks for "keywords" that suggest suspicious activity. If it picks up those words, an investigative file is opened and sent to the Department of Homeland Security.

Congratulations. Big Brother has just identified you as a potential threat to the security of the United States because you might have used words like "take out" (as in taking someone out when you were in fact talking about ordering takeout for lunch) or "D-Day" (as in deadline for some nefarious activity when you were talking about going to the new World War II Memorial to recognize the 60th anniversary of D-Day).

If you are lucky, an investigator at DHS will look at the entire conversation in context and delete the file. Or he or she may keep the file open even if they realize the use of words was innocent. Or they may decide you are, indeed, a threat and set up more investigation, including a wiretap on your home and office phones, around-the-clock surveillance and much closer looks at your life.

Welcome to America, 2004, where the actions of more than 150 million citizens are monitored 24/7 by the TIA, the Terrorist Information Awareness (originally called Total Information Awareness) program of DARPA, DHS and the Department of Justice.

Although Congress cut off funding for TIA last year, the Bush Administration ordered the program moved into the Pentagon's "black bag" budget, which is neither authorized nor reviewed by the Hill. DARPA also increased the use of private contractors to get around privacy laws that would restrict activities by federal employees.

Six months of interviews with security consultants, former DARPA employees, privacy experts and contractors who worked on the TIA facility at 3701 Fairfax Drive in Arlington reveal a massive snooping operation that is capable of gathering - in real time - vast amounts of information on the day to day activities of ordinary Americans.

Going on a trip? TIA knows where you are going because your train, plane or hotel reservations are forwarded automatically to the DARPA computers. Driving? Every time you use a credit card to purchase gas, a record of that transaction is sent to TIA which can track your movements across town or across the country.

Use a computerized transmitter to pay tolls? TIA is notified every time that transmitter passes through a toll booth. Likewise, that lunch you paid for with your VISA becomes part of your permanent file, along with your credit report, medical records, driving record and even your TV viewing habits.

Subscribers to the DirecTV satellite TV service should know - but probably don't - that every pay-per-view movie they order is reported to TIA as is any program they record using a TIVO recording system. If they order an adult film from any of DirecTV's three SpiceTV channels, that information goes to TIA and is, as a matter of policy, forwarded to the Department of Justice's special task force on pornography.

"We have a police state far beyond anything George Orwell imagined in his book 1984," says privacy expert Susan Morrissey. "The everyday lives of virtually every American are under scrutiny 24-hours-a-day by the government."

Paul Hawken, owner of the data information mining company Groxis, agrees, saying the government is spending more time watching ordinary Americans than chasing terrorists and the bad news is that they aren't very good at it.

"It's the Three Stooges go to data mining school," says Hawken. "Even worse, DARPA is depending on second-rate companies to provide them with the technology, which only increases the chances for errors."

One such company is Torch Concepts. DARPA provided the company with flight information on five million passengers who flew Jet Blue Airlines in 2002 and 2003. Torch then matched that information with social security numbers, credit and other personal information in the TIA databases to build a prototype passenger profiling system.

Jet Blue executives were livid when they learned how their passenger information, which they must provide the government under the USA Patriot Act, was used and when it was presented at a technology conference with the title: Homeland Security - Airline Passenger Risk Assessment.

Privacy Expert Bill Scannell didn't buy Jet Blue's anger.

"JetBlue has assaulted the privacy of 5 million of its customers," said Scannell. "Anyone who flew should be aware and very scared that there is a dossier on them."

But information from TIA will be used the DHS as a major part of the proposed CAPSII airline passenger monitoring system. That system, when fully in place, will determine whether or not any American is allowed to get on an airplane for a flight.

JetBlue requested the report be destroyed and the passenger data be purged from the TIA computers but TIA refuses to disclose the status of either the report or the data.

Although exact statistics are classified, security experts say the U.S. Government has paid out millions of dollars in out-of-court settlements to Americans who have been wrongly accused, illegally detained or harassed because of mistakes made by TIA. Those who accept settlements also have to sign a non-disclosure agreement and won't discuss their cases.

Hawken refused to do business with DARPA, saying TIA was both unethical and illegal.

"We got a lot of e-mails from companies - even conservative ones - saying, 'Thank you. Finally someone won't do something for money,'" he adds.

Those who refuse to work with TIA include specialists from the super-secret National Security Agency in Fort Meade, MD. TIA uses NSA's technology to listen in on wireless phone calls as well as the agency's list of key words and phrases to identify potential terrorist activity.

"I know NSA employees who have quit rather than cooperate with DARPA," Hawken says. "NSA's mandate is to track the activities of foreign enemies of this nation, not Americans."

© Copyright 2004 Capitol Hill Blue

Posted by iang at June 10, 2004 04:57 PM | TrackBack
Comments

> Although employees who work in the building are supposed to keep their
> presence there a secret, they regularly sport their DARPA id badges around
> their necks when eating at restaurants near the building. The straps
> attached to the badges are printed with "DARPA" in large letters.


That's the main DARPA building. For driving directions, see the DARPA web site:
http://www.darpa.mil/body/information/location.html
It's not very surprising that folks there wear DARPA badges.

Should we congratulate Hampton and Thompson on their "discovery"? Or should we chip in and buy them each a new tinfoil hat?

I imagine parts of the article are actually true. But then again, a stopped watch gives the correct time twice a day.

More-reliable accounts of TIA are readily available. A useful compendium is:
http://www.eff.org/Privacy/TIA/
including:
http://www.eff.org/Privacy/TIA/20030520_tia_report.php
http://www.eff.org/Privacy/TIA/20030523_tia_report_review.php
http://www.eff.org/Privacy/TIA/20031003_comments.php
et cetera.

Posted by: John Denker at June 10, 2004 10:04 PM

The stream of bad news coming from the US looks with every passing day more like the Rhine in Rotterdam than like a moutain stream. This latest bit is particularly appalling for a reason that you may or may not have noticed, namely that it involves DARPA. Now, DARPA used to be a perfectly respectable research agency with a penchant for risk-taking that made it especially useful in an environment where research agencies have all but forgotten the meaning of risk-taking and only want to paper their ass. Thus, notwithstanding the fact that the Pentagon stood behind DARPA and that you had to be vigilant about a gradual drift into out- and-out weapons research, many basic researchers gladly did business with DARPA. Now it appears that it has been debased into another CIA-style latrin where the US govt has its filthy work done. The mind reels. Will there be no end to this nightmare?

Posted by: Olivier at June 12, 2004 06:24 PM

Thoughts. There must be a movement or a community someplace, working to deliberately increase its use of the dreaded keywords, and everything else possible, to fill up the governments' databases with false positives. With some effort, the people countering Ashcroft might even be able to create big surges in " intelligence chatter".

Sigh. Too bad we can't trust them. Based on the actions of Bush/Cheney and Ashcroft, the DHS and TIA are a bigger threat to Americans than foreign terrorists. Not to mention the fact, there wouldn't be terrorists attacking buildings in NY at all, if the Bush/Cheney and company wasn't killing muslims by the thousands, in the middle east. And even if the DHC and TIA makes those buildings safer in NYC , why should *my* liberties be the price to be paid? When does NYC and these global corporations who caused the hate and the killing, pay their own bills?

Regarding federal logging of porn purchases, one must wonder why. To find people with predisposition to porn? and profile their flavors of porn? To find suspects in various types of sex crimes?

Whatever the reasons, this kind of database will obviously be used by some of its actors, to blackmail people. For example, people in high places, people in business, etc. "Hey- you're a vice president of [insert global corporation.] And you're watching these titles? Well, I want your company to (buy my product, contribute to my campaign, etc.etc.)

Posted by: Todd at June 12, 2004 06:26 PM

Yes, I should stress in general that it is not really proven that DARPA are doing the TIA in secret. But it's a worrying development.

Todd, you are way ahead of this threat :-) Except in the issues of money, *any* basic encryption techniques will secure the infrastructure such that massive hoovering techniques will be stymied. It doesn't make anyone "secure" (think of Adi Shamir's first law of cryptography here: there are no secure systems!) but it moves the threat from a hoovering level to a targeting level.

Most people who are targetted are probably somewhat aware of this threat. The danger to civil society now is to the huge number of people who are going to be sucked up by the hoover.

Posted by: Iang at June 13, 2004 05:38 AM

I am watching this development for some time now and with increasing wariness, almost fear. I have been following the Flight Passenger Data affair (EU/USA) in some detail and I'm wondering how the according institutions in the US plan to process all the Terabytes of data, how they plan to match it and how they plan to make their inference engines more reliable. Because that's what it is: inference. They have several possibly unrelated facts, try to squeeze them into a pattern and see if it matches. Big deal, big danger to the individual.

I'm happy to see that both prominent US citizens are standing up and warning against this. I'm also happy to see that more and more "normal" citizens are getting wary and warn against this, too.

Posted by: Axel at June 14, 2004 03:12 AM

Another thing I should stress is that FC is not about politics and the state and bib brother per se. We are definately keen on real threats to the applications of finance.

In this context, we have, firstly, identity theft. This is likely to become massive once this sort of identity / credit builds up in the US economy. Pretty much all serious fraud, and most successful fraud happens inside. And, inside the TIA is going to a huge group of users, and they are going to do huge fraud. We FCers are going to have to protect our customers from that.

Secondly, the Internet itself will face a threat, which it will defeat. As the pressure mounts to route traffic into TIA, so the response will arise to divert the traffic safely past TIA. Out of this area will come new developments, new directions. TIA and the respone to it will describe a new generation of security software systems. Much as the 90s was obsessed with crypto export regulations, and the RIAA created Kazaa and Limewire, I think TIA will have important unintended consequences.

Posted by: Iang at June 14, 2004 05:40 AM

Point taken about the political implications - I'll make sure to keep that down ;-)

However, the focus was different over here in Europe. Export regulations played only a role insofar as we made fun of the annoying regulations in the US :-)

Posted by: Axel at June 15, 2004 02:25 AM