I am a fan of data driven analytics and enjoyed working with brilliant minds in massive computing, network infrastructure, and targeting for 20 years now. It´s a fundament of private communication and changed the way, businesses and even governments interact. In any sense: Data has become vital to our life.
But we have a problem, once an evil party misuses this power in bad interest. Therefore, it´s important to stay on top of what´s the 2020 State of Surveillance. Edward Snowden is certainly an authority in this space. Ubiquitous data collection needs professionals and ethical discourse.
Are you aware at all of the current state of surveillance and what if anything has changed since your revelations? Yeah, I mean the big thing that’s changed. Since 2013 it’s now mobile-first everything. Mobile was still a big deal right and the intelligence community was very much grappling to get its hands around it and to deal with it but now people are much less likely to use a laptop then use a desktop than then use, you know, God any kind of wired phone then they already use a smartphone. And both Apple and Android devices, unfortunately, are not especially good at protecting your privacy right now.
You got a smartphone right you might be listening to this on a train somewhere and in traffic right now or you Joe right now you get a phone somewhere in the room, right? The phone is turned off or at least the screen is turned off it’s sitting there it’s powered on.
And if somebody sends you a message the screen blinks to life. How does that happen right how is it that if someone from any corner of the earth dials a number your phone rings and nobody else’s rings how is it that you can dial anybody else’s number and only their phone rings right every smartphone every phone at all is constantly connected to the nearest cellular tower every phone even when the screen is off you think it’s doing nothing you can’t see it because radio frequency emissions are invisible it’s screaming in the air saying here.
I am here. Here is my IMEI, I think it’s an individual manufacturers equipment identity and IMEI individual manufacturers subscriber identity. I could be wrong on the breakout there but the acronyms are the IMEI and the IMSI and you can search for these things they’re too globally unique identifiers that only exist anywhere in the world in one place right this makes your phone different than all the other phones.
The IMEI is burned into the handset of your phone, no matter what’s in the card you change to it’s always gonna be the same and it’s always gonna be telling the phone network it’s this physical handset the IMESI is in your SIM card, right and this is what holds your phone number right it’s the basically the key the right to use that phone number and so your phone is sitting there doing nothing you think but it’s constantly shouting and saying I’m here who is closest to me, that’s a cell phone tower.
And every cell phone tower with it’s big ears is listening for these little cries for help and going all right. I see Joe Rogan’s phone. I see Jamie’s phone. I see all these phones they’re here right now. And it compares notes with the other network towers and your smartphone compares notice with them to go who do I hear the loudest and who you hear the loudest is a proxy for proximity for closeness distance right they go whoever I hear more loudly than anybody else that’s close to me, so you’re gonna be bound to this cell phone tower and that cell phone tower is gonna make a note a permanent record saying this phone this phone handset with this phone number at this time.
And was connected to me right and based on your phone handset and your phone number they can get your identity right because you pay for this stuff with your credit card everything. And even if you don’t right it’s still active it’s your house overnight is still active, you know on your nightstand when you’re sleeping it’s still whatever the movements of your phone are the movements of you as a person and those are often quite uniquely identifying it goes to your home it goes to your workplace other people don’t have it sorry.
Anyway it’s constantly shouting this out and then it compares notes with the other parts in that work and when somebody is trying to get to a phone it compares notes of the network compares notes to go where is this phone with this phone number in the world right now and to that cell phone tower that is closest to that phone it sends out a signal saying we have a call for you make your phone start ringing so your owner can answer it and then it connects it across this whole path but what this means is that whenever you’re carrying a phone whenever the phone is turned on there’s a record of your presence at That place that is being made and created by companies it does not need to be kept forever and in fact there’s no good argument for it to be kept forever but these companies see that as valuable information, right this is the whole big data problem that we’re running into and all this information that used to be a femoral right where were you when you were eight years old, you know, where were where did you go after you had a bad breakup, you know, who did you spend the night with who’d you call after all this information used to be ephemeral meaning it disappeared right like like the morning do it would be gone no one would remember it but now these things are.
Stored now these things are saved it doesn’t matter whether you’re doing anything wrong doesn’t matter whether you’re the most ordinary person on earth because that’s how bulk collection which is the government’s euphemism for mass surveillance works, they simply collect it all in advance in hopes that one day it will become useful and that.
Was just talking about how you connect the phone network, that’s not talking about all those apps. That are contacting the network even more frequently right, how do you get a text message notification, how do you get an email notification, how is it the Facebook knows where you’re at, you know, all of these things, these analytics?
They are trying to keep track through location services on your phone through GPS, even just what wireless access points you’re connected to because there’s a global constantly updated map. They’re actually many wireless access points in the world because just like we talked about every phone has a unique identifier that’s globally unique.
Every wireless access point in the world, right? You cable modem at home, whether it’s in your laptop. Every device that has a radio modem has a globally unique identifier in it. And this is a standard term. You can look it up. And these things can be mapped when they’re. Broadcasting in the air because again like your phone says to the cell phone tower.
I have this identifier the cell phone tower responds and says I had this identifier and anybody who’s listening they can write these things down and all those Google Street View cars that go back and forth right there keeping notes on whose Wi-Fi is active on this block, right? And then they build a new giant map.
So, even if you have GPS turned off, right as long as you connect the Wi-Fi those apps can go well, I can connect to Joe’s Wi-Fi. But I can also see his neighbor’s Wi-Fi here and the other one in this apartment over here and the other one of the apartments here and you should only be able to hear.
Those for globally unique Wi-Fi access points from these points in physical space, right? The intersection in between spreads the domes of all those wireless access points and it’s a proxy for location and it just goes on and on and on and we can talk about this for four more hours.
We don’t have that kind of time. Can I ask you this? Is there a way to mitigate any of this personally, I mean is they mean shutting your phone off doesn’t even work right? Well, if it does in a way it’s just no I’m the thing with shutting your phone off that is a risk is how do you know any phones actually turned off?
It used to be when I was in Geneva, for example working for the CIA. We would all carry like drug dealers phones, you know, the old smartphones the or sorry old dumb phones, they’re not smartphones. And the reason why was just because they had removable battery packs where you could take the battery out, right?
And the one beautiful thing about technology is if there’s no electricity in it, right? If there’s no go-juice available to it if there’s no battery connected to it. It’s not sinning anything because you have to get power from somewhere you have to have power in order to do work.
But now, Your phones are all sealed right. You can’t take the batteries out. So there are potential ways that you can hack a phone where it appears to be off, but it’s not actually off. It’s just pretending to be off whereas in fact it’s still listening in and doing all this stuff.
But for the average person that doesn’t apply, right? And I got to tell you guys they’ve been chasing me all over the place. I don’t worry about that stuff, right? And it’s because of their applying that level of effort to me. They’ll probably get the same information through other routes.
I am as careful as I can and I use things like fair decades I turned devices off but if they’re actually manipulating the way devices display, it’s just too great a level of effort even for someone like me to keep that up on a constant basis also if they get me I only trust phones so much so there’s only so much they can derive from the compromise and this is how operational security works you think about what are the real threats that you’re facing that you’re trying to mitigate.
And the mitigation that you’re trying to do is what would be the loss what would be the damage done to you if this stuff was exploited much more realistic than worrying about these things that I call voodoo hacks right which is like next-level stuff and actually just a shout out for those of your readers who are interested in this stuff.
I wrote a paper on this specific problem, how do you know on a phone is actually off how do you know when it’s actually not spying on you with a brilliant brilliant guy named Andrew Bunny Huang he’s an MIT Ph.D. and I think electrical. Engineering called the introspection engine that was published in the Journal of Open Engineering you can find it online and it’ll go deep down in the weeds. I promise you as you want we take an iPhone 6 this was back when it was fairly new and we modified it so we could actually not trust the device to report its own state, but physically monitor its state to see if we spy on you but for average people right this academic that’s not your primary threat your primary threats are these bulk.
Collection programs, your primary threat is the fact that your phone is constantly squawking to these cell phone towers is doing all these things because we leave our phones and a state that is constantly on you’re constantly connected right airplane mode doesn’t even turn off Wi-Fi really anymore just turns off the cellular modem.
But the whole idea is. We need to identify the problem. And the central problem with smartphone use today is you have no idea what the hell it’s doing at any given time like the phone has the screen off you don’t know what it’s connected to you don’t know how frequently it’s doing it Apple and iOS, unfortunately, makes it impossible to see what kind of network connections are constantly made on the device and to intermediate them going.
I don’t want Facebook to be able to talk right now, you know, I don’t want Google to be able to talk right now. I just want my secure messenger app to be able to talk. I just want my weather app to be able to talk but I just checked my weather and now I’m done with this so I don’t want that to be.
Able to talk anymore and we need to be able to make these intelligent decisions on not just an app by app basis but a connection by connection basis right you want let’s say you use Facebook because you know for whatever judgment we have a lot of people might do it.
You want it to be able to connect to Facebook’s content servers yeah you want to be able to message a friend you want to be able to download a photograph or whatever but you don’t want it to be able to talk to an ad server you don’t want it to talk to an analytic server that it’s monitoring your behavior right you don’t want to talk to all these third-party things because Facebook cramps their garbage and almost every app that you download and you don’t even know what’s happening because you can’t see it right and this is the problem with the data collection used today.
Is there an industry that is built on keeping this invisible. And what we need to do is we need to make the activities of our devices, whether it’s a phone, whether it’s a computer or whatever more visible and understandable to the average person, and then give them control over it.
So like if you could see your phone right now. And at the very center of his little green icon that’s your you know handset or it’s a picture your face whatever and then you see all these little spokes coming off of it that’s every app that your phone is talking to right now or every app that is active on your phone right now and all the hosts that it’s connecting to and you can see right now what’s every three seconds your phone is checking into Facebook and you can just poke that app and the boom.
It’s not talking to Facebook anymore. Facebook’s not allowed Facebook speaking privileges have been revoked, right? You would do that. We would all do that. If there was a Button on your phone that said do what I want, but not spy on me. You would press that button. That button does not exist right now And both Google and Apple, unfortunately, apples a lot better at this than Google.
But neither of them allow that button to exist. In fact, they actively interfere with it because they say it’s a security risk. And from a particular perspective, they actually aren’t wrong there. But it’s not enough to go, you know, we have to lock that capability off from people because we don’t trust they would make the right decisions.
We think it’s too complicated for people to do this. We think there are too many connections being made. Well, that is actually a Confession of the problem right there. If you think people can’t understand it if you think there are too many communications happening if you think there’s too much complexity in there it needs to be simplified just like the President can’t control everything like that.
If you have to be the president of the phone and the phone is as complex as the United States government we have a problem, guys. This should be a much more simple process. It should be obvious and the fact that it’s not and the fact that we read story after story year after year saying all your data been breached here this company’s spying on you here this company’s manipulating your purchases or your search.
Results or they’re hiding these things from your timeline not where they’re influencing you or manipulating it all these different ways that happen as a result of a single problem. And that problem is the inequality of available information. They can see everything about you. They can see everything about what your device is doing and they can do whatever they want with your device.
You on the other hand owns the device. Well rather you paid for the device, but increasingly these corporations own it increasingly. These governments own it and increasingly we are living in a world where we do all the work, right? We pay all the taxes we pay all the costs but we own less and less and nobody understands this better than the youngest generation.
Well, it seems like our data became a commodity before we understood what it was. It became this thing that’s insanely valuable to Google and Facebook and all these social media platforms before we understood what we were giving up they were making billions of dollars and then once that money was earned and once everyone’s accustomed.
To this. Situation, it’s very difficult to pull the reins back, it’s very difficult to turn that horse around. If precisely because the money then becomes power, right? The information then becomes influence. That also seems to be the same sort of situation that would happen with these mass surveillance dates once they have the access it’s going to be incredibly difficult for them to relinquish that.
Yeah, I know you’re exactly correct and this is the subject of the book. I mean, this is the permanent record and this is where it came from. This is how it came to exist. The story of our lifetimes is how intentionally by design a number of institutions both governmental and corporate realized it was in their mutual interest to conceal their data collection activities to increase the breadth and depth of their sensor networks that were sort of spread out from.
Society. Remember back in the day intelligence collection in the United States even used to mean sending an FBI agent right to put alligator clips on an embassy building or sending in a somebody disguised as a workman and they put a bug in a building or they built a satellite listening site, right?
We called these foreign set or foreign satellite collections. Around the desert somewhere they built a big parabolic collector and it’s just listening to satellite emissions, right? But these satellite emissions. Is the satellite links were owned by militaries they were exclusive to governments, right? It wasn’t affecting everybody broadly also valence was targeted because it had to be.
What changed with technology is that surveillance could now become indiscriminate. It could become dragnet, it could become bulk collection which should become one of the dirtiest phrases in the language. If we have any kind of decency, but we were intentionally. This was intentionally concealed from us, right? The government did it; they used classification.
Companies did it; they intentionally didn’t talk about it. They denied these things were going they they said you agreed to this and you didn’t create nothing like this. I’m sorry, right? They go, we put that terms of service page up and you click that. You click the button that said I agree.
Because you were trying to open an account so you could talk to your friends. You were trying to get driving directions you were trying to get an email account. You weren’t trying to agree to some 600 page legal form. They even if you’ve read you wouldn’t understand and it doesn’t matter even if you did understand because one of the very first paragraphs and it said this agreement can be changed at any time unilaterally without your consent by the company, right?
They have built a legal paradigm that presumes records collected about us do not belong to us. This is a sort of one of the core principles on which mass surveillance from the government’s perspective in the United States is legal. And you have to understand that all the stuff we talked about today government says everything they do is legal, right?
And they go so it’s fine. Perspectives of public should be well, that’s actually the problem because this isn’t okay. The scandal isn’t how they’re breaking the law. S that they don’t have to break law. And the way they say, they’re not breaking the law is something called the third party doctrine.
A third-party doctrine is a. A legal principle derived from a case and I believe the 1970s called Smith versus Maryland. And Smith was this knucklehead who was harassing this lady making phone calls to her house and when she would pick up he just I don’t know who sits there heavy breathing whatever like a classic creeper.
And you know, it was terrifying this poor lady. So, she calls the cops and says one day. I got one of these phone calls and then I see this car creeping past my house on the street and she got a license plate number. So, she goes to the cops and she goes is this the guy.
And the cops again, they’re trying to do a good thing here. They look up his license plate number and they find out where this guy is and then they go well what phone numbers registered to that house and they go to the phone company and they say, can you give us this record?
The phone company says yeah sure and it’s the guy the cops got their man, right? So they go arrest this guy and then in court his lawyer brings all this stuff up and they go.
You did this without a warrant. That was sorry that was the problem was they went to the phone company, they got the records without a warrant they just asked for do they subpoenaed it right some lower standard of legal review. And the company gave it to him and got the guy they marched to jail.
And they could have gotten a warrant, right? But it was just expedience they just didn’t want to take the time the small-town cops. You can understand how it happens. They know the guys creep really just want to get them off to jail. And so, they made me sleep with the government doesn’t want to let go.
They fight on this and they go. It wasn’t actually they weren’t his records and so because they didn’t belong to him he didn’t have a fourth amendment right to demand a warrant issued for them. They were the company’s records and the company provided them voluntarily and hence no warrant was required because you can give whatever you want without a warrant as long as it’s yours.
Now, here’s the problem. The government extrapolated a principal in a single case of a single known suspected criminal who had they had really good reasons to spend suspect was their guy. And use that to go to a company and get records from them and establish a precedent that these records don’t belong to the guy they belong to the company.
And then they said well if one person doesn’t have a fourth amendment interest in records held by a company no one does. And so the company then has absolute proprietary ownership of all of these records about all of our lives. And remember this spectacular 1970s, you know, the internet hardly exists in these kinds of contexts smartphones, you know, don’t exist the modern society.