In general it's a good thing that more and more people are aware of the necessity for good security practices for all online interactions - but the belief that individual technological efforts can defeat large-scale corporate and nation-state monitoring is pretty silly. At best you'll just have an added layer of security against things like theft of credit card information by criminal gangs.
If you actually want to do something like communicate with a journalist while hiding your own endpoint from exposure you have to go to fairly ridiculous lengths, such as acquiring a laptop used only for that purpose and which has no associated identifying information, use random open Wifi networks to log onto, and have a decent understanding of the concepts of public-key, asymmetric and symmetric cryptography.
Note that there is simply no way for two known parties on the internet to hide the fact that they are communicating with one another from government-corporate managers of the Internet - although it's possible to keep the content hidded, to some extent, unless your passwords get compromised, which seems fairly easy to accomplish for such actors via keylogger malware installed through backdoor attacks using secret zero-day exploits and so on.
The only real solution is the passage of data privacy laws that provide criminal penalities and which allow class-action lawsuits against corporations and governments that engage in warrantless mass surveillance or the retention and aggregation of customer's personal data in searchable databases.
This site and many guides like it are intended to help people avoid mass surveillance rather than targeted surveillance. Confounding the two threat models seems intended to confuse and exasperate people.
So, let's say the NSA is collecting data on every person on the web, and they're able to see who is using these 'mass surveillance avoidance tools' and who isn't. The former category then actually stands out and becomes targets of more intensive surveillance because they're using tools that allow them to hide surveillance to a limited extent. Using such tools would flag the 'strong-selector' metadata collection system for further (targeted) examination, i.e.
This is of course what an outfit like the STASI or Gestapo would do, isn't it? If you're actually trying to hide from surveillance, the best tactic is to hide in plain sight, maintaining a cover story consisting of bland normal online presence that doesn't draw extra attention.
Of course living in an authoritarian panopticon and having to hide in this manner is an undesirable situation, and the solution is not technological, but rather political in nature. One basic issue is transparency, i.e. the public should be able to see what the intelligence agencies and corporations are up to with their surveillance programs. This is why Snowden's exposure of PRISM, XKEYSCORE, TRAFFICTHIEF, etc. was in the public interest, i.e. legitimate whistleblowing.
These are good points, but political solutions (by which I mean political changes within the system) are almost certainly never going to happen. More unrealistic than a technological solution addressing this, even.
Instead, social/cultural solutions might be the key. If only a few people use these mass surveillance avoiding tools, then yes, they become targets. But if almost everyone uses them and they become ubiquitous, the landscape changes some.
> These are good points, but political solutions (by which I mean political changes within the system) are almost certainly never going to happen.
I don't think political solutions are impossible, but if they are then our government is incapable of executing the public will. I think the key to generate this type of change is to tell a very compelling and broad story about why the current situation is unacceptable. Discussing {history lesson} or {personal security risk} doesn't seem to be a strong enough narrative. A very strong narrative can turn public opinion and force action by lawmakers. Over the last 100 years there has been a number of examples of popular opinion becoming so massive that the political system has to do something they clearly did not want to do.
* The draft is now reserved for emergency use only. Previously it was used for Korea and Vietnam, which were more about global power projections than direct threats to the US.
* The role of the US Military is moving away from World Police and limiting itself to more directly protect American interests. Troop deployments are highly scrutinized by the public and impact Presidential approval ratings.
* Cannabis went from the poster child for war-on-drugs to essentially unenforced federally and openly cultivated/traded/consumed in large regions of the country. Rules on Magic Mushrooms, MDMA, and Ketamine are beginning to loosen to.
* The end of COVID lockdowns and mask mandates in the US was largely determined by grassroots actions instead of top-down decisions.
Quite right. Look no further than Snowden to understand that our legislature is complicit in these deep-state surveillance activities. They don't even want to change, let alone have the ability to.
The logic that anybody we can't see should be a suspect would then target our grandmas with landline phones who buy their groceries with cash or live in nursing homes. It would be a colossal waste of resources and detract focus.
The methods of the STASI were extremely crude and different to what is available today. They relied on human informants and collected lots of paper.
Or they can just filter for age, likelihood of technical proficiency (indicated by such things as education, prior employment, family, peer group, etc), and likelihood of “effective political concern” (or whatever we might call a person’s affinity for independence, skepticism, distrust of authority, knowledge of past authoritarian transgressions, knowledge of current authoritarian capabilities, and access and willingness to non-technical resources, eg time or money, needed to act on their concerns)
Here is where it kind of comes full circle on mass surveillance. If you do not have those data points, you cannot filter on them. Even if someone was once sloppy on real ID social media platforms, old data is less useful.
Good thing I only have a Google account and a bank account and link nothing else to me online. Try as I might, no search engine seems to know I exist.
Sure some genius might think their model has got me nailed but even when I had a Twitter a decade ago and asked for my data Twitter had my age, gender (details I had in my profile btw) and number of kids I have wrong.
The problem with tech companies is they’re run by people and people are pudding brains who believe in magic. The problem with AI, as Chomsky said, is people will believe it. It’s true because they’ve been believing these other terribly inept systems they built, whether technological or social.
Your point is valid, but in this context, going to the next level of targeting will require them to probably burn 0day to achieve it. If that's the case, not even the NSA can afford to do that en masse. And if they did for some reason decide to make that policy, it would be a gold mine for foreign governments to setup honeypots to collect every 0day in the NSA's arsenal like pokemon.
I think the lesson to be learned from e.g. the Cambridge Analytica scandal is that given enough computational power, mass surveillance is indistinguishable from targeted surveillance.
I feel like I should be putting on my tinfoil hat saying all of that, but the reality is that these systems are less and less throttled by the availability of human brains to process the data the automated surveillance systems collect. We made a mistake in thinking that labor costs could ever be an effective guard rail for these tools.
> This site and many guides like it are intended to help people avoid mass surveillance rather than targeted surveillance. Confounding the two threat models seems intended to confuse and exasperate people.
The important thing to keep in mind - and one that I find most nontechnical people don't realize - is that over time mass surveillance and targeted surveillance trend to being the same thing.
Centuries, or even decades, ago mass surveillance was a dictators dream but merely a fantasy. There was no way to do it, not enough people or time, so it was impossible. You could only do targeted surveillance against selected groups or people.
With current technology these are starting to merge. You can actually spy on everyone all the time and store it for later perusal whenever you need to perform a dragnet search in the future.
We're not there 100% quite yet but every year more activities are online and more bandwidth and storage capacity makes it more and more viable to monitor everything and everyone all the time.
The legal and cultural framework to deal with this does not exist. Laws and mindsets are still focused only on targeted surveillance and cover things like search warrants.
> Note that there is simply no way for two known parties on the internet to hide the fact that they are communicating with one another from government-corporate managers of the Internet
Not entirely true. I could post a message on a popular forum like HN, where the message contains a hidden message.
Steganography is a real thing. I've often wondered about those meme powerhouses, like on Facebook.
I used to collect thousands of memes and just blast them to my mother indiscriminately. Then I wondered whether silly-looking memes could be carrying secret messages, or just nasty hidden stuff. I decided to stop helping traffick in that stuff.
Has anyone read/seen Mother Night? That's a real good example of how secret communication can hide in plain sight.
Steganalysis is the process of trying to separate cat pictures from cat pictures with steganographic information added. It's quite possible to do this well under ideal conditions -- where you know the proportion of the two a priori -- but much harder in real life.
In World War II, German spies used a technique called the "microdot" to embed secret messages within seemingly innocuous documents. The microdot technique involved shrinking the text of a message to the size of a small dot (about 1 millimeter in diameter) and then placing it within the text or image of a cover document, such as a letter or newspaper article. The recipient would need a microscope to read the tiny message.
The Least Significant Bit method is used frequently for the legitimate use of watermarking image, video and audio IP. It is a simple technique that embeds the watermark data into the rightmost bit of a binary number (LSB) of some pixels of the cover image.
It is also very common for malware to hide it's configuration data or payload within image files. (ZeusVM, Zberp, NetTraveler, Shamoon, Zero.T)
In 2010, the Colombian government commissioned a pop song called "Better Days" that received nationwide airplay. Hidden within the song was a Morse code message for FARC hostages (some of whom were soldiers and trained in Morse) that help was on the way.
> The criminal complaint alleges that on or about July 5, Zheng, an engineer employed by General Electric, used an elaborate and sophisticated means to remove electronic files containing GE’s trade secrets involving its turbine technologies. Specifically, Zheng is alleged to have used steganography to hide data files belonging to GE into an innocuous looking digital picture of a sunset, and then to have e-mailed the digital picture, which contained the stolen GE data files, to Zheng’s e-mail account.
If they didn't we would never know, would we? We must do something like the Border Patrol does when they seize like 1kg of drugs and use that to assume that 1,000kg got through.
Maybe that explains some 'word-salad' speeches by our VP. She really is sending a hidden message to somebody who has the secret decoder ring. Then again, maybe not...
Most media now have secure drop and guides on usage.
In the UK atleast such as this BBC page[0]. As do the Guardian, Bloomberg and many more Im sure.
I appreciate that it is an involved process as you say but it doesn't seem excessive especially if you can use your smartphone now that tor browser is on android and iOS.
This might hinder small time criminals and companies at best from finding out who snitched on them. But in an authoritarian regime with state level resources or just a sufficient level of corruption or even just a media corp run by boomers that is vulnerable to phishing, you can't count on discretion for these things. Secure tunnels and end2end encryption are worthless if the endpoints are easy to compromise. The above comment is right that at the very least you should use bespoke hardware that was never associated with you or anyone you know in any shape or form (in addition to the things mentioned on that site). And even then you'd have to make sure that the info you leak can't be traced back to you, at which point it becomes a game of intelligence and counter intelligence. For example, if an organisation suspects their people are leaking info to the press, it could begin to place targeted (mis)information among employees to uncover them. This was done at Tesla last year to track and eventually bust leakers.
It's dangerous to assume phishing vulnerability is solely a Boomer thing. Tech literacy is unevenly distributed even among younger generations, and the upcoming generations that grew up on Chromebooks and tablet computing aren't that much more tech literate than old folks on the aspects of OpSec that matter. "Kids these days" don't even really understand how file systems work.
The laws don't really stop it either. The 4th amendment in the United States hasn't prevented huge dragnet style data collection and partnerships with private entities to provide access to whatever data the government wants.
Laws like the Bank Secrecy Act where passed specifically to state that 4A doesn't apply if the data is collected from a third party and not the individual directly. Nonsense but we're here.
BSA was an outgrowth of Third Party Doctrine was it not?
They already had law enforcement integration and judicial precedent dismantling the 4th Amendment.
...Now that you have me thinking about it...sigh... Yeah. I think I see where you are coming from. Funny how you can take an Act name, and map the actual outcome to the exact opposite of what the name would imply in layman's terms.
The expression of power is in who gets to decide the exception to the rules. Real power is rarely beholden to rules. That's why whistleblowers who call out illegal programs are treated like the criminal, because the laws essentially don't matter when dealing with things at that high of level.
Powerful people can lie, cheat, and steal and face zero repercussions. They hold institutional power so groups like the police will protect them regardless of laws being broken. It's not illegal for a corporation to either literally or metaphorically kill someone, because there is no body that will hold them accountable, but it is illegal to assassinate a CEO and systems will pull all stops to hold the assassin accountable.
Its the real reason why Western style democracy ends up being a busybox for people who like rules. The people who can grant endless exceptions have addresses and beds where they rest their heads but people without power cannot decide on an exception to the rules, regardless how dangerous and damaging that person is.
In the U.S. qualified immunity is a creation of the judicial system, and those decisions could presumably be reversed by statute if the political will comes to exist.
No need to invoke qualified immunity; the data privacy laws that have been passed (e.g. the GDPR) make explicit carveouts for government surveillance. Yes, the carveouts are for the jurisdiction's own government only, but that's the one you should be most worried about mass surveillance from in most cases.
> but the belief that individual technological efforts can defeat large-scale corporate and nation-state monitoring is pretty silly.
Nation states may have a lot of budget, but they still have a budget. Mass survelience needs to have low per user cost to succeed. It is entirely reasonable to assume small changes if widely adopted could make mass surveilence ecconomically unfeasible.
The only real solution is the passage of data privacy laws
Even your own example — a whistleblower talking to a journalist — illustrates that the fear is not of people who abide by laws, but people and organizations that don't care about the laws.
I'm not saying that there shouldn't be laws. But like almost everything involving human beings, the solution is not an if-then binary choice.
You mean you want the same government that is interested in putting back doors in phones and other surveillance techniques to pass laws that keep them from doing so?
Every organisation I've worked in has had comprehensive processes for deleting personal data and only storing what is necessary due to e.g. https://www.gov.uk/data-protection
Without such laws, every business would store as much data as they could indefinitely, because $$.
All of this is besides the point that was made; your fatalistic view point suggests we should make no attempt at effective governance because there are powers that oppose us. There are countries which are more democratic than others, and the population of such countries tend to have a better quality of life and more rights.
Yes, our government is not a single homogenous entity. We can theoretically (and sometimes actually) use our legislative representatives to change the behavior of other parts.
The clipper chip idea flopped, right? So have a few other stupid, draconian, privacy-defeating bills since.
But yeah, it may not be realistic to think that we can stop the expansion of surveillance powers for TPTB and erosion of rights for the average citizen, given the consistency and persistence of the proponents of such crap. When I look at trends of the past 20 years, it seems like wherever the law has fallen short of placing everyone under a microscope, private industry has conveniently stepped in to become the 1984-telescreen service providers instead of the government.
Corporations are the governments private enforcement contractors. They’ll control the internet and we’ll work for them, and they’ll work for government.
See! Government involved in your life!
Nice job building a firewall between society and government control.
At the end of the day it’s all people. The semantic bubbles do nothing to change its all just people looking to externalize effort to live simpler themselves.
"the government" is not one person with a concrete ideology, it is an amalgamation of hundreds of people who all want different things and are theoretically beholden to their voter base.
"The government", like any other large corporation, is an entity in and of itself, and not a mere aggregation of the people who run it. It has institutional culture etc, and given what it is, said institutional culture tends to lean heavily towards a highly centralized, hierarchical approach to anything it perceives as a problem; and tends to perceive anything that threatens the applicability of this approach as a problem in its own right.
The government in the US is not beholden to “the people”.
Because of the setup of the electoral college, 2 senator per state where RI has the same number of Senators as California and gerrymandering, it is very much about the will of the minority.
That’s not to mention all of the things that get done by unelected officials and judges with lifetime tenure.
We should push for laws and resist new acts that curtail our rights of privacy and free expression, but that is not a solution. We are generally on our own in making our choices of technology to use. If you go on using proprietary services and networks hoping that someday laws will suddenly fix all the problems, you are seriously deluded or naïve.
You mean... like some sort of a... a Constitution...
One with lines like:
"The Congress shall make no law..."
"The People shall..."
"...shall not be infringed."
"All powers not mentioned here are reserved for the States, or ultimately, the People."
We're beyond the point where good faith can be assumed, and we're down to brass tacks. Our judiciary has shown they are more than willing to creatively reinterpret precedent as they see fit. Our Executive is acting more and more like a dictator with an entire corpus of executive based lawmaking at his disposal (Administrative Law). The Legislature has abdicated responsibility for reigning in excesses in the interest of the little people rather than established incorporated interests and high value donors.
And the People are left with a choice. Amongst all this dysfunction, what should they do?
If you actually want to do something like communicate with a journalist while hiding your own endpoint from exposure you have to go to fairly ridiculous lengths, such as acquiring a laptop used only for that purpose and which has no associated identifying information, use random open Wifi networks to log onto, and have a decent understanding of the concepts of public-key, asymmetric and symmetric cryptography.
Note that there is simply no way for two known parties on the internet to hide the fact that they are communicating with one another from government-corporate managers of the Internet - although it's possible to keep the content hidded, to some extent, unless your passwords get compromised, which seems fairly easy to accomplish for such actors via keylogger malware installed through backdoor attacks using secret zero-day exploits and so on.
The only real solution is the passage of data privacy laws that provide criminal penalities and which allow class-action lawsuits against corporations and governments that engage in warrantless mass surveillance or the retention and aggregation of customer's personal data in searchable databases.