
Google is NOT deleting search logs after 9 months

The San Francisco Chronicle’s “The Tech Chronicles,” along with a number of other media outlets, is reporting that Google will “halve the time it stores logs of user web searches” from 18 to 9 months. Charitably, one could call this a misleading statement, but it really is just plain wrong. Google keeps its search logs indefinitely. It only “anonymizes” search logs after the set period of time, and just what anonymization means is up to Google. When Google first announced its 18-month policy in March of 2007, I reprinted this section of the Google blog’s FAQ that helps illustrate the limitations:

Will governments be able to subpoena server log data after it is anonymized? Will anonymized data still be able to identify an individual user by cookie or IP address? Google does comply with valid legal process, such as search warrants, court orders, or subpoenas seeking personal information. Logs anonymization does not guarantee that the government will not be able to identify a specific computer or user, but it does add another layer of privacy protection to our users’ data.

Will this policy change make it more difficult for law enforcement to prevent and detect crime or child exploitation? No, current laws allow the government to request that companies preserve user data. We regularly comply with such laws.

What happens to the logs at the end of the expiration date? Are they deleted? At the end of the expiration date we will still keep server logs but they will be anonymized.

At the time, the process of anonymization involved deleting the first four digits of the IP address and altering associated individual cookie data in an unspecified way. With the new 9-month policy, Google states that it might do something different. The only thing that this policy means is that your search log data older than nine months will not be used for services like “automatic search correction,” which corrects typos on the fly based on your prior search patterns, or to serve you ads. It does not mean that your personal search behavior older than 9 months won’t be accessible to state policing organizations.


New Development in Censorship Cat and Mouse?

Just in time for the Olympics, the Guardian is reporting a development in how the Tor network diffuses that appears, at least temporarily, to obviate any established methods of web censorship. The Tor network was developed by the US Naval Research Laboratory to anonymize (but not necessarily encrypt) Internet traffic. The Chinese government has been able to constrain the diffusion of Tor nodes in China by simply blocking the servers where Tor software is distributed. This new development renders such a strategy ineffective:

Instead of joining the Tor network directly, thereby revealing your intention, you first connect to a computer set up by your friends or colleagues, who then introduce you to the Tor network (a “virtual bridge”, they call it). Because the Chinese cannot know in advance who these friends of yours will be (technically speaking, their IP address), they cannot pre-empt by blacklisting. Once you do connect through the bridge to the Tor network, it is almost impossible for surveillance agencies to know that you are using Tor.


China: When Monitoring Slips Up

I’ve been following this fascinating story about a major breakdown of propaganda controls at the popular newspaper, Beijing News. The paper, apparently inadvertently, published a photo of Tiananmen victims taken by Pulitzer Prize-winning photographer Liu Heung Shing in its July 25th print edition. The whole story of how it happened and the predicament it has caused for government authorities just days before the Olympics is covered in detail by Newsweek’s Melinda Liu in her Countdown to Beijing blog.


The Fifty Cent Party and Message Force Multipliers

There’s an excellent, informative article by David Bandurski about what has become known as China’s “Fifty Cent Party” in the latest issue of the Far Eastern Economic Review. This growing group of state-financed “web commentators” has been attempting to monitor and influence public opinion via online chat rooms and BBSs since the spring of 2005, when administrators at Nanjing University employed a team of “zealous students” at 50 mao (7 cents, US) per post to help sell the launch of a new BBS that was replacing a highly popular but now banned board. The technique spread across Jiangsu province, was adopted nationally, and is now practiced on a daily basis by a team Bandurski estimates exceeds 280,000 in number. Here are some excerpts:

… the Party found itself increasingly in a reactive posture, unable to push its own messages. This problem was compounded by more than a decade of commercial media reforms, which had driven a gap of credibility and influence between commercial Web sites and metropolitan media on the one hand, and old party mouthpieces on the other.
….

China’s Culture Ministry now regularly holds training sessions for Web commentators, who are required to pass an exam before being issued with job certification. A Chinese investigative report for an influential commercial magazine, suppressed by authorities late last year but obtained by this writer, describes in some detail a September 2007 training session held at the Central Academy of Administration in Beijing, at which talks covered such topics as “Guidance of Public Opinion Problems on the Internet” and “Crisis Management for Web Communications.”

It is worth noting that this practice is hardly unique to China. Just a few months ago, the New York Times published a story (April 20) about the Pentagon’s use of “message force multipliers” to make sure that its preferred take on the Iraq War dominated the television airwaves.

Hidden behind that appearance of objectivity, though, is a Pentagon information apparatus that has used those analysts in a campaign to generate favorable news coverage of the administration’s wartime performance, an examination by The New York Times has found.

The effort, which began with the buildup to the Iraq war and continues to this day, has sought to exploit ideological and military allegiances, and also a powerful financial dynamic: Most of the analysts have ties to military contractors vested in the very war policies they are asked to assess on air.

It’s safe to say that the analysts deployed by the Pentagon are making more than fifty cents per message.


China earthquake relief: how to give online

Microsoft device facilitates digital evidence gathering

From today’s Seattle Times:

Microsoft device helps police pluck evidence from cyberscene of crime
By Benjamin J. Romano
Seattle Times technology reporter

Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.

The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB “thumb drive” that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.

The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer’s Internet activity, as well as data stored in the computer.

It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.

More than 2,000 officers in 15 countries, including Poland, the Philippines, Germany, New Zealand and the United States, are using the device, which Microsoft provides free.

“These are things that we invest substantial resources in, but not from the perspective of selling to make money,” Smith said in an interview. “We’re doing this to help ensure that the Internet stays safe.”

Law-enforcement officials from agencies in 35 countries are in Redmond this week to talk about how technology can help fight crime. Microsoft held a similar event in 2006. Discussions there led to the creation of COFEE.

Smith compared the Internet of today to London and other Industrial Revolution cities in the early 1800s. As people flocked from small communities where everyone knew each other, an anonymity emerged in the cities and a rise in crime followed.

The social aspects of Web 2.0 are like “new digital cities,” Smith said. Publishers, interested in creating huge audiences to sell advertising, let people participate anonymously.

That’s allowing “criminals to infiltrate the community, become part of the conversation and persuade people to part with personal information,” Smith said.

Children are particularly at risk to anonymous predators or those with false identities. “Criminals seek to win a child’s confidence in cyberspace and meet in real space,” Smith cautioned.

Expertise and technology like COFEE are needed to investigate cybercrime, and, increasingly, real-world crimes.

“So many of our crimes today, just as our lives, involve the Internet and other digital evidence,” said Lisa Johnson, who heads the Special Assault Unit in the King County Prosecuting Attorney’s Office.

A suspect’s online activities can corroborate a crime or dispel an alibi, she said.

The 35 individual law-enforcement agencies in King County, for example, don’t have the resources to investigate the explosion of digital evidence they seize, said Johnson, who attended the conference.

“They might even choose not to seize it because they don’t know what to do with it,” she said. “… We’ve kind of equated it to asking specific law-enforcement agencies to do their own DNA analysis. You can’t possibly do that.”

Johnson said the prosecutor’s office, the Washington Attorney General’s Office and Microsoft are working on a proposal to the Legislature to fund computer forensic crime labs.

Microsoft also got credit for other public-private partnerships around law enforcement.

Jean-Michel Louboutin, Interpol’s executive director of police services, said only 10 of 50 African countries have dedicated cybercrime investigative units.

“The digital divide is no exaggeration,” he told the conference. “Even in countries with dedicated cybercrime units, expertise is often too scarce.”

He credited Microsoft for helping Interpol develop training materials and international databases used to prevent child abuse.

Smith acknowledged Microsoft’s efforts are not purely altruistic. It benefits from selling collaboration software and other technology to law-enforcement agencies, just like everybody else, he said.

Benjamin J. Romano: 206-464-2149 or bromano@seattletimes.com

Copyright © 2008 The Seattle Times Company


China’s State Council Issues Report on US Data Privacy

The Information Office of China’s State Council released an English-language report on human rights in the US today. Section III of the report, On Civil and Political Rights, deals with issues of surveillance and data privacy. Here are some excerpts:

From January 2005 to September 2007, Verizon provided data to federal authorities “on an emergency basis” 720 times. The records included Internet protocol addresses as well as phone data. In that period, Verizon turned over information a total of 94,000 times to federal authorities armed with a subpoena or court order. The information was mainly used for a range of criminal investigations including counter-terrorism investigations (The Washington Post, October 16, 2007).

In August 2007, the United States’ National Intelligence Director Mike McConnell revealed that fewer than 100 people inside the United States are monitored under the Foreign Intelligence Surveillance Act (FISA) warrants. However, he said, thousands of people overseas are monitored (The Associated Press, August 23, 2007). The FBI is embarking on a 1 billion U.S. dollars effort to build the world’s largest computer database of peoples’ physical characteristics, called Next Generation Identification, a project that would give the government unprecedented abilities to identify individuals in the United States and abroad. The increasing use of biometrics for identification is raising questions about the ability of Americans to avoid unwanted scrutiny (FBI Prepares Vast Database Of Biometrics, The Washington Post, December 22, 2007).

Statistics show that the government’s illegal dragnet electronic surveillance has put sensitive personal information from millions of people at risk. 477 breaches into government databases were found in 2006 alone. More than 162 million records were reported lost or stolen in 2007, triple the 49.7 million that went missing in 2006 (USA Today website, December 10, 2007). In July 2007, the Homeland Security Department granted more than 4 million U.S. dollars to install 175 video cameras on the streets of cities including St. Paul, Madison (Wisconsin State) and Pittsburgh. The Boston Globe estimated that up to hundreds of millions of dollars were being spent by the department to install new surveillance systems around the country, accelerating the rise of a “surveillance society” (The Boston Globe, August 12, 2007).


Beijing City to Partially Resurrect Mandatory Real Name Policy

According to a report today in the London-based online journal, The Inquirer, net cafe patrons in metropolitan Beijing must register with their real names starting later this year. Beijing, to my knowledge, becomes the second Chinese city (Xiamen was the first, in the wake of the successful PX Chemical plant protest) to attempt to impose a regional real name registration policy since the state’s acquiescence to public rejection of a formal national policy in May of last year.

It is worth noting that these kinds of initiatives are not unique to Chinese politics. Last fall, Donald Kerr, the principal deputy director of U.S. national intelligence, stated that no American should expect to speak or act today without casting a data shadow that is visible to the federal government. Last week, Kentucky lawmaker Tim Couch submitted a bill that “would require anyone who contributes to a website to register their real name, address and e-mail address with that site.”

Although the current Beijing government initiative focuses only on net cafe users and not people going online from work or home, there is a long history of failed state government attempts to have customers of net cafes register their real names. With the Olympics fast approaching, the stakes may be a bit different. This bears watching.

Update: the original story, in Chinese, is at CE.CN (China Economics Network), dated March 11.


Chinese hackers: No site is safe (CNN)

CNN journalist John Vause today is reporting a meeting with Chinese hackers in Zhoushan city who say they have hacked into sensitive computer systems all over the world, including the Pentagon. Although the hackers claim to have been paid by the Chinese government, they could just as easily have been acting independently. Below are some excerpts and a link to the full story. It will be interesting to see if and how this story plays in the broader MSM and whether it will be used to argue for greater US government monitoring of the Internet.

Arranging a meeting with the hackers took weeks of on-again, off-again e-mail exchanges. When they finally agreed, CNN was told to meet them on the island of Zhoushan, just south of Shanghai and a major port for China’s navy.

The apartment has cement floors and almost no furniture. What they do have are three of the latest computers. They are cautious when it comes to naming the Web sites they have hacked.

But eventually Xiao Chen claims two of his colleagues — not the ones with him in the room — have hacked into the Pentagon and downloaded information, although he wouldn’t specify what was gleaned. CNN has no way to confirm if his claim is true.

“They would not publicize this,” he says of someone who hacks the U.S. Defense Department. “It is very sensitive.”

This week, the Pentagon said computer networks in the United States, Germany, Britain and France were hit last year by what they call “multiple intrusions,” many of them originating from China.

……

Beijing hit back at that, denying such an allegation and calling on the United States to provide proof. “If they have any evidence, I hope they would provide it. Then, we can cooperate on this issue,” Qin Gang, a spokesman for the Chinese Foreign Ministry, said during a regular press briefing this week.

But Xiao Chen says after the alleged Pentagon attack, his colleagues were paid by the Chinese government. Again, CNN has no way to independently confirm if that is true.

His allegations brought strenuous denials from Beijing. “I am telling you honestly, the Chinese government does not do such a thing,” Qin said.

But if Xiao Chen is telling the truth, it appears his colleagues launched a freelance attack — not initiated by Beijing, but paid for after the fact. “These hacker groups in my opinion are not agents of the Chinese state,” says James Mulvenon from the Center for Intelligence Research and Analysis, which works with the U.S. intelligence community.

“They are sort of useful idiots for the Beijing regime.”

He adds, “These young hackers are tolerated by the regime provided that they do not conduct attacks inside of China.”

Full story.


The FISA Betrayal: Tiny Piece of a Much Larger Problem

The Fourth Amendment:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

It’s been a week since the Senate voted 68-29 to push forward a revised FISA bill that would retroactively immunize telecommunication companies and Internet service providers from prosecution for illegal wiretapping. A number of close friends and associates engaged in voicing their shock and dismay at this blatant disregard for law. While I appreciate, in a sense, this general form of upset with the rising surveillance state, I find it equally dismaying that people have chosen to lock on to this one issue, “telecom immunity,” as somehow being the defining struggle. It’s a tiny, tiny component of a much larger problem. A problem that threatens democracy and individual autonomy.

In January, Privacy International released its second annual international privacy index, the result of a survey of 47 countries. Not only was the U.S. among four new countries to join the UK, Russia, Malaysia and China as endemic surveillance societies, but U.S. privacy protections are actually ranked below China in statutory privacy protection and “surveillance of medical financial, and movement.” Last week, the Washington Post reported that customs agents at U.S. borders reserve the right to temporarily sequester laptops, cell phones and other electronic devices and download data stored on those devices, and engage in this practice with some regularity. Now Amtrak has announced that travelers on its trains nationwide will be subject to random searches of their carry-on bags.

According to the courts, Americans do not have a reasonable expectation of privacy for most of the web sites they visit on the web. More specifically, any specific website visited that has its own top level domain name and its own unique IP address is registered with your service provider and may be accessed by the government without a court order (see US v Forrester, 2007).

Virtually all the personally identifiable information (PII) produced in cyberspace can easily be transmogrified into ‘evidence’ even if it was gathered illegally (see US v Jarrett, 2003, p. 7). One’s Facebook profile can be used as evidence in both civil and criminal charges.

The Privacy Act of 1974, which was intended to strictly limit the sharing of data between federal data bases, has all but been abandoned. Vast federal “systems of records” (National Directory of New Hires, National Center for Education Statistics, mtDNA Population Database, National Crime Information Center) are increasingly interconnected with state and private data sources in massive clearing houses such as the Investigative Data Warehouse (IDW) and OneDOJ. This practice of information sharing is being institutionalized within new “fusion centers” popping up all over the country. This dismantling of the Privacy Act is officially denied using the following rationale: data sharing across departments in the government is now a matter of “routine use” during the War On Terror.

According to Donald Kerr, the principal deputy director of U.S. national intelligence, no American should expect to speak or act today without casting a data shadow that is visible to the federal government.

Barring some radical reinterpretations of online space and boundaries, the Fourth Amendment seems doomed to irrelevancy. “Reasonable expectation” of privacy is always relative and will easily accommodate the surveillance “function creep” without limit. The only hope for resistance is a public with a reinvigorated sense of privacy and its connection to true individual autonomy.

As we watch what happens in the House, we must keep in mind that the battle against excessive state surveillance will not be won or lost with this bill. Most importantly, people whose interest in privacy values has been rekindled with this recent Senate betrayal should not feel victorious if this latest attempt at immunity is somehow scuttled. While the public sphere has been focused on the importance of wiretapping, it appears to have neglected the rapid emergence of a dossier society, highly reminiscent of Kafka’s The Trial.

The whole dossier continues to circulate, as the regular official routine demands, passing on to the highest Courts, being referred to the lower ones again, and then swinging backwards and forwards with greater or smaller oscillations, longer or shorter delays….No document is ever lost, the Court never forgets anything. One day – quite unexpectedly – some judge will take up the documents and look at them attentively….And the case begins all over again?” asked K. almost incredulously. “Certainly” said the painter. (Kafka, The Trial, 1925, cited in Solove, 2004, pp. 36-37)

While we fight what appears to be a losing battle over real-time wiretapping we have lost control over our papers and effects, and thus the construction of our own identity. It’s time to look beyond FISA.
