Tag Archives: metadata

Vuvuzela Messaging System Hides Metadata With Spam

Posted on by Alexander Neil
Reply

There are lots of ways people try to protect their privacy in the modern world, where techniques like encryption are under fire. While hiding message content can be effective, the ability to collect a mass of metadata can be just as invasive to your privacy if a company, government body or nefarious element were able to gain access to when, where and to whom you communicated with. A team of researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) have come up with a system named “Vuvuzela”, after the popular (and annoying) plastic horn, that adds noise to any messages sent, rendering them untraceable.

Vuvuzela relies on a number of nodes to function, similar to Tor router for internet traffic, it relies on fewer nodes and more traffic. A sender deposits an encrypted message in a secure “dead drop” server, which can then be retrieved by its receiver. On top of that, traffic is not controlled by the user sending a message, instead message circulation takes place over 10-20 seconds, so as not to allow attackers to detect and track messages being sent. A user stopping sending or joining a chat may also cause hackers to be able to trace activity based on the number of messages sent. This is where the spam comes into effect. All of the server nodes that are part of Vuvuzela send junk messages to random inboxes at the same time that messages are propagated normally, hiding the activity of normal users. It is even resilient against a server being compromised or knocked offline, as the noise can be enough to obfuscate messages even with only a few nodes remaining. As a result, the only data that Vuvuzela exposes is the amount of nodes engaged in a chat.

It may seem like the holy grail of privacy at this point, but the assurance of data being hidden comes at a price, namely speed. Vuvuzela, while still in early development, is incredibly slow due to the timed sending of messages. In a test run by the researchers at MIT, they simulated 1 million users generating 15,000 messages per second. With this volume of data, the average time for a message to be delivered was 44 seconds, a time that many would consider unacceptable for every day or commercial use. For those in high-risk situations where their communication privacy is paramount, a small delay is not a massive trade-off.

NSA to End Blanket Mobile Surveillance by Deadline

Posted on by Gareth Andrews
Reply

In recent years, we have had several revelations in regards to how and what our governments and our agencies do in order to “protect us”, this has at times included activities which go against the very laws and principles that the countries they swore to protect were founded on. One such group was the NSA, who as revealed by Edward Snowden, were mass recording and tracking their own citizens phones and emails, all without government or legal process followed; this is set to change.

As of 0459 GMT November 29th 2015, the NSA will be required to request records from telephone companies, rather than being able to directly record or access them via wire or in the middle. The records they can request will only contain who called who and when, they will not include recordings of the calls contents.

This change is a result of the USA Freedom Act that will allow the NSA to continue using Americans phone calls, but with limitations. Court orders must be gathered before accessing the metadata (the information about the calls) and must be related to a specific case, unlike before where the NSA was gathering every piece of information regarding your phone activity (and others) just “in case”.

With changes like this, the rights to privacy and security against misuse of the system are being built up more and more as we live in a world where no data is safe, be it held by a company or a government.

NSA Kept E-Mail Metadata Program After Claiming it Ended in 2011

Posted on by Ashley Allen
Reply

Following the massive leak of surveillance data by whistleblower Edward Snowden in 2013, it was revealed that the US National Security Agency (NSA – its headquarters pictured above) had been collecting e-mail metadata as part of a program it claimed ended in 2011. However, a lawsuit filed by the New York Times has revealed that the NSA effectively continued the program from 2011 onwards, just under a different rules, and under less scrutiny from the Foreign Intelligence Surveillance Court (FISC) than the previous iteration.

The New York Times filed a Freedom of Information Act lawsuit against the NSA – the newspaper is one of the greatest proponents of the FOIA, and has used it to investigate the treatment of Guantanamo Bay detainees and the secret interpretation of the Patriot Act – through which it obtained records that the NSA ended its e-mail records program, which was authorised under the Pen Register and Trap and Trace (PRTT) provision, as “other authorities can satisfy certain foreign intelligence requirements” that its own system “had been designed to meet.”

The new method allowed the NSA to bypass much of the oversight it was under by FISC, which included the following rules:

“The databases could be queried using an identifier such as an email address only when an analyst had a reasonable and articulable suspicion that the email address was associated with certain specified foreign terrorist organizations that were the subject of FBI counterterrorism investigations. The basis for that suspicion had to be documented in writing and approved by a limited number of designated approving officials identified in the Court’s Order. Moreover, if an identifier was reasonably believed to be used by a United States person, NSA’s Office of General Counsel would also review the determination to ensure that the suspected association was not based solely on First Amendment-protected activities.”

The two new methods that the NSA exploited to continue collecting e-mail metadata without the above oversight were:

  • Obtaining data collected by foreign intelligence agencies, such as the UK’s GCHQ, and;
  • Using the Foreign Intelligence Surveillance Act Amendments of 2008 to collect the metadata of non-citizens of home soil without a warrant, which included e-mails sent to and from US citizens.

The NSA and Office of the Director of National Intelligence did not respond to the New York Times’ request for comment on these revelations.

Online Digital JPEG images May Soon Be Subject To DRM

Posted on by Christopher Files
Reply

Oh what fresh hell is this? If you thought the pitfalls of DRM (Digital Rights Management) had finally dawned on the tech industry, then well no, no it has not. Considering an initiative which has been launched by the Joint Photographic Experts Group with the aim of attempting to persuade people of the benefits of shoe-horning DRM into regular images which are found on the Internet is in fact a good idea; Hint, no it’s not.

The concept of metaphorically locking down images is technically not new when you consider the “professional version of the JPEG format which is JPEG 2000 already has a DRM extension called JPEC”. But usage of JPEG 2000 is targeted towards highly specialized applications that include medical imaging and cinema image workflows. The fore mentioned photographic experts group quite likes the idea of essentially implementing this idea and therefore “backporting DRM to legacy JPEG images.”

If someone somewhere incorporated DRM into a particular image, said digital photo could not be copied for say illustrative purposes, If that happens then the term “Fair Use” for consumers would need to be quickly redefined. An interesting fact which has been examined concerns the possible benefits of cryptography within JPEG images, this includes the possibility of “allowing the optional signing and encryption of JPEG metadata”. By doing this, it offers a potential safeguard to consumers who would have the option to “digitally sign identifying personal metadata with the aim of encrypting it against access by unauthorized users.”

From my perspective it seems rather pointless to lock down images in this way, consumers have a right to share, post and access images (legal ones) without the fear of restrictions. A perfect example of this is by the Electronic Frontier Foundation, who pointed out that this could, in theory, mean consumers could be stopped from “reposting photos from an online catalogue to a Pinterest account.” What would be the point of stopping consumers from essentially offering a company free advertising by conveying their products to friends and followers.

It looks as if this notion is not up for immediate consideration, but it’s still worth keeping an eye on, you never know what could be taken seriously; just look at TPP.

Thank you eff for providing us with this information.

Image courtesy of destructoid

GCHQ’s Karma Police Has Been Watching Everyone Online

Posted on by Ashley Allen
Reply

The British intelligence services have been engaging in a mass surveillance program, the likes of which have never before been known, which has been recording the online browsing habits of “every visible user on the internet”. Through its program, dubbed Karma Police, the UK government’s intelligence and security organisation GCHQ has been collecting metadata on every person with an online footprint since 2009, documents obtained by The Intercept have revealed.

Karma Police, which was operating independent of any judicial oversight, collated the websites visited, usernames, and passwords, amongst other information, like instant messaging conversations, e-mails, mobile phone communications, and social media behaviour in what it calls “pattern of life”, on whoever it pleased in one of its data centres in Cornwall.

One report reveals how GCHQ, concerned about a pirate radio station broadcasting passages from the Quran, used Karma Police sub-program Blazing Saddles to identify and track its listeners by tracking them through Yahoo, Skype, and Facebook. One particular Egyptian listener attracted GCHQ’s attention, with surveillance records on the man showing that his internet activity included “Redtube, as well as Facebook, Yahoo, YouTube, Google’s blogging platform Blogspot, the photo-sharing site Flickr, a website about Islam, and an Arab advertising site.” Actions undertaken without warrants, without oversight, and without our knowledge.

‘This is what you get when you mess with us,’ indeed.

Thank you The Intercept for providing us with this information.

Image courtesy of Privacy International.

US Senate Rejects Metadata Surveillance Review Legislation

Posted on by Gareth Andrews
Reply

Edward Snowden revealed that the US intelligence agencies was monitoring and collecting information outside of their jurisdiction, collecting data in what has been judged as an illegal action. With the actions previously claimed to be covered under section 215 of the Patriot Act, the legislation is largely in debate given that it expires at midnight on the 1st June 2015.

The USA Freedom Act is designed to renew parts of section 215 while also taking into consideration some objections regarding the mass collection of information. The new act ends the mass collection of phone data (such as the length of calls, who the calls are between and the duration of the call), but does not provide some of the reform which have been asked for. Some of the actions have been left out of the USA Freedom act are the deletion of information not related to cases, such as those found innocent of crimes, or the placement of a privacy advocate at the Foreign Intelligence Surveillance Court.

The Senate rejected the measure (57-42 votes) and also rejected a 60-day extension to the current patriot act with 54-45 votes. With the senate in recess for the duration of Memorial Day, the senate will reconvene for a session on May 31st, just hours before the debated legislation expires.

Groups like the Electronic Frontier Foundation, who are active speakers about digital privacy, have spoken out about their opinions, stating that they believe the USA Freedom Act does not do enough to reform the surveillance programs to something legal and meaningful to the public.

Senator Ron Wyden issued a statement shortly after the vote saying

“A decade after intelligence leaders secretly created a program to violate the privacy of millions of law-abiding Americans, we are on the verge of finally shutting it down. I’m confident that when Americans and the US Congress debate mass surveillance in the light of day we will finally close the door on the worst violations of Americans’ privacy”

With people speaking out so actively about the topic, and feeling so passionately about it, the topic is sure to be one for debate and discussion not just among politicians but citizens as well. With government making changes to current legislation to avoid legal action and to continue what have been deemed as illegal surveillance programs, America is not the only government in the world discussing mass surveillance, and I am sure it will not be the last.

Thank you Ars Technica for the information.

Image courtesy of Wikipedia.

Australian Police Commissioner Thinks Metadata Should Be Used to Prosecute Pirates

Posted on by Jeremy Tate
Reply

Australian’s, are you a little bit afraid that your metadata details could be used to prosecute you in a court of law? Well, a new and in-depth interview with the Australian Federal Police Commissioner has revealed that you should be. Australia’s Federal Police Commissioner Andrew Colvin let loose in an interview with ABC Radio Melbourne that metadata should be used to prosecute pirates. Mr Colvin responded to journalists with “Absolutely. Any interface or connection someone has over the internet, we need to be able to identify the parties to that collection. Illegal downloads, piracy, cyber crimes, cyber security. Our ability to investigate them is pinned to the ability to retrieve metadata,” said the Police Commissioner.

After the comment was made, it was obvious that the cat was out of the bag. Australia’s Minister for Communications Malcom Turnbull tried to pick up the pieces, stating “A lot of internet piracy, downloading and sharing material is done by way of file-sharing, but the way that works is a torrent stream is created in which there are a whole number of computers with their own IPs that are sharing this pirated content. What the rights owners do is they use different programs to participate in the swarm and identify the IP addresses of the computers infringing copyright, and then they seek from the ISPs via subpoena the account details of the holder. They do this pretty much in real-time so the two year holding of data doesn’t make a big difference in terms of copyright infringement, they’re dealing with the here and now. The police commissioners interests tend to be much longer. It is relevant and it happens all the time.”

It’s a fairly big slip up by the Australian Government for not only fiercely relying the already hotly debated topic of metadata collection, but also for its projected transcended use against online users and citizens.

Thanks to Gizmodo for providing us with this information.

Image courtesy of TechAres.

BitTorrent releases Decentralised Voice and Text App “Bleep”

Posted on by Jeremy Tate
Reply

Data mining and user security is as important as ever, with the vast array of documentation leaks over the last 24 months leaving many bewildered by the intense surveillance of their private online data. BitTorrent has taken the golden opportunity to release its decentralised communication platform titled “Bleep”. The application aims to protect anonymity and metadata of the user from prying eyes, and has been in invite-only beta testing stages for a couple of months now. From today onwards, you’ll be able to download and use it to your heart’s content – with the app becoming available for Windows, Mac and Android platforms.

Bleep is fairly simple to setup and get using; allowing users to import their Google address book or email and SMS contacts through to the client. If you have an account already setup – you can now also move it through to your Android device and instantly receive any messages across all platforms with it. With that said, the app is still in an Alpha stage – and as such, a few bugs and niggles exist throughout the experience. Sending photos in offline mode isn’t possible without setting the app to work in a “Wi-Fi Only” mode – you also cannot swap to an existing account from Android through to the desktop, and even though you can receive messages on multiple devices – they won’t all be seen across all devices yet.

To get started, all you need to do is signup to create a new Bleep account – or you can use your existing email or mobile number. In staying with the theme, signups for the service can be completely anonymous – void of any personal details or information.

Bleep is available to download here.

Thanks to Bleep for providing us with this information.

 

Canadian CSEC Not Too Different From NSA-like Actions, Says Leaked Snowden Report

Posted on by Gabriel Roşu
Reply

Recent Snowden leaks reveal that Canada is as good at spying as any other agency there is (yes NSA, you are not the biggest and the baddest). It appears that the documents reveal spying operations and bulk data collection, as well as user tracking in an airport.

The Communications Security Establishment Canada (CSEC) has used a Wi-Fi system over a period of two weeks back in May 2012 to monitor and collect all phones and laptop connected to the wireless hotspot. And the news confirms that Canadians were not spared as well. They then used the data to further track the same users at other airports in the country and even at U.S. airports for more than a week, as their devices appeared on other Wi-Fi networks.

“The document shows CSEC had so much data it could even track the travellers back in time through the days leading up to their arrival at the airport, these experts say,” CBC News writes.

Of course, neither the CSEC nor Boingo, the company who offers the Wi-Fi services in some Canadian airports denied collaborating or allowing such actions to take place. According to the presentation, this was a trial run for CSEC, which was developing a new surveillance program together with the NSA. In a different pilot project, the CSEC said in the presentation that it obtained access to two communications systems with more than 300,000 users and that it would have been able to “’sweep’ an entire mid-sized Canadian city to pinpoint a specific imaginary target in a fictional kidnaping.”

The agency said that the technologies used were “game-changing,” and that the system could be employed to monitor “any target that makes occasional forays into other cities/regions.” According to sources that talked to CBC News, “the technologies tested on Canadians in 2012 have since become fully operational.” The document also reveals that CSEC intended to share its advancements with spy agencies from the U.S., U.K., New Zealand and Australia.

Still, security experts say that the data collection trial has been illegal. However, CSEC states that they have not spied on Canadians and that the collected metadata during the operation (not what was stated in the leaked documents) has been done through legal authorization.

Thank you BGR for providing us with this information

What Happens When The Government Wants To Monitor Via ISP

Posted on by Shane Blume
Reply

What happens when internet service providers (ISP) work with the Government? All of your incoming and outgoing traffic is monitored, and snatched up, that is what happens. Who really knows what criteria needs to be met for the Government to take an interest in one person. I am sure that ISP don’t make it a habit to bring individuals to the attention of the Government, it’s bad for business.

When the Government wants to monitor someones internet traffic they must contact the ISP and serve them a warrant in order to legitimately be able to monitor anyone’s traffic. Once an ISP has received a warrant, it is their duty to provide the Government with what the warrant is demanding.

In one case Pete Ashdown, CEO of the Utah based ISP XMission, he then will check the warrant for a court signature, then he passes the warrant to his attorney in order to verify the validity of said warrant.

If a warrant is valid a government agency will install their little black box, essentially a server box, to someone that is unfamiliar with a server room, might not notice a difference. Employees who work in a server room will likely notice a difference right away.

What does the little black box do exactly? I am not entirely sure, and it seems like it just writes data to a drive in which the Government is able to access at a later date and analyze. It could essentially track each and every keystroke that goes out to the web, as well as every website accessed, times spent on the websites, possibly even monitor any and all text messages, email, VOIP calls, etc. Or it might just keep simple metadata, there is no real telling what kind of information they are gathering on individuals.

BuzzFeed reported on this very topic, giving us a little more information on how it all works.

Image from CamKnows