Data and Goliath (11 page)

Technology has greatly enhanced the FBI’s ability to conduct surveillance without
a warrant. For example, the FBI (and also local police) uses a tool called an IMSI-catcher,
which is basically a fake cell phone tower. If you’ve heard about it, you’ve heard
the code name StingRay, which is actually a particular type of IMSI-catcher sold by
Harris Corporation. By putting up the tower, it tricks nearby cell phones into connecting
to it. Once that happens, IMSI-catchers can collect identification and location information
of the phones and, in some cases, eavesdrop on phone conversations, text messages,
and web browsing. The FBI is so scared of explaining this capability in public that
the agency makes local police sign nondisclosure agreements before using the technique,
and instructs them to lie about their use of it in court. When it seemed possible
that local police in Sarasota, Florida, might release documents about StingRay cell
phone interception equipment to plaintiffs in civil rights litigation against them,
federal marshals seized the documents.

It’s hard to keep track of all the US government organizations involved with surveillance.
The National Counterterrorism Center keeps track of the Terrorism Identities Datamart
Environment, the US government’s central repository of international terrorist suspects.
The institution maintains a huge database of US citizens, keeping tabs on 700,000
identifiers (sort of like people, but not really) in 2007, and is where the various
watch lists come from. The procedures for getting on these lists seem very arbitrary,
and of course there’s no recourse once someone gets on one. Boston Marathon bomber
Tamerlan Tsarnaev was on this list.

There are also Organized Crime Drug Enforcement Task Forces for drug-related investigations,
and a Comprehensive National Cybersecurity Initiative for computer threats. The Bureau
of Alcohol, Tobacco, and Firearms is building a massive database to track people and
their friends. Even the Pentagon has spied on Americans, through a little-known agency
called the Counterintelligence Field Activity, closed in 2008. In 2010, the Naval
Criminal Investigative Service monitored every computer in the state of Washington
running a particular file-sharing program, whether associated with the military or
not—a clear violation of the law.

Outside of the federal government, a lot more surveillance and analysis of surveillance
data is going on. Since 9/11, the US has set up “fusion centers” around the country.
These institutions are generally run by state and local law enforcement, and are meant
to serve as an information bridge between those groups and national agencies like
the FBI and DHS. They give local police access to previously unavailable surveillance
capabilities and data. They were initially supposed to focus on terrorism, but increasingly
they’re used in broader law enforcement. And because they’re run locally, different
fusion centers have different rules—and different levels of adherence to those rules.
There’s minimal oversight, probably illegal military involvement, and excessive secrecy.
For example, fusion centers are known to have spied on political protesters.

Joint Terrorism Task Forces are also locally run, nebulously defined, and shrouded
in extreme secrecy. They’ve been caught investigating political activists, spreading
anti-Islamic propaganda, and harassing innocent civilians.

Taken as a whole, there’s a great deal of overenthusiastic, ideologically driven surveillance
going on in the US.

Across the Atlantic, the NSA’s UK equivalent is GCHQ. It conducts extensive spying
on its own citizens and worldwide, both from its own country and from remote listening
posts in Oman, Cyprus, and elsewhere. It has a very close partnership with the NSA,
and is increasingly conducting mass surveillance inside its own borders. Other countries
listening in on their own citizens and the citizens of other countries include Germany,
France, Denmark, Australia, New Zealand, Israel, Canada . . . and probably every other
country with enough money to have an intelligence budget. The government of Australia
has claimed that its surveillance of Indonesia helped thwart several terrorist threats
in that country.

We know much less about government surveillance in other countries; but don’t assume
that they aren’t doing these same things just because whistleblowers there haven’t
brought those stories to light. Other governments are doing much the same thing to
as much of the Internet as they can get their hands on, often with fewer legal restrictions
on their activities.

Russia collects, stores, and analyzes data from phone calls, e-mail, Internet use,
social networking, credit card transactions, and more. Russia’s System for Operative
Investigative Measures, or SORM, is built right into its Internet. We saw a glimpse
of how extensive this system is during the 2014 Sochi Olympics, where the Russian
authorities monitored pretty much everything that happened online. Crime and terrorism
provide justifications for surveillance, but this data is also used against Russian
journalists, human rights activists, and political opponents.

China, too, attempts to monitor everything its citizens do on—and, increasingly, off—the
Internet. China also uses location information from mobile phones to track people
en masse. It turns mobile phones on remotely to eavesdrop on people, and it monitors
physical spaces with its 20 to 30 million surveillance cameras. As in Russia, crime
is the ostensible excuse for all this snooping, but dissent is a major reason as well.
TOM-Skype is a Chinese video and texting service, a joint venture between Microsoft
and the Chinese company TOM Online. Messages containing words like “Tiananmen,” “Amnesty
International,” and “Human Rights Watch,” as well as references to drugs and pornography,
are copied and saved. More than 30,000 Internet police conduct the monitoring.

We got additional glimpses of global Internet monitoring a few years ago, when India,
Russia, Saudi Arabia, the UAE, and Indonesia all threatened to ban BlackBerry if the
company didn’t allow them access to user communications. BlackBerry data is generally
encrypted, which prevents eavesdropping. BlackBerry cut a deal with India whereby
corporate users were allowed to keep their data secure, but the government would be
able to track individual users’ e-mails, chats, and website visits. We don’t know
about
the deals it may have struck with the other countries, but we can assume that they’re
similar.

Smaller countries often turn to larger ones to help them with their surveillance infrastructure.
China helped Iran build surveillance into its own Internet infrastructure. I’ll say
more in Chapter 6 about Western companies helping repressive governments build surveillance
systems.

The actions of these and other countries—I could fill a whole book with examples—are
often far more oppressive and totalitarian than anything the US or any of its allies
do. And the US has far more legal controls and restrictions on government collection
than any other country on the planet, including European countries. In countries like
Thailand, India, and Malaysia, arresting people on the basis of their Internet conversations
and activities is the norm. I’ll talk about risks and harms in Chapter 7; right now,
I want to stick to capabilities.

GOVERNMENT HACKS

Electronic espionage is different today from what it was in the pre-Internet days
of the Cold War. Before the Internet, when surveillance consisted largely of government-on-government
espionage, agencies like the NSA would target specific communications circuits: that
Soviet undersea cable between Petropavlovsk and Vladivostok, a military communications
satellite, a microwave network. This was for the most part passive, requiring large
antenna farms in nearby countries.

Modern targeted surveillance is likely to involve actively breaking into an adversary’s
computer network and installing malicious software designed to take over that network
and “exfiltrate” data—that’s NSA talk for stealing it. To put it more plainly, the
easiest way for someone to eavesdrop on your communications isn’t to intercept them
in transit anymore; it’s to hack your computer.

And there’s a lot of government hacking going on.

In 2011, an Iranian hacker broke into the Dutch certificate authority DigiNotar. This
enabled him to impersonate organizations like Google, CIA, MI6, Mossad, Microsoft,
Yahoo, Skype, Facebook, Twitter, and Microsoft’s Windows Update service. That, in
turn, allowed him to spy on users of these services. He passed this ability on to
others—almost certainly in the
Iranian government—who in turn used it for mass surveillance on Iranians and probably
foreigners as well. Fox-IT estimated that 300,000 Iranian Gmail accounts were accessed.

In 2009, Canadian security researchers discovered a piece of malware called GhostNet
on the Dalai Lama’s computers. It was a sophisticated surveillance network, controlled
by a computer in China. Further research found it installed on computers of political,
economic, and media organizations in 103 countries: basically a Who’s Who of Chinese
espionage targets. Flame is a surveillance tool that researchers detected on Iranian
networks in 2012; we believe the US and Israel put it there and elsewhere. Red October,
which hacked and spied on computers worldwide for five years before it was discovered
in 2013, is believed to be a Russian surveillance system. So is Turla, which targeted
Western government computers and was ferreted out in 2014. The Mask, also discovered
in 2014, is believed to be Spanish. Iranian hackers have specifically targeted US
officials. There are many more known surveillance tools like these, and presumably
others still undiscovered.

To be fair, we don’t have proof that these countries were behind these surveillance
networks, nor that they were government sponsored. Governments almost never admit
to hacking each other’s computers. Researchers generally infer the country of origin
from the target list. For example, The Mask target list included almost all the Spanish-speaking
countries, and a bunch of computers in Morocco and Gibraltar. That sounds like Spain.

In the US, the group charged with hacking computers is the Tailored Access Operations
group (TAO) inside the NSA. We know that TAO infiltrates computers remotely, using
programs with cool code names like QUANTUMINSERT and FOXACID. We know that TAO has
developed specialized software to hack into everything from computers to routers to
smartphones, and that its staff installs hardware “implants” into computer and networking
equipment by intercepting and infecting it in transit. One estimate is that the group
has successfully hacked into, and is exfiltrating information from, 80,000 computers
worldwide.

Of course, most of what we know about TAO and the US’s hacking efforts comes from
top-secret NSA documents provided by Snowden. There haven’t been similar leaks from
other countries, so we know much less about their capabilities.

We do know a lot about China. China has been reliably identified as the origin of
many high-profile attacks: against Google, against the Canadian government, against
the
New York Times
, against the security company RSA and other US corporations, and against the US military
and its contractors. In 2013, researchers found presumed–Chinese government malware
targeting Tibetan activists’ Android phones. In 2014, Chinese hackers breached a database
of the US Office of Personnel Management that stored detailed data on up to 5 million
US government employees and contractors with security clearances.

Why? A lot of this is political and military espionage, but some of it is commercial
espionage. Many countries have a long history of spying on foreign corporations for
their own military and commercial advantage. The US claims that it does not engage
in commercial espionage, meaning that it does not hack foreign corporate networks
and pass that information on to US competitors for commercial advantage. But it does
engage in economic espionage, by hacking into foreign corporate networks and using
that information in government trade negotiations that directly benefit US corporate
interests. Recent examples are the Brazilian oil company Petrobras and the European
SWIFT international bank payment system. In fact, a 1996 government report boasted
that the NSA claimed that the economic benefits of one of its programs to US industry
“totaled tens of billions of dollars over the last several years.” You may or may
not see a substantive difference between the two types of espionage. China, without
so clean a separation between its government and its industries, does not.

Many countries buy software from private companies to facilitate their hacking. I’ll
talk more about this kind of business relationship in Chapter 6. For now, consider
an Italian cyberweapons manufacturer called Hacking Team that sells hacking systems
to governments worldwide for use against computer and smartphone operating systems.
The mobile malware installs itself remotely and collects e-mails, text messages, call
history, address books, search history data, and keystrokes. It can take screenshots,
record audio to monitor either calls or ambient noise, snap photos, and monitor the
phone’s GPS coordinates. It then surreptitiously sends all of that back to its handlers.
Ethiopia used this software to sneak onto the computers of European and American journalists.

It’s a reasonable assumption that most countries have these hacking capabilities.
Who they use them against, and what legal rules control that use, depends on the country.

GOVERNMENT ATTACKS

When we first started getting reports of the Chinese breaking into US computer networks
for espionage purposes, we described it in very strong language. We labeled the Chinese
actions “cyberattacks,” sometimes invoking the word “cyberwar.” After Snowden revealed
that the NSA had been doing exactly the same thing as the Chinese to computer networks
around the world, the US used much more moderate language to describe its own actions—terms
like “espionage,” or “intelligence gathering,” or “spying”—and stressed that it is
a peacetime activity.