transcript: Reining in the Surveillance State (an ACLU Town Hall event)

Delayed publishing of a transcript I made from the March 11 ACLU event at the Seattle Town Hall. This is all from my own notes at the time so is probably missing pieces and adding inaccuracies – there is a video of the event available to check, but I haven’t done so myself. Putting it up anyway because transcripts are way more usable than videos.

Activist technology researchers = hackers

Phones are designed from the ground up to be logged to the government.

FBI tried to control encryption tech, eventually they allowed PGP encryption to be exported. Twenty years later nobody uses it because it is unusable. FBI predicts that unbreakable encryption will lead to invulnerable criminals.

Apple says there is no way for them to ever decrypt an iMessage you send, and turns this encryption on by default. WhatsApp also uses great encryption, says nobody can eavesdrop on it. And people use this all the time even without looking for encryption. (Chris recommends an app called Signal – free and encrypted. But requires you to get your friends on it.)

And Microsoft? Cooperated with PRISM for Skype, Outlook.com, says they were required to comply. Says that their tools offer the same level of security as a regular call aka not much.

How will the government respond to people using these encrypted tools?

Chris knew that other governments were buying hacking tools. He looked up whether the FBI was doing it and confirmed in 2012 that they were. He found they could hack into your computer, use webcams without turning on that light, etc. The first court order allowing it was made in 2002 and this court order was released to the public in 2012.

Besides the FBI, local police now have DHS grants to afford this stuff. Drones, stingray, etc – all DHS funds. Suppliers like Raytheon etc built them for the military but that’s a finite market, so expand into the domestic police market. He says I think reasonable people can debate on whether these tools are appropriate for use in Afghanistan etc, but that we can agree that tools developed for a hostile warzone are not appropriate in a domestic environment (paraphrase not quote). And because the money is federal, they don’t have to go to the city council or local authorities and debate the value of it and ask for money. The argument the police use is that if they debated it publicly then it would tip off the bad guys. And that’s the conflict in the area of surveillance. And besides no debate that means no oversight, even the courts granting warrants to use this don’t know what they’re going to do.

Re: Tacoma police using stingray saying they always get court orders, but the judges say they have never heard of this. The judges were mad and have made the police be more specific – after some front-page stories. And similar around the country, but only so far around cell phone tracking, not computer hacking. And we won’t get that until someone proves it is happening.

Question time:

Q: Come to our march on April 14 to protest police violence which is genocide against black and poor people

A: Really damn good redirect by Chris back to surveillance disproportionately affecting the poor – WhatsApp, encrypted messaging, available by default on expensive iPhones but not at all on cheap Walmart phones.

Q: So you’ve told us that this is bad, but is using WhatsApp actually reining it in? And how is it so much more important today than 100 years ago than when telephone operators had party lines? Is it because people buy in to the line that it is for our own safety that there’s no uproar?

A: is about economics. If the government really cares about you they will line your house with cameras. But probably nobody in this room is worth $1million in surveillance tools to anyone. So what we are doing by using Signal is raising the cost of surveillance. And about uproar it is probably because it is abstract to people, until you have red light cameras and webcams enabled on children’s school iPads.

Q: big data is not a government thing but it finds stuff.

A: effectively they have had all our secrets for decades, but now they can find it and connect it. With facial recognition for instance you can suddenly connect so much more connection between all our personalities. Chris is much more worried about facial recognition tech than big data per se.

Q: what do you expect from social media companies regarding surveillance?

A: it’s really difficult to get companies to do something against their interest. Getting them to retain less data is against their business model and I haven’t been very successful there. And realistically I don’t expect them to change that until they find another way to make money. Google is trying desperately to find another way to make money but until they are out of advertising they will need your data.

Q: who do we make FOIA requests to to find out who is giving our police money?

A: DHS (within which most of the grants are handed out by FEMA) and the Department of Defense. Expect them to take a long long time, so also file the requests against your local agency receiving the money. And in Washington our state public records act is much stronger than FOIA.

Q: New research at UW shows that watching power consumption at a house can tell the difference between two different TVs of the same model being turned on, and Chris thinks that power data is underprotected. What is the ACLU doing about this?

A: This is a state level fight, the ACLU has so far done best in California in concert with the EFF – results there include power companies releasing reports on police requests, which shows us that the most requests are made in San Diego.

Q: metadata is not protected by encryption, what to do there?

A: we don’t have great tools for that yet except e.g. Tor, or tunneling, but those are kind of slow and not good enough for say video chat, and also none of them can protect you from the cell tower knowing who you connected to.

Q: ?? Missed it

A: so phones have encryption keys that are supposed to protect your communication with the cell tower. Recently GCHQ hacked these from Gemalto which provides SIM cards to AT&T and RFID passport chips. So we can’t trust the phone network for privacy even if they kind of wanted to provide it. And remember that this eavesdropping ability of having the keys will eventually be available to your local police.

Q: the EU is way ahead of us, can we get data protection like them?

A: haha realistically lol not from Congress (note: not an exact quote). Technology has the ability to protect us where the laws never will. But we rely on these mega corporations to provide it and so we have to get them to play along. And if you get a law passed for a specific state or industry then often those protections will be built in for everyone because it’s easier for the company to do that.

Q: There is a bill proposed by a guy in Congress, not passed (yet..)? (Russ Feingold?)

A: there are a number of bills about this. They are hard to get passed. The NSA stuff is outside Congress anyway, is ruled by executive order. I think we need a massive overhaul of that system and my job of lobbying companies is way easier.

Q cont: I think people don’t understand that we have laws today since 2012 that allow indefinite detention of Americans and the ACLU isn’t doing enough.

Q: back to the smart meters, Seattle City Light is planning to put them in place over the next couple years, and we have privacy concerns and also safety concerns with fires and with frequencies and we have fliers outside.

Q: what about Amazon and their contracts with the CIA? Maybe people should be protesting them? And can you address the argument the FBI used that they use this against bad guys?

A: I regularly communicate with lawyers at all tech companies but it is very difficult with Amazon. Other companies like Apple are now publishing transparency reports but nothing from them. We should maybe be focusing on them more, especially as they provide a storage and copying back end now.

For the second, I think it’s important to distinguish between domestic and foreign use. For domestic, like stingray, you can’t target that to an individual and it’s unacceptable. Internationally, is very hard because the government says there are terrorists. But we know since Snowden that they use it not on terrorists but on interesting people, like a phone company in Belgium. And I think that spying on engineers everywhere shouldn’t be an acceptable tactic.

Q: something about Linux? (missed it)

A: I use Linux and I have less and less trust in closed source software and people are working on reproducible builds where you can verify that the code you are downloading came from the source code published online.