Navigating Risks to Digital Security
By Collin Anderson
Journalists, civil society and activists face a variety of security and privacy risks when communicating online, ranging from hacking by criminal organizations to information requests to companies by government officials. This diversity of threats is important not only to understanding the myriad of risks to digital communications but also to helping individuals and organizations to make sound decisions about the communication devices and tools they use.
There is a tendency to focus on one specific aspect of surveillance and censorship–for example, network spying–when in fact there are many methods that can be used to capture information about individuals. A journalist may maintain strong practices when communicating with sources over encrypted channels, such as Tor or TextSecure, yet these efforts are useless if their devices are compromised through malware.
There are ample parallels between basic forms of Internet surveillance and telephone eavesdropping. On the Internet, data flows over a telecommunications network that can therefore read the content of traffic. Hence in reality, the Internet falls very short of a “cloud.” Rather, the Internet is physically connected by a set of infrastructural projects that require significant capital investment and that are highly regulated by governments.
In 2011 when the Taliban sought to regulate mobile phone companies in Afghanistan, it began to destroy cellphone towers and threaten employees. After a few months, the companies began to comply with Taliban demands that the networks turn off their services at certain hours. However, physical threats and violence are unnecessary if authorities can simply deny companies access to wireless spectrum if they do not comply with the law, which inevitably includes provisions for so-called “lawful interception.”
Yet unlike telephone services, the Internet involves more third parties, often more legal jurisdictions, and more opportunities to spy on users by capturing access to devices or passwords. Third-party companies, like ISPs, retain significant information about the content of communications and personally-identifiable information, such as IP addresses, often because such information is either core to their commercial revenue model (advertising and data analytics) or because they are required by law to collect these data. These companies are susceptible to compliance requests from courts, prosecutors, intelligence agencies and other law-enforcement entities that mandate the disclosure of such information under threat of prison, fines or closure. As with telephone companies, there is a great deal of pressure among third-party operators to comply with such demands.
Moreover, one does not need to sit in the middle of the flow of Internet traffic to capture data and content if it is possible to install surveillance software (malware) on a target’s device or deceive them into providing their password through a fake login page (phishing).
A burgeoning market for surveillance as a turn-key service provides sophisticated infrastructures to governments a comparably marginal costs. Malware and phishing are used not only by intelligence agencies to track user communications but also for criminal purposes like financial fraud or stalking. For this reason, being aware and prepared is essential even if one does not feel that they might be targeted for their professional activities or activism.
Yet it is important to note that that are a number of companies which produce such technologies often with little consideration for their potential for abuse. Hacking Team and Gamma International, are two vendors of such products that have either directly or indirectly, been used in violation of human rights. For instance Gamma International markets FinSpy, a type of malware marketed to law enforcement agencies around the world, which enables users to spy on computer and mobile phone communications.
Gamma International’s FinSpy is used in authoritarian regimes and in democratic states alike, from Turkenistan to the United States. According to a 2013 report by by Citizen Lab, FinSpy is used in more than a dozen EU-member and candidate states: Austria, Bulgaria, Czech Republic, Estonia, Germany, Hungary, Latvia, Lithuania, Macedonia, Netherlands, Romania, Serbia, Turkey and the UK.
Security of Gmail and other Internet services
Questions regarding the safety of any particular service are largely determined by whether content sitting on external servers is held privately and transmitted securely. Yet given how much data is held by companies about who we are, who we talk to, what we talk about and where we are, there is a great deal of trust being placed in the hands of others—often without consideration for why we trust them at all. Even if one trusts Google completely, the content of these communications is often one password away.
The safety of Gmail is related to the strength and confidentiality of that password, and whatever steps a user takes beyond that. Google’s account services supports two-factor authentication, which makes logging in require access to a code that is received through SMS, phone, a smartphone application or a digital USB key. This means that an account cannot be accessed without a separate physical device, making phishing much more difficult.
The active engagements of Google’s security team and the wealth of security enhancements to Google services are heartening. These features provide sophisticated protection against hacking and phishing. Chrome ties into Gmail in a way that reinforces their use of web encryption by reducing the likelihood that forged credentials can be used be used to impersonate Google. This measure helped detect an unprecedented attack against Iranian users in August 2011 and end it more quickly that what might have otherwise occurred.
Yet Google is a large company with a strong commercial interest in maintaining a presence in as many markets as possible around the world. It therefore has to comply with the domestic laws in which it is allowed to operate. In 2010 and 2011, Google and Twitter reportedly received highly secretive National Security Letters targeting the communications and personal information of volunteers and supporters of the organization. Most users, in even sensitive situations, may not be at risk of running afoul of American national security agencies, however, these reports do not reveal details about the reasons for government requests or the targeted accounts. Countries enter into Mutual Legal Assistance Treaties (MLATs), agreements between governments that facilitate the exchange of information relevant to criminal investigations which can be used to solicit personal information from signatory countries.
Compliance with requests for data
A company’s compliance with government requests is not limited to countries in which that company has an office, or to countries that would be considered liberal democracies. The most infamous example of this principle is the case of Shi Tao, a Chinese journalist sentenced to prison in 2005 for releasing information on the Communist Party to a foreign website. While Shi had opened a pseudonymous account with Yahoo! in order to communicate with his contact, the email provider’s Chinese subsidiary had facilitated his arrest by providing information that revealed his identity to the government.
The impact of this event changed the way many American companies handled their Chinese operations, such as limiting the retention of personal information in the country and asserting more control over compliance process. However, the principle remains the same: companies that want to operate in markets are susceptible to demands by governments that have the power to block their company’s access. There is ample reason to remain concerned about disclosure and regulation of content by governments outside of the United States and Western Europe. Recent decisions by Twitter to restrict content on blasphemy, suicide, corruption and foreign affairs, content that would otherwise be legal in most Western countries, upon demand of the governments of Turkey, Russia and Pakistan reinforce this risk.
At the same time, legal compliance with government requests is an extremely opaque area. Civil society organizations have sought to increase accountability and to understand the nature of government information requests through promoting adoption of Transparency Reports. These are regular disclosures by the companies of the number of legal requests received aggregated by country and type of request, with information on the rate of compliance with the request (see, for instance, Transparency Reports for Twitter and Facebook).
If we use Google as an example, we see that they produce information for about two thirds of all requests, however, the number of requests and the rate of compliance differs substantially for each country. In the United States, the largest source of requests, Google received 12,539 requests for user data specifying 21,576 accounts (since requests can list multiple accounts), and acting on 84% of those. In Hungary, Google acted on none of the 17 requests covering 23 accounts. However, in Russia, Google received 93 requests covering 114 accounts, and released user data on 10% of these cases. Similar reports exist for a number of other technology companies, and even telecommunications providers have begun to produce their own Transparency Reports.
Snowden’s disclosures about international surveillance practices have fueled the growth of an industry that purports to help consumers mask their communications from intelligence agencies. Claims are different from privacy that is assured based on technologies, and promises that a piece of software has ‘military-grade encryption’ does not mean that the company capable of living up to these promises, or that even the product is securely designed. These claims either fail on technical merit or are impossible to verify because of the proprietary nature of the platforms. On top of this problem, these products are often provided for free by companies that have to pay salaries to developers and generate a profit for investors. They have an incentive to use these communications for commercial gain, and cases such as Whisper demonstrate that this can conflict with promises of privacy.
The same principle applies as with telecommunications networks and Google, if one company holds the keys, they will encounter legal challenges. After Snowden was found to have used the mail provider Lavabit, the United States sought to compel the company to change its service to include a backdoor. Lavabit took the principled decision to shut down the company and face legal risk, however, not all providers may be willing to take these same steps.
As a principle, software that is open source, decentralized and transparent in their operations are more trustworthy than closed alternatives. Moreover, the same basic principles of privacy threats apply to encryption tools – even if the communications tools are safe, often the devices used are vulnerable.
This article was originally published as part of our Journalism in Europe: Discussion Series.