2. Why am I talking about this?
•Great real-world example bringing together
a lot of what we’ve already learned.
•Law and ethics as well as tech!
•Because it’s our patrons and potential
patrons being spied on.
•That puts it squarely in the category of “our problem.”
•The library world needs a strategy on this
kind of thing and doesn’t have one.
•That means you’re not exempt from worrying about it. Libraries tend to look to
newer practitioners to react to stuff like this.
3. How do we know what we
know about this?
•Massive classified-document leak from
contractor Edward Snowden.
•Pretty classic example of security failing from within! Records managers,
this is common and you need to be concerned about it!
•Why did he do it? Because he considered
the NSA’s actions unethical invasion of
privacy, and thought the rest of us needed
to know.
•Agree or not, it’s a very librarianly motivation.
•You need to ask yourself whether you’re that brave. It matters.
4. So what is the NSA
collecting?
•Domestic phone call records, landline
and cellular.
•This is the oft-mentioned “metadata.” Actual content of calls is not (as far
as we know!) collected.
•As much Internet traffic as they can get
their hands on.
•Including supposedly-private encrypted traffic.
•Not just “metadata” (that would be logs, I suppose), but the actual
content transferred/stored. Email, social media, video, uploaded files,
databases, name it.
5. How did they get it,
without anybody realizing?
•(via Ars Technica, http://arstechnica.com/tech-policy/2013/09/let-us-count-the-wayshow-the-feds-legally-technically-get-our-data/ Categories mine.)
•Social engineering
•A company volunteers to help (and gets paid for it)
•A company complies under legal duress
•Spies infiltrate a company
•Spies coerce upstream companies to weaken crypto in their products/install backdoors
•Actual technology breakage
•Spies copy the traffic directly off the fiber (sometimes without owner’s knowledge)
•Spies brute force the crypto
•Spies compromise a digital certificate
•Spies hack a target computer directly, stealing keys and/or data, sabotage.
6. Notes on the social
engineering factor
•The Patriot Act and its NSLs and gag
orders made a huge difference here.
•So librarians who protested the Patriot Act weren’t “hysterical!” I like to
think of us as early-warning signals...
•Not just companies compromising crypto
•Standards bodies, too. NSA has representatives on crypto-related
standards bodies, e.g. at NIST. This is worrisome!
7. On “metadata”
•You are your patterns of communication!
•Who you talk to, when, how often
•From where (your phone’s location is part of cellular metadata)
•The NSA’s database ties this directly to you.
•Even if it didn’t, you might well be identifiable!
•This is called “reidentification” and we will discuss it in more detail next week.
•Not just the NSA, not just cell phones!
•Check out license-plate databases sometime. Am I ever glad I don’t own a car.
•So if anybody says “it’s just metadata,” don’t
buy it. Metadata is a big deal.
8. Other things we know
•Judicial oversight of the NSA is... um. Not
rigorous, shall we say.
•The data have been abused by NSA
employees. In creepy and gross ways.
•The NSA has repeatedly lied, including to
Congress, about:
•what data it has collected
•who has access to the data it has collected
•what is being done with those data
•There’s probably lots more we don’t know!
9. Some principles of security
we can derive from this
•Retained data is vulnerable data.
•Can’t misuse data you ain’t got!
•The easiest (sometimes only) way to
break a security system is to break the
people who implement it.
•Security is a function of law and norms,
not just code.
•As usual, vulnerable populations get hurt
the most.
10. Meager signs of hope?
•Dark Email Alliance
•replacing totally-insecure SMTP email-sending protocol with something better
•headed by someone who shut down his secure-communications company
rather than let the government have his clients’ encrypted data. Downright
librarianly, that man.
•Very, very angry US allies
•Go Dilma Rousseff!
•IETF working on securing Internet
infrastructure standards
•Legislation (currently “USA Freedom Act”)
11. What can we do?
•Don’t miss the elephant for the circus.
•Lots of faff in the media about Snowden. It doesn’t matter what we think of
Snowden! What matters is the NSA!
•The usual citizen things: stay informed, contact
your legislators, vote.
•Educate. Discuss. Provide a venue for
education and discussion.
•Libraries: protect your employees! protect your
computers and networks! (as best you can)
•Library organizations: amicus briefs
•The ACLU has already sued.
12. Something to think about
•The Internet was designed and built by
engineers, physicists, military people.
•It therefore exhibits many of their values: e.g. technical elegance.
•What if librarians and archivists had built
it? How would it be different? Would it
be better?
•Can we build that Internet NOW?