By Bill Blunden, the author of several books, including “The Rootkit Arsenal” and “Behold a Pale Farce: Cyberwar, Threat Inflation, and the Malware-Industrial Complex.” He is the lead investigator at Below Gotham Labs. Originally published at Alternet
Yet another report has surfaced describing how tools created by the companies selling software that can damage and hack into people’s computers are being deployed by U.S. security services. While the coverage surrounding this story focuses primarily on federal agencies it’s important to step back for a moment and view the big picture. In particular, looking at who builds, operates, and profits from mass surveillance technology offers insight into the nature of the global panopticon.
A report published by Privacy International as well as an article posted by Vice Motherboard clearly show that both the DEA and the United States Army have long-standing relationships with Hacking Team, an Italian company that’s notorious for selling malware to any number of unsavory characters.
Federal records indicate that the DEA and Army purchased Hacking Team’s Remote Control System (RCS) package. RCS is a rootkit, a software backdoor with lots of bells and whistles. It’s a product that facilitates a covert foothold on infected machines so intruders can quietly make off with sensitive data. The aforementioned sensitive data includes encryption keys. In fact, Hacking Team has an RCS brochure that tells potential customers: “What you need is a way to bypass encryption, collect relevant data out of any device, and keep monitoring your targets wherever they are, even outside your monitoring domain.” Note: Readers interested in nitty-gritty details about RCS can check out the Manuals online.
It’s public knowledge that other federal agencies like the FBI and the CIA have become adept at foiling encryption. Yet this kind of subversion doesn’t necessarily bother high tech luminaries like Bruce Schneier, who believe that spying is “perfectly reasonable” as long as it’s targeted. Ditto that for Ed Snowden. Schneier and Snowden maintain that covert ops, shrouded by layers of official secrecy, are somehow compatible with democracy just so long as they’re narrow in scope.
But here’s the catch: RCS is designed and marketed as a means for mass collection. It violates the targeted surveillance condition. Specifically, a Hacking Team RCS brochure proudly states:
“’Remote Control System’ can monitor from a few and up to hundreds of thousands of targets. The whole system can be managed by a single easy to use interface that simplifies day by day investigation activities.”
Does this sound like a product built for targeted collection?
So there you have it. Subverting encryption en masse compliments of Hacking Team. The fact that there’s an entire industry of companies just like this should give one pause as there are unsettling ramifications regarding the specter of totalitarian control.
Corporate America is Mass Surveillance
Throughout the Snowden affair there’s a theme that recurs. It appeared recently in a foreword written by Glenn Greenwald for Tom Engelhardt’s book Shadow Government:
“I really don’t think there’s any more important battle today than combating the surveillance state [my emphasis]. Ultimately, the thing that matters most is that the rights that we know we have as human beings are rights that we exercise.”
There’s a tendency to frame mass surveillance in terms of the state. As purely a result of government agencies like the CIA and NSA. The narrative preferred by the far right is one which focuses entirely on the government (the so-called “surveillance state”) as the sole culprit, completely ignoring the corporate factions that fundamentally shape political decision making.
American philosopher John Dewey once observed that “power today resides in control of the means of production, exchange, publicity, transportation and communication. Whoever owns them rules the life of the country,” even under the pretense of democratic structures.
There are some 1300 billionaires in the United States who can testify to this fact. As can anyone following the developments around the secretive Trans-Pacific Partnership.
Dewey’s observation provides a conceptual basis for understanding how business interests drive the global surveillance apparatus. Mass surveillance is a corporate endeavor because the people who inevitably drive decisions are the same ones who control the resources. For example, the backbone of the internet itself consists of infrastructure run by Tier 1 providers like Verizon and Level 3 Communications. These companies are in a perfect position to track users and that’s exactly what they do.
Furthermore, when spying is conducted it’s usually executed, in one form or another, by business interests. Approximately 70 percent of the national intelligence budget ends up being channeled to defense contractors. Never mind that the private sector’s surveillance machinery dwarfs the NSA’s as spying on users is an integral part of high tech’s business model. Internet companies like Google operate their services by selling user information to the data brokers. The data broker industry, for example, generates almost $200 billion a year in revenue. That’s well over twice the entire 2014 U.S. intelligence budget.
From a historical vantage point it’s imperative to realize that high tech companies are essentially the offspring of the defense industry. This holds true even today as companies like Google are heavily linked with the Pentagon. For decades (going back to the days of Crypto AG) the private sector has collaborated heavily with the NSA in its campaign of mass subversion: the drive to insert hidden back doors and weaken encryption protocols across the board. Companies have instituted “design changes” that make computers and network devices “exploitable.” It’s also been revealed that companies like Microsoft have secret agreements with U.S. security services to provide information on unpublished vulnerabilities in exchange for special benefits like access to classified intelligence.
In a nutshell: contrary to talking points that depict hi-tech companies as our saviors, they’re more often accomplices if not outright perpetrators of mass surveillance. And you can bet that CEOs will devote significant resources towards public relations campaigns aimed at obscuring this truth.
A parting observation: the current emphasis on Constitutional freedom neglects the other pillar of the Constitution: equality. Concentrating intently on liberty while eschewing the complementary notion of equality leads to the sort of ugly practices that preceded the Civil War. In fact there are those who would argue that society is currently progressing towards something worse, a reality by the way that the financial elite are well aware of. When the public’s collective misery reaches a tipping point, and people begin to mobilize, the digital panopticon of the ruling class will be leveraged to preserve social control. They’ll do what they’ve always done, tirelessly work to maintain power and impose hierarchy.
NOTES:
i The Later Works of John Dewey, 1925-1953, Volume 9: 1933-1934, Essays, Reviews, Miscellany, and A Common Faith, Southern Illinois University Press, 2008, page 76.
Just to be clear, they’re bypassing encryption, not “beating” it.
Beating it would be actually breaking the encryption of the data en route, not at one of the endpoints. That would mean a) compromising keys/certificates either by direct acquisition or calculation, and b) tracking traffic across whatever medium is in use, not so easy in many cases, even with the full cooperation of service providers.
This software bypasses encryption by accessing un-/de-encrypted data at the point of user interaction (on the client side, in most cases), by essentially seeing/recording/transferring what the user sees/does/has.
The distinction is important. Not saying that encryption technology goes un-violated, or un-threatened, but that this is a much more direct method, and a more direct violation; having or being able to make a key to your door is one thing, actually sitting in your house watching you and taking notes and copying your stuff is something else. Residents with their own doors don’t need your door keys to come and go.
My question is: given the inability of anyone or even any computer to monitor all this stuff in real time, why the dragnet? They’re looking for needles in solar systems, eavesdropping on the planet in this way. The mountains of data could never be parsed in a lifetime.
My only guess is, intimidation. It’s an incredibly elaborate and expensive means of generating a chilling effect among the populace. That all this data gives them deep knowledge or situational awareness strikes me as unlikely, unless their computers and operators/analysts are way better than anything we’ve ever seen or heard of. The whole thing seems like an exercise in megalomania intended more to frighten the masses than to enlighten the elites as to who is doing what and what is going on.
I could have sworn I read claims that Hoover kept dirty laundry files on major DC players.
And I have sometimes wondered if similar collections are used to intimidate and blackmail the world over…
I don’t wonder, I’m certain of it. The spooks and their sponsors are running the whole show most likely.
Not necessarily intimidation since they were more than happy to keep all this criminal activity more or less out of the public consciousness prior to Snowden. More like, it is a convenient pump to transfer money to the security state while at the same time conveniently giving those in power plenty of information to blackmail intransigent politicians and political dissenters. Likely the powers that be weren’t quite aware before of just how passive and gullible American consumers are, and so the intimidation thing was just a happy accident.
Government workers, like people working in any organization, look for ways to justify (and augment) their paycheck. Consequently, they hype (or invent) anything that can be spun as a threat, to secure their jobs and pad their stats.
In 2011, Nature reported that “pre-crime” detectors were being field-tested in the United States. The more dangerous the perceived threat, the more detectors the government buys, and the more people or corporations that get paid to run them, tweak them, repair or upgrade them, and analyze their data.
In order to detect thought crimes, the U.S. government needs to analyze everyone, which (by design) costs a lot of money.
Ned, that’s a pretty broad generalization. I personally would limit that to the upper levels of the three-letter-acronym execs like those in the DEA, NSA, TSA, FBI, CIA, etc. The vast majority of government workers are just another set of wage slaves.
Don’t forget we already have “pre-crime” detection in full production, together with pre-crime judge, jury, and executioner (the judge, jury, and executioner in this case are all the same person: HRH Obomba). Every Tuesday His Royal Highness sits down with his nasty little picture book of people Le Roi deigns are the next to be executed for crimes they may commit sometime in the future. As reported by the NYT, Le Roi makes comments like “she looks a little young” before selecting that week’s victims. Unfortunately the execution method (drone missile) is only 4% accurate (by their own numbers), that is to say 4% of the time they think they killed someone they think might commit a crime sometime in the future. As for the other 96%: Vive Le Roi!
“My only guess is, intimidation.”
Of course. All powerful states pursue that imperative, regardless of which simplistic political narrative each may rely upon to expand its control. That’s merely a choice among flavors. But it’s all the same ice cream.
The irony is that all such cleverly woven political narratives promote the plainly obvious lie that an increasingly powerful state will deliver correspondingly greater “protection” of its citizens from abuse. It never works out that way in real life, of course, because power corrupts.
There is no substantial difference between a protection racket operated by the state and a protection racket operated by private mobsters — apart from the vital difference that voting for one gangster rather than another is voluntary consent to be systematically abused by one or the other.
An increasingly powerful state, what does that even mean? More MIC probably if looked at sensibly. I still think it’s all the U.S. really has in power anymore. I mean what kind of less powerful state is even possible in a world where capital USES and REQUIRES the state and owns the political system. Yes sure crumbs to the proles can be reduced but the real power remains. I’m sure one could debate the requires as in “is it necessary or just desirable for this economic system to have the state do your bidding?”, but where would the economic system be without bailouts including trillion dollar fed bailouts and not just to banks? Some form of the existing economic system might still exist, it might not be pretty either, it might be even uglier for all I can predict, but it probably wouldn’t be this seamless recovery and then some of profits, more corporations would have gone under etc..
This is one application, but the fact that spy agencies are striving for exhaustiveness in their collection of information, that they are developing “big data” analytical tools, and that they are consistently focusing on “before the fact” actions mean that they are attempting something else.
It is not for uncovering threats, detecting “lone wolves”, or preventing terrorist attacks: the last 15 years have demonstrated that all that NSA wizardry is basically useless in this regard.
The goal is to identify organizations, formal or informal — through the network established by communication between their members. After all, a lone wolf is not that dangerous even when successful. On the other hand, the impact of a successful grassroot organization can be quite powerful.
Thus, if you know that certain persons communicate regularly together (via e-mail routing traces, CDR from mobile networks), visit the same web site frequently (via IP logs), exchange files through the same Internet repository (via server access journals), meet together regularly (via GPS and wireless tower traces, travel records), and so on and so forth, then an organization has been revealed through its dynamic structure.
By the way: in the 1980s, business process re-engineering was a major topic in information science. To achieve it, a first step was to determine how an organization was really structured — and rarely updated official static organigrams were not that useful. Methods were developed to analyze the flow of information (forms, documents, files, etc.) between employees and departments to determine the operational structure of the firm, before reorganizing it. The whole menagerie of spy acronyms performs something similar nowadays on the entire populace.
It is nothing new: in its time, the Okhrana (the tsarist political police) devoted considerable resources to identify clandestine organizations and map their structure — by collecting and processing a mass of data on personal relations of suspects (family, professional, private relations), their communications (mostly letters), when and where they met, etc. Not with electronic snitches, of course, but with flesh and blood ones. Victor Serge wrote a short book on that topic (“What everyone should know about State repression”).
Once an organization has been uncovered, the second phase is to record, transcribe, translate and interpret its actual communications, not just the “meta-data”.
The last phase is to spy on it: plant microphones, tail its members, infiltrate the organization itself, etc.
Techniques like Tor, VPN, anonymous e-mail and data storage accounts make phase 1 a pain for spies. Techniques like encryption and steganography make phase 2 a pain for them.
This particular piece of software is not for dragnet use, don’t confuse this with traffic collection and analysis and mountains of data.
This is for spying on (or obtaining data from) specific people who have already been identified as targets for investigation. And it’s a very manual process, by the way, labor intensive and requiring several human operators. It does no analysis of harvested data.
Not to say that more automated systems aren’t in use or can’t be created, but this is not that. This is something your local law enforcement could use, it’s not very high tech in the sense of big data or mass harvesting. It’s not much different from ye olde wire tap of the POTS era. And it should be regulated by similar legal constraints of search and seizure. The question one should first ask is, are those legal procedures being followed, or are those laws being compromised by the introduction of “new technology” (which does much the same thing as the old one)? If it’s got the NC folks barking in a completely different forest, imagine how bamboozled a judge might be.
I pretty much agree with that. Even with powerful algorithmic search engines, etc., this Big Data haystack must be making it hard to find too many needles. Yet, for the suppression of political dissent, Big Data is all too effective. Show up to a #Black Lives matter protest and you will likely be photographed. Facial recognition software can then be used to identify you. From there, it is child’s play for the alphabet agencies to monitor the activism of the formerly anonymous geology professor from Indiana, and her accountant cousin from Brooklyn, who brought her to the rally.
Chances are slim, in the above scenario, that the watchers will actively mess with these people’s lives. So long as they limit their further activism to a few indignant facebook posts, and maybe writing a check to Bernie Sanders, they may never even know that they are on the radar. The moment our mild-mannered professor in Bloomington starts actively trying to shake things up, in local Indiana or University politics, and threatens to get traction, that’s when she’ll start running into some very stormy weather.
I know for a fact there are damning pics of me if they really are watching all the needles in the haystack. And not because it’s made that much difference. But it is what it is.
That’s a Bingo! The Russians jumped up and down yelling at the US three times about the Boston Bombers: “It’s them! It’s them!”. The FBI was too busy parsing Grandma’s Facebook posts about her latest Pineapple Upside-Down Cake to notice.
That’s the most hideous fact about the Surveillance-Industrial Complex: it doesn’t work.
Well, if it worked, then its funding would flatline, instead of constantly increasing. It’s a self-licking ice cream cone…
‘Concentrating intently on liberty while eschewing the complementary notion of equality leads to the sort of ugly practices that preceded the Civil War.’
Chattel slavery was problematical for many reasons, including the need for intensive management and supervision. Who needs personnel headaches?
Thanks to the income tax, first test-driven during Lincoln’s war and adopted permanently in the annus horribilis of 1913, we’re all slaves now. ‘Self reporting’ means we’re responsible for polishing our own shackles.
Got Brasso?
Chattel slavery was problematical for many reasons, including the need for intensive management and supervision. Who needs personnel headaches?
Well, the folks who got rich off cotton sales, for one.
All things considered, if the various agencies are so good with gathering data on everyone, regardless of type of device used in the communicating between peoples, then why is there the so-called “War on Terrorism”, with no end in sight? Seems like it’s an exercise in futility, never to be achieved, though it makes good sound bites to put the “fear” in most people’s minds.
with no end in sight?
To you that’s a bug, to the government, it’s a feature…
I just saw the second in the documentary I first learned here on NC “The Power of Nightmares” – and the only question I have is: the documentary seems to imply that the neoconservatives inadvertently empowered Islamism…..while it seems to me just as plausible to argue that with the philosophy that people need a “cause” (ironically, a philosophy that both the Islamists and neoconservatives shared) that the support of Islamism (by neocons) was purposeful – after all, the Soviets had collapsed, a new enemy was needed.
The purpose is not to keep tracks on us tiny people. If they happen across some relevant information, that would be a tiny benefit.
They want to keep challenges to their power fully under their control, and that they have mounds of secrets in their files on those who have dirty career limiting secrets, keeps those who could control the secret police under the secret police’s control.
The President’s Analyst, 1967? Huh? But now, with some pretty damn good assumptions, about what we are thinking at any given moment, position, conversations, a couple good cameras, all our spending & vital signs. https://www.propublica.org/article/privacy-tools-the-best-encrypted-messaging-programs
But the beauty of American capitalism (I say that sarcastically), and the weakness of the above analysis, is the simple fact that the earning (working) classes generally enthusiastically endorse their own enslavement by the system, so it’s pointless to think the American people are suddenly going to rise up and fight back against surveillance, income inequality, or any other troubling structural features of the American capitalist landscape. We have all been brainwashed since Kindergarten with the “best country on earth”, “land of the free”, “land of opportunity” mantras, and no lay person seriously believes he or she lives under any threat of enslavement by plutocratic forces who mean them harm; in fact the mere idea of such a thing is rejected by most people as patently absurd. Even though it’s already happening happened.
Well said. I agree. IMO (anecdotal) most citizens simply aren’t paying attention and/or don’t care, don’t think any of this applies to them or their lives. If they have any consciousness about the spying, etc, they either accept it on the brain-dead notion that it’s “keeping them safe,” or the other false trope “well if you have nothing to hide, then it doesn’t matter.” My general observation is that most citizens aren’t connecting the dots.
Was out hiking this weekend with friends, and we observed some bridges and roads (back country areas) that were woefully in need of repair – looked like next good storm w/floods (as happens) will take them out. Plus camp sites that used to be in good nick are now basically a mess and not maintained. I said something about “our money is spent only on war.” Mostly not heard by my friends, who seemed to just “accept” the transformation of our country to third world status.
Lambs easily led to slaughter or something…
Do kids still get the freedom and democracy schtick in schools? I was under the impression it was just multiculturalism these days. As far as the civic high school SOP we all got in the late 20th, there were some good points: people expected the political process to be accommodating, they expected social justice, decent regulation, etc.
Good Q. Not sure. Have lost touch with someone who teaches 5th and 6th grade (has done both in different years). That person happens to be very rah-rah, USA is the BEST NATION ON EARTH!!!111!!!, go USA USA USA! I know that person was heavily indoctrinating the students with this claptrap and other tropes like ‘you can be anything you want.’ Don’t know about other teachers, nor what the corporatized school agendas call for.