Posts about nsa

NSA by the numbers

Fear not, says the NSA, we “touch” only 1.6% of daily internet traffic. If, as they say, the net carries 1,826 petabytes of information per day, then the NSA “touches” about 29 petabytes a day. They don’t say what “touch” means. Ingest? Store? Analyze? Inquiring minds want to know.

For context, Google in 2010 said it had indexed only 0.004% of the data on the net. So by inference from the percentages, does that mean that the NSA is equal to 400 Googles? Better math minds than mine will correct me if I’m wrong.

Seven petabytes of photos are added to Facebook each month. That’s .23 petabytes per day. So that means the NSA is 126 Facebooks.

Keep in mind that most of the data passing on the net is not email or web pages. It’s media. According to Sandvine data for the U.S. fixed net from 2013, real-time entertainment accounted for 62% of net traffic, P2P file-sharing for 10.5%. The NSA needn’t watch all those episodes of Homeland (or maybe they should) or listen to all that Coldplay — though I’m sure the RIAA and MPAA are dying to know what the NSA knows about who’s “stealing” what since that “stealing” allegedly accounts for 23.8% of net traffic.

HTTP — the web — accounts for only 11.8% of aggregated up- and download traffic in the U.S., Sandvine says. Communications — the part of the net the NSA really cares about — accounts for 2.9% in the U.S.

So by very rough, beer-soaked-napkin numbers, the NSA’s 1.6% of net traffic would be half of the communication on the net. That’s a fuckuvalota “touching.”

And keep in mind that by one estimate 68.8% of email is spam.

And, of course, metadata doesn’t add up to much data at all; it’s just a few bits per file — who sent what to whom — and that’s where the NSA finds much of its incriminating information. So these numbers are meaningless when it comes to looking at how much the NSA knows about who’s talking to whom. A few weeks ago on Twitter, I showed that with the NSA’s clearance to go three hops out from a suspect, it doesn’t take very long at all before this law of large numbers encompasses us all and our cats.

If you have better data (and better math) than I have, please do share it.

* “Reach out and touch someone” art inspired by Josh Stearns

Tech companies: Whose side are you on?

I wrote this for the Guardian. I’m crossposting it here for my archive. The post is all the more relevant a day later as Google, Apple, AT&T, and Public Knowledge attend a secret White House meeting about secrecy. I’d have a lot more respect for them if they refused, given the condition.

Technology companies: Now is the moment when you must answer for us, your users, whether you are collaborators in the U.S. government’s efforts to collect it all — our every move on the internet — or whether you, too, are victims of its overreach.

Every company named in Edward Snowden’s revelations has said that it must comply with government demands, including requirements to keep secret court orders secret. True enough. But there’s only so long they can hide behind that cloak before making it clear whether they are resisting government’s demands or aiding in them. And now the time has come to go farther: to use both technology and political capital to actively protect the public’s privacy. Who will do that?

We now know, thanks to Snowden, of at least three tiers of technology companies enmeshed in the NSA’s hoovering of our net activity (we don’t yet know whether the NSA has co-opted companies from the financial, retail, data services, and other industries):

(1) Internet platforms that provide services directly to consumers, allowing government to demand access to signals about us: Google with search, mail, calendars, maps; Facebook with connections; Skype with conversations, and so on.

In its first Prism reporting, the Washington Post apparently unfairly fingered nine of these companies, accusing the NSA and FBI of “tapping directly into the central servers” that hold our “chats, photographs, e-mails, documents, and connection logs.” Quickly, the companies repudiated that claim and sought the right to report at least how many secret demands are made. But there’s more they can and should do.

(2) Communications brands with consumer relationships that hand over metadata and/or open taps on internet traffic for collection by the NSA and Britain’s GCHQ, creating vast databases that can then be searched via XKeyscore. Verizon leads that list, and we now know from the Süddeutsche Zeitung that it also includes BT and Vodafone.

(3) Bandwidth providers that enable the NSA and its international partners to snoop on the net, wholesale. The Süddeutsche lists the three telco brands above in addition to Level 3, Global Crossing, Viatel, and Interroute. Eric King, head of research for Privacy International, asked in the Guardian, “Were the companies strong-armed, or are they voluntary intercept partners?”

The bulk data carriers have no consumer brands or relationships and thus are probably the least likely to feel commercial pressure to protect the rights of the users at the edge. The telephone companies should care more but they operate as oligopolies with monopoly attitudes and rarely exhibit consumer empathy (which is a nice way of saying their business models are built on customer imprisonment).

A hodgepodge alliance of U.S. legislators is finally waking up to the need and opportunity to stand up for citizens’ rights, but they will be slow and, don’t we know, ineffective and often uninformed. The courts will be slower and jealous of their power. Diplomacy’s the slowest route to reform yet, dealing in meaningless symbolism.

So our strongest expectations must turn to the first tier above, the consumer internet platforms. They have the most to lose — in trust and thus value — in taking government’s side against us.

At the Guardian Activate conference in London last month, I asked Vint Cerf, an architect of the net and evangelist for Google, about encrypting our communication as a defense against NSA spying. He suggested that communication should be encrypted into and out of internet companies’ servers (thwarting, or so we’d hope, the eavesdropping on the net’s every bit over telcos’ fibre) but should be decrypted inside the companies’ servers so they could bring us added value based on the content: a boarding pass on our phone, a reminder from our calendar, an alert about a story we’re following (not to mention a targeted ad).

Now there are reports that Google is looking at encrypting at least documents stored in Google Drive. That is wise in any case, as often these can contain users’ sensitive company and personal information. I now think Google et al need to go farther and make encryption an option on any information. I don’t want encryption to be the default because, in truth, most of my digital life is banal and I’d like to keep getting those handy calendar reminders. But technology companies need to put the option and power of data security directly into users’ hands.

That also means that the technology companies have to reach out and work with each other to enable encryption and other protections across their services. I learned the hard way how difficult it is to get simple answers to questions about how to encrypt email. The industry should work hard to make that an option on every popular service.

But let’s be clear that encryption is not the solution, probably only a speed bump to the NSA’s omnivorous ingesting. At the Activate conference, Cerf was asked whether the solution in the end will be technical or institutional. No doubt, institutional, he answered. That means that companies and government agencies must operate under stated principles and clear laws with open oversight.

Before Snowden’s leaks, technology CEOs would have had to balance cooperation and resistance just as the nation supposedly balances security and privacy. But now the tide of public opinion has clearly shifted — at least for now — and so this is the moment to grab control of the issue.

If they do not assert that clear control, these technology companies risk losing business not only from skittish consumers but also from corporate and foreign-government clients. The Cloud Security Alliance polled companies and found that 10% had canceled U.S. cloud business and 56% were less likely to do business with U.S. providers. “If businesses or governments think they might be spied on,” said European Commission Vice President Neelie Kroes, “they will have less reason to trust the cloud, and it will be cloud providers who ultimately miss out.”

Besides taking action to secure technology and oversight within their companies and the industry, right-thinking technology companies also need to band together to use their political capital to lobby governments across the world to protect the rights of users and the freedom and sanctity of privacy and speech on the net. They must take bold and open stands.

To do that, they must first decide on the principles they should protect. In my book Public Parts, I proposed some principles to discuss, among them:
* the idea that if any bit on the net is stopped or detoured — or spied upon — then no bit and the net itself cannot be presumed to be free;
* that the net must remain open and distributed, commandeered and corrupted by no government;
* that citizens have a right to speak, assemble, and act online and thus have a right to connect without fear;
* that privacy is an ethic of knowing someone else’s information and coming by it openly;
* and that government must become transparent by default and secret by necessity (there are necessary secrets). Edward Snowden has shown us all too clearly that the opposite is now true.

I also believe that we must see a discussion of principles and ethics from the technologists inside these companies. One reason I have given Google the benefit of the doubt — besides being an admirer — is that I believe the engineers I know inside Google would not stay if they saw it violating their ethics even if under government order.

Yonatan Zunger, the chief architect of Google+, said this after the Guardian’s and Glenn Greenwald’s first revelations were published:

I can tell you that it is a point of pride, both for the company and for many of us, personally, that we stand up to governments that demand people’s information…. I can categorically state that nothing resembling the mass surveillance of individuals by governments within our systems has ever crossed my plate. If it had, even if I couldn’t talk about it, in all likelihood I would no longer be working at Google.

In the end, it’s neither technologies nor institutions that will secure us from the inexorable overreach of government curiosity in the face of technical capability. Responsibility for oversight and correction begins with individuals, whether whistleblowers or renegade politicians or employees of conscience who finally remind those in power: “Don’t be evil.”

Give up on the net?

Die Zeit asked a handful of people to answer their question, in essence: Have big companies and the NSA ruined the internet? Or to quote the email to me: “Have all the hopes concerning the internet been destroyed?” Here’s my answer in English; the German translation is here.

The battle for control — and the soul — of the internet has only just begun.

I doubt the net’s creators realized how subversive it was to connect anyone to anyone, bypassing the institutions that mediated those connections: from media to government, universities to retailers. These institutions are now circling wagons to protect their prerogatives: copyright for media, secrecy for government.

But as much as they want to take charge of it, the internet is less about institutions than individuals. Now anyone who’s connected can speak to, find, join, and act with a public. Anyone can find information, learn, sell, and create.

Yes, large new institutions are born to serve these needs and opportunities: Google to connect us with information, Facebook with each other, Twitter with everyone. They and we are negotiating norms and ethics regarding privacy, transparency, and control, a process that’s progressing.

Then enter government. It may portray itself as the protector of privacy but it is instead the greatest threat to privacy, for it can gather information and use it against us as no one else can. It abuses the net.

The problem Edward Snowden uncovered in the NSA is not technology. The issue is transparency. The NSA demonstrates that secrecy corrupts and absolute secrecy corrupts absolutely.

We must engage in the discussion Snowden finally sparked about the principles of a free and open society, which we must protect in the face of the new opportunities technology presents to, in the words of NSA chief Keith Alexander, “collect it all.”

Those principles, which I proposed in my book Public Parts, include:
* An ethic of privacy, compelling governments and companies not to steal our data without our knowledge.
* The ideal that government must be open by default and secret by necessity; today, it is the opposite.
* The right to connect, speak, assemble and act online as off.
* The understanding that if any bit on the net is stopped, detoured, or spied upon by any institution then no bit — or the net itself — can be presumed to be free.
* And agreement that the net must remain open and distributed, controlled or corrupted by no government.

Matters of principle

America is supposed to be a nation governed by principles, which are undergirded by the Constitution and the Bill of Rights and carried into law. The discussion about the government and its capture of *our* data should be held on the level of principles.

* Privacy: Our direct and personal communication in any medium and by any means — mail, email, phone, VOIP, Twitter DM, and any technology yet to be invented — should be considered private, as our physical mail is, and subject to government intervention only through lawful warrant. That is not the case. Thus it is quite reasonable to be disturbed at the news that government can demand and receive communication we believe to be private. Government may call itself the protector of our privacy but it is our privacy’s worst enemy.

* Transparency: The actions of government should be known to citizens. I argue in Public Parts that our institutions should be public by default, secret by necessity; now they are secret by default and open by force. There are necessary secrets. There is a need for intelligence. There I agree with David Simon. I saw people die before me on 9/11 and I fault intelligence for not stopping it.

But we are left out of the discussion of where the line of necessity should be. If President Obama believes in the transparency he talks about and if he now says he welcomes the debate about security and freedom then it should have occurred *before* government took the actions now being reported and not by force through leaks. There I agree with James Fallows that this leak is not harmful — what bad guys didn’t already realize that their phones could be tracked? — and will be beneficial for democracy.

* Balance of powers: The best protection of our nation’s principles is the balance of powers. Yes, Congress passed the Patriot Act and yes, a FISA court does approve the executive branch’s actions. But both our representatives and our justices are prevented from sharing anything with us, as are the companies that are forced to be their accomplices. The true balance of powers is the exercise of democracy by citizens, but without information we have no power and government has it all.

* Freedom of speech and of the press: Information comes to the public from the press, which is now anyone with information to share. And citizens exercise power through speech. But in its jihad against leaks… that is whistleblowers… that is reporting… that is journalism and the public’s right to know, the White House is chilling both the press and speech. I pray that Glenn Greenwald doesn’t have a Verizon phone.

This discussion is less about privacy and more about transparency and speech. The principles most offended here are those embedded in the First Amendment for those are the principles we rely upon to take part in the debate that is democracy.

I am asking for government to behave according to principles. I am also asking companies to do so. Twitter — whose behavior toward developers and users can sometimes mystify me — is apparently the platform most stalwart in standing for its users’ rights as a matter of principle. They apparently refused to make it easier for government to get data. Now one could argue that helping government thwart terrorists is also behaving according to principle. But again we and these companies aren’t allowed to have that debate. So I’d now advise following what is apparently Twitter’s route in only responding to demands, nothing more. And I’d advise following Google’s example in revealing government demands for information (though under FISA, once again, they’re not allowed to reveal — even by a count — them all).

There is much debate and sometimes conspiracy theorizing swirling around about what Google, Facebook, et al did and didn’t provide to government. I take Larry Page’s and Mark Zuckerberg’s statements at their literal word and agree with Declan McCullagh that I so far see no evidence that these companies handed the keys to their servers to the NSA. We know and they have long said that they comply with government orders, whether in the U.S. or China.

Though some are attacking him on this issue and though I often disagree with him on the state of the news business, I again say that I agree with David Simon on the unsophisticated and emotional interpretation of this news. Since the initial New York Times report on NSA “warrantless wiretapping,” I have understood that one of government’s goals is to use data to find anomalies but to do that it has to have a baseline of normal behavior. We’re the normal. This has been going on for some time, as Simon says; we just haven’t known how.

Are we as a nation OK with allowing government to make such an analysis to find the terrorists’ anomalous behaviour or not? That’s a discussion that should occur according to principles, properly informed about the risks and benefits. Are we OK with government using that same data to fish for other crimes — like, say, leaking a PowerPoint to the Guardian? I am not. Are we OK with government treating whistleblowers and leakers as traitors — starting with Bradley Manning? I am not. I agree with Bruce Schneier: “We need whistleblowers.” Are we OK with government having access to our private communications without warrants? I say: most definitely not, as a matter of principle.

Under a regime of secrecy, assuming the worst becomes the default in the discussion. We assume the worst of government because they keep from us even activities they say are harmless and beneficial. We see people who want to be suspicious of technology and technology companies assuming the worst of them because, after all, we can’t know precisely what they are doing. I agree with Farhad Manjoo about the danger. People in other nations — I’m looking at you, EU — already distrust both the American government and American technology companies, often in the past for emotional reasons or with anti-American roots but now with more cause. You can bet we’ll hear governments across Europe and elsewhere push harder for legislation now in process to require that their citizens’ data be held outside the U.S. and to European standards because, well, they assume the worst. We’ll hear calls to boycott American-made platforms because — even if they try not to go along — their acquiescence to our government means they cannot be trusted. This is bad for the net and bad for the country. The fault lies with government.

This is a story about transparency and the lack of it. It is a story about secrecy and its damages. It is a story about principles that are being flouted. It should be a discussion about upholding principles.

The trouble with content

Yesterday, I got to speak about speaking with the speakers of the National Speakers Association in Indianapolis. How meta.

I was more controversial than I thought I’d be. For I suggested — and demonstrated — that speakers would do well to have conversations with the people in the room and not just lecture them. I said I’ve learned as a speaker that there is an opportunity to become both a catalyst and a platform for sharing. I talked about my wish to do a project built around events and conversation — process as product — with a book perhaps as an afterthought, a result. And I talked about testing a business model with Kickstarter that could help speakers and the people formerly known as the audience wrest back control of events from conference organizers and speakers’ agents.

Some liked what I said. Some didn’t. And even those who liked it said on Twitter and in the hall that it was disruptive and controversial.

When I went into the room to have a conversation with these speakers — Oprahing — I heard this from some of them: We create content. That content has value. Implicit in this: We don’t want to share the stage with the audience. And I would ask whether that means they don’t sufficiently value the audience and the wisdom it brings.

That is precisely what I have heard over the years from newspaper, magazine, and media people: We create content. We control content. It’s ours. Pay us for it. We don’t want to lose control of it by opening up.

This made me see this content worldview as a problem, a seduction.

If you think that all you do is create and sell content, then you box yourself in and cut yourself off from other opportunities, including acting as a platform for sharing knowledge. That’s the problem news organizations have had. Apparently, so do some speakers.

Now, of course, content can have value. But that’s a high bar to jump. It’s proving to be more and more difficult to extract that value. If you make a great movie or write a great novel or sing a great song, then that’s unique and I’ll agree that it has value (though, of course, it’s getting harder to get paid as much as you used to for those creations). Still, if what you do is unique and great, it’s possible. Hard, but possible.

News is not unique. That’s why my industry has gotten in such trouble holding onto the idea that it creates content. Period. The attention they used to hold captive is now free to roam anywhere, including to an abundance of free competitors. I’d warn speakers, too, that some of them could be replaced by a YouTube video or a Google+ Hangout, unless they embrace these threats as opportunities.

Oh, yes, there’s still a business in content. But it’s an increasingly difficult business to survive in. It’s a limiting business. It’s an expensive business. It’s a business with more and more competitors and more and more price pressure. It’s a business that still requires blockbusters but they are harder to come by. It’s a business in which the bar to success is constantly rising.

Are you *sure* you want to be in the content business?