– Leave Your Cellphone at Home (n+1):
Interview with Jacob Appelbaum
From OCCUPY Gazette 4, out May 1.
Earlier this year in Wired, writer and intelligence expert James Bamford described the National Security Agency’s plans for the Utah Data Center. A nondescript name, but it has another: the First Intelligence Community Comprehensive National Cyber-security Initiative Data Center. The $2 billion facility, scheduled to open in September 2013, will be used to intercept, decipher, analyze, and store the agency’s intercepted communications—everything from emails, cell phone calls, Google searches, and Tweets, to retail transactions. How will all this data be stored? Imagine, if you can, 100,000 square-feet filled with row upon row of servers, stacked neatly on racks. Bamford projects that its processing-capacity may aspire to yottabytes, or 1024 bytes, and for which no neologism of higher magnitude has yet been coined.
To store the data, the NSA must first collect it, and here Bamford relies on a man named William Binney, a former NSA crypto-mathematician, as his main source. For the first time, since leaving the NSA in 2001, Binney went on the record to discuss Stellar Wind, which we all know by now as the warrantless wiretapping program, first approved by George Bush after the 2001 attacks on the twin towers. The program allowed the NSA to bypass the Foreign Intelligence Surveillance Court, in charge of authorizing eavesdropping on domestic targets, permitting the wholesale monitoring of millions of American phone calls and emails. In his thirty years at the NSA, Binney helped to engineer its automated system of networked data collection which, until 2001, was exclusively directed at foreign targets. Binney left when the organization started to use this same technology to spy on American citizens. He tells of secret electronic monitoring rooms in major US telecom facilities, controlled by the NSA, and powered by complex software programs examining Internet traffic as it passes through fiber-optic cables. (At a local event last week, Binney circulated a list of possible interception points, including 811 10th Avenue, between 53rd & 54th St., which houses the largest New York exchange of AT&T Long Lines.) He tells of software, created by a company called Narus, that parses US data sources: any communication arousing suspicion is automatically copied and sent to the NSA. Once a name enters the Narus database, all phone calls, emails and other communications are automatically routed to the NSA’s recorders.
The NSA wasn’t the only intelligence-gathering agency to have its domestic surveillance powers expanded in the wake of September 11th. The USA PATRIOT Act, for instance, allows the FBI to spy on US citizens without demonstrating probable cause that its targets are engaged in criminal activities. Under Section 215 of the Act, the now infamous National Security Letters—which formerly required that the information being sought pertain to a foreign power or agent of a foreign power—can compel the disclosure of sensitive information held by banks, credit companies, telephone carrier, and Internet Service Providers, among many others, about US citizens. The recipient of an NSL is typically gagged from disclosing the fact or nature of the request.
It’s no secret that, whereas the Fourth Amendment prevents against unreasonable search and seizure, concerns over “national security” occasioned its disregard and the violation of privacy rights of even the most ordinary citizens. Activists have all the more reason to worry, repeatedly turning up as the subject of terrorist investigations. For instance, in 2006 the ACLU revealed that the Pentagon was secretly conducting surveillance of protest activities, antiwar organizations, and groups opposed to military recruitment policies, including Quakers and student organizations. Relying on sources from the Department of Homeland Security, local police departments, and FBI Joint Terrorism Task Forces, the Pentagon collected, stored, and shared this data through the Threat and Local Observation Database, or TALON, designed to track terrorist threats. Or take Scott Crow, a self-described anarchist and veteran organizer in the global justice movement, who, as the New York Times reported last year, is one of dozens of political activists across the country to have come under scrutiny from the FBI’s increased counterterrorism operation. The FBI set up a video camera outside his house, monitored guests as they came and went, tracked his emails and phone conversations, and picked through his trash to identify his bank and mortgage companies, presumably to send them subpoenas. Others to have been investigated included animal rights activists in Virginia and liberal Roman Catholics in Nebraska. When in 2008, President Obama took the reigns from George W. Bush, there was an expectation that much, or at least some, of this activity would be curbed. Yet, as Bamford’s article attests, the goverment’s monitoring and collection of our digital data remains steadfast.
When the Occupy protests started in mid-September of last year, I relied on data-generating technologies increasingly, more so than I had ever before. Within a few weeks I had joined multiple OWS-related listservs; I’d started following Twitter with unprecedented commitment; I spent more hours on Facebook than I care to acknowledge. I doubt I am the only one. At the same time, there was a widespread sense of precaution—just because we were engaging in legal activities, covered by our First Amendment rights, no one, it seemed, should presume herself exempt from the possibility of surveillance. Sensitive conversations took place in loud bars, never over email. Text messages were presumed unsafe. In meetings, cell phone batteries were removed on occasion. Nevertheless, it was easy to feel unimportant (why would anyone watch me?) and equally easy to let standards relax—especially when it meant reclaiming conveniences that, once enjoyed, we’re difficult to give up. Leaving a trail of potentially incriminating digital data seemed inevitable. But how bad could it really be? And was there no way to use these same tools while safeguarding our privacy?
In late April, I sat down with the independent security researcher, hacker, and privacy advocate Jacob Appelbaum, who knows a thing or two about the surveillance state. Appelbaum is one of the key members of the Tor project, which relies on a worldwide volunteer network of servers to reroute Internet traffic across a set of encrypted relays. Doing so conceals a user’s location, and protects her from a common form of networking surveillance known as traffic analysis, used to infer who is talking to whom over a public network. Tor is both free (as in freedom) and free of charge. Appelbaum is also the only known American member of the international not-for-profit WikiLeaks.
Resnick: The recent article in Wired describes where and how the NSA plans to store its share of collected data. But as the article explains, the Utah facility will have another important function: cryptanalysis, or code-breaking, as much of the data cycling through will be heavily encrypted. It also suggests that the Advanced Encryption Standard (AES), expected to remain durable for at least another decade, may be cracked by the NSA in a much shorter time if they’ve built a secret computer that is considerably faster than any of the machines we know about. But more to the point—is encryption safe?
Appelbaum: Some of it is as safe as we think it can be, and some of it is not safe at all. The number one rule of “signals intelligence” is to look for plain text, or signaling information—who is talking to whom. For instance, you and I have been emailing, and that information, that metadata, isn’t encrypted, even if the contents of our messages are. This “social graph” information is worth more than the content. So, if you use SSL-encryption to talk to the OWS server for example, great, they don’t know what you’re saying. Maybe. Let’s assume the crypto is perfect. They see that you’re in a discussion on the site, they see that Bob is in a discussion, and they see that Emma is in a discussion. So what happens? They see an archive of the website, maybe they see that there were messages posted, and they see that the timing of the messages correlates to the time you were all browsing there. They don’t need to know to break a crypto to know what was said and who said it.
Resnick: And this type of surveillance is called …?
Appelbaum: Traffic analysis. It’s as if they are sitting outside your house, watching you come and go, as well as the house of every activist you deal with. Except they’re doing it electronically. They watch you, they take notes, they infer information by the metadata of your life, which implies what it is that you’re doing. They can use it to figure out a cell of people, or a group of people, or whatever they call it in their parlance where activists become terrorists. And it’s through identification that they move into specific targeting, which is why it’s so important to keep this information safe first.
For example, they see that we’re meeting. They know that I have really good operational security. I have no phone. I have no computer. It would be very hard to track me here unless they had me physically followed. But they can still get to me by way of you. They just have to own your phone, or steal your recorder on the way out. The key thing is that good operational security has to be integrated into all of our lives so that observation of what we’re doing is much harder. Of course it’s not perfect. They can still target us, for instance, by sending us an exploit in our email, or a link in a web browser that compromises each of our computers. But if they have to exploit us directly, that changes things a lot. For one, the NYPD is not going to be writing exploits. They might buy software to break into your computer, but if they make a mistake, we can catch them. But it’s impossible to catch them if they’re in a building somewhere reading our text messages as they flow by, as they go through the switching center, as they write them down. We want to raise the bar so much that they have to attack us directly, and then in theory the law protects us to some extent.
Resnick: So if I were arrested, and the evidence presented came from a targeted attack on my computer, and I knew about the attack, I would have some kind of legal recourse?
Appelbaum: Well, that’s an interesting question. What is the legal standard for breaking into someone’s computer because they were at a protest? Congratulations, take that to the Supreme Court, you might be able to make some really good law. I think the answer is that it’s a national newsworthy incident—nobody knows the cops break into people’s computers. The cops break into someone’s house, the Fourth Amendment is super clear about that—it can’t be done without a warrant.
Resnick: In January of last year, it was reported that the records for your Twitter account— along with those of Julian Assange, Private Bradley Manning, Dutch hacker Rop Gonggrjp, and Icelandic lawmaker Brigitta Jonsdottir—were subpoenaed by the US government. What is perhaps most notable in this case is not that the accounts were subpoenaed, but that the orders, usually gagged and carried out in secret, became public knowledge. Twitter contested the secrecy order and won the right to notify you. Several months later, the Wall Street Journal revealed that Google and the Internet service provider Sonic.net, had received similar orders to turn over your data.
Appelbaum: Twitter notified me. But as for Google and Sonic.net, I read about it in the Wall Street Journal like everybody else. So now I can talk about it because it was in a public newspaper. Those are “2703(d) administrative subpoenas,” and they asked for IP addresses, and the email addresses of the people I communicated with, among other things. The government asserts that it has the right to get that metadata, that “signaling” or relationship information, without a warrant. They get to gag the company, and the company can’t fight it, because it’s not their data, it’s my data, or it’s data about me, so they have no Constitutional standing. And the government asserts that I have no expectation of privacy because I willingly disclosed it to a third party. And in fact my Twitter data was given to the government—no one has really written about that yet. We are still appealing but we lost the stay, which means Twitter had to disclose the data to the government, and whether or not they can use it is pending appeal. Once they get the data, it’s not like it’s private or secret—and even if they can’t use it as evidence, they can still use it in their investigations.
Resnick: In January of this year, the Twitter account of writer and OWS protester Malcolm Harris was subpoenaed by the Manhattan District Attorney’s Office. I think it’s safe to assume these incidents are not anomalies. In which case, is there a way to use social media sites like Twitter without putting our private data at risk? Because these sites can be very useful tools of course.
Appelbaum: In the case of something like Twitter, you can use Tor on the Android phone—we have a version of Tor for Android called Orbot—and Twitter together and that’s essentially the best you’re going to do. And even that isn’t particularly great. Twitter keeps a list of IP addresses where you’ve logged in, but if you use Tor, it won’t know you are logging in from your phone. It’s powerful, but the main problem is that it’s kind of complicated to use. On your computer, you can use the Tor browser, and when you log into Twitter, you’re fine, no problem all—your IP address will trace back to Tor again. So now when the government asserts that you have no expectation of privacy, you can say all right, well I believe I have an expectation of privacy, which is why I use Tor. I signal that. And the private messaging capability of Twitter—don’t use it for sensitive stuff. Twitter keeps a copy of all its messages.
Resnick: During the perceived wave of Internet activism throughout the 2009 Iranian election protests, a new proprietary software called Haystack received a lot of media attention. Haystack promised Iranian activists tightly encrypted messages, access to censored websites, and the ability to obfuscate Internet traffic. You later tested the software and demonstrated its claims to be false. For those of us who don’t have your technical skill set, how can we assess whether a particular tool is safe to use, especially if it’s new?
Appelbaum: First, is the source code available? Second, if the claims are just too good to be true, they probably are. There’s a thing called snake oil crypto or snake oil software, where the product promises the moon and the sun. When a developer promises that a proprietary software is super secure and only used by important people, it’s sketchy. Third, are the people working on this part of the community that has a reputation for accomplishing these things? That’s a hard one, but ask someone you know and trust. How would you go on a date with someone? How would you do an action with someone? Transitive trust is just as important in these situations.
Another thing to look at is whether it’s centralized or decentralized. For example Haystack was centralized, whereas Tor is decentralized. Also, how is it sustained? Will it inject ads into your web browser, like AnchorFree, the producer of the Hotspot Shield VPN? Or is it like Riseup.net, whose VPN service monetizes not through your traffic, but through donations and solidarity and mutual aid? And if they can inject ads, that means they can inject a back door. That’s super sketchy—if they do that, that’s bad news. So you want to be careful about that.
Finally, remember: The truth is like a bullet that pierces through the armor of charlatans.
Resnick: What should we know about cell phones? It’s hard to imagine going to a protest without one. But like all networked technologies, surely they are double-edged?
Appelbaum: Cell phones are tracking devices that make phone calls. It’s sad, but it’s true. Which means software solutions don’t always matter. You can have a secure set of tools on your phone, but it doesn’t change the fact that your phone tracks everywhere you go. And the police can potentially push updates onto your phone that backdoor it and allow it to be turned into a microphone remotely, and do other stuff like that. The police can identify everybody at a protest by bringing in a device called an IMSI catcher. It’s a fake cell phone tower that can be built for 1500 bucks. And once nearby, everybody’s cell phones will automatically jump onto the tower, and if the phone’s unique identifier is exposed, all the police have to do is go to the phone company and ask for their information.
Resnick: So phones are tracking devices. They can also be used for surreptitious recording. Would taking the battery out disable this capability?
Appelbaum: Maybe. But iPhones, for instance, don’t have a removable battery; they power off via the power button. So if I wrote a backdoor for the iPhone, it would play an animation that looked just like a black screen. And then when you pressed the button to turn it back on it would pretend to boot. Just play two videos.
Resnick: And how easy is it to create something like to that?
Appelbaum: There are weaponized toolkits sold by companies like FinFisher that enable breaking into BlackBerries, Android phones, iPhones, Symbian devices and other platforms. And with a single click, say, the police can own a person, and take over her phone.
Resnick: Right—in November of last year, the Wall Street Journal first reported on this new global market for off-the-shelf surveillance technology, and created “Surveillance Catalog” on their website, which includes documents obtained from attendees of a secretive surveillance conference held near Washington, D.C. WikiLeaks has also released documents on these companies. The industry has grown from almost nothing to a retail market worth $5 billion per year. And whereas companies making and selling this gear say it is available only to governments and law enforcement and is intended to catch criminals, critics say the market represents a new sort of arms trade supplying Western governments and repressive nations alike.
Appelbaum: It’s scary because [accessing these products is so] easy. But when a company builds a backdoor, and sells it, and says trust us, only good guys will use it… well, first of all, we don’t know how to secure computers, and anybody that says otherwise is full of shit. If Google can get owned, and Boeing can get owned, and Lockheed Martin can get owned, and engineering and communication documents from Marine One can show up on a filesharing network, is it realistic to assume that perfect security is possible? Knowing this is the case, the right thing is to not build any backdoors. Or assume these backdoors are all abused and bypass them so that the data acquired is very uninteresting. Like encrypted phone calls between two people—it’s true they can wiretap the data, but they’ll just get noise.
When Hillary Clinton and the State Department say they want to help people abroad fight repressive governments, they paint Internet freedom as something they can enable with $25 million. Whereas in reality the FBI makes sure that our communications tech isn’t secure. This makes it impossible for people like me to help people abroad overthrow their governments because our government has ensured that all their technology is backdoor ready. And in theory, they try to legitimize state surveillance here, and there they try to make it illegitimate. They say, “In over-there-a-stan, surveillance is oppressive. But over here, it’s okay, we have a lawful process.” (Which is not necessarily a judicial process. For example, Eric Holder and the drones . . . sounds like a band, right?)
Resnick: Okay, so one thing I’ve heard more than once at meetings when security culture comes up is that . . . well, there’s a sense that too much precaution grows into (or comes out of) paranoia, and paranoia breeds mistrust—and all of it can be paralyzing and lead to a kind of inertia. How would you respond to something like that?
Appelbaum: The people who that say that—if they’re not cops, they’re feeling unempowered. The first response people have is, whatever, I’m not important. And the second is, they’re not watching me, and even if they were, there’s nothing they could find because I’m not doing anything illegal. But the thing is, taking precautions with your communications is like safe sex in that you have a responsibility to other people to be safe—your transgressions can fuck other people over. The reality is that when you find out it will be too late. It’s not about doing a perfect job, it’s about recognizing you have a responsibility to do that job at all, and doing the best job you can manage, without it breaking down your ability to communicate, without it ruining your day, and understanding that sometimes it’s not safe to undertake an action, even if other times you would. That’s the education component.
So security culture stuff sounds crazy, but the technological capabilities of the police, especially with these toolkits for sale, is vast. And to thwart that by taking all the phones at a party and putting them in a bag and putting them in the freezer and turning on music in the other room—true, someone in the meeting might be a snitch, but at least there’s no audio recording of you.
Part of informed consent is understanding the risks you are taking as you decide whether to participate in something. That’s what makes us free—the freedom to question what we’re willing to do. And of course it’s fine to do that. But it’s not fine to say, I don’t believe there’s a risk, you’re being paranoid, I’m not a target. When people say that they don’t want to take precautions, we need to show them how easy it is to do it. And to insist that not doing it is irresponsible, and most of all, that these measures are effective to a degree, and worth doing for that reason. And it’s not about perfection, because perfection is the enemy of “good enough.”
I would encourage people to think about the activity they want to engage in, and then say, Hey, this is what I want to do. Work together collaboratively to figure out how to do that safely and securely, but also easily without needing to give someone a technical education. Because that’s a path of madness. And if people aren’t willing to change their behaviors a little bit, you just can’t work with them. I mean that’s really what it comes down to. If people pretend that they’re not being oppressed by the state when they are literally being physically beaten, and forced to give up retinal scans, that’s fucking ridiculous. We have to take drastic measures for some of these things.
The FBI has this big fear that they’re going to “go dark,” which means that all the ways they currently obtain information will disappear. Well, America started with law enforcement in the dark; once, we were perceived to be innocent until proven guilty. And just because the surveillance is expanding, and continues to expand, doesn’t mean we shouldn’t push back. If you haven’t committed a crime they should have no reason to get that information about you, especially without a warrant.
Resnick: Are there any other tools or advice you would suggest to an activist, or anyone for that matter?
Appelbaum: Well, it’s important to consider the whole picture of all the electronic devices that we have. First, you should use Tor and the Tor browser for web browsing. Know that your home internet connection is probably not safe, particularly if it’s tied to your name. If you use a Mac or Windows operating system, be especially careful. For instance, there’s a program called Evilgrade that makes it easy for attackers to install a backdoor on a computer by exploiting weaknesses in the auto-update feature of many software programs. So if you have Adobe’s PDF reader, and you’re downloading and installing the update from Adobe, well, maybe you’ll get a little extra thing, and you’re owned. And the cops have a different but better version of that software. Which is part of why I encourage people to use Ubontu or Debian or Linux instead of proprietary systems like a Mac or whatever. Because there are exploits for everything. If you’re in a particularly sensitive situation, use a live bootable CD called TAILS—it gives you a Linux desktop where everything routes over Tor with no configuration. Or, if you’re feeling multilingual, host stuff in another country. Open an email account in Sweden, and use TAILS to access it. Most important is to know your options. A notepad next to a fireplace is a lot more secure than a computer in some ways, especially a computer with no encryption. You can always throw the notepad in the fireplace and that’s that.
For email, using Riseup.net is good news. The solutions they offer are integrated with Tor as much as possible. They’re badass. Because of the way they run the system, I’m pretty sure that the only data they have is encrypted. And I’d like to think that what little unencrypted data they do have, they will fight tooth and nail to protect. Whereas, yes, you can use Tor and Gmail together, but it’s not as integrated—when you sign in, Gmail doesn’t ask if you want to route this over Tor. But also, Google inspects your traffic as a method of monetization. I’d rather give Riseup fifty dollars a month for the equivalent service of Gmail, knowing their commitment to privacy. And also knowing that they would tell the cops to go fuck themselves. There’s a lot of value in that.
For chatting, use software with off-the-record messaging (OTR)—not Google’s “go off the record,” but the actual encryption software—which allows you to have an end-to-end encrypted conversation. And configure it to work with Tor. You can bootstrap a secure communication channel on top of an insecure one. On a Mac, use Adium—it comes with OTR, but you still have to turn it on. When you chat with people, click verify and read the fingerprint to each other over the telephone. You want to do this because there could be a “man in the middle” relaying the messages, which means that you are both talking to a third party, and that third party is recording it all.
As for your cell phone, consider it a tracking device and a monitoring device and treat it appropriately. Be very careful about using cell phones, but consider especially the patterns you make. If you pull the battery, you’ve generated an anomaly in your behavior, and perhaps that’s when they trigger people to go physically surveil you. Instead, maybe don’t turn it off, just leave it at home. Because, as I said earlier, in a world with lots of data retention, our data trails tell a story about us, and even if the story is made of truthful facts, it’s not necessarily the truth. On a cell phone, you can install stuff like OStel, which allows you to make encrypted voice-over-the-Internet calls, or PrivateGSM—it’s not free, but it’s available for BlackBerries, Android phones, iPhones and so on. Which means that if they want to intercept your communication, they have to break into your phone. It’s not perfect. Gibberbot for the Android allows you to use Tor and Jabber—which is like Google Chat—with OTR automatically configured. You type in your Jabber ID, it routes over Tor, and when you chat with other people, it encrypts the messages end-to-end so even the Jabber server can’t see what’s being said. And there are a lot of tools like that to choose from.
Another thing to consider is the mode in which we meet. If we want to edit something collaboratively, there’s a program called Etherpad. And there’s a social networking application called Crabgrass, and hosted at we.riseup.net. It’s like a private Facebook. Riseup still has a lot of the data, but it’s private by default. So it’s secure, short of being hacked, which is possible, or short of some legal process. And if you use it in a Tor browser, and never reveal information about yourself, you’re in really good shape. Unlike Facebook, which is like the Stasi, but crowdsourced. And I mean that in the nicest way possible. I once had a Facebook account—it’s fun and a great way to meet people. But it is not safe for political organizing, especially when you’re part of the minority, or when you’re not part of the minority, but you are part of the disempowered majority.
As a final thought, I’d say just to remember that a big part of this is social behavior and not technology per se. And a big part of it is accepting that while we may live in a dystopian society right now, we don’t always have to. That’s the tradeoff, right? Because what is OWS working toward? The answer is, something different. And if we want an end to social inequality, the surveillance state is part of what we have to change. If we make it worthless to surveil people, we will have done this. So, it needs to be the case that what we do doesn’t hang us for what we wish to create.