Big brother is watching you

Published October 2007 Communications Engineer

Imagine teaching Biology to 9th graders and realising that the material for this day’s lesson, be it on HIV or contraception, has been blocked by your friendly ISP’s (Internet Service Provider) web content filter as falling into the ‘pornography’ category of its software. In fact, all websites containing the word ‘sex’ get routinely blocked, be they about online escort agencies or anthropology.

Imagine two burly types appearing at your door with questions regarding the email you sent to your overseas friend last week. Yes, you did mention in your message how unhappy you were with the elections in your country, but you clearly remember sending it just to him. How did these guys hear about it?

Imagine being exposed in your local newspaper as an admirer of communism, or fascism, or as having bad breath, venereal disease or fondness for marijuana? You had kept these secrets to yourself, merely satisfying your urge for knowledge on the Internet at home. You did not sign up to any mailing lists, did not create any accounts or logins – how did this information get out?

These and many other scary scenarios are becoming reality with ever worrying frequency. Not only people are unaware of the dangers they face when using the Internet, they are actively nonchalant to the fact that ALL email they send and the Internet sites they visit are being recorded, and this information is being stored by global corporations and governments for reasons of homeland security, financial benefit etc.

Where did it all go wrong? How did the Internet – a revolution in global communication, inclusiveness and understanding turn into a watchdog ready to pounce on us for a wrong word here, a bit of curiosity there?

The first bits…

The foundations of today’s Internet were laid in the 70’s by the people working for ARPA (Advanced Research Project Agency) in the United States. Robert Khan demonstrated the ARPANET during a Computer Communications Conference in 1972 and laid the first stone for the grand daddy of the Internet.

As opposed to traditional media, where information is sourced, rationed, edited and summarised – on the Internet people choose what they want. They are not fed political propaganda, celebrity news or sports round-ups unless they choose them. Users select what they want to read, who they want to communicate with and which truth is the right one for them. We hear of events minutes after they happen without any journalist present at the scene. Unsurprisingly, this has caused a major headache for the countries wishing to maintain political, social and religious freedoms of their citizens within their grasp and influence.

Who bytes?

The Internet was built to be an open platform, connecting the world through a protocol that made communication easy, instantaneous and following similar international principles. Computer software was written to assist us in the tasks of browsing the Web and conversing with each other. Considerations for data privacy, possibilities for Internet surveillance and censorship were not given great attention when creating these systems for the digital world of tomorrow. And we have been catching up ever since.

In essence, the Internet is just a bigger version of your office network. It is also just a bunch of computers, connected by cables, and assisted by servers, routers and modems. Even though your message on the Internet may cross an ocean via an underground cable, bounce off two different satellites and be delivered to someone’s mobile phone on a moving train – the system resembles an updated version of the telephone exchange. And if you are a wire tapper, or a jealous boyfriend, or someone with influential friends in the telecommunications community – all you need to do is create an additional receiver on the channel or router to hear the entire conversation that goes on. The same with the Internet. Anyone can intercept and read your message on its way around the computers of the world. And so it happens.

Internet surveillance systems have been implemented at national levels for some time. In 1998, the Russian government passed a law stating that all ISPs must install a computer black box with a link back to the Russian Federal Security Services (FSB) to record all Internet activity of its citizens at their own cost. The system is known as SORM-2. The United States introduced a similar system – CARNIVORE. China’s ‘Golden Shield’ project was announced on 2001. Rather than relying solely on the national Intranet, separated from the global Internet by a massive firewall, China is preparing to build surveillance intelligence into the network, allowing it to ‘see’, ‘hear’ and ‘think’. A global surveillance system known as ECHELON (reportedly run by the United States in cooperation with Britain, Canada, Australia and New Zealand) was set up at the beginning of the Cold War for intelligence gathering and has developed into a network of intercept stations around the world. Its primary purpose, according to the report, is to intercept private and commercial communications, not military intelligence.

Internet data is not only being monitored, it is also stored and often for a long time. In 2005, the European Union, under pressure from the Council of Europe, introduced legislation that obliges all member countries to retain Internet traffic data for a minimum of two years (although they can also choose to hold it for longer periods). In the UK, the Regulation of Investigatory Powers Act (RIP) which came into force in 2000 allowing “…security services, such as MI5, to monitor people’s Internet habits through the collection of communications data”. This data is not website or email content, but users’ “clickstream” – the websites and chatrooms they visit and the addresses of emails they send and receive”. The second part of the Act gives government ability to demand your passwords, should the communication data you send be encrypted. Failure to comply could see you facing up to two years in prison.

Surveillance and monitoring techniques have passed from the hands of intelligence personnel to the hardware and software systems, operated by private companies and government agencies. Phone bugging and letter opening has been superseded by technology that allows monitoring of everyone and everything at once. Now, we are all under suspicion as a result of surveillance and filtering systems our governments install on the Internet. The technology does not often differentiate between users as it waits for certain keywords to appear in our email and Internet searches and, when triggered, alerts surveillance teams or blocks our communications.

For example, when surfing the Internet in Iran, if you were to type in any of the following words into the Google search engine, your query will be blocked and fail:

condom

annmarie

chandice

chastity

bath

belly

dita

ebony

Apart from feeling puzzled while guessing how someone searching for the word ‘bath’ could be plotting to undermine the current Iranian government, you have to bear in mind that the above words are for English languages web searches, and if you wish to surf in Farsi from Iran, you would encounter many other words, including ‘woman’, ‘human rights’ and so on.

Service providers and intelligence agencies are able to pinpoint an Internet operation from your computer to the house where you live because every time we are on the Internet we receive what is known as an IP address. It acts as a unique identifier, like a postal address, to pinpoint our computer on the global network. Any IP address can be traced back to your Internet Service Provider and, more often than not, they keep a list of which client gets what IP address at a given time. In most countries ISPs are obliged to cooperate with the local government and provide details of who was browsing under what IP. This methodology was used to crackdown a worldwide Internet paedophile ring in June this year.

Whilst we may all agree that using this technology for the purpose of catching paedophiles and terrorists, the problem arises when we realise that these methods are being used to trace and punish a wide variety of Internet users around the world operating within international legislations and moral covenants. You and I are not exempted.

Writing this article in a local café with a wireless Internet connection for its customers, I was able to perform some surveillance of my own. Choosing the unsuspecting café punters sitting around the room on their Apple laptops, I switched on a ‘sniffing’ program that I had downloaded for free from the Internet a few minutes ago. Within 30 seconds I was able to read that Roger was writing to Jessica about meeting up next week at this very café to discuss some sort of a publishing event. If I were up to malice, I could have written Jessica another email, purporting to be Roger and change our place of meeting…

Biting back…

Newton’s third law of motion states that ‘For every action there is an equal but opposite reaction’. It applies to the Internet as well. In lieu of the surveillance and censorship infrastructures described above, the Internet community has come up with many options of bypassing these blocks and protecting your privacy. Tools range from a simple webpage that will help you to circumvent the censorship rules in your country to installing on your computer an anonymity system that would nullify the majority of sophisticated surveillance and filtering systems.

Whenever you cannot access a website from your country, you could ask another computer on the Internet to do it for you. This is known as using a proxy server, as this intermediary computer becomes a proxy between you and your desired website. There are numerous proxy services on the Internet, the easiest of which are web-based proxies. This means that all you need is to access a website, from which you can continue to browse the Internet unrestricted by your in-country censorship rules. A popular free service is provided by Peacefire (www.peacefire.org), and if you sign up to their mailing list, you will receive news of all new web-based proxy sites they are setting up every fortnight or so.

If you have a group of friends in a country where the Internet is not censored, you could ask them to install a proxy server on their computer for you to use. A recent program, released by the CitizensLab in Toronto, has made this process incredibly simple and quite secure. The program is called Psiphon (http://psiphon.civisec.org) and will allow anyone with an Internet connection and the Windows operating system to install a web-based proxy on their computer. You can then provide a friend with your computer’s IP number and password for accessing your proxy. Since this system is based on closed trust networks (e.g. you and your group of friends), it is quite difficult for the surveillance agencies to detect and block.

A more sophisticated approach would be to join one of the anonymity networks that exist on the Internet. Browsing the Internet through such a network would disguise your true identity from any computer or website and will probably make any filtering and data retention in your country innefective. One such network is Tor (http://tor.eff.org) an abbreviation for The onion router, with an interface in many different languages and a huge team of supporters and contributors around the world. Originally developed by the US Naval Research Laboratory to assist defence and intelligence services in anonymous Internet browsing, it is currently maintained by a worldwide collective of security and anonymity specialists.

Tor relies on a large network of servers, provided by volunteers around the world. There are currently around a thousand such servers. When you join this network, your create a random circuit passing through three or more Tor servers, negotiating a separate set of encryption keys for each along the way. This ensures that no single server used to create your circuit can trace your final and original destination. Using three Tor servers in your circuit is the minimum requirement for the anonymity of your connection. Imagine that you send a letter to a friend and package it in several different envelopes writing a different address on each one. The letter will be sent around and not one of the addressees along the route will know both the origin and final destination of the letter, but only the previous address it came from and the next one it will be going to. Should any of the addressees wish to open the letter, they would not be able to read its content, as it will be encrypted with a password that relies on other two addressees (servers) to decode.

When you are using Tor, the ISP or the national surveillance agencies do not know what websites you are looking at and hence cannot prevent you from doing so. The website that receives your query does not know where this query originated. You are even hidden from the anonymity system itself – i.e. no one in the Tor network can successfully pinpoint you to a certain location. There are over one hundred thousand clients using the Tor network to increase the privacy and anonymity of their Internet browsing.

There are many other tricks and methods to achieve a level of privacy and security on the Internet. They include different types of encryption – a way to make your information completely unreadable to all but the intended party; steganography – hiding text in a picture or sound file or even in other text; choosing good passwords to protect your Internet accounts and so on. There is not enough space in this article to dwell upon them all, but you could refer to numerous publications and blogs out there on the Internet.

Please note that in the world of security nothing is 100% guaranteed. You must be aware of the security provided by the tool you choose and its possible vulnerabilities. In other words, should you wish to increase the security and privacy of your operations, you must take time to study the possible risks and outcomes yourself, in order to decide which is the right tool for you and when you should refrain form using it.

Last bits…

This article touches but a tip of the Internet security iceberg. I hope it makes you feel a little worried for this is often the only way to bring about change in your habits and processes. If security and privacy are important to your work and leisure activities, then don’t feel too comfortable next time you sit down behind a computer. There is a Big Brother out there and he is probably watching you.

Many do not agree with the way the Internet is being reigned and controlled. Start fighting back for that very basic reward – your rights.