It’s been a while since Edward Snowden started revealing details about the global surveillance operations of the NSA. I’ve been meaning to write down a few thoughts for a long time, but didn’t quite find the time; however they still seem interesting enough now, so let’s go.

1. Insulting the whole world

It hardly makes sense to begin without stating that these actions are insulting, disrespectful and abusive to every human being (who uses a phone, or the Internet) on the planet.

How dare the American government think they are entitled to listen in on everyone’s phone conversations, read everyone’s emails and track all other online activities.

This also goes for everyone defending these actions. How dare you?!

The reporting from the American side often makes distinctions between surveillance of American citizens, and surveillance of those who are not such citizens. Sometimes it sounds as if American citizens are more worthy of some kind of better treatment. That is of course also insulting, disrespectful and abusive.

2. Spam

When I first heared of the extensive surveillance systems, I thought, well, if they really have this much equipment and so many resources, it would be nice if they could solve a real problem: namely email spam, blog post spam, and similar.

However, they do not occur to be working on that.

One concludes that this is not high on their priorities.

3. Bittorrent

Early on, one could read that the NSA stayed away from analyzing Bittorrent traffic. Which makes a lot of sense, since there is so much of it.

On the other hand, this leaves quite a gap to set up communication channels.

4. Pair programming

Within the first few weeks there were reports that the NSA switched to Pair-programming, pair administration, etc. Basically, don’t let anyone touch the systems without someone else watching. Take turns. Call it “Access Control Layer 1?”

The reports I read, didn’t point out how natural such a policy is. It is also not necessarily more expensive, some software companies use pair programming to avoid costly mistakes, programming bugs, etc.

So one wonders whether the original access  control did not have this additional layer in order to actually allow unauthorized access. After all, Mr. Snowden did not access the system for personal gain; how many others with access were not that noble? How much easier to avoid laws and cut corners without such a layer.

Also, has this policy been reverted in the mean time? It would be possible to do so without issuing a press release, of course.

5. An extra button

Also early on, it was reported that the data that passes through the NSA’s system is enormous. On the other hand, if you look at any particular person, the data traffic they generate will most of the time be quite managable.

So I am guessing that if anyone shows up in manual surveillance (an operator inspects certain communications), they will have a button within their user interface, “Track this individual closely”. Save all that traffic for later viewing. I would estimate that adding 100 people per day would be easy to manage in terms of traffic.

6. Germany

I follow German news of course. When it was first revealed that the NSA was listening in on phone calls of the German chancellor, I thought, well at least governments have the resources to set up communications based on One-time pad encryption. Also, Germany has local chip factories  to make sure the chip does what is desired by the owner, and not what the NSA desires.

(I find the response of European governments quite weak, I think it is underestimated how easy it is to argue with Americans)

7. Logging

In the wider context of privacy on the Internet (user profiling using cookies, etc), it had occurred to me a long time ago, that such policies should also cover web server logs. After all, such logs capture some information about individuals, sometimes not too much, but in the aggregate, I think it would be useful to look into stronger protection. Such protection, in one of my thoughts, would consist in having people, and organizations, be granted a “License to Log”. Such a license would be lost in the case of illegal activities, irresponsible behaviour, and so on.

These kinds of thoughts seem to be totally useless now.

8. Metadata

It hadn’t occurred to me that what they call “metadata” is useful, but now it does seem intuitive that it is very helpful. Basically every person is placed in a circle of their acquaintances, in circles of similarities according to many different categories.

This is similar to Facebook asking users to list their favourite books and music, etc. Facebook will also benefit from this as similar metadata of its users (Who to show which ads, as the most basic example).

9. Cost

One can only feel sorry for the average American. Basically these surveillance systems cost each tax payer a few hundred dollars a year. Without any benefit to them, it would seem.

10. Balance of powers

I often hear praise for the American democracy and how there is a balance of powers.

Cannot be spotted here. It’s rather obvious that there is no supervision of the NSA. Last week it was reported that a senator inquired whether they as senators are also covered by the systems. Asking the question itself was already revealing, needless to say the answer was disappointing.

One can make the case for secret courts in democracies, but I think it is obvious that these should be only used extremely sparingly. That is not the case here.

−

Ok, that’s all for now. You probably have your own thoughts about this. I’m sorry I couldn’t include links everwhere. Please share below, add corrections or other comments, if you could!

Let me start with mentioning that I’m writing this post on March 24, 2013. This kind of stuff is sure to change over time.

One of the things about the Internet is that it doesn’t have location built in. You don’t get to know where someone was when they wrote you an email, website operators don’t get to know where their visitors are when they visit the site. People don’t get to know where the craigslist servers are which put all those bytes together that make up a listing, and so on, and so on.

So people try to approximate. Because it is deemed to be useful information: country, region, city, latitude, longitude, ZIP code, time zone data and more. Even if it is not absolutely reliable, you can still derive some information, some picture. Different services are available, some free, some quite inexpensive, and some quite expensive. Most come in a form of a database file that you download, after paying for a license to use the data. Periodic updates to the database are made available. Web services are also available; this is where  an IP address is submitted, over the Internet itself, to the service provider, and they immediately respond with their location data for this address. You can read more about IP Address Location at wikipedia.

Of course, these services don’t work when people use so called proxies and VPN‘s. In fact, proxies are set up precisely for the purpose of fooling services which are ordinarily restricted by location (e.g. for accessing Netflix or Spotify from non-US locations) into handing over the goods. Such proxies are not particularly costly to use.

Now, when you look at determining location for mobile devices, these models become quite questionable. Surely the network is not aligned with city boundaries, and surely a mobile device’s Internet address does not change smoothly as you move about. Of course, you can move faster than a database update.

So I thought I’d try out different IP Address location services – with my mobile device, using the “Data Plan,” not our home’s router or Wifi. I was in Vancouver, British Columbia, most definitely, the whole time.

Results

So, you see, some got it right, and some did not. (I didn’t even bother to read or record the latitude/longitude that were given in some cases.)