The dick* pic guide to government surveillance

* and boob

I had a conversation with a family member recently about my growing interest in cybersecurity and they responded with ‘I’ve got nothing to hide so I’m not worried’. Basically, let the government watch them if it stops terrorists; it’s all good.

For someone who grew up in the 1980s Cold War (but also basically made a second career out of Web 2.0), it’s about how much they are watching, centralised files, a culture of fear, lack of freedom, potential abuse of political power – and trying to understand the trade-offs of privacy versus security when we put our info out there.

I don’t think I have anything to hide either – except when I do – but it’s not about having something to hide, it’s about having something to protect. We’re not just talking about status updates knowingly shared on Facebook, Twitter, etc; the info at risk is also the stuff you think you are keeping private: phone calls, files and photos stored in the cloud, SMS, email.

Getting people to care about surveillance and infosecurity is apparently an issue, with cybersecurity events often struggling to attract an audience. Calling it infosec or cybersecurity is a kiss of death, according to a friend who runs such events. (It’s true: I’m going to an evening event in London because it’s a CryptoParty in a bar with beer sponsors, etc, whereas a day-long ‘cybersecurity roadshow’ in Birmingham was a much harder sell.)

To help with the ‘who cares’ issue, I finally got round to watching John Oliver’s 2015 ‘Last Week Tonight’ interview in Moscow with Edward Snowden – a deliciously awkward affair in which Oliver played a rude, dumb American asking Snowden’s nice, intelligent whistleblower to explain in layman’s terms (‘Can I share my dick pics or not?‘) why they should give a shit about increasing government surveillance powers and his 2013 revelations.

If you haven’t seen it, it’s well worth a watch. My notes below…

Notes: Government Surveillance: Last Week Tonight with John Oliver (HBO)

  • Section 215 of the Patriot Act (created post 9/11, and extended/renewed) requires businesses to hand over ‘any tangible things'(eg telephone records) to protect against international terrorism.
  • Snowden in 2013 revealed this to be used for the mass scooping up of data.
  • Government says it doesn’t abuse its powers + there are restrictions on how/when they can employ surveillance, eg, through the FISA Court, which grants surveillance warrants.
  • Reality is that FISA rarely rejects an application. From 1979 to 2013, it has approved 35,434 application for surveillance and rejected only 12.
  • Snowden: “NSA has the greatest surveillance capabilites that we have ever seen. Now, what they will argue is that they dont use this for nefarious purposes against American citizens. In some ways that is true but the real problem is that they are using these capabilities to make us vulnerable to them, and then saying, well, I have a a gun pointed to your head but I won’t pull the trigger – trust me.”
  • Is anyone having the conversation about where the limits should be, eg, reform of Section 215. Public debate not happening (that care issue again).
  • Oliver asks if it is possible for the public to have a conversation about something that is so complicated we don’t fundamentially understand it? He shows Snowden a video that shows Americans getting upset about the government sharing and looking at their dick pics. The rest of the interview is framed through this simple analogy.

Can they see my dick?

Section 702 surveillance – yes – through bulk collection if an emailed image crosses a border in some way and is caught on a database.

Executive Order 12333 – yes – the NSA uses this order when others aren’t aggressive enough, so if a Gmailed pic is sent even to a fellow American, it will be stored on Google server, and Google may move this data from data centre to data centre – the US government can capture that if it moves outside of US even temporarily.

PRISM – yes – it captures your info with the agreed help/involvement of government deputies/sheriffs such as Yahoo, FB, Google.

Upstream collection – yes – they can ‘snatch your junk’ as it transits the internet.

MYSTIC – if describing your junk on the phone, yes. Collects content as well in some countries, eg, The Bahamas.

Section 215 metadata – no, but can tell who you are sharing junk pics with (eg a penis enlargement centre).

So what next?

Snowden says: “You shouldn’t change your behaviour because a government agency somewhere is doing the wrong thing. … If we sacrifice our values because we are afraid, we don’t care about those values very much.”

My take is:

  • Keep doing what you’re doing but send/share your stuff via more secure platforms
  • Try to understand the lay of the political and digital landscape and don’t give away freedoms that are at risk.
  • Figure out the trade-offs and fight back against government surveillance where it is an invasion into privacy/freedom – I’m not saying terrorist and other threats shouldn’t be addressed, of course not, but scaling up government powers shouldn’t be done thoughtlessly or in knee-jerk reaction to modern threats without a thought for historical ones that threaten all our civic freedoms. Debate publicly and find the line.