Sunday, October 6, 2013

Content and Context



Everything you do on the Internet is recorded and analyzed by the NSA. If any special services ever take an interest in you, even by accident, they can pull the record of all your online activities from the past several years.

Software solutions like Palantir are already in use. They allow services (CIA, FBI, NSA, DHS, DoD, etc.) to connect to many databases and profile you: build a tree of your acquaintances, find out which websites you visited, what you bought online or in supermarkets with your credit card, where and when your car plates were recorded by traffic cameras, etc. For reference: the NSA currently intercepts about 2 billion emails every day, and the center they're building in Utah will give them a highly increased capacity.

So maybe you would like to protect your privacy, as is guaranteed by many countries' constitutions, despite the USA's disregard for its own constitution. This article aims to explain the 2 aspects of privacy online: content and context.


Content

Content is exactly what it sounds like. It's the content of your emails. It's the video streams you receive from YouTube or the content of web pages that you browse. It's what you say and what your friends say when you're talking on Skype. The only way to protect your content when you are connected to the internet is called ciphering (encryption).

I discussed it a bit in my article about Certificate Authorities (CA). When you're connected to a website whose address starts with HTTPS, you can consider that ciphering is activated for that site. Not for the other sites. But for this one, yes.

Ciphering is about using a code that makes your data unintelligible except to yourself and the people you let in on the secret code. If you're not familiar with cryptography, here's an easy 2000-year-old example: in a given message (e.g. the word "secret"), replace each letter with the letter that is 3 positions further in the alphabet. "A" becomes "D", "B" becomes "E", etc.
S => V
E => H
C => F
R => U
E => H
T => W

The word "secret" has become "vhfuhw" which is not intelligible and you need to know how my cipher works (if I shared the secret with you) in order to get back to the original message.
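The shift-by-3 cipher above, as an added Python example (not part of the original post). It also covers the case the letter table does not show, wrapping from the end of the alphabet back to the start, and lists every possible key, which shows why this cipher is only a teaching aid:

```python
import string

ALPHABET = string.ascii_lowercase


def caesar(text, shift):
    """Shift each letter by `shift` positions, wrapping past 'z' back to 'a'."""
    out = []
    for ch in text:
        lower = ch.lower()
        if lower in ALPHABET:
            moved = ALPHABET[(ALPHABET.index(lower) + shift) % 26]
            out.append(moved.upper() if ch.isupper() else moved)
        else:
            out.append(ch)  # spaces, digits and punctuation pass through unchanged
    return "".join(out)


def all_shifts(ciphertext):
    """Every possible decryption: the key space is only the 25 non-zero shifts."""
    return {k: caesar(ciphertext, -k) for k in range(1, 26)}


if __name__ == "__main__":
    ciphertext = caesar("secret", 3)
    print(ciphertext)               # the enciphered word
    print(caesar(ciphertext, -3))   # shifting back by 3 recovers the message
    print(caesar("xyz", 3))         # letters near the end wrap around
    print(len(all_shifts(ciphertext)), "candidate keys in total")
```

With so few keys, anyone can simply read through all candidate decryptions, which is why real ciphering relies on keys far too numerous to enumerate.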

From what we've discovered about the NSA's spying program over the past 4 months, ciphering is the way to go. The NSA's spying can be summed up in these 2 manners of spying:

  • picking up all of the "open" content from everybody (bad for privacy)
  • cracking codes of targeted suspects (the only legitimate use of spying)

This leaves some room for privacy for "normal" people who choose to use ciphering and are not suspected of anything.



Context

Context is everything other than content. If you remember the news of 4 months ago, Verizon provides the NSA every day with the "metadata" of all the phone calls made and received by everybody. Metadata is context. It includes (but is not limited to):

  • Caller SIM card number
  • Caller name
  • Caller home address
  • Caller geographic location at the time of the call
  • Caller's successive locations during the call if moving
  • Time of the call
  • Duration of the call
  • Receiver SIM card number
  • Receiver name
  • Receiver home address
  • Receiver location at the time of the call

The context of a single call is not very relevant most of the time. But if you have the context for all the calls a person makes and receives over several months, you can draw a map of this person's network of relations and figure out that person's interests if she makes calls to specific sorts of shops or professional practitioners. Many calls to a doctor or even a medical specialist could hint at the kind of health problems this person may have. If the person repeatedly makes phone calls or sends texts to another person late at night, it can suggest a romantic relationship. Based on the time information and successive locations during the call, it's possible to figure out if you're a fast walker or fast driver, which allows for guesses about your personality. Your locations may also show if you use public transport. If you call from luxury shopping malls or from low-price supermarkets, it hints at your personal income and lifestyle. Then, when comparing this inferred lifestyle to the lifestyle of your network of relations, more can be guessed about your socio-cultural environment.
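To make the point about call records concrete, here is an added Python example (not part of the original post) that builds a profile from nothing but caller, receiver, time and duration. The records, the directory lookup and the thresholds (22:00 to 05:00 as "late night", two or more calls as "repeated") are constructed assumptions:

```python
from collections import Counter
from datetime import datetime

# Constructed call records: (caller, receiver, start time, duration in seconds).
# No call content is present anywhere in this data.
CALLS = [
    ("alice", "bob",        "2013-09-02 23:41", 1800),
    ("alice", "cardiology", "2013-09-03 09:05",  240),
    ("alice", "bob",        "2013-09-04 00:12", 2400),
    ("carol", "alice",      "2013-09-04 12:30",  300),
    ("alice", "cardiology", "2013-09-10 09:15",  180),
    ("alice", "pharmacy",   "2013-09-11 17:20",   60),
    ("alice", "bob",        "2013-09-11 23:05", 2100),
    ("alice", "cardiology", "2013-09-17 09:02",  200),
]
# Constructed directory lookup: which numbers belong to businesses, and of what kind.
DIRECTORY = {"cardiology": "medical specialist", "pharmacy": "pharmacy"}


def profile(person, calls, directory):
    """Summarise what the records alone reveal about `person`."""
    contacts, seconds = Counter(), Counter()
    late_night, business = Counter(), Counter()
    for caller, receiver, start, duration in calls:
        if person not in (caller, receiver):
            continue
        other = receiver if caller == person else caller
        contacts[other] += 1
        seconds[other] += duration
        hour = datetime.strptime(start, "%Y-%m-%d %H:%M").hour
        if hour >= 22 or hour < 5:          # assumed definition of "late night"
            late_night[other] += 1
        if other in directory:
            business[directory[other]] += 1
    return {
        "network": dict(contacts),
        "talk_seconds": dict(seconds),
        "repeated_late_night": [p for p, n in late_night.items() if n >= 2],
        "business_categories": dict(business),
    }


if __name__ == "__main__":
    for key, value in profile("alice", CALLS, DIRECTORY).items():
        print(f"{key}: {value}")
```

Eight records are enough to suggest a close relationship and a recurring medical appointment, without a single word of any conversation.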

...context can tell a lot about you, and so far I've only discussed the context of phone calls. The context of your internet browsing is also gathered by ISPs (Internet Service Providers) and made available to the NSA. Since they know all the websites you browsed (even if you used the "privacy mode" of your browser), they can know which journalistic organizations you take your news from, which is a strong indication of your political leanings. Your personal interests will also be clearly visible and reveal everything about you. If you watch porn online, then it will be clear whether you like men or women, and if you're into any kind of fetish. If you browse computer websites, a clear pattern should emerge suggesting your level of proficiency with each operating system, each programming language, and each computer-related subject (databases, security, reverse-engineering, cracking, etc.). If you like guns, football, fashion, cooking, TV series, anything... it will appear clearly from the websites and pages listed as your history... This is context.

Currently, the best way of hiding online context is Tor.



About Tor


Tor was created for the very purpose of protecting context. Here's how it works and why it's built like that.

You don't want your ISP to know which website you're connecting to. So instead, you have to connect via some other remote computer. Your ISP will know that you are using Tor but they won't know which website you're browsing from your metadata and they won't be able to read your content because it's ciphered (encrypted).

If there were a single computer between you and the website you want to browse, that computer would know your context and would be able to associate your identity with the websites you want to access. So there need to be at least 2 remote computers between you and your destination website.

The third computer is a necessary extra layer of security. When you access a web page via Tor, the final computer connecting to your website will have knowledge of the data exchanged with the website. And you cannot know who is operating this final computer (aka "exit node"). Let's imagine that Tor used only 2 computers between you and the internet! If the exit node is controlled by the NSA, they will know the identity of the 1st computer and they can check with your ISP if your computer connected to that 1st computer. But when you add the 3rd layer, even if it is compromised by the NSA, they will not be able to establish a link between the 1st and 2nd computers and therefore they can't link the content back to you.

Final point: the group of 3 computers via which you connect to the internet will change every 10 minutes.
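The layering described above, as an added example (not code from the original post or from the Tor project): a toy Python model in which the relay names, the keys and the hash-based cipher are constructed for illustration and stand in for Tor's real key negotiation and cryptography. It records the only two addresses each of the 3 relays learns:

```python
import hashlib


def keystream_xor(key, data):
    """Toy cipher for illustration only (SHA-256 in counter mode); not Tor's real cryptography."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))  # same call encrypts and decrypts


def wrap(path, keys, destination, request):
    """Client side: encrypt for the exit first, then the middle, then the entry relay."""
    hops = path[1:] + [destination]           # where each relay must forward to
    blob = request
    for relay, next_hop in reversed(list(zip(path, hops))):
        blob = keystream_xor(keys[relay], next_hop.encode() + b"\n" + blob)
    return blob


def route(client, path, keys, onion):
    """Each relay removes one layer and records the only two addresses it learns."""
    seen, sender, blob = {}, client, onion
    for relay in path:
        next_hop, blob = keystream_xor(keys[relay], blob).split(b"\n", 1)
        seen[relay] = (sender, next_hop.decode())
        sender = relay
    return seen, blob


PATH = ["entry", "middle", "exit"]            # hypothetical relay names
# Constructed keys; in this model the client is assumed to share one key with each relay.
KEYS = {name: hashlib.sha256(name.encode()).digest() for name in PATH}

if __name__ == "__main__":
    onion = wrap(PATH, KEYS, "example.org", b"GET /")
    seen, delivered = route("you", PATH, KEYS, onion)
    for relay, (prev, nxt) in seen.items():
        print(f"{relay:6} sees traffic from {prev!r} going to {nxt!r}")
    print("exit forwards:", delivered)
```

No single relay in the output holds both "you" and the destination, while the exit relay does see the request itself, which is why the content still needs HTTPS.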

The people in charge of Tor propose 2 separate ways of using Tor: the simple way and the hard way. The simple way is called "Tor Browser Bundle" and you can find it on the download page of the Tor project website. It's a standalone program that can even run from a USB memory stick.

Late addition: Tor is efficient, as revealed by the following article from The Guardian.


Conclusion

If you come across technical articles about the NSA's internet eavesdropping, you should keep in mind the separation of content and context. It will be helpful for understanding how things work. And if you decide to use solutions like Tor, you must keep in mind that both context and content need to be secured since compromising one could compromise the other.

If you care about privacy, you may want to give Tor a try. Undoubtedly, Tor users are still a minority but as the network grows, it becomes safer and safer. Also, I have not discussed the reasons for using Tor and only mentioned concerns for privacy. Some people use it to circumvent the repression by their government (peace or human rights activists in authoritarian states). And some other people use it for hiding criminal activities. This is a complex discussion in and of itself so I won't cover it here.

I hope this was informative.

Creative Commons License
Erik Lallemand's blog by Erik Lallemand is licensed under
a Creative Commons Attribution 3.0 Unported License.