Sunday, June 16, 2013

PRISM explained

For the past 10 days, 2 subjects have been covered by all newspapers in the world:

  • Nelson Mandela's hospitalization (again)
  • NSA's secret spying program: PRISM

Wishing all the best to Mandela, I'll however focus on PRISM. This secret program has been revealed to the public through 2 newspapers (the Guardian and the Washington Post) by ex-NSA-contractor Edward Snowden, as he thought (quite rightfully so) that the Constitution of the USA and its provisions (1st, 4th and 5th amendments) was more important than a few people in high places being able to spy on everybody's private life.

Also, before continuing, it is important to avoid confusion: Snowden revealed 2 secrets. One of them is PRISM, which I'll get to in a minute. The other one is the collection of all phone calls' metadata from all phone operators in the USA by NSA. Metadata = caller name, caller location (if possible), time of call, call duration, SIM card id number (IMSI), call receiver's name and phone number and location, etc. This Metadata scandal deserves, IMHO, more attention than PRISM from the point of view of Americans but since I'm not an American, I'll focus on PRISM. So the 2 scandals must not be confused with each other.

PRISM consists in the NSA installing servers within the premises and datacenters of Google, Microsoft, Yahoo, Facebook, Apple... all those American companies that host plenty of data on plenty of people. The reason to have their servers directly within the premises of those IT giants is to facilitate the transfer of data from the official servers to the NSA server. It's easier for a transfer of massive amounts of data, and it's also safer since nobody else can intercept the data between Facebook and the NSA's machine.

When it comes to laws and security agencies, the USA makes a big difference between American citizens and all the other people in the world. That's why it's ok for the USA to murder 100,000 civilians in Iraq (women, children...) even after it's been revealed that Iraq had nothing to do with Al-Qaeda, but it's not OK to kill 1 single American. Same concept goes with PRISM: it's not OK to spy on a single American without a warrant, but it's open-bar for grabbing the emails, web searches, private Facebook conversations (even the data you thought you had deleted from Facebook which Facebook only hides but does not really delete), and absolutely everything. Everything should also include the web pages you visited which include those Facebook/Twitter buttons allowing you to "share" the information, even if you didn't click those buttons... because having these buttons included in a page implies that the website communicates with Facebook (which you did not log out from) and knows your FB account and tells FB where you've been. So yeah... FB knows those raunchy websites you've visited but don't worry! They won't tell anyone... but the NSA.

At this point, usual people start thinking about 2 things:
  • If you've done nothing wrong, you have nothing to hide.
  • That's a lot of data. They can't possibly go through so much stuff

The first point is a common mistake and is even a pretty nasty and dangerous remark, when you get to the bottom of this vast and complicated subject. I'll treat it in a later article, but the common retort to that is: if you have nothing to hide, why don't you walk naked in the street? Or would you be OK if the government installs video cameras in all the rooms of your house, which will be active 24/7? I'll leave this at that for now.

The question of the amount of data has several answers. The first thing is that if it's correct that they can't process fully so much data, all the data is kept on hard drives anyway and it's never going to be deleted. If they don't have enough computing power today, they might have enough in 10 years and then all the data will be fed to the new computer again in 10 years. For people who are familiar with history and World War 2, the same method was used 70 years ago with secret messages. Before Alan Turing (from UK) cracked the encryption code of the Germans, a lot of secret messages were recorded but could not be decoded. After the code was cracked, the allies of UK decoded these previous messages that had been archived.

Also, even though it's a lot of data, some tools are developed which are intended to process such Big Data. For instance, Palantir can analyze your messages and your likes to establish the type of relation you have with your FB friends. It can even guess whether you are straight or gay, whether you are attracted to one of your FB friends, it can figure out your real age (in case you did not give FB the true information), your political affiliations, build a psychological portrait of you in more ways than even you know about yourself... Sounds like science-fiction? Well, it's not. But that's not today's topic.

So OK... PRISM can know that Harry loves Sally from their FB likes and that Hannibal Lecter's emails reveal an unhealthy personality... what's the big deal? First of all, the revelation of this program makes it officially known to the public. There was a strong presumption of its existence in the past, but since it was not proven, it was impossible for people to sue for the violation of their rights. Some rights are granted by the constitution of the USA even to non-citizens who are present on American ground. Also some provisions of the Declaration of Human Being Rights were probably disregarded. But as long as it was not official, the judges always replied that if something was secret, there was no possible way to sue.

Also, an important point is the active cooperation of these IT giants. You might think that they have to comply with whatever the government or the NSA demands... that's wrong. The law (a secret court order, mind you!) only says they have to provide some data. But they didn't have to let the NSA copy the data wholesale from everybody in the world. This must be interpreted as a strong and official signal that these companies don't like you and that given the opportunity, they choose to betray you. Also, considering past exploits from the NSA with Echelon, it is likely that employees of big foreign companies have their correspondance specially analyzed in order to provide services of industrial espionage to the Chamber of Commerce who will relay the information to the American companies competing on the same sector. In the past, such practices allowed the NSA to know the secret dealings between Airbus and a foreign airline and then gain the market for Boeing. And on and on in other sectors.


 - Hopefully this clarified the subject if you had read about it in some newspaper
 - PRISM is meaningful but it is only a tiny part of NSA's programs
 - What will happen to Edward Snowden is unknown. USA will certainly attempt to kidnap him and if they succeed, he's in for some serious trouble like Julian Assange and Bradley Manning (who has been submitted to psychological torture during a very long time). At the same time, China will probably propose Snowden money and protection against a handful of more secrets.
 - If you work for an important company which has American competitors, you should be extra careful not to mention any work-related subject on any of the communication media provided by these American companies. Even worse would be to host your professional documents on Gdrive, Skydrive, Google Docs, or Microsoft Office 365.
 - What other options do you have? These other options are well known. The problem is: these other options certainly lack some of the refinements and some of the comforts of the most popular tools developed by the IT giants. Can you, will you, give up some comfort in order to stand up to gross abuses and violations of democracy? Most people that I know will not give up any comfort. Resistance is painful.

No comments:

Post a Comment

Creative Commons License
Erik Lallemand's blog by Erik Lallemand is licensed under
a Creative Commons Attribution 3.0 Unported License.