Welcome to the SecAware blog

I spy with my beady eye ...

12 Mar 2020

NBlog March 12 - reflecting on privacy

Anyone who read Orwell's masterpiece or saw the film "1984" appreciates the threat of mass surveillance by the state a.k.a. Big Brother. Anyone who has followed Ed Snowden's revelations knows that mass surveillance is no longer fanciful fiction. There are clearly privacy impacts from surveillance with implications for personal freedoms, assurance and compliance. At the same time, surveillance offers significant social benefits too: in other words, there are pros and cons which vary with one's perspective. Big Brother sees overwhelming benefits from mass surveillance and has the power, capability and (these days) the technology to conduct both overt and covert mass or targeted surveillance more or less at will.

The same thing applies to other forms of surveillance and other contexts: many of us gleefully carry surveillance devices with us wherever we go, continuously transmitting information about our activities, conversations, locations, contacts and more. We may call them 'smartphones' but is that really a smart thing to do? Drug dealers and other criminals appreciate the value of burner phones, essentially buying a modicum of privacy. What about the rest of us? Are we wise to rely on the technologies, the phone companies and the authorities not to invade our privacy? 

Some of us are introducing IoT things into our homes, seduced by the convenience of being able to tell our smart TV to order a pizza without even getting up from the sofa. Evidently people either don't even consider the privacy implications, or accept them presumably on the basis that they own and chose to introduce the surveillance devices, and could just as easily stop and remove them (fine in theory, doesn't happen in practice).

Then there are the surveillance devices we use to monitor, track or snoop on various others: baby monitors, nanny-cams, commercial and home CCTV systems, webcams, dashcams, audio bugs, covert cameras, spyware, keyloggers and more. Surveillance tech is big business: retail, commercial and governmental/military.

Need to know where a recent arrival from China has been? Simply collect the surveillance jigsaw pieces into a credible sequence and despatch the hazmat teams.

Overt surveillance in the form of obvious CCTV camera installations is just the tip of the iceberg. Covert cams and bugs are already snooping on us in changing rooms, toilets, video-conference facilities, courts and more. Essentially any areas where the general public have access at some point are highly vulnerable - cabs and public transport (including Ubers and hire cars, plus used cars and commercial fleets), hotels, guest houses/rooms (including AirBnB), meeting rooms, lobbies/reception areas, waiting rooms (and GP surgeries plus A&E), cafes and restaurants, gyms and other leisure/sports facilities, beaches, pools and more. Google's Street View demonstrated the awesome capability to capture, process and publish 360-degree photography from a global fleet of spy-cars, while military and private drones, news and police helicopters, surveillance satellites and spy-planes fly eyes in the skies. There are myriad opportunities to install and monitor electronic surveillance devices, all the way back up the supply chain to the silicon. Aside from burglars and spies, owners, workers, maintenance people, security guards, cleaners, visitors and opportunists can access and optionally bug supposedly private areas too, and geo-tagging vehicles, people, clothing and goods (not just IT devices) is already happening.

Online services, cloud, networks and comms generally are all vulnerable to traffic analysis and metadata if not content snooping, despite encryption, while social media disclosures (such as this very blog) flow forth like the Amazon in flood. 

We haven't - yet - seen the same obvious meteoric rise of counter-surveillance but I presume that will follow once the personal implications of ubiquitous surveillance become clearer to the average person, or indeed the average business person and information security pro. It's already home turf for the spooks of course.

And then there are counter-counter-surveillance techniques, for example carefully placing crude bugs that are designed to be found and removed relatively easily from the boardroom, leaving the more sophisticated ones undetected and operational (at some point - network triggering is trivial these days). Deliberate misinformation or deception is another one (fake news), plus obfuscation or 'hiding in plain sight'.

Blending in with the crowd is not so easy as surveillance capabilities become more widespread and, well, capable, including facilities for storing, organising and searching for items of interest among the big data. So another possible response is to let it all hang out - being deliberately open, living life as if there is no privacy (cue Carly Simon's "We have no secrets") ... a ploy favoured equally by those who do have something to hide. That's why politicians refer to 'public policy': it's not just about policy matters that affect the general public, it's also about the things they are prepared to reveal or claim openly, as opposed to ...

Looking back over what I've just written, I'm struck by the distinctly sinister, underhand, duplicitous undercurrent. Maybe that's just a consequence of my professional infosec background and paranoia, but what do you think? Do you yearn for privacy lost? Do the hacker group Anonymous have a good point? Is "oversight" an ironic term for a broken control? Is Snowden hero or traitor? Does GDPR even matter, in the grand scheme of things? Or is this all blah - move along, nothing to see here?
