A friend of a friend asked:
Can anyone recommend credible, well-sourced books that go into real detail about what the security services are able to do, surveillance-wise? Reading that they have the ability to turn a mobile phone into a remote microphone without it being switched on seemed far-fetched, but I really want to know more – it’s so easy to cross over into “conspiracy theory” type stuff, but the Snowden revelations recently make me think the whole damned lot might be true.
It’s a short question with few clear answers and a lot of conjecture. So here’s an attempt, based on what I’ve seen, read and inferred, which has nothing to do with anything my day job may say in a formal statement. The very short answer is “no”, we don’t yet know. Understanding what we have now, and all its implications, will take a year or so: this will take time. But that’s not helpful for now.
In terms of books, GCHQ by Richard Aldrich and Classified by Christopher Moran are both good for the UK, but can only look backwards. For more contemporary writing (both books are a couple of years old now), see the pages of the Guardian, or this more historical piece by Adam Curtis. However, that’s not the answer that was being looked for. There isn’t a good answer, but there are some questions that can be looked at in different ways to get closer.
For that, we must distinguish between three similar things.
- What are “they” legally able to do?
- What are “they” technically able to do?
- What are “they” in practice able to do?
All three are different constraints, and have different levels of clarity.
An officer of the state may be legally and technically able to watch me typing this sentence, or you reading it (it’s not even over SSL), but in practice they are unlikely to physically do either of those things. It has been believed for many years that GCHQ has the legal and technical ability to tap any cable running out of the UK, and in theory that would scale to all of them. One of Snowden’s big revelations is that they are, in fact, tapping all of them, constantly, legally, in practice, and using that information in various ways. So they know that you loaded the page, and also how long you had it open for (via Google Analytics phoning home).
That fact makes the above three questions radically different in practice.
Similarly, it has been believed that some cryptographic protocols could be broken in theory, but that now appears to be happening, en masse. So while your connection to your bank, or your share trading house, or your doctor, may be secure from most attackers, the largest governments can break it. As an aside on that note, for obvious reasons, US privacy law considers the URLs of medical websites given to you by your doctor to be medically sensitive information (but the UK does not).
There are a number of questions about legalities currently, mostly focussed on the NSA. Where there was a legal barrier to the NSA doing mass surveillance of Americans, every relevant part of the law was redefined to make it a meaningless safeguard in practice: one that sounds good in statements but doesn’t stop anything. Some concerns come from the “secret interpretation of the PATRIOT Act”, where the legislation was read one way by the public, but there was a classified interpretation of various words which meant that it was used in ways that were far from obvious. That’s long been hinted at, but it is now known. The difference between a visionary and a lunatic with a tin foil hat is only a few fragments of confirmation (quote book).
The US may take pride in the fact that “we are a nation of laws, not of men” – John Adams. The UK, however, is something slightly different.
The one thing that has come out of all this is that the NSA has gone to very great lengths to not get caught. Large operations are becoming harder to hide, and then there is public opinion, especially of an organisation that demands loyalty but offers none: millennials, Snowden, Manning.
In practice, the traditional view is that “the moral arc of the universe may be long, but it bends towards justice”. When those travelling the path are GPS-tagged and their emails all get snooped, the route followed looks much more like a drunken walk. But that doesn’t mean you don’t make it in the end.
There is lots more that could be said on this topic, but the main requirement now is to start walking.
Does your email provider use TLS for email transmission? If you don’t know, ask them. Also ask the big sites you use to contact your politicians. Does 38degrees? They use Blue State Digital. Does Blue State Digital? (No.) Does ORG? They use Engaging Networks (who don’t either). It may not be perfect, but it’s better than nothing. And political campaigns are where this starts.
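Asking is one route; you can also check for yourself. The script below is an added example and not part of the original post: it shows two ways to tell whether a mail hop used TLS. The first reads the reply a server sends to the SMTP EHLO command and reports whether it advertises the STARTTLS extension (RFC 3207). The second walks the Received: headers of a message you have already been sent, oldest hop first, and reports whether each receiving server recorded a TLS session (the ESMTPS / ESMTPSA keywords from RFC 3848, or an explicit TLS version string as Postfix, Exim and Gmail write one). The EHLO reply, the message headers and all host names in it are constructed for the example; the live check at the end uses the standard library's smtplib and needs network access, so it is not exercised here.

```python
import re
import smtplib

# Constructed EHLO reply from a server that advertises STARTTLS.
SAMPLE_EHLO = (
    "250-mx.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)

# Constructed message headers: three hops. The first and last hops were
# received over TLS (ESMTPS / ESMTPSA); the middle relay accepted the
# message in the clear ("with ESMTP", no TLS clause).
SAMPLE_HEADERS = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbound.example.net with ESMTPS id abc123
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
\tMon, 1 Jul 2013 10:00:03 +0000
Received: from relay.campaign-tool.example (relay.campaign-tool.example [198.51.100.7])
\tby mx.example.org with ESMTP id def456;
\tMon, 1 Jul 2013 10:00:02 +0000
Received: from [10.0.0.5] (unknown [203.0.113.9])
\tby relay.campaign-tool.example with ESMTPSA id ghi789;
\tMon, 1 Jul 2013 10:00:01 +0000
From: alice@example.org
To: bob@example.net
Subject: test

body
"""

# "with ESMTPS"/"ESMTPSA"/"UTF8SMTPS" (RFC 3848), or an explicit TLS version
# as written by Postfix ("using TLSv1.2"), Gmail ("version=TLS1_2") or Exim ("(TLS1.2:").
_TLS_RE = re.compile(
    r"\bwith\s+(?:UTF8)?E?SMTPSA?\b|version=TLS|using\s+TLS|\bTLSv?1",
    re.IGNORECASE,
)


def ehlo_advertises_starttls(ehlo_reply):
    """True if any 250 line of the EHLO reply carries the STARTTLS keyword."""
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[ -](\S+)", line.strip())
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False


def unfold_headers(raw):
    """Return (name, value) pairs from the header block, joining folded lines."""
    header_block = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    fields = []
    for line in header_block.split("\n"):
        if not line:
            continue
        if line[0] in " \t" and fields:  # continuation of the previous field
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields


def tls_per_hop(raw_headers):
    """One dict per Received: header, oldest hop first: which host received it and whether over TLS."""
    hops = []
    for name, value in unfold_headers(raw_headers):
        if name != "received":
            continue
        by = re.search(r"\bby\s+(\S+)", value)
        hops.append({"by": by.group(1) if by else "?", "tls": bool(_TLS_RE.search(value))})
    hops.reverse()  # headers are prepended, so the bottom one is the first hop
    return hops


def all_hops_tls(raw_headers):
    """True only if every recorded hop was received over TLS."""
    hops = tls_per_hop(raw_headers)
    return bool(hops) and all(h["tls"] for h in hops)


def live_starttls_check(host, port=25, timeout=10):
    """Network check (not run offline): connect, EHLO, and ask if STARTTLS is offered."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        return conn.has_extn("starttls")


if __name__ == "__main__":
    print("EHLO offers STARTTLS:", ehlo_advertises_starttls(SAMPLE_EHLO))
    for hop in tls_per_hop(SAMPLE_HEADERS):
        print(f"received by {hop['by']:<30} TLS: {hop['tls']}")
    print("every hop protected:", all_hops_tls(SAMPLE_HEADERS))
```

The per-hop view is the useful part: a message can arrive at your mailbox over TLS and still have crossed a campaign tool's relay in the clear, which is exactly the gap the question above is asking about. Received: headers are written by the receiving server, so an honest, well-configured receiver records the TLS clause; a hop that shows none was either plaintext or run by software that does not log it.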