Types of Surveillance Technology Currently Used by Governments

Types of Surveillance
Technology Currently Used
by Governments and
Corporations
Jeffrey Aresty
President, Internetbar.org
www.internetbar.org
www.cyberspaceattorney.com
March 2006
Introduction

At present, users obtain various online
identities (“IDs”) from





E-mail
ISPs
URLs
IDs function on the Internet in anonymous
space—an online “ID” does not actually
identify the person connected with the ID
Anonymity facilitates theft, fraud, and abuse
Introduction



In contrast, in the works are efforts to create
a new layer of identity
Focusing on the user, the new system would
not require multiple online IDs, but would be
characterized by a single sign-on
The system, called an “open security,” would
be more secure and trustworthy, reducing
theft, fraud, and abuse
Introduction


In part because we do not yet have security
on line, governments and corporations can,
and do, breach privacy with technology
Intrusions fall into two categories



Cyberspace intrusions
Breaches of privacy in the physical world
Increasing capacity and tendency to use
technology to connect new and old
technologies for surveillance
Real-World Technologies that
Intrude on Privacy




Cameras
Eavesdropping
Face-Recognition and
other Biometrics
“No Fly” and Similar
Watch Lists




Odor Prints
Radiation Detection
Technology
RFID
Smart Video
Surveillance
Cameras

Cameras have been used for decades

by governments



to monitor traffic
to detect and prevent crime
by corporations


to surveil private businesses
to detect and prevent crime in retail establishments
Cameras

In Britain,
- more than four million closed-circuit (“CCTV”) cameras
- 1,800 cameras in railway stations; 6,000 in underground train network and buses
- CCTV tapes used in July 2005 London bombings investigation

In US,
- 5,000 cameras in New York City’s transportation systems
- US Border Patrol uses Remote Video System (“RVS”) along borders, costing over $64 million in FY2005

Worldwide, video surveillance software sales in 2004 were $147
million; expected to reach $642 million in 2009
Eavesdropping



US government has capacity and authority to
monitor e-mail, telephone, pager, wireless
phone, facsimile, computer, and other
electronic communications and
communication devices
Court order is required except in
emergencies and cases of national security
In 2003, 1,442 wiretaps requested, all
granted, intercepting over four million
conversations
Eavesdropping

National Security Agency (“NSA”) uses “Echelon”—
global electronic eavesdropping system




Picks up telephone, e-mail, Internet upload
Downloads communications transmitted by satellite,
microwave tower, cable
Information sifted by supercomputers for terrorism
information
Software-defined radio, a wireless technology, makes cell
phones and computers easier to bug and makes
intercepting device compatible with networks
Face-Recognition and other
Biometrics





Biometric devices scan, record, and recognize
- Irises
- Voices
- Facial bone structure
Improved picture quality technology enables face-recognition
software to inspect 1/400th of face—size of pores
Infrared technology piggybacked onto face-recognition software
enables three-dimensional “map” of face
Plans for US passports with face-recognition biometrics and
RFID chips
EU requires member states to have face biometrics in passports
in mid-2006
Face-Recognition and other
Biometrics



In 2003, biometric face-recognition software resulted
in over 40% false positives
$4.7 billion industry in 2009
Other biometrics:




below-skin fingerprints (capture swirling patterns of
capillaries)
palm scanners that read vein patterns
iris scanners
gait-recognition systems (measure torso’s silhouette and
movement of shoulders and legs to determine individual
signature strides)
“No Fly” and Similar Watch Lists




In 2005, 12 separate lists maintained by nine
US governmental agencies
Confusion and lack of leadership in
maintenance of lists; some lists outdated
“List bloat”—lists become unreasonably large
from incentive to add names, sloppiness
Innocent individuals’ names appear
“No Fly” and Similar Watch Lists



Access to the lists curtailed in the name of
security—nearly impossible to discover if and
why a name is on the list, much less have it
removed
Lists will connect with government-developed
“Secure Flight”
Related: British government pressing for
creation of comprehensive electronic
population register
Odor Prints

Odor-printing technology is based on premise
that each human being has distinct set of
odors that could serve as an identifier
Radiation Detection Technology

US Customs and Border Protection (“CBP”)
employs radiation-detection technologies at
official entry points, including



Highly sensitive personal radiation detectors
Radiation portal monitors
Hand-held radiation isotope identifiers
Radio Frequency Identification
(“RFID”)




Tiny computer chips use electromagnetic energy in
the form of radio waves to track things from a
distance
Nicknamed “spychips”
Can travel through clothing, backpacks, briefcases,
wallets, walls, and windows without obstruction,
misorientation, or detection
RFID chips read and retain biometric information,
such as fingerprints and photographs
Radio Frequency Identification
(“RFID”)

The RFID tag, in use in 2005, contains
Tiny silicon computer chip with unique ID number
Connected antenna
RFID tag is
Thumbnail size
Affixed to plastic surface
Paper thin
Can be embedded into clothing label, where
it is virtually undetectable
Radio Frequency Identification
(“RFID”)





“Passive” RFID tags do not have their own internal power
source, but communicate when a reader seeks a signal
from them
“Active” or self-powered RFID tags have a battery attached
and so can actively transmit information
RFID reader emits radio waves, seeking out RFID
tags
RFID easily integrates into existing database
systems
Electronic Product Code—every single object on
Earth will have its own unique ID number
Radio Frequency Identification
(“RFID”)

By 2005 embedded in some











Worker uniforms
Employee and student ID badges
Toll transponders
Animals (pets and livestock)
Warehouse crates and pallets
Gasoline cards
Consumer products such as diapers and shampoo
Library books
Toll collection systems such as EZ-Pass
Keyless remote systems for cars
Keyless remote systems for garage door openers
Radio Frequency Identification
(“RFID”)

Predicted to be embedded soon in










Clothing
Passports
ATM cards
Vehicles
US postage stamps
Paintings
Beads
Nails
Wires
Cash
Radio Frequency Identification
(“RFID”)

“VeriChip”—glass capsule containing RFID device to be injected into human flesh for ID and payment purposes
- 60 persons in US had VeriChips at end of 2005
- Also, injected into deceased victims of Hurricane Katrina

RFID is predicted to be used by
- Retailers to price products according to customer’s purchase history and value to store
- Pharmaceutical manufacturers on prescription medications
- Banks to identify and profile customers who enter premises
- Governments to




electronically frisk citizens at invisible checkpoints
track citizens in airports and border-crossing points
track mail sent from point to point through embedded postage stamps
track library materials
Smart Video Surveillance


Video surveillance combined with behavior-recognition software
Uses computer to



“Learn” what “normal” behavior is
Identify unusual activity, such as shifting in one’s
seat on a bus
Work in conjunction with other technology such as
facial-recognition systems
Privacy Intrusions in
Cyberspace








Clickstream Data Analysis
Cookies
Man-in-the-Middle Attacks
Pharming
Phishing
Spyware
Voice Over Internet Protocols (VoIPs)
Web Bugs
Clickstream Data Analysis

Logs of transactions recently performed on Internet
computers, such as







Addresses of computers that have made requests
Date and time
How computer’s services were used
Which page was visited prior to entrance into Website
How Website was exited
Internet logs also called “Clickstreams”
Can be used to prepare statistics about paths taken
and not taken by Internet users
Cookies


Small file placed and stored on user’s computer by
remote computer
Used to track information about how user moved
about Website





Which choices made
Which links clicked
User visits same Website again and cookie, now
written onto user’s computer, provides information
about user’s last visit
Cookies can be used to build user profiles
Internet sites share cookie information with others
Man-in-the-Middle Attacks

Computer security breach in which hacker
intercepts, reads, and alters data traveling
along network between two Websites

Also called “TCP hijacking”
Pharming





Hacker’s redirection of Internet traffic from
one Website to another
Second Website appears identical to
legitimate site
User is tricked into entering user name and
password into fake site
“DNS poisoning” or “DNS cache poisoning”
used to reroute user
Domain name system’s servers corrupted
Phishing


Internet user receives e-mail appearing to be legitimate
and from reputable company, asking user to reply with
updated credit card information
Clicking on link sends user to fake Website, where user
provides

Credit card information
Date of birth
Address
Site password

Social Security number





Also called “brand spoofing”
“Puddle phishing” is phishing specifically targeting a
small company, such as community bank
Spyware

Software that sends data about user when
computer is connected to the Internet
Voice Over Internet Protocols
(VoIPs)

Method for speaking through computer by
phone or microphone




Analog voice signal converts to digital format
Broadband networks transmit calls in Internet
Protocol (“IP”) packets
Also called Internet telephony
VoIP vulnerable to eavesdropping

A free Internet program captures and converts
transmissions to audio files
Voice Over Internet Protocols
(VoIPs)



Is VoIP a communications service or
information service?
In 2005, FCC adopted rules requiring VoIP
providers to allow law enforcement to tap into
Internet phone calls
FBI has authority and ability to conduct
surveillance of broadband users pursuant to
court order
Web Bugs



Tiny, invisible image or graphic embedded into
HTML-formatted Website or e-mail message to track
users’ activities
Web bugs present as HTML IMG tags
Provide Website owner with information about hits,
including





IP address of user’s computer
Type of browser used
Time of the hit
Previously set cookies
Also called “HTML bugs” or “clear GIFs”
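
A defender-side check for the web bugs described above, as an added example that is not part of the original presentation: it scans an HTML page or e-mail body for remote IMG tags that render as 1x1 or hidden, and lists the query parameter names each one would send. The sample HTML, the host names and the `find_web_bugs` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs
import re

# Constructed sample: an HTML e-mail body with one visible logo and two web bugs.
SAMPLE_HTML = """
<html><body>
<img src="https://news.example.com/logo.png" width="120" height="40" alt="logo">
<img src="https://track.example.net/o.gif?uid=12345&amp;c=spring" width="1" height="1">
<img src="http://stats.example.org/p.gif" style="display:none">
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "", re.I)
    return bool(m) and int(m.group(1)) <= 1

class WebBugFinder(HTMLParser):
    """Collects remote <img> tags that render as invisible or 1x1."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # cid:/data:/relative images make no third-party request
        tiny = _tiny(a.get("width")) and _tiny(a.get("height"))
        hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
        if tiny or hidden:
            self.findings.append({"host": url.hostname,
                                  "reason": "1x1" if tiny else "hidden",
                                  "params": sorted(parse_qs(url.query))})  # names that may carry a user ID

def find_web_bugs(html):
    finder = WebBugFinder()
    finder.feed(html)
    return finder.findings

if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE_HTML):
        print(finding)
```

Each finding names the host that would learn the reader's IP address, browser type, time of the hit and previously set cookies when the image is fetched.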
Connectors of Information












Automated Targeting System
Automatic Number Plate Recognition System
CALEA Petition for Rulemaking
Data Mining
ID Cards
Integrated Automated Fingerprint Identification System
Multistate Anti-Terrorism Information Exchange
“Secure Flight” and other Targeting Systems
Sharing/Databases
Terrorist Screening Database of the Terrorist Screening Center
Total Information Awareness
US-VISIT
Automated Targeting System
(“ATS”)


US Customs and Border Protection
technology collects and analyzes cargo
shipping data
Distinguishes and identifies high-risk
shipments
Automatic Number Plate
Recognition System (“ANPR”)





Britain’s national database
Each camera on a pole or in police van is
supported by a computer
Allows for automatic tracking
Information obtained by camera immediately
cross-referenced with database
In 2006, information could be stored for two
years; projected to be able to store for five
years
CALEA Petition for Rulemaking

In August 2005, FCC ruled that Internet
broadband access providers and certain VoIP
service providers must design networks to be
wiretap-friendly pursuant to Communications
Assistance for Law Enforcement Act (CALEA)
of 1994
Data Mining


Computer systems that search numerous
databases for correlations between data
Currently used by corporations to determine
consumer preferences
ID Cards


Biometric ID cards to be issued starting in 2008 to voluntary
participants in Britain would become compulsory in 2013
Cards contain
- Name
- Gender
- Date and place of birth
- Current and previous addresses
- Immigration status
- Chip containing



Digital photo
Fingerprints
Iris scans
Integrated Automated Fingerprint
Identification System (“IAFIS”)

System electronically compares live-scanned
fingerprint with database of previously
captured fingerprints
Multistate Anti-Terrorism Information
Exchange (“MATRIX”)


Integration of factual, disparate data from existing sources to Web-enabled storage systems to identify and combat criminal activity
Includes
- Aircraft and other property ownership records
- Bankruptcy filings
- Corporate filings
- Criminal history records
- Digital photographs
- Driver’s and pilot’s licenses
- State professional licenses
- State sexual offenders lists
- Terrorism watch lists
- UCC filings
- Vehicle registrations
“Secure Flight” and other
Targeting Systems

Secure Flight passenger-screening program





Computer-assisted passenger screening system that
searches databases, matches passenger against FBI
consolidated watch list, and rates passenger with a “threat
level” in red, yellow, or green
Based on tagging, passengers could be scrutinized,
interrogated, or detained
Might incorporate behavioral profiling
Goal is to link in real time to video images—automatic link
between video of terrorist suspect and watch list
Not yet approved in mid-2005
“Secure Flight” and other
Targeting Systems


Border Patrol Targeting Systems Enhancement
- Over $20 million budgeted in US Department of Homeland Security in 2005
- Seeks to develop and refine automated target recognition systems using latest sensor technology
Semantic Information Fusion
- Seeks to correlate disparate data about human targets, including





Location
Identity
Behavior
Creates composite description of a particular situation
Uses linguistic information and physics-based models of access,
mobility, and visibility to reconstruct past and infer current events
Sharing/Databases


Governments increasingly share citizens’
personal information with each other and with
the private sector
“Data . . . are tributaries flowing into one giant
river of databases.” Lee Tien, Electronic
Frontier Foundation (Aug. 8, 2005)
Terrorist Screening Database (“TSDB”) of the
Terrorist Screening Center (“TSC”)




Aggregates numerous government watch-lists
In 2005, TSDB had over 200,000 names, ranging
from known terrorists to persons suspected of
having some ties to terrorism
Each name receives one of 28 codes, describing
person’s connection to terrorism
Names are categorized according to the actions
users should take when encountering someone on
list
Total Information Awareness
(“TIA”)


Computer surveillance system proposed by
Department of Defense
Would have used data mining and networking
to connect sources of information including




Credit card purchases
Bank transactions
E-mail
Shut down by Congress in 2003
US-VISIT


Project of US Department of Homeland
Security to develop biometric-enabled system
for collecting, maintaining, and exchanging
information on foreign nationals
$340 million budgeted for FY2005
Conclusion

Government and corporations are using
many technologies for surveillance, invading
privacy in cyberspace and in the real world

Do citizens and consumers care?
What can we do to protect our privacy and to
manage our digital identities and digital
reputations?

For more information

Contact Jeffrey Aresty, President,
Internetbar.org,
[email protected]

Articles on privacy-invading technologies and
public attitudes toward privacy invasions are
available now
Article on digital identity will be available soon
