

NSA Storing Internet Data, Social Networking Data, on Pretty Much Everybody - frrp
https://www.schneier.com/blog/archives/2013/10/nsa_storing_int.html

======
czr80
The NSA probably is building profiles on many people. But so are Google,
Facebook, etc. The real problem is not the NSA (well, not just the NSA) - it's
the inherent design of the internet. We're trying to live private lives on
public networks, and we're going to have to go through some serious growing
pains before that is resolved.

~~~
Zigurd
Facebook might be just as black-hearted about your privacy, but thankfully
they don't have the heads of the IRS or DEA on speed dial.

------
ktr100
So this government shutdown seems to have no effect on the NSA.

[http://www.huffingtonpost.com/norman-solomon/the-nsa-
deserve...](http://www.huffingtonpost.com/norman-solomon/the-nsa-deserves-a-
perman_b_4017195.html)

~~~
mapt
Did it?

[http://www.northeastern.edu/research/raf/files/NSA-Govt-
Shut...](http://www.northeastern.edu/research/raf/files/NSA-Govt-Shutdown.pdf)

~~~
brokenparser
Is there a mirror for this?

------
simgidacav
Anybody looked at [http://www.dailydot.com/politics/flowchart-avoid-nsa-
online/](http://www.dailydot.com/politics/flowchart-avoid-nsa-online/) (linked
by Schneier in the blog post)?

Isn't that a little drastic? The fact that my 4096-bit-gpg-encrypted mail has
been stored by them doesn't mean my communication is pwned: the idea with
strong encryption is exactly you cannot trust the transmission channel! And
besides it doesn't take in account OTR for chat.

~~~
jackgavigan
> The fact that my 4096-bit-gpg-encrypted mail has been stored by them doesn't
> mean my communication is pwned...

Maybe not today. Maybe not tomorrow. However, if they ever manage to get hold
of your secret key (or crack the encryption scheme you're using), they'll be
able to decrypt and read all your old email.

How safe is your secret key? Is it on a computer than you connect to the
Internet with? How do you know it hasn't already been purloined by malware?
Have you ever left it alone at home or in a hotel room? Or carried it through
an international border?

As for GPG, how do you know the NSA haven't been multiplying every single
number together with every other single number for the past forty years to
build a gigantic rainbow table that they just have to grep through to find the
factors of any number?

    
    
      $ grep 4294967296 products.txt | head -20
      65536 x 65536 = 4294967296
      131072 x 32768 = 4294967296
      262144 x 16384 = 4294967296
      524288 x 8192 = 4294967296
      1048576 x 4096 = 4294967296
      2097152 x 2048 = 4294967296
      4194304 x 1024 = 4294967296
      8388608 x 512 = 4294967296
      16777216 x 256 = 4294967296
      33554432 x 128 = 4294967296
      67108864 x 64 = 4294967296
      134217728 x 32 = 4294967296
      268435456 x 16 = 4294967296
      536870912 x 8 = 4294967296
      1073741824 x 4 = 4294967296
      2147483648 x 2 = 4294967296
      4294967296 x 2 = 8589934592
      4294967296 x 3 = 12884901888
      4294967296 x 4 = 17179869184
      4294967296 x 5 = 21474836480
      $
    

Are you paranoid yet? ;-)

PS: Yes, yes, I know... _sigh_

------
samstave
Alexander must be indicted immediately for anyone to regain ANY trust in the
NSA.

Alexander is a criminal, however, so is Holder, Pelosi, Cheney, Bush, Powell,
Obama, etc etc etc etc....

------
samstave
The idea of Total Informational Awareness has been shouted about for ___years_
__. there is only __ _ONE_ __next step: stand up against the NSA in entirety.
We must make a move that is truly going to force reform.

~~~
nwzpaperman
If people believed the NSA was running the free porn sites, there would be
mutiny fo sho!

Edit - No one cares until they're hit where it hurts.

~~~
samstave
[http://www.scribd.com/doc/116008498/Cover-
up-5200-Pentagon-P...](http://www.scribd.com/doc/116008498/Cover-
up-5200-Pentagon-Pedophiles-Caught-Downloading-Kiddie-Porn)

------
return0
So, where is it stored?

------
hrasyid
Thanks, captain!

------
nwzpaperman
Some people owe me up-votes for all those down-votes they gave me six+ months
ago when I stated one must assume a zero privacy environment when engaging
technology today.

I'm just happy I knew what the Internet was like before mosaic and the www
emerged. It seems so quaint now.

Edit - How long until people ditch their Black Amex cards and go back to cash
for some privacy restored? A short decade ago it wasn't so uncommon to carry a
few bucks. How many people really want banks and the government knowing all of
their consumption habits in addition to the timing of their consumption?

All in the name of fraud prevention! Just carry a few bucks and no worries
again!

~~~
dlinder
Data Mining Guy won't put hamburgers on his CC, says insurance companies will
eventually retaliate:
[http://www.economist.com/node/21556263](http://www.economist.com/node/21556263)

~~~
CoreDumpling
Can't we turn the tables on them if we know what's going on?

1) Take out life insurance policy.

2) Pay with credit card at McDonald's and the bar.

3) Get a bunch of speeding tickets.

4) Sell policy to a data mining firm that hopes I die soon.

5) Profit!

------
jonnybgood
> We have to assume that the NSA has everyone who uses electronic
> communications under constant surveillance.

We don't have to assume anything except that which is provided by evidence. If
you have the evidence, then allow it to present itself. Assumption leads to
conspiracy theory and inaccurate information. I really don't think that's what
this cause really needs.

Is it just me or does Bruce Schneier's posts read more like propaganda than
journalism? It's pretty awful and I'm surprised HN is eating it up. He tip
toes on fear mongering through exaggeration, e.g. in OP getting people more
hyped up and fearful of the NSA because they're tracking EVERYONE... except,
it's only an assumption. Calls to action should not be based on assumptions.

~~~
hackinthebochs
Oh brother, its as if some people have learned nothing from the last 6 months
(or are actively shilling... apparently you only comment on NSA stories).

When it comes to your personal privacy and security, you must assume that
anything that is reasonably possible is being carried out by your adversaries.
The recent leaks prove that the NSA will do absolutely anything within its
power to further its goal of total information awareness.

All of the NSA revelations could have been predicted (and were predicted) by
anyone with some technological skill and a little bit of foresight. If you
wait until proof is presented to you, _you have already lost; your privacy and
security have already been compromised_. The game is to think ahead and
protect yourself from all possible current and future attacks. There are some
people who's very freedom depends on such foresight.

~~~
csandreasen
In another context jonnybgood might instead be called a "skeptic" or perhaps
even "capable of applying critical thinking skills" rather than dismissed as a
"shill". Instead of mocking him for not paying attention over the last 6
months, you should go back and examine all of the leaked documents. You'll
note that they speak quite a bit to the capabilities of the NSA, but don't
reveal much about who they're targeting, why and what the ultimate goal of
targeting would be. If you disagree, I challenge you to actual provide a
leaked document that shows the NSA is specifically targeting ordinary citizens
like the GP was calling for, rather than a secondary article from Greenwald,
Schneier, etc., that makes broad assertions that because a spying agency with
collecting foreign intelligence has the technical capability to conduct the
most invasive possible infractions on the privacy of people it is not charged
with collecting against, they must indeed be doing so. Your armed local police
force has the technical capability of detaining citizens indiscriminately
without regard to whether or not they violated the law, then summarily
executing them without trial. That doesn't mean that's their job.

~~~
hackinthebochs
In another context skepticism would be warranted. This isn't such a context.
The very nature of the problem of securing one's privacy demands the type of
anticipatory thinking I describe. Skepticism that johnnybgood is advocating is
a losing strategy from the start.

~~~
csandreasen
I agree - securing one's privacy is an incredibly important problem. That
said, none of the leaks show any technology that wasn't publicly known
beforehand (e.g.: packet sniffing, man-in-the-middle attacks, stored personal
records obtained from internet/telecommunications companies, etc.). The fact
that these are used on a much larger scale might be surprising to some, but
not novel. We've known for a long time that large, well-funded intelligence
organizations operate on a much larger scale than any lone or small group of
hackers could. If you worry about your privacy on the internet, the solutions
to these problems were known beforehand (e.g.: encrypt your traffic,
authenticate those you communicate with, limit personal data stored in the
cloud, etc.).

Claiming that the NSA is an active threat to the privacy of Americans without
the evidence to back it up is counter-productive. Schneier himself has written
quite a bit about the importance of properly identifying your threats in the
process of establishing good security. I guarantee that spokeo.com and similar
sites have more dossiers on Americans that the NSA does, and I'd be willing to
bet that information from those sites have been used more frequently for
nefarious purposes against ordinary citizens. The NSA has the capability to
target you - this leads to overblown articles making the leap from "the NSA
collects massive amounts of metadata" to "the NSA collects massive amounts of
American's metadata", incendiary discussion forums calling for the immediate
shutdown of the NSA, imprisonment of top NSA officials, fear mongering about
the NSA brought up in situations that have nothing to do surveillance, etc.
What they don't have is the motive (seeing as how they're an agency charged
with the gathering of foreign intelligence) or legal authority to spy on
Americans. The evidence stating that they are actively spying on Americans
just isn't there. Until credible evidence shows that NSA is invading the
privacy of ordinary people, I'm going to worry about the credible threats.

It creeps me out that I can Google my name and find 6 different websites
willing to sell me my current and previous addresses, e-mail address, phone
numbers, names of family members, etc. that they harvested from public
records; it bothers me that anyone with a Pineapple device can trick my cell
phone into connecting to actively hostile network if I forget to turn off the
Wifi; it bothers me that I can turn on Collusion in Firefox and see that my
browsing activity is reported to 40 different companies across every web page
I surf to unless I turn off Javascript and frequently delete all of my
cookies; it scares me that I get spam e-mail sent from the compromised
accounts of people I know personally that tries to redirect me to malicious
web sites; two years ago someone got my debit card number and pulled a little
over $2000 out of a bank in Shenzhen - I worry about the security of sites I
purchase from over the internet, which ATMs I draw from, what that waiter is
doing when he disappears after I hand him my card. I consider myself a pretty
paranoid person. At this point I don't feel threatened by the NSA (if I worked
for a foreign government I would probably have a different opinion).

I'm going to continue using every reasonable means to protect the privacy and
integrity of data. I'm not going to do it because of the NSA - I'm going to do
it because the internet is a security nightmare, and there are lots of people
out there who would do lots of things to my data without any regard to my well
being.

~~~
hackinthebochs
Out of all the threats you mentioned, the NSA is the only one that can
imprison me if it decides I've done something it doesn't like. The worst part
is that the data they're collecting can be used retroactively X years down the
line if the government so chooses to. And this herein lies the danger. You may
trust your government _now_ to use the information they gather legitimately,
but do you trust it indefinitely? You shouldn't _in principle_ , even ignoring
all the practical reasons that the government has shown itself incapable of
using such power only for good.

BTW, it has been revealed that the government stores information
indiscriminately; but only through a court order or some other "probably
cause" will they actively search the records of an American communicating with
another American. This information is also stored for X amount of years (i've
heard various years cited, from 2 to 10). Using encryption also flags your
communication as "potentially foreign" and thus open to analysis. It was also
unclear from the articles I've read whether internet metadata is covered under
privacy laws. Massive amounts of information regarding individuals can be
mined from just web addresses. So yes, Americans are targeted in the laymen
sense of the word. Sure, the NSA has legalese that they use to justify how
their actions don't target Americans, but its pretty transparent.

So yeah, go ahead and worry about the threat of someone finding an old address
of yours. I'll continue to worry about the orwellian surveillance state that
is being constructed right before our eyes.

~~~
csandreasen
The NSA is not a law-enforcement agency. Unless we find credible evidence
otherwise, I'm going to continue operating under the assumption that there is
no click-here-to-send-this-person-to-jail button at the NSA. To be handed a
jail sentence as a result of NSA spying, the process looks more like this: \-
NSA analyst stumbles across you, most likely in the course of pursuing a
foreign intelligence target, but maybe as part of a vast domestic spying
program as some believe (I haven't seen enough credible evidence to believe
this)

\- NSA analyst finds credible evidence within that collection to suggest that
you were engaged in criminal activity

\- NSA is able to convince the FBI (or other legitimate law enforcement
agency) that you were engaged in criminal activty

\- The FBI opens an investigation into you; if preliminary investigation
yields suspicion, they request a warrant from a judge to gather more
information

\- If the FBI finds sufficient evidence of a crime, they obtain a warrant for
your arrest and detain you for trial

\- Evidence independently obtained by the FBI is presented to a jury of your
peers. As of yet, there's no precedent for admitting evidence by the NSA. To
the court it's the equivalent of an anonymous tip, and the NSA has a history
of not wanting to reveal its sources and methods anyways.

\- A jury of your peers decides whether or not you are guilty of a crime. A
judge sentences you.

So yes, you can get sent to prison based on NSA spying. It's a long process
with independent review by multiple parties. I'll be very concerned regarding
this process if the first step is broken, which is what everyone is up in arms
over. I don't see the evidence yet that this step is broken, or even
applicable in most cases [1].

Why am I afraid of people getting my addresses, phone numbers, etc.? My wife
testified to put a violent man in prison some years ago. As a result, I have
more concern than most that there are people who would want to do my family
harm. I don't like that $15 will tell you where my wife, kids and I sleep at
night or give contact information to harass us. Old information would allow
someone to take out a line of credit in my name, leaving me to sort out the
financial mess. Other people I know in legal and law enforcement positions are
accutely aware of the threat of being retaliated against outside the courts
for perceived wrongs.

[1] I have to run to work, and I'd be insulting your argument if I just left
it at that - I'll write up an explanation of my views on the Section 215
collect when I get home. I appreciate the discussion - thank you for actually
giving thoughtful answer rather than just a snide remark dismissing me.

