
How the NSA tracks people [video] - znq
https://media.ccc.de/v/SHA2017-402-how_the_nsa_tracks_you
======
jancsika
Here's something that pops in my head every time Binney comes up, but I've
never quite articulated it...

Let's just assume for the moment that outcome X is good while outcome Y is
bad. (I know most people wouldn't agree with that as applied to the NSA's
history of wide-net surveillance, but just stick with me...)

You design a system that technically delivers outcome X. It could technically
deliver outcome Y, but you didn't implement it to deliver that outcome.
However, there is nothing at all preventing outcome Y from being achieved with
your system other than stated policy. Additionally, your system as designed
brings the possibility of outcome Y much closer to fruition at a fraction of
the cost of the quotes from contractors from the time.

It comes to be known that your system has been trivially revised to achieve
outcome Y, and you become a dissident. Now you take on the responsibility of
educating people about what can be achieved with your system, and systems like
it.

I get that part. But here's the question: what was Binney's responsibility in
designing the system in the first place? In interviews I've watched he seems
to justify his contribution to the program by referring to the policy at the
time-- to only use wide-net surveillance data gleaned from the internet on
non-U.S. citizen targets overseas, and nobody ever imagined it would be turned
around to spy on the domestic population.

But has anyone ever asked him if he regrets building a system in the first
place that lowered the cost on a type of surveillance the risks of which are
not well-understood? In that sense I don't see anything different in what he
did than what the Stuxnet authors did. And I'm quite sure if a whistleblower
from that team went public someone would ask why they thought it was
responsible to build it in the first place.

~~~
contingencies
Yes, there is a lesson there for all of us. For a quick (~4 hour) recent
computer game on the same subject (very well executed, IMHO) check out
_Orwell_ :
[https://news.ycombinator.com/item?id=13549725](https://news.ycombinator.com/item?id=13549725)

------
Simon_says
How is Bill Binney still walking around a free man? Surely he had security
clearances and made an oath not to break them. Is it just that he's riding a
fine line and not disclosing classified information?

~~~
FlashGit
I didn't watch the whole thing just jumped around but he has included slides
that are marked 'SECRET//NOFORN' so if that material is accurately classified
at that level (and its disclosure was not authorized), well he probably
shouldn't be presenting to that.

Of course whether those slides would cause 'serious damage' to national
security is a whole other matter or maybe it was 'authorized'.

~~~
TaylorAlexander
Perhaps they were previously leaked through Snowden or others and he's only
included them in his slides? Then he's not disclosing anything. He hasn't
worked at NSA for a loooong time.

~~~
FlashGit
I'm no expert, and you are right he did leave sometime ago, perhaps there were
changes with regards to protecting classified information after he left.

Classified information does not become unclassified just because it is
publicly available if I remember correctly. Either way, I can't comment on
whether including them in his slides is disclosing/divulging or not.

------
bagsam
Apologies if this may sound a little naive, but I can't help but wonder; Can
anything be done about this situation within the next couple of years? Or is
this process of mass data collection just going to continue and reach an
irreversible stage where those agencies' power is out of control?

~~~
bahjoite
One thing that is being done is to reduce the amount of clear text available
for collection: more and more data is encrypted in transit and at rest.

~~~
londons_explore
Gotta be careful with that - make too much encrypted and there will be
pressure to change the law to make encryption illegal.

I think the existing state with e2e encryption easily accessible to those who
care, but not enabled by default in many areas, is probably ideal.

I'd like to see more work on encryption of the metadata - for example, hiding
who is sending messages to who, and when. The who, where and when of
communications leaks nearly as much private data as the content itself.

Currently, tech for hiding who, where, and when isn't easy enough to use.

------
partycoder
The codenames do not provide a material insight, also "what" is being done is
very different to "how". An audience such as CCC would be more interested in
the "how".

It is clear that major Internet companies are colluded with the government,
including hardware manufacturers (Intel).

------
felon123
What I don't understand is with such capabilities, why weren't Michelle
carters texts flagged? Or the heather Mack texts/fb messages. Or the texts
revolving around the death of Tim piazza at penn state? If the capability to
save these people was there, why wasn't it exercised?

~~~
Chardok
He states it in the video: they are incredibly overwhelmed with data coming in
and are just using "old search methods" such as word search that he deems
ineffective.

My understanding is that this bulk data gathering is not as much as preventing
attacks but further securing of power for the strange amalgamation that we
would call the federal government.

~~~
QAPereo
Even if they cared, they wouldn't risk burning a source/method over a couple
of teenagers potentially harming themselves or each other. This apparatus
isn't about helping police, it's about state control, ostensibly of things
like immigration and terrorism, but realistically as you say it's pure power.

------
bitexploder
For the public source of this information, rewind to 2013:

[https://www.washingtonpost.com/investigations/us-
intelligenc...](https://www.washingtonpost.com/investigations/us-intelligence-
mining-data-from-nine-us-internet-companies-in-broad-secret-
program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html)

[https://cryptome.org/2014/01/nsa-prism-
dk.pdf](https://cryptome.org/2014/01/nsa-prism-dk.pdf)

You have to put together what we know about PRISM with recent testimony.

[https://en.wikipedia.org/wiki/Jewel_v._NSA](https://en.wikipedia.org/wiki/Jewel_v._NSA)
is extremely important here. The NSA argues it can collect virtually every
scrap of data flowing across US communications systems and that it does not
violate your rights because as long as no one is looking at it your 4th
amendment rights aren't violated. So to "look" at the data they get a secret
FISA warrant. Jewel was defeated in court with the same tired argument of
Clapper et. al -- "Your facts are inaccurate, but we won't tell you how
because it is a state secret. Case dismissed. You let us worry about
protecting your privacy within our walled garden."

NSA directors have a long history dating back to 2002 with Hayden of
misleading congress and then saying "oops, sorry about that." It is a naked
power game between congress and the executive branch and a bit of political
chicken because the intelligence committees can only go so far before the
president/white house can say the legislative branch is undermining your
freedom and aren't tough on terror.... which will not go well for anyone at
reelection time if it sticks.

The back and forth goes on. The picture painted, and I can't dig everything up
is that, essentially, the NSA collects almost everything that happens on US
soil. It has a legal fiction via executive orders (see Snowden emails) that
let it do this. And then if searches of this data turn up anything interesting
(since automated computer searches don't require a warrant under this legal
fiction) they then apply for a secret FISA warrant and then humans can "look"
at the collected data. And since no humans were collecting or looking at your
data your 4A rights are fine and safe.

edit: I guess I meant to add this legal construction is why the "how" of their
collection matters so much. Until we have accurate details of the "how" we
can't even begin to argue against them in open court. And since the executive
branch tries its very best to keep the "how" secret (for many not obvious
reasons!) these things are important. I have seen people dismiss the
importance of the technical details as just bits and bytes and what matters is
the politics at play, but the "how" is very important as shown by the failure
of Jewel to win in court due to specious "state secrets" arguments.

------
Sephr
Bill mentions that the current solutions are much more expansive, so it seems
very likely that the NSA uses a private Google Cloud Video Intelligence[1]
installation with TPUs in combination with their current iteration of
TREASUREMAP.

This would enable the NSA to search based on scene descriptions of likely
crimes and get government-ID tagging with GPS. This would serve as an
effective filtering system and increase the productivity of intelligence
operators.

1\. [https://cloud.google.com/video-
intelligence/](https://cloud.google.com/video-intelligence/)

~~~
londons_explore
>very likely that the NSA uses a private Google Cloud Video Intelligence[1]
installation with TPU

Nope.

------
megous
So a quick calculation. 1 zettabyte if stored on 4GB HDD, that's 250 million
hard drives. That's without any redundancy.

Quarterly production of hard drives is around 100-140 million. That's quite a
big slice of global production.

The buying operation of this scale should be visible somewhere on the price
charts.

~~~
Spaztazim
Read a rumor once that the tsunami in the Thailand that "knocked out" HDD
factories several years was used as cover to buy up large amounts.

~~~
trendia
Did non-HDD factories in Thailand experience a similar price increase after
the tsunamis? (I don't know the answer -- I'm just curious)

------
bobsgame
His main point as I understood it seems to be that the problem is the
direction of the organization demands that it continue to grow in that
direction. More data means more power which demands more funding but also
leads to less effectiveness at what they are actually supposed to be doing.
It's really smart that he is confronting the problem by trying to create a
legal framework that can steer the ship in a better direction. I really
appreciate his work.

~~~
trendia
As they say, any bureaucracy will eventually be controlled by people trying to
preserve the bureaucracy rather than those trying to achieve the actual goals
of the bureaucracy.

Or:

> Pournelle's Iron Law of Bureaucracy states that in any bureaucratic
> organization there will be two kinds of people":

> First, there will be those who are devoted to the goals of the organization.
> Examples are dedicated classroom teachers in an educational bureaucracy,
> many of the engineers and launch technicians and scientists at NASA, even
> some agricultural scientists and advisors in the former Soviet Union
> collective farming administration.

> Secondly, there will be those dedicated to the organization itself. Examples
> are many of the administrators in the education system, many professors of
> education, many teachers union officials, much of the NASA headquarters
> staff, etc.

> The Iron Law states that in every case the second group will gain and keep
> control of the organization. It will write the rules, and control promotions
> within the organization.

------
artur_makly
nice doc made about him :
[https://m.youtube.com/watch?ebc=ANyPxKqbOng3dL_bQTCCpf3LIH_8...](https://m.youtube.com/watch?ebc=ANyPxKqbOng3dL_bQTCCpf3LIH_8Awvcc6i2XbuHXC3EkcD_tR4lf60oED6Zv9ficZqrLazyurCLHGuD1vAsZevTHy1eQVrnVQ&v=kbVfub-L5Rs)

------
verytrivial
(That sense of mild threat you feel right now that is preventing you from
either watching the video or commenting here is entirely natural and nothing
to worry about. Go about your day as normal.)

~~~
Bartweiss
I went to the comments instead of the link to take a look at whether there was
a second source that didn't involve hitting a CCC page. Chilling effects
indeed.

~~~
neves
Sorry for the ignorance, but whats the problem with CCC pages?

~~~
Bartweiss
Nothing inherent - the CCC is a great organization.

But it's already come out that searching for Tails or Tor can set off NSA
flags, so I was pointing out that reading Chaos Computer Club accounts of NSA
surveillance practices sounds like another likely way to be flagged.

~~~
type0
> Chaos Computer Club accounts of NSA surveillance practices sounds like
> another likely way to be flagged.

It sure is, meaning that a privacy conscious person is not a friend of a
government and needs to be held in check. It's also quite disturbing that NSA
is surveilling political parties around the World to excerpt pressure on them
and to get geopolitical and economic influence.

------
throwawaymanbot
I think some people need to have some backbone, and less fear.

I looked at it, I didn't feel any chilling effect. From an engineering point
of view its interesting. Maybe I'm too dumb to process fear.

