
South African authorities admit to mass surveillance - iafrikan
https://www.iafrikan.com/2019/09/02/south-africa-mass-surveillance-spying-undersea-fiber-cables/
======
chrisseaton
> worrying is that the SSA has said that such surveillance and data collection
> is "common practice" globally

I think if you believe that any major country is not intercepting all undersea
fibre cable traffic within their reach or even beyond it then you’re being
very naive. I can’t understand how this news would surprise anyone.

~~~
reaperducer
I can imagine a sustainable business could be made operating a fleet of ships
in international waters that pick up undersea cables, taps them, and uplinks
the data in real time to whichever .gov subscribes to it.

The company taking the risk gets a big fat government check every month, and
the governments get to deny they're tapping anyone's data.

~~~
ctack
You can't export the data wholesale from your ship though - you'd need another
cable for that :D So you'd need sift and process that data on the ship.

~~~
reaperducer
_You can 't export the data wholesale from your ship though - you'd need
another cable for that :D_

The key word, though, was "uplink." Go straight to satellite, and let the
intelligence agencies sift through what they want.

~~~
saganus
Are there sat links with enough bandwidth to siphon data off undersea cables?

I have no knowledge of this area but I always thought sat links can't compete
with multi gbps cables.

Maybe I'm wrong though.

------
mikorym
> it also covers information about organised crime

Let's just pause a bit here. In South Africa, if your phone gets stolen and
you go to the police, they may well respond with: "Yes we know the guy, but
we're not going to do anything." [1]

I think that surveillance doesn't have the same twang in South Africa that it
has in the US and EU. Organised crime and unorganised violent crime for that
matter in one thing that a lot of South Africans would like to see better
monitored or "surveilled" if you will.

South Africa has this sort of dichotomy between illiteracy and high level tech
that I think many people outside of Africa are not aware of. There is 60%
youth unemployment [2] and at the same time it's the most developed African
country. I heard a story that some of the surveillance tech that Muammar
Gaddafi used was built by a company in Stellenbosch.

Most middle class people will have some form of armed response and cities
especially are pro-surveillance for crime prevention, many of it by 3rd party
security companies. I think that there is some kind of common sense notion of
how to differentiate between security and privacy that the CIA or NSA could
only dream of. Security means not being robbed; privacy means leave my life
out of yours.

As mentioned in some of the comments, surveillance is not new at all in South
Africa and in fact is much less than under the previous, non-democratic
government.

But to summarise, South Africa is from a "freedom" point of view a really
great country. You can pretty much do things and live the way you want. The
level of crime and incompetency of the police is, however, too much to live
with for some people.

~~~
raxxorrax
To think of surveillance as a solution against violent crime is fantasy
anyway. It wasn't a requirement at least for all other countries getting it to
manageable levels.

Sure, you might catch some guys but as you yourself reported, it may not even
matter if there is evidence.

But the incentive to abuse surveillance is certainly something western nations
have readily helped with their active approval that couldn't even net results
besides more civil resistance.

So I am not pointing the finger on South Africa here.

~~~
mikorym
I think you are right, but I think it's more about people's sentiment. It's
like saying in Washington's time people respected politicians. The question is
then did people's perception change or did policians change? In terms of
surveillance, I don't think people are "pro" surveillance, I think it's just
not a priority.

------
sofaofthedamned
Wasn't it 6 years ago when Snowden made public his revelations and Google said
'nope' and encrypted the lot? Who now sends traffic over these links and
doesn't encrypt them?

So, what value do the SA government have in intercepting these links now?

~~~
dmix
There were plenty of small samples in the various Snowden powerpoint slides of
stuff NSA incepted from the pipes.

It seems a ton of mobile apps are sending information with identifiers over
HTTP (the ID is a key part for them legally to pick it up and store it in a
DB, forever). I notified one developer that was sending real-time GPS data +
an email address highlighted in one of the PPT slide's (just a screenshot of a
spreadsheet-like table) and never got a response from the developer. It was a
small Canadian company with an app with a few million downloads, so I told
Citizenlab about it (don't remember the name, had something to do with sports
IIRC).

This is a chart of TLS traffic sent via Chrome and across Google:

[https://transparencyreport.google.com/https/overview?hl=en](https://transparencyreport.google.com/https/overview?hl=en)

2014 = ~50%

2019 = 94% of traffic encrypted for Chrome users which is great.

Linux users currently have the lowest when using Chrome with 86%. I'm curious
why this is.

Again mobile apps seem to be the biggest problem right now and there was no
red HTTPS sign when they sent your sensitive information over cleartext:

> Mobile devices account for the vast majority of unencrypted end user traffic
> that originates from a given set of surveyed Google services. Some older
> devices cannot support modern encryption, standards, or protocols.

Maybe Google PlayStore should start punishing apps for not using HTTPS? Just
like how Google is trying to make the internet faster by ranking
performant/mobile friendly sites higher.

The app testers should put fake identifying information in the various app
forms + automatically measure the outbound HTTP traffic for cleartext versions
of the IDs.

~~~
icelancer
>> Linux users currently have the lowest when using Chrome with 86%. I'm
curious why the is.

They probably browse quite a few old sites for documentation and tooling that
are just not updated for HTTPS. A forum I post on to this day is still served
over plain ole HTTP and they have no interest in changing.

~~~
ben_jones
Isn’t it more likely to be low grade android devices in poor countries with
outdated government, banking, and education portals?

I doubt kernel hackers make up a large enough demographic to skew the
metrics...

~~~
toomanybeersies
Android is separate from Linux in the report. Developers and tech people make
up a significant (if not majority) share of Linux users.

A lot of popular Linux and developer related pages are HTTP only. I did a
quick Google search for some Linux related tasks, and found plenty of sites
that don't use HTTPS. e.g. man7.org, linuxhowtos.org, linuxcommand.org

The report does break down HTTPS traffic by country, and you're right that
lower income countries do have a lower share of HTTPS traffic.

~~~
dmix
All the major wikis seem to be using HTTPS: Ubuntu, Fedora, Archlinux, Debian,
Majaro, WineHQ, Gnome, KDE, CentOS, OpenSuse

Wikis arent the problem!

------
randomdrake
Can’t believe it’s been over ten years.

2008 was when there were numerous undersea cable disruptions[1]. I wrote about
them when it happened from the best sources I could find at the time[2].

It isn’t surprising to see that surveillance may have occurred as a result.

[1] -
[https://en.wikipedia.org/wiki/2008_submarine_cable_disruptio...](https://en.wikipedia.org/wiki/2008_submarine_cable_disruption)

[2] - [https://randomdrake.com/2008/02/12/the-submarine-cables-a-
co...](https://randomdrake.com/2008/02/12/the-submarine-cables-a-complete-
guide-to-the-2008-internet-outage/)

------
buyx
If there’s any comfort to be had, South Africa’s intelligence agencies are a
shambles, and unable to deal with real-life threats right under their noses.
The idea that they’d be able to do anything actionable with bulk—collected
electronic intel is laughable.

The way things are going, wouldn’t be surprising if whole thing is a corrupt
scheme linked to procurement of storage media.

~~~
bonyt
Is that comforting? It just leaves all the risks associated with an invasion
of privacy with none of the claimed security upsides.

Just because they can’t use it competently doesn’t mean they can’t abuse it.

------
madiathomas
Surveillance is nothing new in South Africa. It is not even a secret. We have
a regulation with a name that fully disclose that your communications can be
intercepted. It is called RICA, which is short for Regulation of Interception
of Communications and Provision of Communication-Related Information Act 70 of
2002 [1].

When you buy a new SIM card, you have to register it using your identification
document and proof of residence. Every legally obtained SIM card is
accountable. That way they wil know they are intercepting communication of the
right person.

[1]
[http://www.justice.gov.za/legislation/acts/2002-070.pdf](http://www.justice.gov.za/legislation/acts/2002-070.pdf)

~~~
mikorym
> legally obtained

As an aside, you and I both know how easy it is to get an activated sim
card... But I agree with you comment; this article is not really "news".

------
mschuster91
The German BND snoops traffic at DECIX. UK snoops on transatlantic cables.
Everyone snoops.

Either we move to full e2e encryption or we organize democratically to tear
down the modern Stasi.

~~~
freeflight
> The German BND snoops traffic at DECIX.

To forward a lot of it to the NSA [0], the same NSA that also messed with
Germanys G10 laws to "legalize" these kinds of practices in the very first
place [1] for exactly that reason.

edit: UK is pretty much also NSA, because unlike the German BND they are at
least part of FiveEyes [2] because real global surveillance is a rather
exclusive club.

[0]
[https://en.wikipedia.org/wiki/Operation_Eikonal](https://en.wikipedia.org/wiki/Operation_Eikonal)

[1]
[http://www.europarl.europa.eu/document/activities/cont/20140...](http://www.europarl.europa.eu/document/activities/cont/201403/20140307ATT80674/20140307ATT80674EN.pdf)

[2]
[https://en.wikipedia.org/wiki/Five_Eyes](https://en.wikipedia.org/wiki/Five_Eyes)

------
blitmap
It's worrying that developing countries can buy off-the-shelf solutions to
surveil its citizens without going through the decades of cultural and social
change other countries have. We asked questions like "Is this ethical?" before
the technology became possible. For them, the tech is here and the social
discussions were never started.

Maybe this is the same thing. We haven't upheld our ideals on privacy anyway.

~~~
raxxorrax
I see few uses in asking if it is ethical, doing it anyway and putting
dissidents in prison, which also happened.

------
api
Assume all Internet connections are party lines and just encrypt all the
things.

~~~
darpa_escapee
Also, assume that states have access to root certificates.

~~~
api
No clue why this is downvoted. I would assume that at least for G7 and orher
"first world" nation states.

------
pigeon888
Not helping the security of the country very much. SA has one of the highest
murder rates in the world.

------
iafrikan
More details on South Africa's bulk interception of undersea fibre cables -
[https://www.iafrikan.com/2019/09/03/murray-hunter-digital-
ri...](https://www.iafrikan.com/2019/09/03/murray-hunter-digital-rights-
surveillance-south-africa-spying/)

------
option
I’m no big fan of recent Google, but huge thank you to them for driving a push
towards https by default

~~~
quickthrower2
Thanks to Let's Encrypt too for making it easier and cheap to SSL your site. I
now see "[http://"](http://") and think "that looks dirty, what's their
excuse?".

~~~
cameronbrown
HTTPS has downsides too, let's not kid ourselves.

~~~
quickthrower2
What is the downside of using https over http?

~~~
luizfelberti
Nobody said the downsides were over HTTP. When talking about state sponsored
espionage, the glaring downside of HTTPS is PKI and buying into the CA model.

------
Apocryphon
Wonder if they have any partnerships with the Five Eyes?

~~~
jonnybgood
Given South Africa is a member of BRICS, it's not likely.

> In addition to commercial motivations, the new fiber optic Silk Road could
> also have geopolitical and strategic implications. Russia and China
> evidently share a desire to shield themselves from U.S. and other Western
> intelligence agencies and probably believe that their own communications –
> both with one another and to and from Europe – will be better protected if
> cables run across their own territory rather than through the Indian Ocean
> or the U.S. The same motivation explains the announced Telebras cable, which
> will connect Brazil to Portugal without any U.S. technology, and the BRICS
> cable project, which will link Vladivostok to Brazil, via China, India and
> South Africa.

[https://thediplomat.com/2015/04/a-fiber-optic-silk-
road/](https://thediplomat.com/2015/04/a-fiber-optic-silk-road/)

------
hairytrog
While interception is common and probably ubiquitous, I think we overestimate
the governments' ability and wherewithal to use all this data. At the end of
the day, only the worst hackers work for government.

------
notinpersia
If traffic is encrypted E2E or OE it should not be a problem that someone
eavesdrop on traffic.

Here is one to make public key crypto practical using AI+Human derived
mnemonics:

Btw, Jack Dorsey’s Twitter account was hacked recently, which is another
interesting story.

[https://docs.google.com/presentation/d/1f2k6fsIkDmIS1WyJAT0l...](https://docs.google.com/presentation/d/1f2k6fsIkDmIS1WyJAT0lXQmDuHIPeo9GDKfP1FY2rVc)

