Digital protest

Now and again, I submit secret text in blog posts using different steganography software found around the web.

I’m a fan of steganography. It’s a really quick and often easy way to quickly share a private message without having to set up a lot of kit and learn how it works. You can use images to send all kinds of  notions that may or may not be worth a 1,000 words. If people acted as much as they talked about being irate over mass data collection, then they’d be communicating this way more often. Use anything. Use silly, stupid methods and really strong ones. Use them for important messages, but use them for inane ones as well.

There’s an ever increasing industry of privacy workshops, seminars, talks and miscellaneous shin-digs.  In one session put on by the New Yorker,  everyone’s favourite live-streaming attendee, Edward Snowden offered a reminder of his quick tips to get more privacy online. It’s good stuff, but the threat is that it all becomes a bit to niche.

Data privacy isn’t just a privacy advocate’s thing, it’s any activist’s concern. Most targeted spying isn’t aimed at people banging on about privacy, but at environmental activists, political activists, human rights activists and people stomping around for actual change. Good people, but I’ve noticed most of them practice awful security. It’s like handing over tactics without a battle. Even if you think your adversary will get it in the end, you at least should be making them earn it.

Some protests look like this:

(April 1, 2009 - Source: FlynetPictures.com)
(April 1, 2009 – Source: FlynetPictures.com)

The protest against governments scooping up your private messages looks like this, though:

pgp

Generally, I work with some of these tools as part of training and helping journalist and various nice NGO types use them to keep from being tracked, arrested and worse. Dissidents need to be using them as well. Some are. A lot aren’t. There’s this idea that “they’re going to watch me anyway.” This is, of course, why they should be taking the situation more seriously. The use of Firechat in Hong Kong was inspired. Firechat + encryption is more inspiring.

The same methods that can help that important work stay secure are also the main protest march routes.  What are we supposed to be protesting? Pop-up ad creator Ethan Zuckerman offers a good, recent explanation/admission:

“I have come to believe that advertising is the original sin of the web. The fallen state of our Internet is a direct, if unintentional, consequence of choosing advertising as the default model to support online content and services. Through successive rounds of innovation and investor storytime, we’ve trained Internet users to expect that everything they say and do online will be aggregated into profiles (which they cannot review, challenge, or change) that shape both what ads and what content they see. …  Users have been so well trained to expect surveillance that even when widespread, clandestine government surveillance was revealed by a whistleblower, there has been little organized, public demand for reform and change. ” — Ethan Zuckerman, The Atlantic

That effects you, even it it’s not your exact cause de jour.

On the street, protest routes look like this:

protest-route
Here’s a well documented route, approved by police and heavily monitored, but hey, you got your message across, right? Right?

On the internet, the protest route looks like this:

So randomized that the police, government and you don't know how you got from A to B, and (if used right), only you know what B you got to.
So randomized that the police, government and you don’t know how you got from A to B, and (if used right), only you know what B you got to (but I’m not sure what Jane’s up to in this chart, though. Tetris?).

There’s another crucial difference here. On the street, people are politely requesting change when demonstrating along a well-marked route. They’re demanding change when they protest and occupy spaces.

But when it comes to anonymity or privacy rights, you’re already living the change by simply using it. You don’t tell someone else to stop monitoring you, you actually make it more difficult for them to do so.

Top photo is from this Guardian story about how Turkish protesters combined protest and crypto.

Join #TheDayWeFightBack in London

keyshareOn 11th February, civil liberties groups and privacy rights folks are organising a global protest against mass surveillance.  I’m still more than a little put out that the EFF’s event page doesn’t include anything in London. Right here in the most surveiled city on the planet,  people are running a mass  ‘Cryptoparty’  at the Free Word Centre at 7 pm.  Find out how to re-privatise your privacy.

Technical agitation

It’s been a while now since I’ve heard or read anything interesting or original on efforts to counter, um, over-reach on the part of the NSA, GCHQ, et al. The common pundit meme on the market is that there is no technical solution, only a policy, or political one. While I applaud the many earnest online petitions and poignant debating points made by various minority party leaders out there, let me just ask: what the hell have you been paying attention to these last decades? A policy solution? Really? Drafted by whom? Voted into law by whom? Enforced by whom? Check and balanced by… you get where this is going. Before descending into a bout of solutionism, let’s look at the problems of policy.

Problem the first: The majority of incumbent policy makers have a defacto bias against weakening government surveillance. It doesn’t work in their favour. Replace them? Ha. Obama the candidate had all sorts of ethical issues about government spying that evaporated once he became Obama the president. Candidates earn their living by rhetorically challenging issues that suddenly become more complex when they actually wield power.

Problem the second: When we’re talking about a policy or political solution, what we’re actually referring to is a legal solution. Or, in other words: ‘There ought to be a law.’ There are a couple of issues with this. The first is this: Laws are themselves technical solutions, and ones fraught with problems. In both network security and safe locks there’s a common truism: You can only create a thing that you can’t break into yourself. A more clever hacker or locksmith will come along and show you what you missed. Lawyers are the technicians in any political solution. What they specialise in are technical challenges. Any law can become circumventable, with the right legal team.

encrypt all the thingsProblem the third: Laws and oversight are laughed at by the agencies we’re talking about. They break them with complete impunity all the time. Copy-and-pasting TechDirt: “NSA analysts have abused their power. Multiple times. The agency has illegally spied on journalists, broken wiretapping laws, viewed President Clinton’s emails and recorded calls from American soldiers back to America, passing around tapes of ones containing ‘phone sex’ or ‘pillow talk.’ That’s just a few instances that we KNOW about.” And they get away with it.

Problem the fourth: If you look at any of the literature made by the companies that peddle spy software to government, one stunning similarity jumps out: It’s all incredibly simplistic and designed for people who don’t understand what they’re looking at. Our elected officials, their appointed advisers and even the people who vote them into office, are amazingly ignorant about both the legal issues involved and the technology used in online surveillance.  When asked about the potential for the NSA to abuse its power, Senate Intelligence Committee Chair, Senator Dianne Feinstein had this to say: “I am not a high-tech techie, but I have been told that is not possible.” Rest easy, public.

Problem the fifth: Intelligence agencies don’t seem to know how it works, either. The NSA’s use of MUSCULAR generated so much junk that analysts told them to start collecting less. If what you’re looking to do is find proverbial needles in hay stacks, then you might not want to dump a bunch more hay on top. It’s still not known what threats, if any, these software solutions have thwarted. It seems like the major coup has been to find out if someone on an anti-U.S. jag ever glanced at some porn.

New tech, old strategy
New tech, old strategy

Still, we have Bruce Schneier, possibly the most super powered of the technical solution set telling us: “The solutions have to be political. The best advice for the average person is to agitate for political change.” Let’s not disagree with that out of hand, but instead look at the key word here: Agitate. And on this particular issue, what are the effective means of agitation?

Maybe it’s a public demonstration, along agreed routes and with cooperation from the local authorities and some chanting and clever signs and accompanying an angry petition. That’s got such a proven track record. Or, maybe we look at the adversary for what it is, and take efforts to actually challenge it. This leads us back to technical solutions, but with a cause. It’s not enough to tell government agencies you don’t want them to see your private communications. You’ve got to show them you don’t want them to see it. Likewise, telling a government you should have access to content is not the same as showing it that you have access, and that you’ll continue to and that its efforts are not just brutish, but futile. This is agitation. It doesn’t require a petition.

Agitate:

If there’s going to be a petition, it should come in the form of millions of people choosing to send messages to one another that look like they don’t want some government agency reading. The political solution is that people need to decide what they want government wonks knowing about them and then act on it.