What EFF is doing

From DevSummit

EFF Notes

NSA Spying Cases: the government is collecting far more information than we had initially thought. They collect first and sort out second. Affected people should know that governments are voraciously collecting, using technologies that we still don't know much about.

In the US, from the civil rights era, we know that surveillance was widespread against activists.

People who are responsible for protecting other people's data are more important than ever. We should be energised by the latest revelations.

Three authorities - we don't know everything the governments are doing. Basically these are blanket authorities that were created or expanded after September 11th.

The Aspiration "dark side of the moon" t-shirts use the same logo as PRISM.

The code names that they use mean nothing. Imagine a parent asking a child 'did you eat cake?' and the child responding 'I did not eat it for breakfast.'

It's technically a true statement, and this is common practice for the government.

Three ways they can get information:

1. Section 215 of the Patriot Act (https://www.eff.org/foia/section-215-usa-patriot-act) - phone records and metadata, which probably extends to financial records. The metadata argument has its roots in the 4th Amendment: metadata is the distinction between content and non-content. Ideas and distinctions developed for older technologies are grafted onto new technologies where they no longer make any sense. Section 215 is about obtaining "tangible things", which covers any log file regardless of its source, so its range runs from financial institutions to phone companies. There are at least two kinds of databases they are using that we know nothing about. One of the rationales is that the data belongs to the company and not to the public.

2. Section 702 of the Foreign Intelligence Surveillance Act (FISA) - how the government gets content and non-content, AS LONG AS they are targeting a foreigner. Largely communication records. Upstream collection means collecting the information upstream, before it reaches the provider. EFF found out about this in 2006. In the AT&T building on Folsom Street there is a large room containing a peering station, where communications get handed off to the broader internet. This is about three hops up from where the traffic comes into the country. Your communication gets routed through the peering station on its way to other ISPs, etc. A fibre-optic splitter splits the signal into two identical copies: one copy goes on to its destination, the other is collected in room 641A. About 90% of internet traffic is spam and copies, so 641A filters that out and the remaining 10% is collected and comes out of the room. The room has existed since 2001; we were told it had existed for longer than that, but there's no evidence.

Everything in the Patriot Act was something that had been attempted in law, or had existed in some form, before 9/11. The rules for these peering stations have existed for a while. We do not know how to get access to them.

The goal is to collect everything. The US government missed the fall of the Berlin Wall, Czechoslovakia, and most major world events, so it has a bureaucratic mission to collect EVERYTHING.

It used to be that you needed a warrant for this type of surveillance, but this was done away with by the FISA Amendments Act.

So they look at it as collecting the whole haystack to get at the needles.

As long as the target is a foreigner, they can collect the information. Section 702 is also used to justify direct access to application providers like Google.

3. Executive Order 12333 (https://www.eff.org/deeplinks/2013/10/three-leaks-three-weeks-and-what-weve-learned-about-governments-other-spying) - foreign collection: communications going on abroad. This is how they are listening to Angela Merkel. The government is collecting address books at foreign access points. They can't target US citizens abroad.

They do intercept mobile calls. They believe they can break into anything: people's computers, laptops, routers. They send spies to break into telecommunications companies. It's very aggressive.

Yet this is the very accusation they used to throw at the Chinese.

There are the Five Eyes: the UK, US, Canada, Australia and New Zealand (http://en.wikipedia.org/wiki/UKUSA_Agreement). We need to break new ground on transparency to get this stuff to come to light.

Corporate collection is government collection, but not the other way around: there is no separation between them. Companies are concerned because they are starting to lose face and market share.

Sabotage - actively messing up standards and inserting back doors into companies' products. The response is to actively create protection and limit the access the government has, by putting a lock on your door: encrypting your emails.

The government tried to actively block the creation of new encryption technologies, but had to back down when Gore was running, because Silicon Valley said "you are hindering the development of the internet."

Secure all your people. Use strong crypto and help develop the tools: GPG sucks, but we need to make tools like it work for mere mortals. Get HTTPS Everywhere. Crypto is hard, but it needs to be everywhere.

PGP sucks for group conversations, though encrypted mailing lists are just starting to work.
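The notes above draw the Section 215 line between content and non-content, and then recommend encrypting your email. The following is an added example (not from the DevSummit notes and not an EFF tool) that makes the two points concrete together: it takes a constructed PGP/MIME message and separates what a records request or a fiber-tap copy at a peering station can still read from what the encryption hides. The message, addresses and armored block are all made up for the example; the ciphertext is a placeholder, not real PGP output.

```python
"""
Added example: what an intermediary still sees on an encrypted email.

Everything outside the encrypted MIME part is "non-content" in the sense the
notes use: it is created and logged by the mail provider rather than the user,
so a business-records request or a fiber-tap copy obtains it without any key.
Only the PGP payload is protected. The sample message below is constructed.
"""
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: a GPG-encrypted message as a relay would see it.
# The armored block is a placeholder, not a real key or ciphertext.
SAMPLE_MESSAGE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby relay.example.net with ESMTPS id 4Xyz; Tue, 12 Nov 2013 14:03:11 -0800
From: alice@example.org
To: bob@example.net
Cc: carol@example.net
Subject: Re: Thursday meeting
Date: Tue, 12 Nov 2013 14:03:05 -0800
Message-ID: <20131112220305.1234@example.org>
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="=-=sep=-="

--=-=sep=-=
Content-Type: application/pgp-encrypted

Version: 1

--=-=sep=-=
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMA3v5WOUnAAAAAQf/placeholder-ciphertext-not-a-real-key-or-message==
=AbCd
-----END PGP MESSAGE-----

--=-=sep=-=--
"""

# Header fields that travel in the clear even when the body is encrypted.
METADATA_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID", "Received")


def split_metadata_and_content(raw: str) -> dict:
    """Return the fields an intermediary can read on a PGP/MIME message.

    The result is the "metadata" view: who talked to whom, when, about what
    subject line, via which relay, and how large the hidden payload is. The
    encrypted body itself is never decoded; only its size is reported.
    """
    msg = message_from_string(raw)
    visible = {name: msg.get_all(name, []) for name in METADATA_HEADERS}

    # Envelope-style recipient list, assembled from To and Cc.
    visible["recipients"] = [
        addr.strip()
        for field in ("To", "Cc")
        for addr in msg.get(field, "").split(",")
        if addr.strip()
    ]
    # Parsed Date header: timing is metadata too.
    visible["sent_at"] = parsedate_to_datetime(msg["Date"])
    visible["is_encrypted"] = msg.get_content_type() == "multipart/encrypted"

    # The armored ciphertext is opaque, but its length leaks message size.
    ciphertext_length = 0
    for part in msg.walk():
        if part.get_content_type() == "application/octet-stream":
            ciphertext_length += len(part.get_payload())
    visible["ciphertext_length"] = ciphertext_length
    return visible


if __name__ == "__main__":
    for key, value in split_metadata_and_content(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

The point of running it is the list of fields that come back populated: sender, recipients, subject, timestamps, relay hostname and IP, and the size of the ciphertext all survive "encrypt your emails" intact, because PGP/MIME only wraps the body. That is exactly the non-content layer the Section 215 notes describe, which is why the notes push for HTTPS and encryption everywhere rather than treating PGP alone as the lock on the door.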

We need to convince people that encryption is worth it and important.

Build good tools, use good tools, support development. Be part of the movement.

EFF is an impact-litigation organisation. They take on legal cases; if you have them, bring them on.

EFF wants to be the place you can go to for help on these issues, and they want to be able to connect people to others. They have a list of lawyers who will take on paid cases.

The biggest leverage point is that everyone is pissed off. We have to stop the Feinstein bill.

We need to get to the point where one domino falls so that the rest will.

Remember that we were able to stop SOPA and PIPA, and it worked because everyone on the internet asked 'what can I do to stop this?'

There are 13 principles, and EFF is launching a campaign TODAY to get people around the world to sign them.


Susan's notes:

NSA strategy is to collect everything first and sort out what they need second.

How they do that is secret. Activist groups are nearly always targeted when surveillance is used.

NGOs who hold data should care.

EFF:

The NSA does not have one single name for each program. They use code names, even internally, when they are talking about programs. They have a story to tell us about why they are allowed to lie to us.

Section 215: The government is collecting everyone's phone records and "metadata" under Section 215. Metadata could be medical records. The record is created by the phone company; the content of the phone calls is created by the user (you). The government can get companies to turn over any log file. Any business that has data in a log file, the government can get them to turn it over. There are at least two kinds of records: business records and 3rd-party metadata records.

Section 702 can get content and non-content as long as it is directed at a foreigner; the target must be abroad. They can collect a lot of information, and then throw out everything that is not about the foreigner.

How the tech works: The peering station is the place where your communications get routed to the end user (fiber active cables); they split the communications via their fiber optics and the information is transported. At the AT&T station, before the info gets transported to Verizon, it sits in a room, room 641A in SF.

The communication that comes out of the room is 10%. We don't know where the 10% goes to. This has been going on since 2002.

There are about 20 peering stations in the US. A peering station is a place where ISPs exchange traffic. The information is not confidential at these. Any ISP that can run fiber to that room can interconnect or exchange traffic there.

Their goal: collect everything (phone or internet traffic) first so that they don't miss anything, then see what they need from that info.

As long as the target is a foreigner, they can collect the info.

Section 703 is used to justify access directly to application providers (Google, Yahoo, MSFT, etc.), the PRISM program, upstream.

Executive Order 12333: The NSA listening in to communications that happen abroad. The government is collecting address books, like remote syncing; they are tapping in and collecting that data. As long as they aren't targeting Americans, they can listen in.

The US Gov't can hack people's computers and phones in allied countries, not just people we are at war with.

Signals intelligence and code breaking was one of the main ways that the US won WWII. The level of secrecy that was brought to bear around encryption and code-breaking was unprecedented. All the signals intelligence and cryptanalysis rules that were in effect in WWII are still enforced today.

The idea that corporate information is different than government information is wrong. Government collects the same data as corporations. The corporations can get any info the government collects. From the government's perspective, there is no separation.

Government collection can include local government collection.

Sabotage of our security systems by the government. They are infiltrating big companies to insert back doors, to say a product is secure when it's really not. The government dumbed down cryptography in the 90s, and the EFF was successful in letting people encrypt their data.