February 26, 2015 Securing the Cyber Frontier
By H. Baloch
The Universal Declaration of Human Rights: "No one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence."
We live in a world which has become a manifestation of the era depicted in George Orwell's cult novel 1984. Governments have become exponentially powerful because of their ability to monitor and analyze enormous amounts of data, readily available, on their targets; social media, the Internet, cellular networks, surveillance cameras/CCTV, ATMs and smart IDs augment, manifold, the ability of the state's already omnipresent intelligence agencies.
Every website we visit, every email and instant message we send, every comment posted on social media, every time we make a phone call, whenever we withdraw money from a cash dispenser, or when we cross by a CCTV, we are giving away intelligence. This will soon be the case, in a few months' time at most, when we pass through toll plazas or enter public buildings.
Microsoft, Google, Facebook, Apple, Skype, Yahoo, AOL, Paltalk and Cisco, to name a few, are in agreement with the United States government to furnish the USG with communication logs it deems relevant for security analysis purposes. Facebook is public about accommodating government requests; it releases an annual report called the Global Governments Request Report which can be found on the Facebook site. First published in the first half of 2013, the report gives the number of disclosure requests it receives from governments and the percentage of requests that were positively responded by Facebook. According to Facebook it only divulges details in accordance with the laws of the relevant jurisdictions. Pakistan is extensively amending its cyberspace and security laws and policies to bring in scope any information thought of as valuable by its intelligence apparatus.
Further, social media profiles of users are data dumps, some social networking sites come with powerful embedded tools like Facebook's graph search which allows any Facebook user to search specific details about other users. The timeline feature on Facebook and Twitter are both data archives and can be used for intelligence gathering purposes regarding target users. The state or citizen vigilantes can carry out surveillance, stalking, trolling and Internet bullying through the use of fake social media accounts; Pakistani intelligence agencies and army sympathizers are actively monitoring and trying to counter Baloch liberation activists through the use of fake accounts, groups and pages. Other tools available for mining these massive online databases are free applications or apps available for a small subscription fee.
Research in Motion/RIM's Blackberry smart phones, devices that are known for their impregnable security, according to the Snowden archives were hacked by the US National Security Agency (NSA) in 2009.
Post Mumbai 2008 terrorist attacks, the Indian government asked RIM to provide access to Blackberry messenger and Internet services for surveillance purposes. By 2012 Blackberry agreed to the Indian government's demand following rival Nokia's compliance with the Indian authorities. RIM is a smart phone manufacturer that prioritizes security.
Smart phones can also be compromised through the applications installed on them. Third parties can acquire access to sensitive data through installed applications and so can hackers access the phone's contents through mobile apps.
Further, it does not take an expert to extract sensitive information from a smart phone in case the phone is under physical possession of an unwanted person; smart phones automatically synchronize all contact details available on emails and instant messaging services with those on the phone directory.
Every time we withdraw money from an ATM or use a debit or credit card for making payments or when we participate in online transactions through our bank accounts we are giving away information about our interests, spending behaviors, location and contacts which can be used for finding out connections and even used as data for building correlations.
This is not the full extent of how financial institutes monitor their customers; the surveillance goes further. With an increasingly conflict ridden world the international community has further tightened transaction surveillance regulations to ensure that financial sanctions are enforced. To choke terrorist finances, armies of compliance officers monitor customer details and behavior from the minute a customer submits an account opening application with a bank. Any suspicious activity is disclosed to the government.
The new Pakistani Smart National Identity Card (SNIC), a product of NADRA, comes with an embedded chip which not only stores the card bearer's details but can also used as a radio frequency identity (RFID) for the card bearer. The state is already working on installing RFID readers at toll plazas to keep track of people entering and leaving a certain area within a city or town or an entire province. The SNIC bearer will not even have to be in close proximity with the reader to register her or his presence, the smart chips are activated through induction; provided the transmitters are powerful enough a card bearer can be detected from greater distances, satellites, aerial reconnaissance.
Cellular communications services providers are the weakest link in the chain, with access to crucially sensitive data. Cellular companies can triangulate a user's precise location, track her or his conversations and monitor text messages. The degree of access they provide to the government makes cellular networks riskier as Pakistani intelligence agencies have access to all cellular networks in the country. In the wake of the Peshawar Army Public School massacre, December 2014, the Pakistani authorities increased the powers of law enforcement agencies by concentrating further on cellular and Internet communications. Recently a text message from the authorities was broadcast in Balochistan warning users that all cellular conversations were under surveillance.
Timely and accurate information are game changers, the state's ability to have access to timely information enables it to have a Godlike view of its enemies. Activists must neutralize this advantage by adapting accordingly. Formal technology and cyberspace security teams need to be established with the aim of developing security policies and scrutinizing the security robustness of gadgets and applications. The teams should develop risk mitigation frameworks that should ensure the containment of the threats posed by compromised devices and publish directories of fake accounts. Further, activists must be able to capitalize on this powerful data warehouse available to and for public consumption.
Notes re: the latest on US National Security Agency (NSA) capabilities:
FirstLook.org: How Spies Stole the Keys to the Encryption Castle
Privacy International: Did GCHQ illegally spy on you?
Digital Rights Foundation: Pakistan is a FinFisher customer, leak confirms