When reading the latest iteration of the Electronic Freedom Foundation’s “Surveillance Self-Defense” (SSD) guide on maintaining one’s privacy, one might write it off as another stellar entry for those who enjoy “buzzword bingo.” To do so would be a mistake; while the guide is chock-a-block full of buzzwords, it is also full of advice and guidance of immediate utility for the nontechnical among us (with tidbits the most technical will find of value as well).
Why are we concerned with privacy? After all, the internet scrapers and the wayback machine almost guarantees anything we do online is captured for posterity. Users trade privacy for access regularly on social networks. For those among us who relish a modicum of privacy, rest assured you can lock down your information, conversations and web activity, but it will require an investment of time.
Given the openness in the United States, we are able to garner a peek into why one might want to dig into the SSD by looking at what type of surveillance systems are being sought by law enforcement and government entities. Imagine what is possible elsewhere where laws permit less transparency (Singapore, Russia, UK or China) and the SSD’s advice becomes even more valuable.
Boston Police Department
In October 2016, the Boston Police Department issued an RFP to “Acquire Technology & Service of Social Media Threats.” One response from Verint, (191 pages, revealed itself through a basic search), notes that its bid on the project did not exceed $1,392,669. A deep dive into the collection side of the solution is the need for the police department to have real-time threat awareness. To this end, the solution provider claims the ability to harvest data from the deep and dark web to include the ability to bypass CAPTCHAs and crawl capability across social networks including Facebook, Twitter, YouTube, LinkedIn, Instagram, Flickr, Pinterest, Pastebin and Tumblr. The Massachusetts bid site shows the status of this RFP to be in “bidding status.”
One could make a cogent argument from the side of law enforcement/public safety that such surveillance is desirable, which apparently was the impetus behind the recent proposed legislation in Sweden to adjust its data retention laws. While privacy advocates can robustly argue that the overall invasion of privacy exceeds the need for public safety. The courts will sort this one out.
U.S. Government Employees
Another example comes from a May article in the Clearance Jobs blog, which noted the U.S. government clearance process for “continued evaluation” would now include a social network component. An RFP surfaced calling for expertise in searching across social networks and, apparently, browser histories:
- Micro-blogging websites (examples include Twitter and StumbleUpon)
- Blogging and Forums websites (examples include WordPress, tumblr and LIVEJOURNAL)
- Pictures and Video-Sharing websites (examples include YouTube, flickr and Flikster)
- Music websites (examples include Pandora, lost.fm and iLike)
- Online Commerce websites (examples include eBay, amazon.com and Epinions)
- Dating Network websites (examples include match.com, eHarmony and chemistry.com)
- Geo Social Network websites (examples include foursquare, urbanspoon and tripadvisor)
- News and Media websites (example include the LA Times, CNN and New York Times)
Now, to be fair, within the context of the U.S. government employee/contractor who has a U.S. government security clearance, knowing what is publicly available on an employee with access to state secrets is a prudent counterintelligence tool. You may be assured, every foreign adversary worth its salt is mining this information for its offensive intelligence efforts.
Then we have the recent revelation via the Congressional Record, that the Department of Homeland Security (DHS) Privacy Office has submitted a proposal to augment its processes (comments are open through Oct. 18). Interestingly, to aid in the investigation of criminal activity, DHS proposes to collect information on emigres including their social media handles, aliases and associated identifiable information as part of their A-file or classified electronic file. Social network activities will be reviewed and retained.
The Art of the Possible Meets the Probable—What to Do?
Let there be no doubt, when reading the RFPs and responses, one may think they have stumbled upon the cure for insomnia, but only if they are ready for nightmares. The depth and breadth of the information that can be—and is being—harvested by companies around the globe on behalf of public, private and, yes, criminal enterprises is staggering.
Prudence, therefore, dictates individuals (and companies) educate themselves on how to minimize that which is readily available for scraping and indexing.
And this is the purpose of the SSD: to assist the less technical among us in locking down their presence.
The SSD begins with “assessing your risks.” That makes sense, as most families don’t engage in threat assessments at the dining room table or on their living room floor. But, we all have engaged in the basics of risk and threat assessment, beginning with the lock on the front door.
The SSD then walks the reader through a plethora of overviews, actionable implementations and training modules. These modules touch on a variety of topics including how to use TOR, configuring WhatsApp, repelling phishing and basic cyber hygiene.
To their credit, EFF has translated the guide into 11 languages and has also created overviews, tutorials and video presentations to assist in learning how to maintain your individual privacy.