In an email, I am asked:
Assuming that the current administration is completely unaccountable to law, is it *technically* possible for them to data mine the electronic communications of their political opponents?
This is one of the reasons why privacy advocates have been worried about the growth of the intelligence state: unchecked “black” operations allow the centralization of power, placing the reins of the state in an increasingly small number of small hands. One of the first signs of a state flipping over to totalitarianism is when the power of the state is used to attack opposition parties – that’s a scorched-earth tactic intended to destroy all opposition and leave a single clique as the “last man standing.” When power is centralized enough that one person can step up and grab it, you have the transition from a republic to a dictatorship.
It has been technically possible to data mine political opponents for some time. There are clear indications that it has been done, as well. Consider, for example, the case of David Petraeus[wikipedia]: here was a possible political candidate, taken off the national stage by the revelation of a secret affair that had been going on for years. The FBI investigated and determined that Petraeus and his paramour Paula Broadwell had been exchanging sexygrams using a rather clever trick of leaving partially-edited messages in a shared secret webmail account’s “drafts”-box. When the FBI investigated, they apparently collected thirty thousand pages of communications between Petraeus and Broadwell, and used some mumble mumble IP address correlation mumble mumble to determine that Broadwell was on the other side of the connection. The resulting publicity killed Petraeus’ chances of a political career, which – as director of the CIA and a prospective cabinet member – was a serious possibility. The timing was … shall we say – fortuitous? How did the FBI retroactively access years’ worth of emails? The press didn’t ask. How did the FBI get trace data and IP address data to allow attribution to Broadwell? The press didn’t ask.
Reading between the lines, it’s pretty obvious that the FBI asked NSA for the communications: NSA collects exactly that kind of material.
In another case, NY Governor Eliot Spitzer[wikipedia] was driven out of power in 2008 based on revelation that he had spent over $80,000 on prostitutes over a period of several years. In the Spitzer case, the information the FBI used was collected under the terms of the PATRIOT act’s anti money-laundering provisions[wikipedia], which require banks to, basically, share all transactional data with the intelligence community. There is an interesting technical twist to this: the PATRIOT act provisions say that banks should notify “federal agencies” (which federal agencies, I wonder?) of transactions over the amount of $10,000. Spitzer was caught because he had broken his payments into smaller chunks to go below the $10,000 limit but “automated software” detected that as an apparent attempt to sneak past the banks’ radar screen. The obvious question any nerd would ask is: How can you tell that a smaller bunch of transactions add up to over $10,000 unless you have the smaller transactions? And of course the other question is: How did the FBI retroactively access years’ worth of Spitzer’s expenses to produce the roll-up amount of $80,000? Maybe the FBI didn’t have to ask the NSA for that data, maybe they did, but you can bet that they had access to Spitzer’s SMS messages and call records, from someplace. Spitzer’s departure from politics was significant: his fall from power deprived Hillary Clinton of his vote as a superdelegate.
The Dennis Hastert case, in which Hastert “structured payments” of blackmail money to conceal a crime, is – for all intents and purposes – the same sort of situation as the Spitzer case. Where did the financial evidence for that come from? The only conclusion that we can reach is that, if you’re not clean, and you’ve covered something up in the past, it can be caused to come back and haunt you.
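The roll-up question asked above (how can sub-$10,000 payments be summed unless every one of them is on file?) can be made concrete. The following is an added example, not code from any bank or agency system; the 30-day window, account names and amounts are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import date, timedelta

THRESHOLD = 10_000            # reporting limit quoted in the text
WINDOW = timedelta(days=30)   # assumed look-back window, not from the page

# Constructed sample ledger: (date, account, amount in dollars)
SAMPLE = [
    (date(2024, 3, 1), "acct-A", 4_800),
    (date(2024, 3, 9), "acct-A", 4_900),
    (date(2024, 3, 20), "acct-A", 4_700),
    (date(2024, 3, 5), "acct-B", 2_000),
    (date(2024, 6, 5), "acct-B", 9_500),
    (date(2024, 3, 7), "acct-C", 12_000),
]

def find_structuring(transactions, threshold=THRESHOLD, window=WINDOW):
    """Return {account: (first_day, last_day, total)} for accounts whose
    individually sub-threshold payments sum past the threshold in a window."""
    recent = defaultdict(deque)   # account -> retained (day, amount) records
    running = defaultdict(int)    # account -> sum of the retained records
    alerts = {}
    for day, account, amount in sorted(transactions):
        if amount > threshold:
            continue              # reported on its own; not the split pattern
        q = recent[account]
        q.append((day, amount))
        running[account] += amount
        while day - q[0][0] > window:          # drop records older than window
            running[account] -= q.popleft()[1]
        if running[account] > threshold and account not in alerts:
            alerts[account] = (q[0][0], day, running[account])
    return alerts

def reported_only(transactions, threshold=THRESHOLD):
    """What a collector would hold if only over-limit reports were filed."""
    return [t for t in transactions if t[2] > threshold]

if __name__ == "__main__":
    print(find_structuring(SAMPLE))                  # acct-A is flagged
    print(find_structuring(reported_only(SAMPLE)))   # nothing can be flagged
```

The detector only works on the full ledger: fed nothing but the over-limit reports, it has no records to add up, which is the point of the question in the text.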
The vast apparatus of record-keeping and data collection does not exist to prevent future incidents, it exists to retro-scope the past.
I am not trying to paint a conspiracy theory, but rather to illustrate that there is already a history of retroactive data analysis being used to take political figures off the game-board. Could the same techniques be used in the future? Of course they will. The question is whether they will be used even-handedly, to weed out official corruption wherever it may be found, or to weed out official corruption in the opposition party.
This is nothing new: the FBI investigated Martin Luther King’s sexual wanderings and recorded them, Nixon attempted to corrupt the CIA and IRS into investigating his political opponents, etc. We should expect this sort of thing from politicians – which is why computer security practitioners and privacy advocates have been waving warning flags over the intelligence community’s aggregation of power over domestic communications.
Back to the questions from the email:
The reason I ask is to know if I should be nagging our local organizers to encrypt their communications more.
It’s probably not worth even trying to protect your communications. They should assume that their communications have been compromised and that the very fact they are communicating at all means they will be subject to traffic analysis. The US Government’s various intelligence agencies have been buying copies of Palantir like it’s going out of style. One should assume that if they regularly communicate with a group that is being investigated, they will be appearing as a pixel on a display like the one above. If you’ve been buying drugs on the “dark web” and you’re also a part of some dissident group, you’re going to be the pixels appearing as links between those two groups. When the establishment needs an agent-in-place in the dissident group, they’ll turn you, just like they did Sabu: want to lose your kids? Your job? Spend some time in jail? No? Then we can work something out.
If you want to communicate securely, don’t use the internet, or any national mail service, cell phone messaging, or … crap, what’s left? I’m reminded of Ghost Dog and his carrier pigeons as a way of getting messages to/from his feudal lord.
Either operate openly and understand the ground-rules of the world in which you communicate, or go off the grid. Those are your choices.
If you want to continue to operate in the grid, use Signal, or Protonmail, but assume that if you’re communicating using techniques intended to bypass monitoring that you’re going to be more closely monitored because you are doing so. In the old days it was accepted as a given that if you were using PGP your messages would be collected. Now it’s Signal and whatnot. The reason for this is important: they collect the messages and keep them, because if the communications channel is eventually compromised, then they can back-decrypt your traffic – it’s like a telescope into the past. Ask Petraeus and Spitzer how that works. Imagine if you’re using Signal for 5 years and in year 6 someone at NSA figures out a flaw in their random number generator that allows them to back-crack keys: those 5 years’ worth of stored crypto-blobs are now decrypted offline and fed into the analysis engine.
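The "telescope into the past" scenario above, as an added toy example that is not from the original post and does not model Signal or any real product: the cipher, the 16-bit generator state, the message header and the messages are all constructed assumptions.

```python
import hashlib
import random
import secrets

SEED_BITS = 16       # toy state size of the hypothetical flawed generator
PREFIX = b"MSG: "    # constructed known header used to recognise a plaintext

def keystream_xor(key, data):
    """Toy stream cipher (illustration only): XOR with SHA-256(key || offset)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def weak_key(seed):
    """128-bit key whose only entropy is a SEED_BITS-bit seed."""
    return random.Random(seed).getrandbits(128).to_bytes(16, "big")

def back_decrypt(blob):
    """Run years later against a stored blob: try every possible seed."""
    for seed in range(2 ** SEED_BITS):
        plain = keystream_xor(weak_key(seed), blob)
        if plain.startswith(PREFIX):
            return plain
    return None

def build_archive():
    """Constructed traffic as a collector would have stored it: ciphertext only."""
    msgs = [PREFIX + b"meet at the library, 6pm", PREFIX + b"bring the flyers"]
    weak = [keystream_xor(weak_key(s), m) for s, m in zip((4242, 9001), msgs)]
    strong = keystream_xor(secrets.token_bytes(16), msgs[0])  # sound generator
    return msgs, weak, strong

if __name__ == "__main__":
    msgs, weak, strong = build_archive()
    print([back_decrypt(b) for b in weak])   # both plaintexts come back
    print(back_decrypt(strong))              # seed search finds nothing
```

The stored blobs look equally opaque on the day they are collected; what separates them later is whether the key generator's entropy outlasts the archive.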
The email questions conclude:
The Indivisible Guide recommends using WhatsApp or Signal, but of course if you have better recommendations I am all ears.
I don’t, really. Assume your communications are compromised and operate as though everything you do is public.
I’m sorry it has gotten so bad. The cipherpunks[wikipedia] tried to warn everyone, starting back in the early nineties, but by then the battle-lines in the security community had already been drawn. There was a great deal of money to be made producing systems for surveillance and data collection on behalf of the police state, and many practitioners gravitated toward the money. Capitalism works that way: it forces you to forge your own chains, then punishes you if you complain later that they are uncomfortable.
By the way, if anyone wants them, the tutorial notes for my 1997 USENIX class “Secure Communications Over Open Networks” are here. Unfortunately, I never PDF’d the notes pages. It’s quite dated, now, but the problems are still the same. I describe the ssh-VPN-over-PPP trick, which was only known to a few ultra elite hackers in 1997, but which has since become reasonably well known. Also, the trick of using bulk encryption (in my example I used PGP) over backchannels like in-game chat has been publicized. There was a while when the FBI was seriously worried that ISIS was going to use World of Warcraft as a communications channel. As if! Anyone cool would use League of Legends. (Actually, they’d use steganography to carry superencrypted messages through one of the myriad image-sharing services, or paper letters delivered by hand.)