Thursday, 18 September 2014

Issues of 21st century spying go much deeper than NZ election


The spying revelations revealed on Monday night by Kim Dotcom, Edward Snowden, Julian Assange, and Glenn Greenwald go much deeper than the New Zealand elections.

This is no longer about spying and where we want to set the balance of privacy and security. It’s fast becoming a question about how we want the very foundations of representative government to look in the future.

Whether John Key’s government survives Saturday’s decision may or may not hinge on whether the voting public feel sufficiently aggrieved at the exposures. Edward Snowden’s track record of accurate intelligence leaks suggests his accusations have substance, but as yet, he has not provided sufficient hard proof to back up those claims.

One of his claims Monday night was that the Government Communications Security Bureau (GCSB) was collecting every scrap of electronic data emitted by New Zealand citizens as part of a US National Security Agency (NSA) programme called “SPEARGUN”.

Mr Snowden reported to have evidence that the programme used covert means to break into the fibre optic cable connecting New Zealand with the world’s Internet. Prime Minister John Key did later admit a “test probe” was created for a similar purpose but the programme was abandoned for technical and storage reasons in 2012 or 2013.

Both claims appear to focus on the centrality of New Zealand’s only Internet cable, which, in a world where almost every piece of communications data flows across such trunk lines, is significant.

Members of Monday night’s panel have in the past already exposed an effort by the NSA to “collect everything”, according to NSA documents referring to Internet data. New Zealand’s section of the network appears to be just as important in this effort.

However, NBR ONLINE reported in August that any claims of secret tapping of the undersea Southern Cross Cable linking New Zealand’ Internet with the United States and Australia are unfounded.

The cable itself is highly unlikely to have been spliced or “bent” without the system operator knowing and causing a serious outage. And according to Southern Cross Cable’s chief executive Anthony Briscoe no such invasion has been undertaken to his knowledge.

But there is a larger context in regards to the Southern Cross Cable which needs to be fleshed out a bit more. Mike McGrath, a technician responsible for the operation of the cables’ landing site in Auckland’s Takapuna suburb, explained to the NBR that the cable doesn’t solely serve New Zealand’s Internet needs.

Since New Zealand is too small an economy to fund its own cable from the United States, the original venture relied on Australian funding to begin. Mr McGrath described how the cable’s traffic includes content originating in East and South East Asia.

That traffic never passes through servers or routers based on the United States mainland. Instead, very roughly, it begins and ends in a closed loop limited to Australia, New Zealand and Pacific Islands.

In effect, a collection site in Auckland or Australia would give the NSA and GCSB an efficient source to gather the balance of East and South East Asian traffic which doesn’t pass through the US. Neither the technician nor Southern Cross Cable’s CEO knew of such a system – hardware or software – operating inside their network.

Although, Mr McGrath hypothesised that such a collection site, if the NSA did want to spy on New Zealanders, would be better placed on one of the domestic telecom networks such as Spark or Vodafone. In other words, the NSA has better options than using the cable if New Zealand was its target.

But putting a collection apparatus on the landing site would make perfect sense from a foreign intelligence–gathering perspective because the vast majority of Internet traffic passing through our cable does not arrive in New Zealand, instead it passes straight through to Australia and Asia destinations.

How does this fit into the context of the larger geopolitical reality? South East Asia especially has experienced a great deal of militant activity over the past decade since the 219 program (the metadata collection activity mentioned by Edward Snowden on Monday) was implemented. Australia directly, but not alone, has been the target of terror attacks from this region during this time.

This does not include the multitude of threats posed by state actors in the region (as opposed to non-state actors), criminals, drug smugglers, extortionists, pirates, capable hackers and low-level hackers. The security environment in East and South East Asia is fluid, so to speak.

Possessing a collection site in New Zealand – assuming such a site exists – fits into the wider security strategy of the Five Eyes intelligence network (of which New Zealand is a signatory along with Australia, Canada, the United Kingdom and the United States) and its allies.

The realities of the real world

A key point to remember about such a collection processes is the very nature of the Internet and how simply gigantic it is. No longer can a state’s signals intelligence agency (intelligence defined as electronic communications) focus on known enemy channels and bypass friendly or neutral traffic. It’s not that simple anymore.

No one complained, for instance, when, during the 1960s and 70s, the NSA turned its ears towards the Soviet Union where modern-day Russia stored its Intercontinental Ballistic Missile fields in the frozen permafrost beyond the Ural Mountains.

Many similar methods used on the Internet by the NSA today with their metadata systems were employed looking for keywords in Soviet radio traffic, searching for commands like “launch” or “test”. Knowing which command one was which was crucial for world peace.

The issues now is not that the NSA and GCSB use such methods to gather and analyse intelligence in the 21st Century, but that they use the same methods when the threats are no longer as simple to define and pinpoint as fixed ICBM fields.

For instance, militants operating in the jungles of the southern Philippines or Indonesia do not enjoy the resources of state systems. They communicate their intentions and plans with each other using Gmail and Yahoo! email accounts while operating perfectly innocuous Facebook and Twitter accounts to spread their messages.

Competent militants or terrorists deploy these processes secretly, hiding their communications among the traffic of everyday communications. Sometimes, as is the nature of the Internet, their traffic commingles with a discussion between a businessperson in New Zealand and their counterpart in Finland, for example.

It all depends on the most efficient travel route for that Internet traffic. It gets mixed up as plain photons and simple 1’s and 0’s along with everything else. That’s the new world our intelligence agencies have to deal with.

Unfortunately, no one has been able to create the perfect intelligence-gathering device yet. One in which only bad people’s data is vacuumed up. Instead, the NSA and GCSB were forced to bend their collection answers discovered last century over into the new century to answer the new questions. The result is very messy and very controversial, but there’s no way around it yet.

The conundrum the NSA and GCSB face is that in order to find that crucial needle of bad plans, they need to create a haystack. What emerges from this collection process is the inescapable result of gathering all Internet data at once. Ultimately, to provide sufficient security, our signals intelligence agencies must gather as much data as possible.

Sometimes that process includes your communications with friends and loved ones, in other words, private communications that we don’t want touched by anyone else.

But how far does the GCSB or NSA actually go?

The NSA and GCSB know this reality. After all, citizens with private lives just like anyone else staff those agencies. So they put in place self-limiting measures to ensure that people’s privacy wasn’t invaded unnecessarily in the course of their work.

For instance, using only Edward Snowden’s words and documentary proof, the NSA gathers metadata records (call duration, phone numbers, IP addresses, email addresses and other framework material), not the content of people’s calls or emails. The data is stored and can be queried by a programme called XKEYSCORE, again, all revealed by Mr Snowden.

When would an analyst need to query this metadata? Consider a scenario in which a militant’s cell phone or laptop is confiscated in one of the hundreds of law enforcement or Special Forces raids occurring across the world each year.

The phone or email records stored on those devices can be entered into the XKEYSCORE system to ask the program whom this phone or email address has talked to in the past day, week, month or year.

From there, if the analyst finds a connection in their stored metadata records, the analyst is able to ask again for more connections related to the new point of contact. This query loop can only occur around two to three times before the information becomes both irrelevant (think of “degrees of separation” dilemma) and illegal.

Other commentators have pointed out how metadata can be used in a puzzle method to put together a surprising amount of information about an individual, even if the content of the calls or emails cannot be read directly by an analyst. That is indeed true, but the context is important here.

The intelligence agencies of the Five Eyes partners are the most powerful state apparatus’ the world has ever seen. They clearly have the ability to gather every message uttered electronically by anybody on earth in whatever form – forever. And yet, according to Edward Snowden himself, they do not do this. They stick with the metadata.

Another key point to remember in this debate is where the governments of the Five Eyes partners have decided to put the bar of what they are willing to do. It can be assured that this bar can be lowered and the collection powers of the NSA and GCSB remarkably improved until they catch and analyse every relevant piece of bad communication. The capability exists.

Yet the restraints imposed by the representative governments of those countries, and the directors of those agencies self-limit the degree to which their collection efforts can extend. The key phrase here is ‘self-limit’.

What Edward Snowden and the other three important panellists Monday night don’t tell you is that every other nation outside the Five Eyes partners does not self-limit in this way. They don’t even come close. Someone needs to ask France how its supposedly “free” country deals with its own Internet traffic. It’s not pretty.

The panellists are talking about the most powerful and yet the most constrained intelligence agencies in the world. That’s not a cheap fact, it’s the objective reality, again, based off the revelations exposed by Edward Snowden himself.

And he did not simply leak a few drops or a bucket, Mr Snowden revealed the very plumbing of the NSA. There is probably very little left inside that agency that won’t be revealed about what they’re up to.

Finally, it has to be remembered why those programmes were created in the first place.

The all-important context

Today there are high school children who do not remember the events of September 11, 2001. That might be hard for adults to understand, but we are moving inexorably further away from those horrible events every day and it’s showing.

I recall that day like it was last week. Being awoken by a phone call from the United States at 4am in the morning and told something was happening and we’d better turn on the television was scary. Everything about that day will stick in my mind for the rest of my life. If you say you weren’t worried on that day, even in New Zealand, you aren’t remembering clearly.

After all, if it could happen in the United States, why not in New Zealand? The western world’s reaction in the immediate future following those events was to turn to its intelligence agencies and ask both why they didn’t see it coming and whether there was anything they could do to prevent a repeat of the attacks.

Our agencies have been hauled over the coals, and God help the GCSB if a similar attack happens in New Zealand. Yet the issue of what other methods and processes they could implement to protect us has been an ongoing question.

In the wake of the confusion and fear of 9/11, the 219 program (metadata) and others were established and implemented. Since then, they have evolved and refined and become extraordinarily effective considering the constraints and realities imposed on them by the modern communications system as outlined above.

That no large-scale attack has occurred in the United States is in a large part testament to the success and efficiencies of those programs. Attacks on the scale of 9/11 – and many were planned by terrorists over the last 13 years – are now the least likely terrorist attack on the spectrum. You can thank your nearest intelligence officer for that.

The problem with all of this, and what we saw Monday night is one result, is that as time moves on, the balancing act of privacy with security begins to tip in the favour of privacy more and more. When the memory of fear fades into the background, citizens demand that soldiers be recalled from the parapets for more profitable work.

This is the reality of living in an evolving world. Intelligence officers are at the mercy of their citizenry in organising what they can and cannot do, and what they will and will not do. If they get the word that their collection methods are no longer justifiable in the present climate, then they will switch off those processes or lift that bar back to a more privacy-friendly notch.

And yet, what the four panellists Monday night do not seem to understand about this process is what this debate truly means for the future. If they succeed in convincing enough people to demand the government switch off those programs, they must understand the trade-off of such a decision.

Consider what would happen in this new, privacy-friendly utopia if a terrorist attack were to occur in Auckland.

Instead of ignoring the attacks, people would be protesting outside the Beehive demanding greater government protection. Most people would sideline their preconceptions about privacy and rush to help the prime minister sign new legislation allowing the GCSB to lower that bar again to provide better security.

Our intelligence officials, professional as always, would calmly comply. But deep down they would explain to those who would listen that the privacy/security trade-off decision made by the country in 2014 made it easier for the attacks to occur. Their hands were constitutionally and legally tied.

The core of the debate

The trick for this question is not to let the bar slip effortlessly higher or lower on a whim of the crowd. Citizens have the right to be worried and scared both for their privacy and security, but they have the responsibility to encourage the construction of checks and balances in their governments which allow for rational and cool thought in the event of either great fear or great peace. That is a true balance.

This stuff is really hard. Remember that the 219 program (metadata) as constructed by the NSA was approved in the United States by all three branches of government (legislative, judicial and executive) on multiple occasions and by two presidents who could not be more different in character and politics.

All of those institutions were operating on the assumption that they possessed the full compliance and support of their constituencies. They were part of a representational government, in a similar structure to the government of New Zealand. What they were doing to protect their country was considered in the interest of its citizens.

Yet when the revelations of Mr Snowden emerged, the public in both New Zealand and the United States dismissed the explanations and reasoning of their elected officials almost categorically.

They said, “it’s all very well that our representative governments made these decisions. And it’s all very well that the NSA and GCSB secretly briefed our leaders in closed rooms to protect their sources and methods.

“But they didn’t tell ME!”

Fair enough. If the new world of communications and government can no longer operate on foundational assumptions, then so be it. But this is where the debate becomes not just about our present situation, but more strictly about our future.

If we say that we no longer trust our representative leaders to make security decisions on our behalf, then we’re going to have to invent not just a new balance for security and privacy, but potentially a whole new way of conducting the government of free peoples.

Again, the events of Monday night are no longer about some messy general election in the smallest partner of the world’s more powerful intelligence alliance. It’s quickly becoming the beginning of a realisation that the old ways of doing things – the old answers – no longer apply to the new questions.

It’s going to take more than a few intelligence revelations and demagogic Germans to figure out how to fix this.

If you really want to be truly involved in this country’s politics, consider this election your first real excuse to think deeply about what sort of governmental structure you want your kids living in. This goes beyond what party or personality you want at the head.

No comments: