11.07.2015 Views


In April 2014 the Heartbleed vulnerability, a critical flaw in OpenSSL, was discovered. As one analyst put it: “[OpenSSL] is a software which is used to secure hundreds of thousands of websites, including major sites like Instagram, Yahoo, and Google. This security exploit can give attackers access to sensitive information like logins and passwords, as well as session cookies and possibly SSL keys that encrypt all traffic to a site.” [7] Other than the security hole there were two major problems with Heartbleed. The first was that the National Security Agency (NSA) in the United States knew about this vulnerability for at least two years and used it to intercept communication traffic instead of fixing this global security problem. [8] Secondly, after the vulnerability was discovered, the bigger internet companies fixed the problem quickly while internet companies with less security expertise lagged behind, leaving their clients vulnerable for a longer period of time.

It is important to realise that Heartbleed is only one example of a vulnerability used for monitoring of communication. At the end of 2013 the German newspaper Der Spiegel reported on the NSA’s Tailored Access Operations unit (TAO). Der Spiegel uncovered that TAO has multiple methods to intercept communications between people, which required them to install backdoors on, among others, internet exchange points (IXPs), internet service providers (ISPs), modems, computers and mobile phones. To increase the ability to intercept communication traffic the NSA chose to compromise the security of the entire internet and mobile infrastructure for intelligence purposes. [9][10] Both Heartbleed and Tailored Access Operations are examples of the government using infrastructural vulnerabilities for surveillance instead of fixing the problem, leaving us all more exposed to exploitation.

Censoring of content

States have different ways to censor content: technical blocking, search result removal, take-down of content and induced self-censorship. [11] Technical blocking can target specific websites, domains or IP addresses, or use keyword blocking which automatically looks for specific words and blocks access to websites where these keywords are found. Government can also request the blocking of specific search results. Google’s transparency report states: “Governments ask companies to remove or review content for many different reasons. For example, some content removals are requested due to allegations of defamation, while others are due to allegations that the content violates local laws prohibiting hate speech or adult content.” [12] Take-down of content is used when states, companies and others can demand the removal of websites or content through the court.

However, in the last two years we have seen other ways in which non-state groups use the terms and conditions of social media platforms to take down content. Syria activists believe that the Syrian Cyber Army, a collection of computer hackers who support the government of Syrian President Bashar al-Assad, [13] is using Facebook’s terms and conditions to take down content published by the Syrian opposition. Facebook’s community standards are guidelines to protect the community and do not allow content that can be described as graphic content, nudity, bullying and more. [14] If a user believes that a post on Facebook violates these terms they can report it as abuse, which is called flagging. The Syrian Cyber Army is allegedly using this complaint procedure to flag content which shows human rights violations by the Syrian regime as inappropriate and graphic content, after which it can be taken down. [15] This is particularly problematic since the Syrian opposition moved to social media after a crackdown on the traditional media – and the country’s citizens.

There are also cases where a state does not need to have legal jurisdiction over social media sites to request the take-down of content. In May 2014 Twitter censored tweets in Russia and Pakistan. In the case of Pakistan, Twitter caved in to pressure from the government to censor specific tweets that were deemed blasphemous or unethical. In Russia, Twitter took down the content of a Ukrainian Twitter account which, according to Eva Galperin of the Electronic Frontier Foundation (EFF), is “plainly political… These actions are highly problematic as independent media in Ukraine is increasingly under attack.” [16] In both countries, Twitter does not have formal representation and there is no legal jurisdiction over the service, yet still the service providers complied with government requests.

Profiling of people

Much of our behaviour is already leaving digital traces – even actions that seem as harmless as walking down the street. Traffic and surveillance cameras are monitoring us, our mobile phones are registering our whereabouts every moment of the day and we voluntarily post our private lives on public proprietary platforms. This might seem innocent at first, but there have been numerous instances where a mobile phone has been used to locate someone, and online behaviour and information are used for profiling.

During the protests in Ukraine in the beginning of 2014 a collective message was sent to mobile phone users near the scene of violent clashes in Kiev: “Dear subscriber, you are registered as a participant in a mass riot,” it said. [17] In the end the protestors toppled the regime of ex-president Viktor Yanukovych, yet the records of who was near the square still remain. Mobile phone companies have the capabilities to track and collect the following information on you through your phone: phone calls, text messages, data services you use, and your approximate location, and may share that information with the government. A mobile is a goldmine of information: your phone book with all your contacts in it, call history, text messages, locations and previous locations, data from any application you are using, and photos and videos. In addition, governments and phone companies can see which phones are close to yours, which other “people” or phones are in the room.

Regimes have also used malignant viruses to profile political actors and their networks. The most well known cases are of the commercial malware Hacking Team [18] and FinFisher [19] that were – and might still be – deployed in countries like Ethiopia, Bahrain, Mexico and Turkmenistan. Privacy International published one of FinFisher’s brochures, which states: “The product is known as FinFisher and is delivered onto computers, it then harvests information from the computer, from passwords and web browsing sessions, to Skype conversations. It can even switch on a computer’s webcam and microphone remotely.” [20]

Challenges

In mitigating these different threats there are a number of challenges we have encountered, specifically when you approach censorship and communications surveillance from a human rights defenders or journalist perspective.

The majority of digital threats are invisible and abstract. While a virus on your computer or phone can grant someone access to your physical surroundings by turning on the camera or microphone, we do not see it and therefore the threat remains abstract. The second challenge is that secure communication is always a trade-off between security and convenience. Security measures are seen as cumbersome and a distraction from the priorities of the day. When in the trenches, short-term wins and threats are more pressing than the intangible nature of communications surveillance and long-term exposure – especially when installing and using certain tools can be more inconvenient and time consuming than using unsecure communication methods.

When a digital emergency happens, it is difficult to know where to turn, who to ask for help and how to solve the problem. Very few organisations have done work on the prevention of digital emergencies. If we live in an earthquake-affected area, we have flashlights, water and emergency plans ready; but even with all the knowledge of different digital threats and communication surveillance, similar contingency plans to mitigate digital threats are few and far between. If NGOs, human rights defenders or media organisations recognise

[7] Zhu, Y. (2014, April 8). Why the web needs perfect forward secrecy more than ever. Electronic Frontier Foundation. https://www.eff.org/deeplinks/2014/04/why-web-needs-perfect-forward-secrecy
[8] Riley, M. (2014). NSA said to have used Heartbleed bug for intelligence for years. Bloomberg. www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bugexposing-consumers.html
[9] Appelbaum, J., Horchert, J., & Stocker, C. (2013, December 29). Shopping for Spy Gear: Catalog Advertises NSA Toolbox. Der Spiegel. www.spiegel.de/international/world/catalog-reveals-nsahas-back-doors-for-numerous-devices-a-940994.html
[10] Appelbaum, J. (2013). To Protect and Infect: The militarization of the internet. Presentation given at the 30C3, Hamburg, Germany, 29 December. https://www.youtube.com/watch?v=vILAlhwUgIU
[11] https://opennet.net/about-filtering
[12] Google. (2014). Transparency report: Requests to remove content. https://www.google.com/transparencyreport/removals/government/
[13] https://en.wikipedia.org/wiki/Syrian_Electronic_Army
[14] https://www.facebook.com/communitystandards
[15] Pizzi, M. (2014, February 4). The Syrian Opposition is Disappearing From Facebook. The Atlantic. www.theatlantic.com/international/archive/2014/02/the-syrian-opposition-is-disappearing-fromfacebook/283562
[16] Galperin, E. (2014, May 21). Twitter steps down from the free speech party. Electronic Frontier Foundation. https://www.eff.org/deeplinks/2014/05/twitter-steps-down-free-speech-party
[17] Walker, S., & Grytsenko, O. (2014, January 21). Text messages warn Ukraine protesters they are ‘participants in mass riot’; Mobile phone-users near scene of violent clashes in Kiev receive texts in apparent attempt by authorities to quell protests. The Guardian. www.theguardian.com/world/2014/jan/21/ukraine-unrest-textmessages-protesters-mass-riot
[18] Marczak, B., Guarnieri, C., Marquis-Boire, M., & Scott-Railton, J. (2014). Hacking Team and the Targeting of Ethiopian Journalists. Toronto: The Citizen Lab. https://citizenlab.org/2014/02/hackingteam-targeting-ethiopian-journalists
[19] Marquis-Boire, M., Marczak, B., Guarnieri, C. & Scott-Railton, J. (2013). For Their Eyes Only: The Commercialization of Digital Spying. Toronto: The Citizen Lab. https://citizenlab.org/2013/04/for-their-eyes-only-2
[20] https://www.privacyinternational.org/sii/gamma_group

Global Information Society Watch / Thematic reports
