2008/07/03

To Spy a Mockingbird


This is not a short story, not even a scary one. It is a rant. A cry out of indignation while I can. I hope that this technical analysis demonstrates how futile and suspicious it is to spy on an entire society.
Surveillance societies are springing up like mushrooms nowadays. One here, one there, one over there, one down there, even under my own feet. But these are not nice mushrooms you pick up on a chilly autumn afternoon. No, these are the ones that eat your feet, your hands, your face, slowly but surely.
Enough with the prose. Let's get technical, shall we?

Why Massive Surveillance Does not Work Against Threats

Assume for a moment that every single electronic communication is analyzed for the sake of saving us from terrorists, and that there is enough computational power to do it reliably and fast enough.
How can a machine tell the difference between a legitimate lawful communication and a criminal one? For starters, one has to tell the machine what a criminal one looks like. One has to figure that out oneself.
Suppose one has done it, somehow, by correlating hundreds of "real-world" criminal communications captured under previous legal frameworks (i.e. pre-massive surveillance).
Who can assure that no one is taking shortcuts? Like, for example, making a few rules to match a handful of websites, email addresses, keywords, names and phone numbers. If someone does that, then a whole lot of false positives will emerge. I won't bother posting them; there are many examples. Simpleton rules like that cannot tell a criminal from a person doing useful independent research to combat terrorism, as has happened. They cannot tell if some teenagers are too curious for their own good. They cannot tell if the target person is only a plumber who happens to service the area of a suspect. And of course the simpleton rules grow and grow, because someone was careful enough to make sure new suspects are registered in the database, but not careful enough to think about how to handle false positives. Something tells me the TSA "no-fly list" is a perfect example of this.
Let's assume one more time that the rules are gold and they have a very good hit rate, say 80%.
I would not be surprised if the surveillance yielded results pretty fast. Then the arrests will stall. Why? Human nature: we adapt, we evolve, and very quickly. Criminals and terrorists will soon adapt. How? The first one is a no-brainer: encryption. The second one is also easy: use other channels, regular post, parcels, newspapers, the whole of the spy v spy arsenal of WWII. The next ones are getting scarier. But actually something similar has happened already.

Spam is an excellent example of criminal(esque) activity adapting very quickly and increasing in complexity. Actually, most of our email is already scanned and monitored for the purpose of spam and malware control. How many times have you received email with viruses and spam despite all the filters? How many times has a legitimate email been discarded? But spam monitoring would be the inverse of criminal monitoring (ignore legitimate conversations but capture suspicious activity), and it will be the government, not your ISP, doing the monitoring, and the consequences are far greater.
So how to fool surveillance? Scary question; by now you have read the disclaimer. If not, scroll down and read it. Simple answer:
  • Make your conversations look like regular ones (just like spam)
    • Imagine steganography but 21st century style
  • Make everyone else's conversations look suspicious (just like spam botnets)
    • Infect millions of computers/mobiles with worms or viruses that behave to match the scanning rules
Voila! Completely neutralized. Now the monitoring agents will have to adapt their rules to capture the new behavior, to filter out the noise. Chances are that the surveillance created an even better medium for criminal activity than electronic communications were before. Right now probably just a handful of people are using complete communication encryption for genuine purposes, and probably criminals are dumb enough not to use encryption or disguise their activity. But as soon as the low-hanging fruit is gone (i.e. dumb criminals in jail), the game becomes exponentially more difficult. I am going to leave the proof of that to some idle Ph.D. :) Regular people will start using encryption and criminal techniques will become harder and harder.
One may argue that rules will have to be refined endlessly, creating the classic "arms race" of good guys v bad guys. But to refine the rules you have to do good old-fashioned classic criminal investigation, forensics and analysis work. No computer magic here; sorry, they are not that smart, just as smart as the people that programmed them.
Here is my proposal: surveillance is not useless. It is a handy tool in criminal investigations that current legal frameworks should allow when there is compelling evidence that suspicious activity is taking place. Massive surveillance cannot replace good old-fashioned classic criminal investigation work. And I think someone else said it before me. Whether mass surveillance or not, humans have to intervene; the difference is how we perceive "decisions" taken by a machine. We assume machines cannot be wrong (being a technologist, the reason why escapes my understanding), and then we act coldly. If the rules, created by humans, have errors, then mistakes will be made and they will be very costly indeed. People! Snap out of it! Technology cannot solve anything by itself; it is a tool, not a complete solution.
More proof that mass surveillance is ineffective? Against terrorism and criminal threats, that is, of course. More than one government that has such laws in place has resorted to the desperate measure of asking the public to report suspicious terrorist activity. As if people without training could tell the difference between a terrorist and someone ordinary acting wacky. Quite frankly, the idea sounds desperate.
Mass monitoring may be useful for other purposes, but definitely not for combating crime. Just ask the Soviet Union. Anyway, just in case, whenever I visit a government office in the future I will perfume my undies and trousers beforehand. Just in case.

Mass monitoring is such a dumb idea only a politician could listen to it.

Disclaimer
By reading, loading, forwarding, requesting or displaying this page, partially or fully, or any of its contents you agree not to sue the author or anyone in connection with the work.

Update
Someone in the US Government also thinks it is unfeasible to spot terrorists with data mining.

Credits:
Image 1: http://flickr.com/photos/poper/
Image 2: http://flickr.com/photos/nhall/
Image 3: http://flickr.com/photos/enjoy-surveillance/
