CSC 379:Week 4, Group 1: Difference between revisions

From Expertiza_Wiki
Jump to navigation Jump to search
 
(28 intermediate revisions by 4 users not shown)
Line 1: Line 1:
=Internet Surveillance (e.g. AT&T’s NSA Rooms)=
=Internet Surveillance (e.g. AT&T’s NSA Rooms)=
==The issues concerning internet surveillance==
==The issues concerning internet surveillance==
Most of us are aware of government surveillance as it pertains to wiretapping to listen in on phone conversations. This type of government surveillance has had many laws developed around it and how and when it may be done. With the growth of internet traffic, similar surveillance has appeared in the realms of email, voice over IP (VOIP), and general internet traffic. The same problems that occurred years ago for the telephone communications networks have been approached for internet communications.
Most of us are aware of government surveillance as it pertains to wiretapping to listen in on phone conversations. This type of government surveillance has had many laws developed around it and how and when it may be done. With the growth of internet traffic, similar surveillance has appeared in the realms of email, voice over IP (VOIP), and general internet traffic. The same problems that occurred years ago for the telephone communications networks have been approached for internet communications.


The first issue that surrounds internet surveillance is how to make it possible. In order to conform to Communications Assistance for Law Enforcement Act (CALEA), phone networks had to be designed so that wiretapping was an easy thing to do if an appropriate government organization requested it. However, much internet traffic is optical instead of electrical. When electricity travels through a wire, it emits a small magnetic field. Something very close to the wire could intercept the electrical communication without affected it. Optical communication doesn't "leak" any of the light, so the communication has to be disturbed in order to intercept it. This is usually done with a splitter which diverts a percentage of the light down another path.
The first issue that surrounds internet surveillance is how to make it possible. In order to conform to Communications Assistance for Law Enforcement Act (CALEA), phone networks had to be designed so that wiretapping was an easy thing to do if an appropriate government organization requested it. However, much internet traffic is optical instead of electrical. When electricity travels through a wire, it emits a small magnetic field. Something very close to the wire could intercept the electrical communication without affecting it. Optical communication doesn't "leak" any of the light, so the communication has to be disturbed in order to intercept it. This is usually done with a splitter which diverts a percentage of the light down another path.


The second issue is authority. Mainly, who decides whether and how much internet surveillance can take place. Should there be a different authority or amount of evidence in order to intercept foreign communications as opposed to domestic? Does the person whose information is being gathered have to be notified? Does the court have to issue a warrant for a government agency to investigate internet traffic? If so, how much information can be gathered without a warrant?
The second issue is authority. Mainly, who decides whether and how much internet surveillance can take place. Should there be a different authority or amount of evidence in order to intercept foreign communications as opposed to domestic? Does the person whose information is being gathered have to be notified? Does the court have to issue a warrant for a government agency to investigate internet traffic? If so, how much information can be gathered without a warrant?
Line 13: Line 12:


==Ethical issues with CALEA==
==Ethical issues with CALEA==
Making it possible to intercept internet communications has several privacy issues surrounding it. A large amount of information passing through the internet is encrypted making it difficult to intercept. "Wiretapping" optical lines involves splitting which degrades the signal strength unlike typical phone line wiretapping. Because the information is essentially anonymous once it leaves the local network and enters the world wide web, is it even possible to filter out a single person's communication? If there is a backdoor for government internet surveillance capabilities, how can the typical American be assured that this backdoor is only used by the government?
Making it possible to intercept internet communications has several privacy issues surrounding it. A large amount of information passing through the internet is encrypted, thus making it difficult to intercept. "Wiretapping" optical lines involves splitting, which degrades the signal strength, unlike typical phone line wiretapping. Because the information is essentially anonymous once it leaves the local network and enters the world wide web, is it even possible to filter out a single person's communication? If there is a back door for government internet surveillance capabilities, how can the typical American be assured that this backdoor is only used by the government?


===Encryption===
===Encryption===
Line 19: Line 18:


===Splitting optical communication===
===Splitting optical communication===
With electrical communications, government organizations could easily start intercepting information without affecting that communication in any way. This can not be done with optical communications. Therefore, in order to allow surveillance effectively, the intercepting of information must have already been started before it was requested. This means that average citizens of the United States will have the information intercepted (even if not recorded) regardless of whether the citizen is under suspicion. Shouldn't unsuspected people be allowed privacy of their communications?
With electrical communications, government organizations could easily start intercepting information without affecting that communication in any way. This can not be done with optical communications. Therefore, in order to allow surveillance effectively, the intercepting of information must have already been started before it was requested. This means that average citizens of the United States will have the information intercepted (even if it is not recorded) regardless of whether the citizen is under suspicion. Shouldn't unsuspected people be allowed privacy of their communications? Moreover, does the interception, even without use, of a person's communications, without probable cause, violate their Constitutional rights?  To many, it would seem so.


===Difficulty of filtering===
===Difficulty of filtering===
Most legal surveillance depends upon the governments right to intercept communication from or to a particular person or organization. However, in many circumstances, this is impossible without intercepting a large amount of communication between other people. Since this information is intercepted, a government agent could stumble upon private communications. The only method preventing this accidental invasion of privacy is programs that attempt to filter out only certain types of data. Since it cannot be proven that such filters will actually prevent invasion of privacy, should the government be allowed to intercept communications when they can't intercept only the suspected persons' data? What if the program could filter out all unsuspected individuals? Would it not still be an invasion of privacy for those communications to be intercepted and stored even if they are later filtered out?
Most legal surveillance depends upon the government's right to intercept communication from or to a particular person or organization. However, in many circumstances, this is impossible without intercepting a large amount of communication between other people. Since this information is intercepted, a government agent could stumble upon private communications. The only method preventing this accidental invasion of privacy is through the use of programs that attempt to filter out only certain types of data. Since it cannot be proven that such filters will actually prevent invasion of privacy, should the government be allowed to intercept communications when they can't intercept only the suspected persons' data? What if the program could filter out all unsuspected individuals? Would it not still be an invasion of privacy for those communications to be intercepted and stored even if they are later filtered out?


===Backdoor security===
===Backdoor security===
Having a backdoor for internet surveillance must be extremely secure. If a government agency can use the backdoor to intercept communications when given the appropriate authority, how can we be sure that such a backdoor can't be used without appropriate authority? Especially when dealing with the NSA, citizens fear that given an inch, they will take a mile. Allowing the backdoor to exist gives them the opportunity to use it at their own discretion no matter what the legal authority says. Just as well, building a backdoor into a system that doesn't intrinsically have such a backdoor lowers the security of the entire system. It may be possible for criminals to use the backdoor created in order to combat them for their own cybercrime.
Having a backdoor for internet surveillance must be extremely secure. If a government agency can use the backdoor to intercept communications when given the appropriate authority, how can we be sure that such a backdoor can't be used by anyone with sufficient technical knowledge, even without appropriate authority? Especially when dealing with the NSA, citizens fear that given an inch, they will take a mile. Allowing the backdoor to exist gives them the opportunity to use it at their own discretion no matter what the legal authority says. Just as well, building a backdoor into a system that doesn't intrinsically have such a backdoor lowers the security of the entire system. It may be possible for criminals to use the backdoor created in order to combat them for their own cybercrime.


'''Links'''
'''Links'''
Line 33: Line 32:


==Ethical issues with the limits of internet surveillance==
==Ethical issues with the limits of internet surveillance==
Internet surveillance is a very touchy issue for many people. There is a wide range of thought and laws regarding the limits to which such surveillance can go. Especially recently and due to the Patriot Act, their is an increasing difference between how much surveillance can be done on foreign communications versus domestic communications. There is a question, especially due to the NSA's recent actions to make it easier for them to intercept data, about how much data can be acquired before a warrant or other such authority is given. Along with how much data, is what type of data. Can government agencies freely collect information about where you send emails as long as they don't collect the content?
Internet surveillance is a very touchy issue for many people. There is a wide range of thought and laws regarding the limits to which such surveillance can go. Especially recently and due to the Patriot Act, there is an increasing difference between how much surveillance can be done on foreign communications versus domestic communications. There is a question, especially due to the NSA's recent actions to make it easier to intercept data, about how much data can be acquired before a warrant or other such authority is required. Of equal concern as the amount of data is its type. Can government agencies freely collect information about where you send emails as long as they don't collect the content? Can they, in fact, collect the content itself?  Perhaps more importantly, should they collect either?
 
===Foreign and domestic communications===
===Foreign and domestic communications===
There is a general idea that foreign communications should be closely monitored in order to prevent terrorism. However, most Americans also value their personal privacy and think that unsuspected citizens shouldn't have their everyday communications recorded and scrutinized by government officials. Therefore, there exists the Foreign Intelligence Surveillance Act (FISA) which allows a great deal of intelligence gathering for foreign communications that are not allowed for domestic law enforcement. In recent times, many citizens believe that the NSA is gathered information on internet traffic that is unrelated to international matters. Another interesting international surveillance issue deals with the Council of Europe Cybercrime Convention. This would have allowed foreign governments to request the NSA to intercept Americans. Should foreign governments be allowed to intercept internet data of Americans? Should domestic government agencies be allowed to investigate crimes through internet communications? Should the United States have different policies regarding international communications and domestic communications?
There is a general idea that foreign communications should be closely monitored in order to prevent terrorism. However, most Americans also value their personal privacy and think that unsuspected citizens shouldn't have their everyday communications recorded and scrutinized by government officials, even when such communications extend overseas. Therefore, there exists the Foreign Intelligence Surveillance Act (FISA) which allows a great deal of intelligence gathering for foreign communications that are not allowed for domestic law enforcement. In recent times, many citizens believe that the NSA has gathered information on internet traffic that is unrelated to international matters. Another interesting international surveillance issue deals with the Council of Europe Cybercrime Convention. This would have allowed foreign governments to request the NSA to intercept Americans. Should foreign governments be allowed to intercept internet data of Americans? Should domestic government agencies be allowed to investigate crimes through internet communications? Should the United States have different policies regarding international communications and domestic communications?


===Requiring a warrant===
===Requiring a warrant===
Naturally, most Americans favor requiring a warrant to intercept internet communication. However, the NSA has allegedly conducted much surveillance in recent years specifically without a warrant. Some people have pursued a [http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9026379 lawsuit] against the NSA for such information gathering. However, the lawsuit was thrown out because the people could not show that the NSA's gathering of information damaged them in any way, regardless of the manner in which the NSA had gathered the data. The EFF also [http://boingboing.net/2006/01/31/eff_suing_att_for_he.html sued] AT&T for allowing the NSA to illegally gather data through the use of secret rooms. Should a warrant be required for putting the technology in place for surveillance? Or should a warrant simply be required for using such surveillance technology? If the NSA is brought to court for gathering data, shouldn't the proof needed to find the NSA guilty simply be the gathering of data without warrant, rather than whether the data gathered caused any harm to the individual?  As civil cases require such a demonstration of damages, and criminal charges against the federal government are nearly impossible without unconstitutionality, what recourse is left to citizens?
===What types of data can be collected?===
===What types of data can be collected?===
During police investigations, what types of information can be gathered about an individual's internet communication before a warrant is issued? This is an especially important question because the data that can be collected without getting a warrant is the data that can be used as evidence to request a warrant. The typical idea is that meta-data about the communications can be collected whereas the content of the communication can not. This meta-data typically consists of who sent the communication, to whom the communication was sent, the time and date of the communication, and (where applicable) the length of communication. This is all information that can be gathered about email and VOIP communication without the ability to intercept the actual content of the message. Are these types of data invasion of privacy? Should such data require a warrant as well? Should such data require at least suspicion of one of communicators in a currently investigated crime?
During police investigations, what types of information can be gathered about an individual's internet communication before a warrant is issued? This is an especially important question because the data that can be collected without getting a warrant is the data that can be used as evidence to request such a warrant. The typical idea is that meta-data about the communications can be collected prior to obtaining a warrant, whereas the content of the communication cannot. This meta-data typically consists of who sent the communication, to whom the communication was sent, the time and date of the communication, and (where applicable) the length or size of the communication. This is all information that can be gathered about email and VOIP communication without the ability to intercept the actual content of the message. Are these types of data invasion of privacy? Should such data require a warrant as well? Should such data require at least suspicion of one of communicators in a currently investigated crime?


'''Links'''
'''Links'''
Line 58: Line 60:
'''Examine a variety of ethical concerns related to tracking of both voluntarily and non-voluntarily provided information on the internet by members of the public, employers, government, and schools.  Cite relevant laws, policies, and/or actions taken that are related to these concerns.'''
'''Examine a variety of ethical concerns related to tracking of both voluntarily and non-voluntarily provided information on the internet by members of the public, employers, government, and schools.  Cite relevant laws, policies, and/or actions taken that are related to these concerns.'''


==Resources==
 
===Relevant External Links:===
=Public and Government Surveillance=
With the convenience of electronic communication via the Internet, it has become very apparent more and more services are moved over to the Internet.  For instance, it is fairly common to pay one's bills online instead of waiting for the bill and mailing a check.  Video conferencing and Voice Over IP ([http://en.wikipedia.org/wiki/VOIP VOIP]) has enriched and eased the process of how one communicates with another.  With that enrichment and ease comes the issue of usage and ethical interpretation.  The ethical issues of Internet surveillance, as with most technologies, is determined by how it is used and by whom.
 
When discussing the issues of Internet surveillance, there are times when the boundaries between public and government are indistinguishable.  For instance, how does one determine the ethical "rightness/wrongness" when the issue in question is pertinent to both sides?  Some of these issues are addressed at [http://www.sourcewatch.org/index.php?title=SourceWatch SourceWatch] (a subset of the [http://www.prwatch.org/ Center for Media and Democracy]).  Three such cross boundary issues are the Echelon Project, Carnivore System, and DPI.
 
====Echelon====
The Echelon Project first became prominent during the 1990's as the [http://www.google.com/search?hl=en&q=telephone+freaking&btnG=Search "freaking"] and other underground communities became aware of such surveillance systems.  It was speculated that the Echelon system was essentially an array of supercomputers designed to sniff out and analyze all forms of electronic communications with primary interest in telephone systems.  The belief was partly fueled by huge increases in government spending on buying supercomputers during the 1990s.  Due to the conflict with civilian rights, some believe the U.S. government was able to bypass the law by moving the monitoring offshore (thus no longer under U.S. privacy laws).  It should be noted that the U.S. is believed to be one of the contributers to the system.  The main Echelon installation is believed to reside in Australia.
 
One of the issues is not the technology itself but how it is used.  From the standpoint of national security, it could be argued that it may intrude on some "rights," but the benefits outweigh the costs and infringements on personal liberties.  From the individual point of view, it could be argued that it is in fact an invasion, and with that invasion, the information obtained may be used with malice.
 
Some useful links for Echelon:
* [http://www.sourcewatch.org/index.php?title=ECHELON Echelon - SourceWatch]
* [http://en.wikipedia.org/wiki/ECHELON Wiki of Echelon]
* [http://cryptome.org/echelon-60min.htm 60minute transcript 60-Minutes Transcript discussing Echelon]
* [http://www.google.com/search?q=echelon Google Search for Echelon]
 
====Carnivore====
The Carnivore system (aka DCS1000) also became prominent during the 1990's when the FBI and other government agencies began to install the devices at major ISP locations.  Carnivore is another analysis tool that allowed the system to sniff out and analyze network traffic.  The commotion became apparent at the time primarily because of the scope of the abilities of the device in question.  At the time, network sniffers and analysis tools were available that served the same functions as Carnivore, but not at the same scale.  Additionally, at the time most emails were sent over the network in plaintext.
 
The primary issue here is again the same as Echelon; the technology by itself has no ethical value, it is the use of it that introduces ethical concerns.  The same argument was used for or against Carnivore.
 
Some useful links for Carnivore:
* [http://www.sourcewatch.org/index.php?title=Carnivore Carnivore - SourceWatch]
* [http://r-s-g.org/carnivore/ The actual program itself.]
* [http://www.google.com/search?q=Carnivore Google Search for Carnivore]
* [http://www.google.com/search?q=DCS1000 Google Search for DCS1000]
 
====DPI====
DPI (Deep Packet Inspection) is essentially an examination of the IP packet as it traverses the [http://en.wikipedia.org/wiki/OSI_model OSI] layers.  DPI spawned from the same technology that spawned SPI (Stateful Packet Inspection), first made prominent by Check Point Software's Firewall-1.  With the speed of computers increasing at such a rapid pace, it has allowed DPI to dig down from [http://en.wikipedia.org/wiki/Application_layer Layer 7] to [http://en.wikipedia.org/wiki/Data_link_layer Layer 2] and reconstruct whole transmissions; compared to the static packet inspection (which primarily inspected the packet headers). Again, the technology of DPI is not something new.  Network tools and analysis have had these types of capabilities for many years.  The only difference now is how deep the inspection is going and scale of the inspection.  What makes DPI implementations dangerous is the fact that current technology allows these inspections to be done in real time on hundreds of thousands of simultaneous connections with hardware that is not too cost prohibitve.  For instance, some types of analysis required supercomputer number crunching capabilities, but current DPI hardware only costs in the range of hundreds of thousands.  What makes the potential for abuse even more dangerous is that it applies to all network traffic, everything from application specific to services such as [http://en.wikipedia.org/wiki/VOIP VOIP].  Along with the potential abuse of civil rights, the issue of [http://en.wikipedia.org/wiki/Network_Neutrality Net Neutrality] comes into play.
 
Again the ethical issue is how the technology is used.  For instance, one could prioritize traffic to meet specific needs.  Such an example is to inspect the traffic and allocate the bandwidth to needs, such as lowering BitTorrent traffic priority to VOIP traffic during business hours.  Another potential good is to inspect and if there exists some malicious payload (like a virus) then deal with it properly before getting to the user.  The other side is one of potential abuse, such as the issue of Net Neutrality.  The consumer is hurt if specific traffic is steered and manipulated based on criteria other than the needs of the consumer.
 
Some useful links for DPI:
* [http://www.securityfocus.com/infocus/1716 Security Focus Primer on DPI]
* [http://www.esoft.com/pdf/White%20Paper%20-%20Migration%20to%20DPI.pdf Whitepaper by ESoft (a supplier of DPI products)]
* [http://www.linuxdevices.com/articles/AT8138920604.html Review of Bivio 7000, a Linux based DPI network appliancel.]
 
Due to the fact that public and government are dependent upon each other, there are many issues regarding the boundaries of where one ends and begins.  At one side, the government by definition is to exist and provide laws for the masses.  Yet, not all laws are capable of defining boundaries for all citizens; as such, the best it can do is to address the majority at large (thus the democracy).  Yet on the other side, how does one define when that "majority at large" is no longer sufficient?  Additionally, it could be said that certain types of civil rights are not as important as others.  Yet, one individual may value certain "rights" more than others, thus how would one address such issues? 
 
At times there are no specific boundaries, the interpretation of whether a technology is ethical is dependent upon the utilization of said technology.  Thus, the issue becomes one of not addressing the technology but how it is used (potential for good/bad).  And how it is used is dependent upon interpretation.
 
One possible solution to the weary individual is the use of strong encryption (such as [http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography ECC] and [http://en.wikipedia.org/wiki/Advanced_Encryption_Standard Rijndael]).  To address government issues, there needs to be more control and legislation on the uses of these technology.  Although there are great potential of these technologies to preserve individual rights and freedoms, there is also great potential for abuse.
 
=Employer Surveillance=
In recent years, Internet surveillance by employers, or potential employers, has become an increasingly common phenomenon.  Many companies - from multinational corporations to small owner-operator businesses - run software on company computers to [http://www.privacyrights.org/fs/fs7-work.htm monitor] employee behavior and Internet usage.  As this surveillance is conducted on company-owned machines and typically during the business day, when an employee is being paid to perform a particular set of tasks, this practice is largely recognized as justified, and is in fact the official policy of many organizations.  However, while certain organizations' surveillance is limited to applications as simple as filtering out social networking sites and private email, some companies go so far as to log all website requests from company computers, or even screenshots and keystroke records.  Employers almost unanimously defend these practices as ethical, pointing out their ownership of the machines being monitored and an employee's duty to perform the job for which he or she is being paid with adequate focus and dedication.  However, in response to some of the more stringent surveillance policies, employees not few in number have pointed out that on the occasion that a legitimate reason for personal use of a business machine might arise, an employer may unfairly collect sensitive personal data, such as passwords or the contents of personal emails, even if the personal use is due to an extenuating circumstance.
 
Another, perhaps more questionable policy is the execution of informal "Google checks" or "Net checks," in which employees are subject to a background check consisting of whatever information the employeer can find on Google, or social networking and blog such as Myspace, Facebook, Blogspot, or LiveJournal.  From the employer's point of view, this allows an inspection of the potential employee's character, an examination of what behavior they are comfortable making public to friends or the general public.  [http://arstechnica.com/news.ars/post/20070510-google-search-by-employer-not-illegal-say-judges.html Legally,] this is a viable option, as the Equal Opportunity Employee Act does not forbid frivolous job requirements, so long as they do not discriminate by race, religion, gender, national origin, or a few other criteria.  Thus, an employer is free to make a hiring decision based on the content of one's social networking sites, news reports on the internet, or blog posts.  Many employers defend the ethical nature of this practice by insisting that the content one chooses to voluntarily put online reflects his or her personality, habits, and morals, any one of which could be an indication of job candidate quality.  In their defense, employees reply that their private life, so long as it does not conflict with legality, should be of no concern to their chances of being hired for a job unless it would directly interfere with job performance.  In the United States, the law sides with the employers, but the ethical choice is a matter of personal decision.
 
=School Surveillance=
The issues raised by Internet surveillance of students by academic institutions largely parallel those concerned in the matter of employers conducting surveillance on employees.  Often, especially in public primary and secondary schools, content is automatically assessed and screened.  Initially, only adult content was filtered, which few individuals, if any, would consider an objectionable policy.  However, over the years, the scope of filtered material has increased, to the point where it now includes email, social networking, blog, and even political and international sites.  Such filtering of educational sites is often [http://www.ncsl.org/programs/lis/cip/filterlaws.htm required by law.]  School administrators cite the fact that the majority of websites are either obviously inappropriate for children or a waste of school time, but, conversely, others have observed that the scope of filtered material now includes much which could be considered usefully educational.
 
In the realm of higher education, voluntarily created blogs or social networking sites are sometimes perused by [http://voice.paly.net/view_story.php?id=4509 admissions officers,] much as they often are by potential employers, potentially jeopardizing admission to universities for pictures or comments denoting behavior such as drinking, spoking or drug use, whether illegal or conventionally immoral.  Much as screened employees argue that their hiring for a job should be based on their qualifications for the job alone, students object that their academic qualifications or athletic abilities should be the deciding factors for their admission to an academic institution.  However, admissions officers have been known to argue that students who engage in illegal activity are not the sort of students that universities desire.  Additionally, university officials have been known to report illegal behavior to authorities with pictures from social networking sites as [http://en.wikipedia.org/wiki/Use_of_social_network_websites_in_investigations evidence.] Prosecuted individuals decry this as unfair, but to the courts, photographic evidence of illegal behavior, if those photographs are made public, are evidence of crime, and voluntary evidence at that. 
 
Ironically, the usefulness of these online screening techniques for assessing potential employees and students are becoming less and less effective.  As these policies of employers and universities are increasingly publicized, students and employees are learning to more tightly control content on, or at least access to, websites which contain personal, perhaps compromising information.
 
=Resources=
==Relevant External Links:==
* [http://boingboing.net/2006/01/31/eff_suing_att_for_he.html EFF suing AT&T for helping NSA]
* [http://boingboing.net/2006/01/31/eff_suing_att_for_he.html EFF suing AT&T for helping NSA]
===Relevant Class Website Links:===
==Relevant Class Website Links:==
* [http://ethics.csc.ncsu.edu/privacy/web/ http://ethics.csc.ncsu.edu/privacy/web/]
* [http://ethics.csc.ncsu.edu/privacy/web/ http://ethics.csc.ncsu.edu/privacy/web/]
* [http://ethics.csc.ncsu.edu/privacy/mining/ http://ethics.csc.ncsu.edu/privacy/mining/]
* [http://ethics.csc.ncsu.edu/privacy/mining/ http://ethics.csc.ncsu.edu/privacy/mining/]
* [http://ethics.csc.ncsu.edu/privacy/surveillance/ http://ethics.csc.ncsu.edu/privacy/surveillance/]
* [http://ethics.csc.ncsu.edu/privacy/surveillance/ http://ethics.csc.ncsu.edu/privacy/surveillance/]
* [http://ethics.csc.ncsu.edu/privacy/financial/ http://ethics.csc.ncsu.edu/privacy/financial/]
* [http://ethics.csc.ncsu.edu/privacy/financial/ http://ethics.csc.ncsu.edu/privacy/financial/]

Latest revision as of 20:38, 2 August 2007

Internet Surveillance (e.g. AT&T’s NSA Rooms)

The issues concerning internet surveillance

Most of us are aware of government surveillance as it pertains to wiretapping to listen in on phone conversations. This type of government surveillance has had many laws developed around it and how and when it may be done. With the growth of internet traffic, similar surveillance has appeared in the realms of email, voice over IP (VOIP), and general internet traffic. The same problems that occurred years ago for the telephone communications networks have been approached for internet communications.

The first issue that surrounds internet surveillance is how to make it possible. In order to conform to Communications Assistance for Law Enforcement Act (CALEA), phone networks had to be designed so that wiretapping was an easy thing to do if an appropriate government organization requested it. However, much internet traffic is optical instead of electrical. When electricity travels through a wire, it emits a small magnetic field. Something very close to the wire could intercept the electrical communication without affecting it. Optical communication doesn't "leak" any of the light, so the communication has to be disturbed in order to intercept it. This is usually done with a splitter which diverts a percentage of the light down another path.

The second issue is authority. Mainly, who decides whether and how much internet surveillance can take place. Should there be a different authority or amount of evidence in order to intercept foreign communications as opposed to domestic? Does the person whose information is being gathered have to be notified? Does the court have to issue a warrant for a government agency to investigate internet traffic? If so, how much information can be gathered without a warrant?

Links

Ethical issues with CALEA

Making it possible to intercept internet communications has several privacy issues surrounding it. A large amount of information passing through the internet is encrypted, thus making it difficult to intercept. "Wiretapping" optical lines involves splitting, which degrades the signal strength, unlike typical phone line wiretapping. Because the information is essentially anonymous once it leaves the local network and enters the world wide web, is it even possible to filter out a single person's communication? If there is a back door for government internet surveillance capabilities, how can the typical American be assured that this backdoor is only used by the government?

Encryption

Especially when talking about VOIP, much communication is encrypted. Even the networks serving such content cannot decrypt the content without the decryption key. The United States government has requested a backdoor to such communication in the past, but it could not be provided by the VOIP networks that supported such encryption. If these networks can allow for criminal communication without a method for the government to intercept the communication, should they be allowed to exist? Or should citizens be allowed to have a form of communication that they can be reasonably assured is completely private?

Splitting optical communication

With electrical communications, government organizations could easily start intercepting information without affecting that communication in any way. This can not be done with optical communications. Therefore, in order to allow surveillance effectively, the intercepting of information must have already been started before it was requested. This means that average citizens of the United States will have the information intercepted (even if it is not recorded) regardless of whether the citizen is under suspicion. Shouldn't unsuspected people be allowed privacy of their communications? Moreover, does the interception, even without use, of a person's communications, without probable cause, violate their Constitutional rights? To many, it would seem so.

Difficulty of filtering

Most legal surveillance depends upon the government's right to intercept communication from or to a particular person or organization. However, in many circumstances, this is impossible without intercepting a large amount of communication between other people. Since this information is intercepted, a government agent could stumble upon private communications. The only method preventing this accidental invasion of privacy is through the use of programs that attempt to filter out only certain types of data. Since it cannot be proven that such filters will actually prevent invasion of privacy, should the government be allowed to intercept communications when they can't intercept only the suspected persons' data? What if the program could filter out all unsuspected individuals? Would it not still be an invasion of privacy for those communications to be intercepted and stored even if they are later filtered out?

Backdoor security

Having a backdoor for internet surveillance must be extremely secure. If a government agency can use the backdoor to intercept communications when given the appropriate authority, how can we be sure that such a backdoor can't be used by anyone with sufficient technical knowledge, even without appropriate authority? Especially when dealing with the NSA, citizens fear that given an inch, they will take a mile. Allowing the backdoor to exist gives them the opportunity to use it at their own discretion no matter what the legal authority says. Just as well, building a backdoor into a system that doesn't intrinsically have such a backdoor lowers the security of the entire system. It may be possible for criminals to use the backdoor created in order to combat them for their own cybercrime.

Links

Ethical issues with the limits of internet surveillance

Internet surveillance is a very touchy issue for many people. There is a wide range of thought and laws regarding the limits to which such surveillance can go. Especially recently and due to the Patriot Act, there is an increasing difference between how much surveillance can be done on foreign communications versus domestic communications. There is a question, especially due to the NSA's recent actions to make it easier to intercept data, about how much data can be acquired before a warrant or other such authority is required. Of equal concern as the amount of data is its type. Can government agencies freely collect information about where you send emails as long as they don't collect the content? Can they, in fact, collect the content itself? Perhaps more importantly, should they collect either?

Foreign and domestic communications

There is a general idea that foreign communications should be closely monitored in order to prevent terrorism. However, most Americans also value their personal privacy and think that unsuspected citizens shouldn't have their everyday communications recorded and scrutinized by government officials, even when such communications extend overseas. Therefore, there exists the Foreign Intelligence Surveillance Act (FISA) which allows a great deal of intelligence gathering for foreign communications that are not allowed for domestic law enforcement. In recent times, many citizens believe that the NSA has gathered information on internet traffic that is unrelated to international matters. Another interesting international surveillance issue deals with the Council of Europe Cybercrime Convention. This would have allowed foreign governments to request the NSA to intercept Americans. Should foreign governments be allowed to intercept internet data of Americans? Should domestic government agencies be allowed to investigate crimes through internet communications? Should the United States have different policies regarding international communications and domestic communications?

Requiring a warrant

Naturally, most Americans favor requiring a warrant to intercept internet communication. However, the NSA has allegedly conducted much surveillance in recent years specifically without a warrant. Some people have pursued a lawsuit against the NSA for such information gathering. However, the lawsuit was thrown out because the people could not show that the NSA's gathering of information damaged them in any way, regardless of the manner in which the NSA had gathered the data. The EFF also sued AT&T for allowing the NSA to illegally gather data through the use of secret rooms. Should a warrant be required for putting the technology in place for surveillance? Or should a warrant simply be required for using such surveillance technology? If the NSA is brought to court for gathering data, shouldn't the proof needed to find the NSA guilty simply be the gathering of data without warrant, rather than whether the data gathered caused any harm to the individual? As civil cases require such a demonstration of damages, and criminal charges against the federal government are nearly impossible without unconstitutionality, what recourse is left to citizens?

What types of data can be collected?

During police investigations, what types of information can be gathered about an individual's internet communication before a warrant is issued? This is an especially important question because the data that can be collected without getting a warrant is the data that can be used as evidence to request such a warrant. The typical idea is that meta-data about the communications can be collected prior to obtaining a warrant, whereas the content of the communication cannot. This meta-data typically consists of who sent the communication, to whom the communication was sent, the time and date of the communication, and (where applicable) the length or size of the communication. This is all information that can be gathered about email and VOIP communication without the ability to intercept the actual content of the message. Are these types of data invasion of privacy? Should such data require a warrant as well? Should such data require at least suspicion of one of communicators in a currently investigated crime?

Links

Prompt

During the mid 1990s, one would consider himself/herself lucky to find what one was looking for though an internet search. As internet usage has grown, better search technologies has emerged displacing many human created directory-based search engines with ones providing a vast array of dynamically-created and helpful results. Technologies such as Google Alerts allows the tracking of yourself and others content on the internet based on keyword identifiers. Voluntary technologies such as blogs, online photo albums, and social networking have added a wealth of information available about us online.

AT&T has come under scrutiny by members of the public for allegedly constructing “NSA rooms” containing equipment that has the capability to monitor large amounts of internet traffic and are only accessible special US Government-affiliated staff members.

Examine a variety of ethical concerns related to tracking of both voluntarily and non-voluntarily provided information on the internet by members of the public, employers, government, and schools. Cite relevant laws, policies, and/or actions taken that are related to these concerns.


Public and Government Surveillance

With the convenience of electronic communication via the Internet, it has become very apparent more and more services are moved over to the Internet. For instance, it is fairly common to pay one's bills online instead of waiting for the bill and mailing a check. Video conferencing and Voice Over IP (VOIP) has enriched and eased the process of how one communicates with another. With that enrichment and ease comes the issue of usage and ethical interpretation. The ethical issues of Internet surveillance, as with most technologies, is determined by how it is used and by whom.

When discussing the issues of Internet surveillance, there are times when the boundaries between public and government are indistinguishable. For instance, how does one determine the ethical "rightness/wrongness" when the issue in question is pertinent to both sides? Some of these issues are addressed at SourceWatch (a subset of the Center for Media and Democracy). Three such cross boundary issues are the Echelon Project, Carnivore System, and DPI.

Echelon

The Echelon Project first became prominent during the 1990's as the "freaking" and other underground communities became aware of such surveillance systems. It was speculated that the Echelon system was essentially an array of supercomputers designed to sniff out and analyze all forms of electronic communications with primary interest in telephone systems. The belief was partly fueled by huge increases in government spending on buying supercomputers during the 1990s. Due to the conflict with civilian rights, some believe the U.S. government was able to bypass the law by moving the monitoring offshore (thus no longer under U.S. privacy laws). It should be noted that the U.S. is believed to be one of the contributers to the system. The main Echelon installation is believed to reside in Australia.

One of the issues is not the technology itself but how it is used. From the standpoint of national security, it could be argued that it may intrude on some "rights," but the benefits outweigh the costs and infringements on personal liberties. From the individual point of view, it could be argued that it is in fact an invasion, and with that invasion, the information obtained may be used with malice.

Some useful links for Echelon:

Carnivore

The Carnivore system (aka DCS1000) also became prominent during the 1990's when the FBI and other government agencies began to install the devices at major ISP locations. Carnivore is another analysis tool that allowed the system to sniff out and analyze network traffic. The commotion became apparent at the time primarily because of the scope of the abilities of the device in question. At the time, network sniffers and analysis tools were available that served the same functions as Carnivore, but not at the same scale. Additionally, at the time most emails were sent over the network in plaintext.

The primary issue here is again the same as Echelon; the technology by itself has no ethical value, it is the use of it that introduces ethical concerns. The same argument was used for or against Carnivore.

Some useful links for Carnivore:

DPI

DPI (Deep Packet Inspection) is essentially an examination of the IP packet as it traverses the OSI layers. DPI spawned from the same technology that spawned SPI (Stateful Packet Inspection), first made prominent by Check Point Software's Firewall-1. With the speed of computers increasing at such a rapid pace, it has allowed DPI to dig down from Layer 7 to Layer 2 and reconstruct whole transmissions; compared to the static packet inspection (which primarily inspected the packet headers). Again, the technology of DPI is not something new. Network tools and analysis have had these types of capabilities for many years. The only difference now is how deep the inspection is going and scale of the inspection. What makes DPI implementations dangerous is the fact that current technology allows these inspections to be done in real time on hundreds of thousands of simultaneous connections with hardware that is not too cost prohibitve. For instance, some types of analysis required supercomputer number crunching capabilities, but current DPI hardware only costs in the range of hundreds of thousands. What makes the potential for abuse even more dangerous is that it applies to all network traffic, everything from application specific to services such as VOIP. Along with the potential abuse of civil rights, the issue of Net Neutrality comes into play.

Again the ethical issue is how the technology is used. For instance, one could prioritize traffic to meet specific needs. Such an example is to inspect the traffic and allocate the bandwidth to needs, such as lowering BitTorrent traffic priority to VOIP traffic during business hours. Another potential good is to inspect and if there exists some malicious payload (like a virus) then deal with it properly before getting to the user. The other side is one of potential abuse, such as the issue of Net Neutrality. The consumer is hurt if specific traffic is steered and manipulated based on criteria other than the needs of the consumer.

Some useful links for DPI:

Due to the fact that public and government are dependent upon each other, there are many issues regarding the boundaries of where one ends and begins. At one side, the government by definition is to exist and provide laws for the masses. Yet, not all laws are capable of defining boundaries for all citizens; as such, the best it can do is to address the majority at large (thus the democracy). Yet on the other side, how does one define when that "majority at large" is no longer sufficient? Additionally, it could be said that certain types of civil rights are not as important as others. Yet, one individual may value certain "rights" more than others, thus how would one address such issues?

At times there are no specific boundaries, the interpretation of whether a technology is ethical is dependent upon the utilization of said technology. Thus, the issue becomes one of not addressing the technology but how it is used (potential for good/bad). And how it is used is dependent upon interpretation.

One possible solution to the weary individual is the use of strong encryption (such as ECC and Rijndael). To address government issues, there needs to be more control and legislation on the uses of these technology. Although there are great potential of these technologies to preserve individual rights and freedoms, there is also great potential for abuse.

Employer Surveillance

In recent years, Internet surveillance by employers, or potential employers, has become an increasingly common phenomenon. Many companies - from multinational corporations to small owner-operator businesses - run software on company computers to monitor employee behavior and Internet usage. As this surveillance is conducted on company-owned machines and typically during the business day, when an employee is being paid to perform a particular set of tasks, this practice is largely recognized as justified, and is in fact the official policy of many organizations. However, while certain organizations' surveillance is limited to applications as simple as filtering out social networking sites and private email, some companies go so far as to log all website requests from company computers, or even screenshots and keystroke records. Employers almost unanimously defend these practices as ethical, pointing out their ownership of the machines being monitored and an employee's duty to perform the job for which he or she is being paid with adequate focus and dedication. However, in response to some of the more stringent surveillance policies, employees not few in number have pointed out that on the occasion that a legitimate reason for personal use of a business machine might arise, an employer may unfairly collect sensitive personal data, such as passwords or the contents of personal emails, even if the personal use is due to an extenuating circumstance.

Another, perhaps more questionable policy is the execution of informal "Google checks" or "Net checks," in which employees are subject to a background check consisting of whatever information the employeer can find on Google, or social networking and blog such as Myspace, Facebook, Blogspot, or LiveJournal. From the employer's point of view, this allows an inspection of the potential employee's character, an examination of what behavior they are comfortable making public to friends or the general public. Legally, this is a viable option, as the Equal Opportunity Employee Act does not forbid frivolous job requirements, so long as they do not discriminate by race, religion, gender, national origin, or a few other criteria. Thus, an employer is free to make a hiring decision based on the content of one's social networking sites, news reports on the internet, or blog posts. Many employers defend the ethical nature of this practice by insisting that the content one chooses to voluntarily put online reflects his or her personality, habits, and morals, any one of which could be an indication of job candidate quality. In their defense, employees reply that their private life, so long as it does not conflict with legality, should be of no concern to their chances of being hired for a job unless it would directly interfere with job performance. In the United States, the law sides with the employers, but the ethical choice is a matter of personal decision.

School Surveillance

The issues raised by Internet surveillance of students by academic institutions largely parallel those concerned in the matter of employers conducting surveillance on employees. Often, especially in public primary and secondary schools, content is automatically assessed and screened. Initially, only adult content was filtered, which few individuals, if any, would consider an objectionable policy. However, over the years, the scope of filtered material has increased, to the point where it now includes email, social networking, blog, and even political and international sites. Such filtering of educational sites is often required by law. School administrators cite the fact that the majority of websites are either obviously inappropriate for children or a waste of school time, but, conversely, others have observed that the scope of filtered material now includes much which could be considered usefully educational.

In the realm of higher education, voluntarily created blogs or social networking sites are sometimes perused by admissions officers, much as they often are by potential employers, potentially jeopardizing admission to universities for pictures or comments denoting behavior such as drinking, spoking or drug use, whether illegal or conventionally immoral. Much as screened employees argue that their hiring for a job should be based on their qualifications for the job alone, students object that their academic qualifications or athletic abilities should be the deciding factors for their admission to an academic institution. However, admissions officers have been known to argue that students who engage in illegal activity are not the sort of students that universities desire. Additionally, university officials have been known to report illegal behavior to authorities with pictures from social networking sites as evidence. Prosecuted individuals decry this as unfair, but to the courts, photographic evidence of illegal behavior, if those photographs are made public, are evidence of crime, and voluntary evidence at that.

Ironically, the usefulness of these online screening techniques for assessing potential employees and students are becoming less and less effective. As these policies of employers and universities are increasingly publicized, students and employees are learning to more tightly control content on, or at least access to, websites which contain personal, perhaps compromising information.

Resources

Relevant External Links:

Relevant Class Website Links: