Types of Surveillance Technology Currently Used by Governments and Corporations

1
Types of Surveillance Technology Currently Used
by Governments and Corporations

• Jeffrey Aresty
• President, Internetbar.org
• www.internetbar.org
• www.cyberspaceattorney.com
• March 2006

2
Introduction

• At present, users obtain various online
  identities (IDs) from
• E-mail
• ISPs
• URLs
• IDs function on the Internet in anonymous
  spacean online ID does not actually identify
  the person connected with the ID
• Anonymity facilitates theft, fraud, and abuse

3
Introduction

• In contrast, in the works are efforts to create a
  new layer of identity
• Focusing on the user, the new system would not
  require multiple online IDs, but would be
  characterized by a single sign-on
• The system, called an open security, would be
  more secure and trustworthy, reducing theft,
  fraud, and abuse

4
Introduction

• In part because we do not yet have security on
  line, governments and corporations can, and do,
  breach privacy with technology
•  Intrusions fall into two categories
•  Cyberspace intrusions
•  Breaches of privacy in the physical world
• Increasing capacity and tendency to use
  technology to connect new and old technologies
  for surveillance

5
Real-World Technologies that Intrude on Privacy

• Cameras
• Eavesdropping
• Face-Recognition and other Biometrics
• No Fly and Similar Watch Lists

• Odor Prints
• Radiation Detection Technology
• RFID
• Smart Video Surveillance

6
Cameras

• Cameras have been used for decades
• by governments
• to monitor traffic
• to detect and prevent crime
• by corporations
• to surveill private businesses
• to detect and prevent crime in retail
  establishments

7
Cameras

• In Britain,
• more than four million closed-circuit (CCTV)
  cameras
• 1,800 cameras in railway stations 6,000 in
  underground train network and buses
• CCTV tapes used in July 2005 London bombings
  investigation
• In US,
• 5,000 cameras in New York Citys transportation
  systems
• US Border Patrol uses Remote Video System (RVS)
  along borders, costing over 64 million in FY2005
• Worldwide, video surveillance software sales in
  2004 were 147 million expected to reach 642
  million in 2009

8
Eavesdropping

• US government has capacity and authority to
  monitor e-mail, telephone, pager, wireless phone,
  facsimile, computer, and other electronic
  communications and communication devices
• Court order is required except in emergencies and
  cases of national security
• In 2003, 1,442 wiretaps requested, all granted,
  intercepting over four million conversations

9
Eavesdropping

• National Security Agency (NSA) uses
  Echelonglobal electronic eavesdropping system
• Picks up telephone, e-mail, Internet upload 
• Downloads communications transmitted by
  satellite, microwave tower, cable 
• Information sifted by supercomputers for
  terrorism information 
• Software-defined radio, a wireless technology,
  makes cell phones and computers easier to bug and
  makes intercepting device compatible with networks

10
Face-Recognition and other Biometrics

• Biometric devices scan, record, and recognize 
• Irises
• Voices
• Facial bone structure 
• Improved picture quality technology enables
  face-recognition software to inspect 1/400th of
  facesize of pores
• Infrared technology piggybacked onto
  face-recognition software enables
  three-dimensional map of face 
• Plans for US passports with face-recognition
  biometrics and RFID chips
• EU requires member states to have face biometrics
  in passports in mid-2006

11
Face-Recognition and other Biometrics

• In 2003, biometric face-recognition software
  resulted in over 40 false positives
• 4.7 billion industry in 2009
• Other biometrics 
• below-skin fingerprints (capture swirling
  patterns of capillaries)
• palm scanners that read vein patterns
• iris scanners
• gait-recognition systems (measure torsos
  silhouette and movement of shoulders and legs to
  determine individual signature strides)

12
No Fly and Similar Watch Lists

• In 2005, 12 separate lists maintained by nine US
  governmental agencies
• Confusion and lack of leadership in maintenance
  of lists some lists outdated
• List bloatlists become unreasonably large from
  incentive to add names, sloppiness
• Innocent individuals names appear

13
No Fly and Similar Watch Lists

• Access to the lists curtailed in the name of
  securitynearly impossible to discover if and why
  a name is on the list, much less have it removed 
• Lists will connect with government-developed
  Secure Flight
• Related British government pressing for
  creation of comprehensive electronic population
  register

14
Odor Prints

• Odor-printing technology is based on premise that
  each human being has distinct set of odors that
  could serve as an identifier

15
Radiation Detection Technology

• US Customs and Border Protection (CBP) employs
  radiation-detection technologies at official
  entry points, including 
• Highly sensitive personal radiation detectors
• Radiation portal monitors
• Hand-held radiation isotope identifiers

16
Radio Frequency Identification (RFID)

• Tiny computer chips use electromagnetic energy in
  the form of radio waves to track things from a
  distance 
• Nicknamed spychips 
• Can travel through clothing, backpacks,
  briefcases, wallets, walls, and windows without
  obstruction, misorientation, or detection
• RFID chips read and retain biometric information,
  such as fingerprints and photographs

17
Radio Frequency Identification (RFID)

• The RFID tag, in use in 2005, contains 
• Tiny silicon computer chip with unique ID number
• Connected antenna
• RFID tag is 
• Thumbnail size
• Affixed to plastic surface
• Paper thin 
• Can be embedded into clothing label, where it is
  virtually undetectable 

18
Radio Frequency Identification (RFID)

• Passive RFID tags do not have their own
  internal power source, but communicate when a
  reader seeks a signal from them
• Active or self-powered RFID tags have a battery
  attached and so can actively transmit
  information 
• RFID reader emits radio waves, seeking out RFID
  tags
• RFID easily integrates into existing database
  systems 
• Electronic Product Codeevery, single object on
  Earth will have its own unique ID number

19
Radio Frequency Identification (RFID)

• By 2005 embedded in some
• Worker uniforms
• Employee and student ID badges
• Toll transponders
• Animals (pets and livestock)
• Warehouse crates and pallets
• Gasoline cards
• Consumer products such as diapers and shampoo
• Library books
• Toll collection systems such as EZ-Pass
• Keyless remote systems for cars
• Keyless remote systems for garage door openers

20
Radio Frequency Identification (RFID)

• Predicted to be embedded soon in 
• Clothing
• Passports
• ATM cards
• Vehicles
• US postage stamps
• Paintings
• Beads
• Nails
• Wires
• Cash

21
Radio Frequency Identification (RFID)

• VeriChipglass capsule containing RFID device
  to be injected into human flesh for ID and
  payment purposes 
• 60 persons in US had VeriChips at end of 2005
• Also, injected into deceased victims of Hurricane
  Katrina
• RFID is predicted to be used by
• Retailers to price products according to
  customers purchase history and value to store
• Pharmaceutical manufacturers on prescription
  medications
• Banks to identify and profile customers who enter
  premises
• Governments to
• electronically frisk citizens at invisible
  checkpoints
• track citizens in airports and border-crossing
  points
• track mail sent from point to point through
  embedded postage stamps
• track library materials

22
Smart Video Surveillance

• Video surveillance combined with
  behavior-recognition software 
• Uses computer to 
• Learn what normal behavior is
• Identify unusual activity, such as shifting in
  ones seat on a bus
• Work in conjunction with other technology such as
  facial-recognition systems

23
Privacy Intrusions in Cyberspace

• Clickstream Data Analysis 
• Cookies 
• Man-in-the-Middle Attacks 
• Pharming 
• Phishing 
• Spyware 
• Voice Over Internet Protocols (VoIPs) 
• Web Bugs

24
Clickstream Data Analysis

• Logs of transactions recently performed on
  Internet computers, such as 
• Addresses of computers that have made requests
• Date and time
• How computers services were used
• Which page was visited prior to entrance into
  Website
• How Website was exited 
• Internet logs also called Clickstreams 
• Can be used to prepare statistics about paths
  taken and not taken by Internet users

25
Cookies

• Small file placed and stored on users computer
  by remote computer
• Used to track information about how user moved
  about Website 
• Which choices made
• Which links clicked 
• User visits same Website again and cookie, now
  written onto users computer, provides
  information about users last visit 
• Cookies can be used to build user profiles 
• Internet sites share cookie information with
  others

26
Man-in-the-Middle Attacks

• Computer security breach in which hacker
  intercepts, reads, and alters data traveling
  along network between two Websites 
• Also called TCP hijacking

27
Pharming

• Hackers redirection of Internet traffic from one
  Website to another
• Second Website appears identical to legitimate
  site
• User is tricked into entering user name and
  password into fake site 
• DNS poisoning or DNS cache poisoning used to
  reroute user
• Domain name systems servers corrupted

28
Phishing

• Internet user receives e-mail appearing to be
  legitimate and from reputable company, asking
  user to reply with updated credit card
  information
• Clicking on link sends user to fake Website,
  where user provides
• Credit card information
• Date of birth
• Address
• Site password
• Social Security number 
• Also called brand spoofing 
• Puddle phishing is phishing specifically
  targeting a small company, such as community bank

29
Spyware

• Software that sends data about user when computer
  is connected to the Internet

30
Voice Over Internet Protocols (VoIPs)

• Method for speaking through computer by phone or
  microphone 
• Analog voice signal converts to digital format
• Broadband networks transmit calls in Internet
  Protocol (IP) packets 
• Also called Internet telephony 
• VoIP vulnerable to eavesdropping
• A free Internet program captures and converts
  transmissions to audio files

31
Voice Over Internet Protocols (VoIPs)

• Is VoIP a communications service or information
  service? 
• In 2005, FCC adopted rules requiring VoIP
  providers to allow law enforcement to tap into
  Internet phone calls 
• FBI has authority and ability to conduct
  surveillance of broadband users pursuant to court
  order

32
Web Bugs

• Tiny, invisible image or graphic embedded into
  HTML-formatted Website or e-mail message to track
  users activities 
• Web bugs present as HTML IMG tags 
• Provide Website owner with information about
  hits, including
• IP address of users computer
• Type of browser used
• Time of the hit
• Previously set cookies 
• Also called HTML bugs or clear GIFs

33
Connectors of Information

• Automated Targeting System
• Automatic Number Plate Recognition System 
• CALEA Petition for Rulemaking 
• Data Mining 
• ID Cards 
• Integrated Automated Fingerprint Identification
  System
• Multistate Anti-Terrorism Information Exchange
• Secure Flight and other Targeting Systems 
• Sharing/Databases 
• Terrorist Screening Database of the Terrorist
  Screening Center
• Total Information Awareness  
• US-VISIT

34
Automated Targeting System (ATS)

• US Customs and Border Protection technology
  collects and analyzes cargo shipping data 
• Distinguishes and identifies high-risk shipments

35
Automatic Number Plate Recognition System
(ANPR)

• Britains national database
• Each camera on a pole or in police van is
  supported by a computer 
• Allows for automatic tracking
• Information obtained by camera immediately
  cross-referenced with database 
• In 2006, information could be stored for two
  years projected to be able to store for five
  years

36
CALEA Petition for Rulemaking

• In August 2005, FCC ruled that Internet broadband
  access providers and certain VoIP service
  providers must design networks to be
  wiretap-friendly pursuant to Communications
  Assistance for Law Enforcement Act (CALEA) of
  1994

37
Data Mining

• Computer systems that search numerous databases
  for correlations between data 
• Currently used by corporations to determine
  consumer preferences

38
ID Cards

• Biometric ID cards to be issued starting in 2008
  to voluntary participants in Britain would become
  compulsory in 2013 
• Cards contain 
• Name
• Gender
• Date and place of birth
• Current and previous addresses
• Immigration status
• Chip containing 
• Digital photo
• Fingerprints
• Iris scans

39
Integrated Automated Fingerprint Identification
System (IAFIS)

• System electronically compares live-scanned
  fingerprint with database of previously captured
  fingerprints

40
Multistate Anti-Terrorism Information Exchange
(MATRIX)

• Integration of factual, disparate data from
  existing sources to Web-enabled storage
  systems to identify and combat criminal activity 
• Includes 
• Aircraft and other property ownership records
• Bankruptcy filings
• Corporate filings
• Criminal history records
• Digital photographs
• Drivers and pilots licenses
• State professional licenses
• State sexual offenders lists
• Terrorism watch lists
• UCC filings
• Vehicle registrations

41
Secure Flight and other Targeting Systems

• Secure Flight passenger-screening program 
• Computer-assisted passenger screening system that
  searches databases, matches passenger against FBI
  consolidated watch list, and rates passenger with
  a threat level in red, yellow, or green 
• Based on tagging, passengers could be
  scrutinized, interrogated, or detained 
• Might incorporate behavioral profiling 
• Goal is to link in real time to video
  imagesautomatic link between video of terrorist
  suspect and watch list
• Not yet approved in mid-2005

42
Secure Flight and other Targeting Systems

• Border Patrol Targeting Systems Enhancement
• Over 20 million budgeted in US Department of
  Homeland Security in 2005
• Seeks to develop and refine automated target
  recognition systems using latest sensor
  technology 
• Semantic Information Fusion 
• Seeks to correlate disparate data about human
  targets, including
• Location
• Identity
• Behavior 
• Creates composite description of a particular
  situation
• Uses linguistic information and physics-based
  models of access, mobility, and visibility to
  reconstruct past and infer current events

43
Sharing/Databases

• Governments increasingly share citizens personal
  information with each other and with the private
  sector 
• Data . . . are tributaries flowing into one
  giant river of databases. Lee Tien, Electronic
  Frontier Foundation (Aug. 8, 2005)

44
Terrorist Screening Database (TSDB) of the
Terrorist Screening Center (TSC)

• Aggregates numerous government watch-lists 
• In 2005, TSDB had over 200,000 names, ranging
  from known terrorists to persons suspected of
  having some ties to terrorism 
• Each name receives one of 28 codes, describing
  persons connection to terrorism
• Names are categorized according to the actions
  users should take when encountering someone on
  list

45
Total Information Awareness (TIA)

• Computer surveillance system proposed by
  Department of Defense  
• Would have used data mining and networking to
  connect sources of information including 
• Credit card purchases
• Bank transactions
• E-mail 
• Shut down by Congress in 2003

46
US-VISIT

• Project of US Department of Homeland Security to
  develop biometric-enabled system for collecting,
  maintaining, and exchanging information on
  foreign nationals 
• 340 million budgeted for FY2005

47
Conclusion

• Government and corporations are using many
  technologies for surveillance, invading privacy
  in cyberspace and in the real world
• Do citizens and consumers care?
• What can we do to protect our privacy and to
  manage our digital identities and digital
  reputations?

48
For more information

• Contact Jeffrey Aresty, President,
  Internetbar.org, jaresty_at_cyberspaceattorney.com
• Articles on privacy-invading technologies and
  public attitudes toward privacy invasions are
  available now
• Article on digital identity will be available
  soon