The problem with the Tempora and GCHQ story – How do we communicate it?

We know we’re being watched by GCHQ.

We’ve found out, via a whistleblower, that in the past few years, mass surveillance, for the purposes of later analysis, has been turned into reality, in the US and in the UK.

The thing is, the general public is largely unfazed. It’s barely scraped public opinion. The average person who doesn’t watch the news might be aware that there was a guy called Snowden, but would not be aware that the UK government knew who they’d phoned, who they’d emailed, and what the subject lines of those emails were.

Would you be happy to be filmed by faceless figures wherever you went?

The thing is, if I’d suggested this 6 months ago, it’d have sounded like a crazy conspiracy. Even today, it’s only information, pieced together – various sources correlating stories and confirming points, that give me the confidence to say it exists.

But the public doesn’t care, and apart from The Guardian, the UK media isn’t interested in the surveillance story (perhaps due to this D-notice?) or, more probably, due to various biases inherent to their organisations.

The problem is: we’ve not communicated it well enough.

We’ve so far not communicated how this means that the Government knows about you. How talking to your girlfriend via Facebook is a lot less private than you might think and that actually, your phone shares a lot more information about you than you think it does.

We have a system so far reaching, that a German ex-Stasi lieutenant said:
“You know, for us, this would have been a dream come true,”

What we need to do now is to work out:

How can we communicate this to people?

How do we communicate Tempora to the people?

PRISM: What you won’t hear the Americans say (but what you should be very scared of).

The recent revelations from whistleblower Edward Snowden about the US’s PRISM program have, in the US, mainly centered on how the NSA could be spying on American citizens, which may or may not be against the constitution. The details seem to suggest that so long as the data collected is 51% or more between non-Americans, then it’s all good. The EFF/ACLU are upset that Americans are being spied on, and simultaneously missing the much larger point:

Since when did it become “OK” for the US to conduct surveillance on every foreign internet user?

The big thing the American constitutionalists are up in arms about is these discoveries in relation to their constitution’s 4th amendment – their protection against unreasonable searches and seizures – the oversight role of their judiciary and the requirement of ‘probable cause’.

It seems that whilst American foreign policy frequently talks up the virtues of their country’s bill of rights, they don’t feel this applies to “the rest of the world”.

The US disregards non-Americans' privacy in the name of its own security.

Unfortunately, this means that for non-Americans, most of the world, we know that any traffic to/from the US is being spied on as a matter of course, and I think that is significant cause for concern.

The NSA director says:

“The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans.”

The concept that one can lose one’s privacy, without oversight, in the name of “American Security” is something I find upsetting. Does unauthorised copyright usage also threaten US security?

Use Gmail? NSA seen it.

Use Facebook? NSA knows you.


William Hague, our esteemed foreign secretary, says: “law-abiding members of the public had ‘nothing to fear’”.

Personally, I think he’s a bit of a bellend, and, more crucially, wrong.

Pet Shop Boys- Integral

What when anonymous turns out to be not anonymous?

Hypothetical scenario:

Someone starts an anonymous website that states its aim (in the future) is to make information available that governments and companies may dislike. Clearly being anonymous would be a key part of their strategy to avoid trouble.

Hypothetically, one decides to see what publicly available information one can find about who’s running the anonymous website, using queries and searches of publicly accessible information. Assume one finds a trail that gives enough of a rough idea of the main person’s name, contact details and physical location.

At this point, what should you do?

  1. nothing
  2. tell the person their anonymity is exceptionally poor
  3. post the suspected information on the internet for critique
  4. inform the authorities (though one has no reason to assume any law has been broken)

Does your mum now have my O2 phone number?

Today we found out that O2 had screwed up their mobile internet proxy settings quite epically and had sent customer phone numbers to millions of websites, worldwide, as a matter of process, presumably by accident.

We already know this from the fantastic investigative works of O2 customer and Twitter user Lew Peckover, a 28-year-old web systems administrator working in the field for 10 years.

Now let me explain what’s going on from a technical view. Mobile operators skimp on deploying proper internet infrastructure and frequently implement various nasty tricks for a variety of reasons. Things like downscaling images, inserting JavaScript into HTML pages with deep packet inspection (DPI), arbitrarily blocking websites and ports, and NAT are frequently seen used by mobile internet providers, including O2.

To be able to downscale images, insert things into HTML pages etc., O2 must route your web queries through an HTTP proxy. As well as the things mentioned above, the proxy is adding an extra HTTP header to outgoing requests. This header contains your mobile number.

Lew created a website to let people see this in action; let’s look at an example:

User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A405 Safari/7534.48.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Accept-Encoding: gzip, deflate
x-up-calling-line-id: 4479XXXXXXXX

From the top line we can read information about the device and browser, from lines 2-4 we can read about how the phone is set up and what kind of content it likes to receive and then, there it is, the header that contains your phone number.

As various MVNOs like Tesco and GiffGaff use O2’s technical backbone, they’re also affected, though it’s suspected that it’s not affecting all users.

So the big questions I can imagine people are asking now:

Who has my mobile number? Will I receive loads of nuisance calls? Does Facebook/Google/Microsoft/Your Mum have my mobile number?

Short answer: Theoretically any website one has visited recently on your O2 phone will have received it. They probably didn’t know they’d received it though and I suspect probably didn’t think to save it. I’d doubt that anyone will have acquired anyone’s phone number via this message, however, clearly it’s quite an epic security failure because the opportunity for this happening is high.

Did this happen on purpose?

Short speculation: I highly doubt it. I suspect the issue occurred because O2 wants to track which customer is responsible for traffic as it goes into their land of HTTP proxies so I suspect they have a rule to use DPI to insert this header into each query – it’s a unique key that they can track to every customer. I suspect the way it’s supposed to work is that on the way out of their cluster of web proxies (doing censorship, image rescaling, etc) they should have a rule to remove the header and thus pass all the HTTP requests up to the internet unmodified. My suggestion is that someone probably misconfigured the rule to “look for this header and remove it”, probably by misspelling the rule they were looking for. It’s an easy sysadmin mistake to make.
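The failure mode speculated about above, as an added example that is not from the original post and not O2's configuration: an egress rule that strips a header by name silently does nothing when the name is misspelled, while a second check on header values still catches the leak. The header block is the one shown earlier (User-Agent shortened); the phone number, the misspelled rule name and the function names are constructed for illustration.

```python
import re

# Header block from the post, User-Agent shortened. The post masks the number;
# a constructed number is substituted so the value check has digits to match.
RAW = """User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Accept-Encoding: gzip, deflate
x-up-calling-line-id: 447700900123"""

# Assumption: UK mobile number in international form, 44 7 plus nine digits.
MSISDN = re.compile(r"(?<!\d)\+?447\d{9}(?!\d)")

def parse_headers(raw):
    """Split 'Name: value' lines into a list of (name, value) pairs."""
    pairs = []
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs

def scrub(headers, strip_names):
    """Egress rule: drop headers whose name is on the strip list (case-insensitive)."""
    blocked = {n.lower() for n in strip_names}
    return [(n, v) for n, v in headers if n.lower() not in blocked]

def leaked(headers):
    """Independent check: names of headers whose value looks like a phone number."""
    return [n for n, v in headers if MSISDN.search(v)]

def egress(headers, strip_names):
    """Scrub by name, then fail closed: also drop anything the value check flags."""
    out = scrub(headers, strip_names)
    flagged = set(leaked(out))
    return [(n, v) for n, v in out if n not in flagged], sorted(flagged)

if __name__ == "__main__":
    hdrs = parse_headers(RAW)
    typo_rule = ["x-up-caling-line-id"]  # constructed misspelling: matches nothing
    print("name rule only, still leaking:", leaked(scrub(hdrs, typo_rule)))
    print("name rule plus value check:", egress(hdrs, typo_rule))
```

The same `leaked` check works on the receiving side: a site operator can run it over incoming request headers to avoid logging subscriber numbers it was never meant to see.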

Shouldn’t O2 have policies in place to prevent stuff like this?

Oh yes. I’m sure they do. I’m sure they have change control systems that I could write novels about. Stuff still slips through though. Was this preventable? Almost certainly, but only O2 knows for sure.

What are O2 saying about this?

Well, I’m sure we’re going to see a mediastorm, some big O2 apology and some PR theatre where someone apologises to O2 and Twitter is awash with complaints.

However, currently, some numpty at O2 twitter support thought the following response would make sense:

Hi Lewis. The mobile number in the HTML is linked to how the site determines that your browsing from a mobile device #O2Guru

No, you are not a guru. Lines 1-4 of the header do that. Look at line 5. Yep – there’s the issue.

Currently they’re saying it’s their “top priority” and they are “looking into it as we speak” aka they’re frantically paging technical guys and working out how to write the press release; basically the first few scenes of the PR theatre.

Update 1: And their announcement, and that they fixed it. Thanks MJ Ray.

What should O2 do?

Well, all they can do is fix it, try not to do it again and apologise profusely to their customers.

What’s the legal perspective?

I’m not a lawyer, however I think that the Information Commissioner’s Office should look into the incident with regards to compliance with the Data Protection Act 1998. The ICO should deal with the case as they see fit.

Is new legislation needed to prevent this from happening again?

No. This looks a lot like a technical mistake. In my opinion, the DPA covers this well enough and if anything should be given extra teeth, it should be the ICO in being able to investigate things like this.

How does this affect you, Tim?

Well, I’m not an O2 customer, but this could very well have been any mobile network carrier, anywhere in the world. I’m interested in how this will play out and obviously I’m concerned about the theoretical potential implications, even though personally, I think the actual risk is relatively low. I’d be quite peed off if this had happened to me.

How can I check if it’s been fixed?

Visit this website on your phone. Do you see your mobile number at all? If yes, it’s still broken, if no, it’s fixed.

Howto be a submarine facebook ‘friend’ and wreck friendships

Hi, today I want to talk about how to really mess up friendships with Facebook. No, this isn’t so that you can go and use it on people, but because it’s a flaw which I think people should be aware of.

First we have to understand a little known feature of Facebook:

Facebook doesn’t want its users leaving. That bit is obvious. So instead of encouraging you to delete your profile and delete all the comments you’ve posted over the years, they suggest you disable it. This means that they still have everything and can simply reinstate you if you come back and decide actually you like the book of faces.

Now I actually don’t think this is such a bad idea. Despite my loathing of facebook the company, I don’t like the idea of people deleting their archives of social interactions. I’m in favour of keeping your letters, birthday cards, photos. Sure keeping them on Facebook is epic privacy fail, but that’s out of the scope of this article.

However, consider the following scenario:

  • Alice and Bob become friends on Facebook.
  • Bob disables his Facebook account.
  • Alice and Bob fall out.
  • Alice no longer wants Bob to have access to her Facebook account.
  • Alice tries to delete Bob from her friends list, but Bob isn’t in it. (His account is disabled; he won’t show up)
  • Alice posts stuff she doesn’t want Bob to see.
  • Bob re-enables his facebook account.
  • Bob is still friends with Alice, Alice is unaware he is able to access her profile until he shows up in her newsfeed.
  • Bob is able to see all of Alice’s updates of the same permissions he was able to before he disabled his account.

And there you have it. A really easy way of being really shitty.

I don’t like it, I’m not sure what I’d suggest facebook did, but yeah; it sucks.