
EFF and the Surveillance Self-Defense Project

The EFF recently went live with a Web site that explains electronic surveillance and the laws governing it. Some consider the Web site irresponsible. Others disagree; let me explain why.

The Electronic Frontier Foundation (EFF) has been at the forefront of the digital rights battle since 1990, defending the right to free speech and on-line privacy. Still entrenched in that battle, a few months ago the EFF unveiled a new Web site titled the Surveillance Self-Defense Project (SSD). Its entire purpose is to provide relevant information about surveillance:

"The Electronic Frontier Foundation (EFF) has created this Surveillance Self-Defense site to educate the American public about the law and technology of government surveillance in the United States, providing the information and tools necessary to evaluate the threat of surveillance and take appropriate steps to defend against it.

Surveillance Self-Defense exists to answer two main questions: What can the government legally do to spy on your computer data and communications? And what can you legally do to protect yourself against such spying?"

Risk Management

Although the EFF is focusing on what many call "big brother" surveillance, I find that their information is relevant for maintaining information security against all threats. One area that the EFF has focused on is risk management, and that resonates with what TechRepublic's IT Security host Chad Perrin has been championing for a long time. The EFF goes on to say that security means making trade-offs to manage risks:

"Security isn't having the strongest lock or the best anti-virus software; security is about making trade-offs to manage risk, something we do in many contexts throughout the day.

When you consider crossing the street in the middle of the block rather than at a cross-walk, you are making a security trade-off: you consider the threat of getting run over versus the trouble of walking to the corner, and assess the risk of that threat happening by looking for oncoming cars.

Your bodily safety is the asset you're trying to protect. How high is the risk of getting run over and are you in such a rush that you're willing to tolerate it, even though the threat is to your most valuable asset?"

It's a simple example. Yet it has to hit home, putting the entire process into perspective. To explain further, the EFF divides risk management into four distinct yet related concepts:

  • An asset is something you value and want to protect. Anything of value can be an asset, but in the context of this discussion most of the assets in question are information.
  • A threat is something bad that can happen to an asset and what you are protecting against.
  • Risk is the likelihood that a particular threat against a particular asset will actually come to pass, and how damaged the asset would be.
  • An adversary, in security-speak, is any person or entity that poses a threat against an asset.

It all comes together

The entire point of risk management is to determine which threats present the greatest risk to the assets being protected. The EFF Web site further explains:

"Putting these concepts together, you need to evaluate which threats to your assets from which adversaries pose the most risk, and then decide how to manage the risk. Intelligently trading off risks and costs is the essence of security. How much is it worth to you to manage the risk?"

The EFF also points out that data needs protecting in two distinctly different venues: Data stored on the computer and data on the wire.

Defensive Technology

After explaining risk envelopes, the SSD Web site offers technical information on how to provide security for the data, regardless of whether it resides on the computer or is in transit to a remote endpoint. The major areas touched on are:

The information provided on the SSD Web site is comprehensive, offering excellent how-to methods that should be considered by everyone.

Is it controversial?

Paul McNamara of NetworkWorld in his article "Helping to keep government's prying eyes at bay" made a prediction that the SSD Web site wouldn't make it a day. I'm not sure if he was kidding or not, but he mentioned:

"Someone's going to call it a threat to national security before the day is out. ... Phooey."

That was on 03 Mar 2009 and the Web site is still there today. After investigation, do you think the SSD Web site makes it more difficult for the government to do their job? Is it something that governments just need to deal with because citizens have the right to privacy? What do you think?

Final thoughts

As I read through the Web site I had one of my daah moments: Security preparations have to be preemptive, otherwise they're totally worthless. That means we don't know who we're protecting ourselves from initially. So controversial or not, enabling the security practices described on the SSD Web site could be considered useful protection against all digital intruders. How's that for justification?


64 comments
frylock

Michael, for an informative and timely article. And to the posters. I expected to find a thread that quickly degenerated into a flame war (as usually happens with provocative topics) but instead found many thoughtful and insightful posts. Particularly to apotheon (as always) and dixon (new to me). Good work.

NotSoChiGuy

http://www.suntimes.com/news/cityhall/1498606,CST-NWS-emergency27.article Specifically, this was a part of the article I found interesting: "Just last month, Mayor Daley showcased the upgrade, which lets call takers and dispatchers see real-time video from surveillance cameras within 150 feet of any 911 call." 150 feet of ANY 9-1-1 call??? Really??? Either that was poor wording choice on the part of the reporter, or I'm going to go get me some lead-based paint right now!! ;)

dixon

As a result of the biggest and most insidious PR scam in history, and through the hefty application of fear-mongering, we have been led to a place where we can now actually regard our right to privacy as 'controversial'. If there's anything that should be viewed as controversial, if not plain outrageous, it's the numerous loopholes government has managed to create for itself for subverting the time-honored ideals of due process, probable cause, habeas corpus, and the Bill of Rights. We are viewed by our own public servants with fear, disrespect, contempt, and suspicion at every turn, and we're told to simply get used to it because the world happens to be a dangerous place. Ben Franklin was right about security vs. liberty, and the Great Experiment seems to have failed after all. Long live John Perry Barlow.

bboyd

Good views on why government needs to be curtailed and the correct in my opinion view that privacy is the basic component of individual freedom. Too bad a lot of individuals have no respect for freedom. Good fences make it easy to identify thieves, especially ones trying to circumvent the fence. EFF is good at explaining the limits of the protections. Wish guys like them had their own political party to vote for.

Neon Samurai

Given that the Gov has a legal mechanism to contact me and request my encryption keys given grounds for search, providing strong encryption and safe user tips is a non-issue. It's simply educating the public about a standard they should already be at. We're having a similar issue up north of the meridian; .CA officials are crying out about Blackberry providing better security than they'd like. I think it's the same here; if law has valid reasons then a judge can always "request" the needed information from RIM or whomever manages the BB's data.

sidekick

The website looks interesting. I can't wait to delve into it. We have to remember that Big Brother doesn't pop up overnight. It's a cycle of getting closer to, but not crossing, a line. Then the line sort of drifts away a little bit, then we can take another step without crossing it. Repeat. I wish I knew my history better, because I'm sure there is a good example in there. But since I don't have one, let's look at Star Wars. Raise your hand if you're not familiar with these films. No one? Good. Palpatine didn't just show up one day and take over. He continuously manipulated the system to gain more and more power until it was absolute. And they let him do it, in fact gave it to him, because they couldn't see what was happening. Then of course the rebellion, back to a republic, and it starts all over again. Hmm, I suddenly have an urge to reread Animal Farm.

boxfiddler

yes. I think they are. I've been following EFF since early Napster days, find their work relevant to a trend towards curtailing our 'right to privacy.' Thanks for getting this out there.

Michael Kassner

I try hard to present the subject in a manner that avoids confrontation. It's more important to share thoughts and ideas that will enlighten rather than burn.

doug

Well, I'm sure they meant 150 feet from every camera. I wonder where that video is going. The supercomputers the government has probably have plenty of space to store all that video. And the technology exists to create a mathematical reference for a face, and store that in a database after processing the video. Basically they could, if they've set it up, take a picture of your face, process it into a mathematical reference, do a simple database search, and then pull up every surveillance video you've ever been in.

Michael Kassner

I'd assume that's an exaggeration. A city the size of Chicago has to have a significant number of 911 calls at any given moment. I wonder if they are like the traffic cameras here in MN, where we get to view the images.

dixon

...and a surveillance camera in every garage.

Michael Kassner

You provide insight and a very interesting quote: "We have been led to a place where we can now actually regard our right to privacy as controversial."

kama410

His name was Ron Paul. Of course, since he wasn't heavily televised, 90% of the population didn't even realize he was running. ...and there are always the idiots who think that voting for the candidate who you want, rather than the one you think will win is 'wasting' your vote. I really have to question the value of having a vote if people are too stupid to actually use it.

apotheon

"EFF is good at explaining the limits of the protections. Wish guys like them had their own political party to vote for."

The closest thing to an EFF political party is probably the Libertarian Party (when it's not busy trying to destroy itself with incredibly bad ideas like running a neocon as an LP candidate -- i.e., Bob Barr). I'm beginning to think that I should try to organize some kind of Technology Caucus within the LP, to help wake up the party to the present/future technology concerns that should be addressed under the heading of liberty.

Michael Kassner

I wonder how much traction an EFF-based political party would have.

Michael Kassner

TSA for example can demand the encryption keys or they keep the device. Ironically that has driven users to resort to hiding encrypted flash drives and not having any sensitive data on the actual notebook.

Michael Kassner

Good examples of mission creep. Thanks for bringing them up.

eric

Have you been to London recently? =Eric

MartyL

In no particular order: I'm not much for bumper stickers, but I like this one: "A true patriot is prepared to protect his country from his government." Every time someone from the government says, "An honest man has nothing to hide," what it really means is, "An honest man had better already have a good hiding place." Every time. If EFF can field a candidate, I'm ready to change my party registration and vote for them. Too many government bozone-dwellers have forgotten who they work for.

dixon

It seems to me that we've somehow forgotten a vital truth: A democracy is no place for wimps. It takes a lot of courage for us all to just leave each other be, trusting that the vast majority of us will exercise our liberties in a responsible, ethical fashion. This will go down in history as the moment we lost our nerve. "We've decreased your liberty and increased our own authority," the government says, "but don't worry, we won't abuse it." This is the very definition of abuse. We may as well be told that remote-controlled bombs have been installed in our cellars with no malicious intent.

apotheon

My experience trying to support Ron Paul taught me more about the machinery of the Republican Party than any human being should have to endure. I don't think I could do it again.

Michael Kassner

Would have a very good communications infrastructure. Even better than President Obama's.

boxfiddler

I vote third party as a rule of late anyway. These guys have been consistent and clear in their efforts over the course of years. Something rather lacking in politics these days.

apotheon

It has prompted me to drive everywhere. Flying, these days, is mostly for chumps and luddites.

apotheon

"Creep" is a good word for it, in this case. There's a reason they call espionage and counter-espionage agents "spooks".

Michael Kassner

I guess I was considering 911 calls from inside buildings or homes.

apotheon

I appreciate the compliments (and the complements, to sorta springboard off of MK's comment about being fortunate to have people like you contributing to discussion).

Michael Kassner

That members like yourself interject as it helps us learn new viewpoints and information.

dixon

I don't post as much as a lot of folks, and I'm generally sort of unnoticeable. On the other hand, I've read a bunch of your posts and have found them very thoughtful, useful, and interesting.

apotheon

How did I not notice you on TR before this?

Michael Kassner

Not in question to be sure. I was totally impressed by the SSD Web site. It was to say the least comprehensive and detailed.

apotheon

. . . but it's one of several books I have sitting around here somewhere waiting for me to read them.

apotheon

Thanks for the suggestions, guys, but I think I'll stick with driving. In fact, I'm looking forward to getting another motorcycle and going on a two wheel per person road trip with my significant other at some point in the reasonably near future (say, within eighteen months).

NickNielsen

You can't beat the service, but the accommodations stink....in both cases.

Michael Kassner

I appreciated the exchange and am once again walking away a better person.

eric

They ask no questions, check nothing, and get it where you're going, when you want it there. =Eric

santeewelding

Seek audience with Sonja, resident Master every Friday on TROLOV, to see unaided how it looks.

dixon

And having just now put my previous posts under a different sort of 'microscope', I detect a tone that's been far too negative. It's always hard to know how you sound to others. So I tried to read my own words as if they had been written by someone else, and imagined what sort of helpful advice I'd give to such a frustrated sounding person. Interesting exercise. I found myself thinking, "Why don't you shift your focus to something you have control over, like maintaining as honorable, ethical, happy and productive a life as you can? Why not concentrate on your blessings instead of your worries?" I immediately realized how good I've really got it: decent health; great family, friends, and clients; a business that does reasonably well; and citizenship in a wonderful country which, despite its imperfections, still has effective and noble institutions with which to solve its problems. I'm going to try and hang onto this hopeful attitude, and will probably be watching less news. I'm also going to stick to positive, useful posts from now on. I apologize to anyone who may have been bothered by my previous negativity.

santeewelding

And further. I mean our own roles; our own analysis; our own putting each other under our respective microscopes as to every word, every presents here. To grow anxious over the extent to which "government" does so, while neglecting (your) own apparent, considerable prowess in observation and analysis, could defeat you.

dixon

I agree, Michael, that up to a point, elevated security is appropriate in airports. The hard part is determining where that point lies. On what basis are we confident that this new form of scrutiny wouldn't be deployed far more broadly? Should we accept being peered at under a thousand microscopes everywhere we go? And by the way, CNN seems as odd as most mainstream news outlets to me. They'll give a thirty-second gloss-over on a story of true global import, then chatter on for two weeks about a family whose cat is missing. Santee, I wouldn't be a bit surprised if this conversation is being monitored. I wouldn't be a bit surprised if all of them are. Here's one of my favorite quotes ever to come from the Supreme Court. It's old, but still meaningful, or at least should be. It's relevant to the EFF's efforts as well as the rest of this discussion:

"The protection guaranteed by the amendments is much broader in scope. The makers of our Constitution undertook to secure conditions favorable to the pursuit of happiness. They recognized the significance of man's spiritual nature, of his feelings and of his intellect. They knew that only a part of the pain, pleasure and satisfactions of life are to be found in material things. They sought to protect Americans in their beliefs, their thoughts, their emotions and their sensations. They conferred, as against the government, the right to be let alone-the most comprehensive of rights and the right most valued by civilized men. To protect that right, every unjustifiable intrusion by the government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the Fourth Amendment. And the use, as evidence in a criminal proceeding, of facts ascertained by such intrusion must be deemed a violation of the Fifth. Applying to the Fourth and Fifth Amendments the established rule of construction, the defendants' objections to the evidence obtained by wire tapping must, in my opinion, be sustained. It is, of course, immaterial where the physical connection with the telephone wires leading into the defendants' premises was made. And it is also immaterial that the intrusion was in aid of law enforcement. Experience should teach us to be most on our guard to protect liberty when the government's purposes are beneficent. Men born to freedom are naturally alert to repel invasion of their liberty by evil-minded rulers. The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding."

Supreme Court Justice Louis Brandeis, Olmstead vs. The United States, 1928

Amen.

santeewelding

How much of this do you suppose is going on in the (literary) analysis of every word posted here?

Michael Kassner

I may be old school, so please forgive me. I find CNN to use sensationalism more than my standby, the Washington Post. What's your opinion? Also airports are a special case. I actually like the extra nervousness exhibited by TSA. I'm not sure you can overdo safety when you are 2 miles up.

dixon

..but that doesn't lessen the concept's significance as yet another symptom of this backdoor trojan infecting the very root of our culture. I defiantly declare my God-given right to have an anxious expression without suffering molestation from authorities. I might even dare to frown, once in a while. Next, I'll be told that, if I object to being stripped naked in public, I'm suffering from pathological body embarrassment. This might qualify me as 'mentally unstable', which would justify further scrutiny. This whole notion that, in the interest of encouraging a feeling of safety, delusional as that may or may not ultimately turn out to be, authorities can suspend any and all recognition of our rights at a whim, leads to a plainly ruinous path. Gosh, now I'm actually scowling. I sure hope nobody's watching.

Michael Kassner

About that. I think that Mr. Schneier wrote about it. I'll try and find that. From what I remember, he thought it was fairly useless.

dixon

...about the latest fun and games? Airport security strategy now includes 'trained personnel' who prowl around randomly 'analysing' people's facial expressions for subtle signs of stress or anxiety, as a basis for detention and questioning. I don't know what your expression looks like when you're running through an airport five minutes before your plane's taking off, but I'd be sent straight to Gitmo.