Hello everyone. So, um, is that my audio? Is that yours? All right. So my name is Chris Soghoian. I'm a PhD candidate at Indiana University, and I'm going to be talking about government surveillance today. My day job, I guess, is two things. First, I'm a researcher and activist that works on privacy and security issues. I also work half time at the Federal Trade Commission, where I assist the team of lawyers in going after companies that violate your privacy. Unfortunately, in the United States there's actually no federal agency that's tasked with protecting your privacy from the government. The FTC has no official position on the Department of Justice or NSA's abuse of your civil liberties, and so for those reasons I'm not speaking on behalf of the FTC here. This is definitely my student research. My dissertation is focused on the relationship between ISPs and the government, and so this is basically a collection of some of the research I've put together over the last year or two.

You might remember me: a few years ago I made a website that made fake boarding passes, which led to the FBI raiding my house at two in the morning. Shortly after that they finally got around to fixing the ease with which you could manipulate boarding passes. Now there are cryptographic hashes on the boarding passes. Whether you consider that a good thing or not, that's up to you.

All right, so this talk is going to be focused on a few things. First, how often the companies provide our, the people's, data to law enforcement and intelligence agencies; what data they can be forced to disclose; how much money they make by selling your data to the government; and which engineering and legal practices can actually impact the degree to which your information is disclosed. So some companies actually fight, both through legal means and through engineering means, and I'm going to be shedding some light on those, because for the most part they're just
not really known. Right, so part one: how often does the government get our data?

All right, so you might remember from the movies, the old days of wiretapping was someone climbing up a telephone pole and listening in on headphones. That's not how wiretaps work anymore. This is how wiretaps work: someone sitting in an air-conditioned data center, typing away at a keyboard, pulling down a trunk full of data. When you store your data in the cloud, Google doesn't get a visit at 2 a.m. from armed police. They don't seize Google's hard drives. Google just sends them a DVD with your data. There's a reason that this shift from hosting data on our personal computers to hosting it in the cloud is important and impacts the way the government gets information. There are bottlenecks with regard to government resources: they only have so many agents and so many officials and so many lawyers. And so consider the marginal increase in work. Five more searches of homes means five more teams that have to go out and raid the house and take all your data, versus asking Google for five more accounts, where you're just adding a few names to an existing subpoena or existing search warrant. And so it's really, really easy for the government to benefit from sort of a network effect with ISPs: they can ask for 20 more users' information at very little cost.

All right, so what do we know about the extent of surveillance today? There are surveillance statistics that are published according to some federal statutes for certain kinds of surveillance, but a lot of the information that I have and am presenting here I've gotten through the Freedom of Information Act, through friends that I've made in Washington DC, and, a really effective strategy, getting companies' lawyers drunk. They like to talk, and when you promise them that you won't name them, they're actually willing to give up the goods. It's important to note that the stats
that I have by and large don't cover intelligence, and the reason for that is that intelligence requests are shrouded in secrecy. We have some stats regarding the number of FISA orders, which is the Foreign Intelligence Surveillance Court, but they list the number of requests, or the number of court orders, not the number of individuals, and so one court order can get 10,000 people's information. So we know nothing about the intelligence industry, but we do know plenty about law enforcement.

So the first method of surveillance I'll be talking about is wiretaps. This is real-time interception of communications content. It includes voice communications, text, instant messaging, and network traffic dumps, think tcpdump. To get one you need what's called a super warrant. This is a really, really high legal standard. It's a pain in the ass to get, and it takes a little bit of time. The police have to show there's probable cause to believe that you've broken the law. They also have to show that they've gone through all these other steps to try and get data and failed.

All right, so let's look into the wiretap stats and see what we can figure out. The first thing is this: the use of surveillance intercepts grows every year. This is 1987 through 2009, and you can see a clear increase. The blue is total intercepts and the red is federal intercepts. So the take-home lesson here is that the federal usage isn't really going up that much, but the states' is skyrocketing. Also important to note: look at between 1999 and 2001, 2003. You would assume that after 9/11 there would be a massive increase in the number of wiretaps. It's not there, and the reason is because the massive buildup of surveillance that happened after 9/11 wasn't law enforcement, it was intelligence.

All right, next take-home lesson: drugs are bad if you value your privacy. These are the major offenses specified in intercept orders,
narcotics versus other crimes. You can see that your chance of getting wiretapped if you're engaged in drugs is pretty high, and if you're engaged in anything else it's pretty low. The take-home lesson here is, if you're going to break the law and don't want any wiretaps, stick with something safer like murder, bribery or extortion. You can see this from the numbers here: we have two thousand intercepts a year for narcotics and nine for robbery. These numbers speak for themselves. So the police are focused on drugs. This is the impact of the war on drugs in this country. Most of the requests are coming from New York and California, which have specialized drug task forces. These are agents who are trained in the process of getting these pain-in-the-ass court orders. You're not seeing a police officer in Podunk, Minnesota who is going to go through all the effort to do a wiretap. These are special units in LA and New York, San Francisco.

All right, next trend: phone surveillance intercepts increase each year while other forms decline, and this isn't due to increases from the feds, this is due to the states. I don't know if you can see this graph, but the take-home lesson here: the blue thing is total phone intercepts, and those have skyrocketed, again due to use by the states. The little things that start on the left, the orange and a few other colors, those are electronic surveillance. So basically electronic surveillance is zero at this point.

So actually, in 2009, ninety-five percent of intercept orders were for portable devices. This is your cell phone being surveilled. If you are using a phone in your house, the chance of them wiretapping it is also very, very slim. Again, you can see here from the stats, portable devices, which are green, are the lion's share. Just massive, massive numbers here.

Electronic intercept orders, so that's computers and other things, used to be significant in number,
right? So if we look through 1997, you know, in 1999 there are nearly 700 electronic intercepts a year, and if you go to 2009 you can see that you can't even see it on the graph, and they've plunged to less than five a year. All right, so we used to have hundreds of electronic intercepts and now we have five or 10 a year, combined, for federal and state. So what happened? This is electronic intercepts. That category used to include pagers, faxes and computers, and when people stopped using pagers the number of electronic intercepts went down.

So why are there no network wiretaps? The reason is because they're expensive. Law enforcement has to maintain a leased line from the ISP's data center back to theirs. It's expensive, it requires all this fancy gear, and they don't have the training to do it. So law enforcement agencies just really are not doing network-level wiretaps. Instead they're going after the fact to your ISP and getting your stored data. That's your stored email, your search queries and this other stuff. Like, why tap your ISP in real time when you can go after the fact and get it at much, much cheaper prices?

So another interesting data point. We used to hear for years that encryption was going to be the scourge of law enforcement: how can they keep us safe when criminals are going to be using PGP? And so a few years ago the Senate initiated a bill that got reporting of encryption added to the stats, so every year law enforcement have to reveal how many cases of encryption they found when they were doing wiretaps. The take-home lesson here, first, is that they're not encountering it, and when they are encountering it, it doesn't stop them from getting what they're after. Now again, I have to clarify that this is not intelligence collection of data. NSA is seeing encryption because they're monitoring Skype, but again, your podunk police officer in the South is not playing with encryption, and they're not seeing it because the criminals that they're going after,
they don't know how to use encryption.

All right, another category of data: pen registers. This is the real-time capture of non-content communications data. We're thinking IP headers, to and from information on emails, the phone numbers dialed, the URLs viewed in some cases, and also geolocation data when combined with another kind of order. The standard for getting these is ridiculously low. It's called relevance to an ongoing investigation. This is so, so easy to get, and as you'll see from the numbers, there are a lot more of them. So we have, in 2008, 14,000 pen registers a year at the federal level. This doesn't include states. These reports are not public; I had to FOIA these and then get some other stuff leaked to me. But we're seeing massive, massive numbers, like five or six times the number of wiretaps, and the reason is, one, it's really, really easy to get, there's no evidentiary threshold that they really have to surpass, and two, the data is not as difficult to parse. They get a list of the phone numbers that are dialed in real time, as opposed to having to deal with gigabytes of network transfers.

All right, this is where the mother lode is: stored communications and other data. Oops, I moved that. All right, well, I'll get to that in a minute.

All right, so before that, location. Location requests have become a massive, massive problem, or a massive, massive tool if you take the perspective of law enforcement. It is routine now: if there is a murder and the police don't know who did it, they call up the phone companies and they say, tell us everyone that was within 200 feet of the corner of First and Main Street at 7 p.m.
on Friday night. They can get hundreds of people's information with this. The legal threshold to get this historical information is super, super low. The historical information is usually cell tower data that is not super accurate, but real-time data is based on GPS pings or tower triangulation data, which is really accurate. In some parts of the country it requires a warrant, but often in other areas it can be gotten with a far lower legal process. In fact, the standard varies by magistrate in a district, so two judges down the hall from each other can have different standards. This is a big problem, because there's no federal guidance as to what the standard should be.

So this is a quote from a House Judiciary hearing a few weeks or a few months ago. This is a lawyer representing T-Mobile and a few other companies: "It's common in hybrid location orders for the government to seek the location of the community of interest, that is, the location of persons with whom the target communicates." So that means if you're under investigation, not only is the government getting your location information, but they're also getting the location information of everyone that you've called and everyone who's called you, with one order. This is really, really scary, the extent to which they're getting this data and then putting it in a database and keeping it forever.

So this is a slide that I acquired that was presented at an intelligence conference a few years ago. This is a British software solutions company that created a plugin for Google Earth. This shows real-time geographic cell information on 60 million Indonesian cellphone users in Google Earth, so an analyst can sit at a desktop and in real time zoom from the city level down to the street level and see a little dot for every phone. This is really, really scary, and these are Western companies that are selling it around the world. You can bet that
they're selling it to governments that are slightly closer to our hearts.

All right, so this is something I'm particularly proud of. Last fall there was a conference in Washington DC called ISS World. It's nicknamed the Wiretappers' Ball. It's a closed-door conference where surveillance software vendors get together and show off their products to intelligence and law enforcement officials from around the world, and I snuck in. It was fun; it was the first time I shaved in six years, put on a suit. Anyway, so I went there and collected some information. Rather than explaining it myself, I'll let my friend Steven do it for me:

"It was recently revealed that Sprint gives the government their customers' GPS coordinates. Sprint's electronic surveillance manager Paul Taylor describes the program's success: 'Their GPS... well, we turned it on for law enforcement about one year ago last month, and we just had a million requests.' That conversation was recorded without Mr. Taylor's consent, which is a terrible violation of Sprint's violation of your privacy."

All right, I mean, it's funny, right? But what the fuck are these guys doing? Eight million pings in one year. So what Sprint did is they set up a special website where law enforcement can log in and view real-time coordinates for any individual under surveillance. Now, Sprint used to charge per ping, two hundred and fifty dollars per ping, back in the old days when they had an analyst sit down and type the command themselves. They removed that step, and now law enforcement logs in on their own special web interface. Sprint also has created a system they call L-Site, which is an API that law enforcement agencies can program to and then access the information they want with their own systems. So the DEA, the Drug Enforcement Administration, is the first test pilot user of the system, and every DEA office has a terminal in it where an agent can sit down and type up the subpoena or the order or whatever. It gets sent electronically,
cryptographically signed, to Sprint's systems. It gets put in a bug tracker, Sprint's people monitor it, put the data back in, and then it gets sent back to the analyst. It's cut the response time from days to hours. So a Sprint employee or the DEA folks put it in the evening before, and the next morning the data is waiting for them. I mean, it's cutting through red tape, but I would argue that the red tape is actually a feature, not a bug. This stuff is really scary. Sprint is not the only company that is providing this GPS information, but they are, at least right now, as far as I know, the only one that has provided it in such an easy and friendly to use manner.

All right, so stored communications. I moved my slides before. All right, so this includes your email inbox, your Google documents, your spreadsheets, your search queries, your password-protected private blogs, your instant messaging communications if saved by a service provider, and archived cellular text messages. So this is all the data we store with Google and Yahoo and Microsoft and Flickr and all these other companies, and the legal standard to get this information is ridiculously low, and so obscure and weird. If your emails are 180 days old it requires one threshold, but once it's 181 days it's a much lower threshold. The minute you've opened up your emails, it's easier for the government to get. They can get your sent mail and your drafts with a simple subpoena. The standards are just really, really weird, but the take-home message is it's very easy for them to get your information.

So most ISPs don't talk about the number of requests they get. Google is actually the first, and they released this really handy tool in April this year, and they show on a country-by-country basis how many requests they get. The take-home message here really is that they're not getting that many requests: 3,500 requests a year in the US. But again, that doesn't say how many individuals' communications were
disclosed, just how many requests, and one request can be for 10,000 individuals. It also notes that this doesn't include intelligence orders, because it's illegal for Google to disclose the existence of those. But no other ISP has created anything like this, and Google has pledged that every six months they'll be updating this. So this is actually pretty cool, even if it isn't actually particularly useful.

All right, a few other data points. In May of 2009 an unknown Facebook employee gave an interview with Newsweek saying that they were getting between 10 and 20 requests per day. That was when they had like 200 million users; now they have 500 million, so maybe it's twice as much as that. In 2006 AOL was getting a thousand requests a month, but that was when AOL had customers, so I don't know how many they're getting now. Time Warner revealed just recently that they got about 560 requests a month. It's because they don't want to provide people's IP addresses in copyright lawsuits that they revealed this data point. They said that nearly all of those requests they get right now come from law enforcement. Verizon gets a shitload of requests. They get the thousand requests a year, and approximately 35,000 hours from federal officials and fifty-four thousand from state and local officials. We don't have any numbers for AT&T or Sprint or T-Mobile, but it's reasonable to assume the vast majority of the requests are going to phone companies right now. This is because they have the longest relationship with the government. Like, all the police know how to submit a request to AT&T; they don't know how to submit a request to Twitter.

All right, so this awesome document landed in my lap a few weeks back. You'll see the details in a minute. There's a really nice DOJ agency, I can't disclose the identity of them yet, that keeps a database of every request they submit to every ISP, and they list the recipient of the request and the reason for it. So this is information
from 2006. You can see that Yahoo and Microsoft Hotmail are the big winners here, the major recipients. 2010: oh look, MySpace is now the number one recipient, and by a huge margin. MySpace is just receiving massive amounts of requests. Well, a few years ago a researcher at Berkman named danah boyd hypothesized that basically poor people use MySpace and rich people use Facebook, that there's been a white flight from MySpace, and that the only people who are left behind are those not likely to go to college. Well, you know what, unsurprisingly, if there are people who are more poor and more minorities on MySpace, then they're going to get more requests, because they're unfortunately on the receiving end of most government investigations in the real world, so why not in cyberspace too? What these users don't know is that MySpace actually goes out of their way to help the government. MySpace is by far the best friend forever of the government, and I'll get into that later, but MySpace's chief security officer told me at a conference that it's a matter of pride that the company doesn't charge for the tens of thousands of requests they get per year. They see it as a service to their customers, their customers being, of course, the government.

All right, so those are the stats that we have. Now let's look into something a little bit more interesting: in which technical ways can companies actually differ on privacy and protect their customers?

All right, first, email headers. This is a lovely technical audience; I can speak about these things. We all know that there is interesting information in email headers. What you may not know is that webmail providers voluntarily put in some special headers. So Microsoft and Yahoo put their customers' current IP address in the headers of the outgoing emails. What that means is that if you're sitting in an internet cafe or at your house and using Microsoft Hotmail or Yahoo, your computer's IP address
is going in the outbound email header, not Microsoft or Yahoo's server's IP address. This is not required by a technical standard. This is something that they've chosen to do to help the government, or to cut down on the number of requests they receive from the government. But Google doesn't do this, and several other webmail providers are not doing this, so it's important to note that these two companies are voluntarily providing their customers' information and actually not telling their customers that they're doing this.

They're not the only ones, though. Between 2006 and 2009 Facebook was adding users' IP addresses to every automated message that was sent. So if you commented on someone's wall, or you poked them, or did something stupid like that, your IP address would get sent in the notice that was sent to them. I think it's slightly interesting that zuckmail, the email server named after Zuckerberg, was leaking your personal information. So in 2009 they changed: they started including the information in an encoded form. This is base64, so it doesn't take rocket science to reverse it. Once people figured out what was going on, the company quickly removed it.

But, you know, the impact of including this information is that when this information is in a header, these companies are not in the loop when they get a request from law enforcement. So if I send a threatening email to someone with a Yahoo account, they can look in the header and know exactly which dial-up or broadband ISP I use. OK, well, you know, Yahoo or Microsoft were going to have to give that information up anyway. But what if the request comes from the government of Burma or Pakistan or Zimbabwe, where those ISPs actually will tell the governments to get lost? In those instances, people in those countries would have had more privacy had the information not been provided.

All right, so another really interesting data point: mobile phone and broadband IP addresses. So at that same conference I went to,
where I was lucky enough to record the executive from Sprint talking, and he revealed that Sprint statically assigns all of their broadband customers IP addresses, and they keep the logs of who has which IP address for 24 months. They also have the URL history of every web page you view using their web gateway, and they keep those for two years. But they note that they don't store it for law enforcement purposes. They store it because when they originally launched their service in 2001 they thought they were going to bill by the megabyte, but then they decided not to do that, and the reason they keep it is because marketing wants to rifle through the data. How nice of Sprint. So if you're using Sprint, they know which IP address you use, which means if you leave a nasty comment on someone's blog and then that person tries to unmask you, Sprint is in a position to reveal who you are and which websites you were going to at that time.

Contrast this to Cricket, which is a prepaid service aimed at the poor in inner cities. They use Level 3 Communications, which is an upstream provider, and they have no idea which users are using which connections. Everyone in the same city comes from a single IP address. So this is Cricket's surveillance manager at the same conference, and they're apologizing. They're saying, look, we're really sorry we're not able to help you, law enforcement. You know, we'd like to, but our infrastructure doesn't provide us with that data. So if you're a Cricket user and you leave a nasty comment on someone's blog, that person isn't going to be able to unmask you. That's a cool feature, but Cricket is apologetic; they are not advertising this as a privacy feature. Also at the same conference, T-Mobile's person said, yep, we're in the same boat as Cricket, we don't have the ability to determine IP addresses, everyone comes from the same address in the city. So if you are a T-Mobile user, you can have far more confidence in your ability to leave
defaming comments or download BitTorrent files over their network than if you're using Sprint. I'm not advising that you do that, but I would definitely consider that issue when you're deciding who to renew your mobile contract with.

All right, this is an issue that's near and dear to my heart: HTTPS for webmail. Many of you have seen the Wall of Sheep in previous years; I think it's running this year as well. So when we use wireless networks and we're not using encryption, our usernames and passwords go over the network in the clear, which means that anyone running a packet sniffer can hijack your information, get it, break into your account, steal your data. The solution for this is not rocket science. It's HTTPS. It's been used by banks for the last 15 years.

In 2008 Google said: "HTTPS can make your mail slower. Your computer has to do extra work to decrypt all that data. Encrypted data doesn't travel across the internet as efficiently as unencrypted data. That's why we leave the choice up to you." Now, in all fairness, Google at least offered its customers a choice. Every other webmail provider at the time didn't even offer HTTPS, so Google was at least ahead of the pack in offering it. But the choice that they were offering was an option in their settings, the last of 13 options, after Unicode, keyboard shortcuts and vacation responders. So it wasn't exactly a high-priority setting in their eyes.

Well, in 2010 Google said, you know, over the last few months we've been researching the security and latency trade-offs, and we decided that turning HTTPS on for everyone is the right thing to do. And then just this week, in testimony before Congress, Alma Whitten, Google's lead privacy engineer, said, you know, we hope other companies will join us soon, follow our lead, we're the first and only provider to do this, blah blah blah. Well, why did Google do this? What caused them to change their tune? Well, last May or last June I wrote an open letter to Eric Schmidt, and it was
signed by 38 other experts, including some folks who speak at this conference and some folks in the community, and we said, look, this is the responsible thing. Turn the shit on. Encrypt your users' data. It's totally irresponsible to let this stuff go out naked over the wire. Google turned around and said, yeah, we're going to look into this, and then six months later they did it.

All right, so who still doesn't offer HTTPS by default? Twitter, Facebook, Google's other services, so Google Docs, Google Calendar, Google search. They just started offering encrypted search a month or two ago, but it's not on by default. All right, who doesn't use HTTPS at all, even as a configurable option? Yahoo, Hotmail, Bing search, MySpace. These providers don't offer any encryption at all after your username and password go out over the wire.

All right, well, maybe it's expensive, right? Like, buying all those crypto accelerators, it's really, really expensive. It's about this gear, put it in data centers, configure these servers. How many thousands of servers does it require to support SSL? None. At this point it's free. So this is Google's SSL engineer Adam Langley, on a blog post just last month, revealing that they had zero new machines deployed, that SSL accounts for less than 1% of the CPU load, less than 10 KB of memory per connection, and less than 2% network overhead. So encryption is free for these companies. This means there is no longer any reason not to protect your customers' data with SSL. SSL is awesome. It protects your users from passive network monitoring, it protects them from many hijack attacks, and it protects them from passive network surveillance by, you know, folks at NSA who have convinced AT&T to give them access to their backbone. This is a good thing, and many ISPs should be doing it.

All right, but network encryption isn't enough. We also need storage encryption. So when you upload your data into the cloud, the files should be encrypted so that, you know, no one
can get the information. A few companies have been leading the way here. I don't know how many of you are using the Firefox web browser. They have an add-on that I think will become part of the browser at some point, called Firefox Sync. It synchronizes your cookies and bookmarks and stuff across multiple computers, across your wireless or your handheld, and the data is stored on Mozilla's servers, but it's encrypted with a key that Mozilla doesn't have. Mozilla cannot be compelled to reveal your bookmarks. This is a really awesome thing, and probably the reason that they've designed it this way is because they're not profiting from it. Whereas your webmail provider pays for their costs by scanning your email and showing you ads, so it's unlikely that they're ever going to be able to offer you encrypted storage of your data. They need to be able to access the plain text of your communications to pay their hosting costs. Two other awesome services: SpiderOak is a secure backup service, and Tarsnap is a similar service that has no graphical user interface. Both offer encrypted backups. Really, really cool, really fun, and subpoena-proof.

What about data retention? Through collecting some information, I've been able to get the data retention periods for a bunch of service providers. Some of this stuff has been leaked; I've gotten other information other ways. The take-home lesson is that your IP address connection information is retained across the board at companies. Microsoft keeps it for 60 days, AOL keeps it for 90 days, MySpace for a year, Time Warner for six months. Companies all have these policies. They all have established policies for how long they keep data and when they delete it, but they don't tell their customers about these policies. The one area where they do tell their customers is in the search engine space. Over the last couple of years European regulators have been beating up the search engines and pushing them to start deleting IP address data. In
response, all have moved. So Microsoft now deletes the entire IP address from their logs after six months. Yahoo anonymizes some of their logs after three months; they keep a second set for security purposes that only a few engineers have access to, but it can still be subpoenaed up until six months. And then Google does a really shitty job of anonymizing their data: they delete the last octet of the IP address at nine months, so like one in 255. Google is not doing a good job in this space, but they're all anonymizing their logs after a certain number of months.

Well, does this matter? No. Google's head privacy lawyer spoke to Wired in 2007 and basically said that when law enforcement comes for data, they come a couple of days after the searches were done. So deleting the data at six months, at nine months, at one month, it doesn't really matter, because when law enforcement is coming the companies have the full data in there. What about Microsoft? Well, they were asked by the New York Times a couple of years ago why they wouldn't adopt zero data retention, and Microsoft said too much privacy is actually dangerous: anonymized search can become a haven for child predators, and we want to make sure that users have control and choices, but at the same time we want to provide a security balance. Well, you know, I don't really want my service provider to be striking that balance. I want it to be deleting the data on day one or two, or not keeping it in the first place.

But you should think about this: when companies say we protect your privacy, we care about your privacy, we put your privacy first, they're making these statements and cutting these deals behind closed doors. So when companies talk about putting your privacy first, what they're talking about is putting your commercial privacy first: we want to share your data with third parties, we want to sell your data. None of them consider their relationship with the government to be part of that aspect of privacy. So one interesting thing
is that when companies have these data retention policies and they don't talk about the data retention policies when they change the number of months after which they keep the data no one knows alright so these are screenshots from MySpace's law enforcement handbook which they publish and compile and then give to any law enforcement official in the country you can see in 2006 they kept 90 days worth of logs and in 2007 they kept one year of logs so they massively multiplied the length for which they keep data and they never told their customers the reason is their privacy policy doesn't include this stuff the privacy policy says we will provide your data you know in certain circumstances we protect your privacy we value privacy blah blah blah but they don't actually include the important details the place those details are listed is in the law enforcement handbooks they don't share with their customers all right so there are also these non-technical methods by which companies can protect your privacy and companies do differ in these ways right so not every company is the same in the way that they respond to requests emergency requests all right so we have requests that come with court orders we have requests that come with subpoenas that come with some legal process and we have these emergency requests what this means is the law says if a provider in good faith believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency so what this means is that the feds or local police can go to an ISP and say someone's going to die we need this person's data it sounds reasonable right you don't want to stop the investigation in its tracks well when you have two paths one with high work and one with low work everything shifts to the low work track and so suddenly there are lots and lots of emergencies so how many are there a huge fucking amount so of the 
approximately ninety thousand requests that Verizon received from government agencies each year twenty five thousand are emergency requests these are requests that have no court order no subpoena no search warrant no oversight at all this is a police officer calling them up or writing a fax saying someone's going to die and the ISPs don't even have to learn about the circumstances they can take the police at their word so the important thing here is that the feds are not actually submitting loads of emergency requests to Verizon they're all from state and local law enforcement so like missing person in the woods or you know a murder or something I don't know what the cases are because unfortunately because there's no court order there's also no paper trail to follow up so we have no idea what these emergencies are it's important to note that a voluntary disclosure means a voluntary disclosure right so according to the Internet Service Providers Association which represents all the big ISPs there is never an emergency obligation on an ISP to disclose the ISP has the right to tell the government to get lost and to come back with a warrant they can and in some cases the ISPs do there is a process by which you know the police can wake up a judge at two in the morning and get him to sign a court order I know because they did one and used it to break into my house they can call up a magistrate over the phone and he'll issue the order by fax it can take half an hour so this isn't a serious issue but very few ISPs actually say no alright so a company's policy on emergency requests is one of the most important indicators regarding its overall commitment to privacy because this is an area where they can actually say no when they get a court order or they get a search warrant there's nothing they can really do the warrant if it's valid they have to disclose the data but when it's a voluntary request the ISP can put their foot down but we don't know how many say 
no because they don't talk about it this is like an area of uber uber secrecy because the ISPs think that if customers find out that they're doing this that they will not entrust them with their data maybe for a good reason all right well what about the cost right nothing is free in this world companies are legally permitted to pass along the cost of surveillance to the government this includes labor capital costs including those associated with hardware and software the development of the wiretapping systems as an example Sprint has a hundred employees doing nothing but wiretapping their customers and providing their customers' call records and location and other stuff that isn't free right those folks all have salaries what's interesting is that you know these companies charge you know on a regular basis and actually right now several big ISPs are under investigation by the Department of Justice for overcharging the government again because we don't know how much they're charging all right so this is some information that came out of a report a couple years ago this details the prices for different ISPs it's tough to read but basically you can see that the average cost of an intercept is between one and a half and two and a half thousand dollars they're charging big bucks for these intercepts not everyone charges them so MySpace Facebook and Microsoft don't charge at all they've decided that they would like to help the government in any way they can so they just give the information for free well you know is it good or bad that these companies are charging well so there are actually some benefits to the public when ISPs charge this is again a telecommunications lawyer Gidari speaking when records are free law enforcement over consumes with abandon but when service providers charge for extracting data law enforcement requests are more tailored also when you charge there's an invoice there's a paper trail and so over the last couple 
of years I've been filing FOIA requests to get the invoices so you can see here that Google charges $25 for your email account it's pretty interesting to know also Yahoo charges twenty dollars and thirty-nine cents or twenty dollars and 41 cents what's the difference between those two numbers the increase in the cost of a stamp Yahoo is passing on the cost of a stamp to the government for every time they hand over your data I think this is pretty cool actually alright so as I said before all of these ISPs have surveillance manuals in which they detail their policies their costs everything else they provide sample subpoenas so that the police don't have to spend as much time writing up the requests many of these surveillance manuals have leaked onto the internet recently I've got copies and they're really interesting you can see them all at cryptome.org that's where they're all hosted this is my favorite this is Sprint's surveillance manual you can check out the awesome clip art thankfully folks other companies are pitching in like Yahoo who is currently facing a Freedom of Information suit that seeks to learn how much money they made selling their customers' private information to the feds they are fighting this suit because according to their lawyer the information if disclosed would be used to shame Yahoo and other companies and to shock their customers I for one am shocked does Yahoo still have customers so you know there's always this talk about bloggers ripping off the mainstream media and I don't know if Stephen Colbert counts as the mainstream media but both that Sprint recording and this FOIA request that he's citing are mine and he didn't mention my name on the air so I think it's totally appropriate that I then use a clip of his without paying for it all right so we know the ISPs differ on privacy we know that some fight more requests than others we know that some go out of their way to help the government I think it's interesting to note 
that so Yahoo's surveillance manual showed up on Cryptome which is a website Yahoo sent a cease-and-desist then a few weeks later Microsoft's surveillance manual showed up on Cryptome and Microsoft like really went hardcore after Cryptome and had the site shut down like their upstream ISP pulled the connection for a little while these companies don't want their surveillance manuals getting out because it makes them look bad right like they're spilling all the goods and describing all the ways in which the government can get your data and the prices they charge like this is damning stuff but I really recommend that you look through these because it's really interesting all right so from this information though maybe we can do a little bit of analysis and say well which ISPs suck the least which ISP is not going to totally violate your privacy all right so let's start with Sprint Sprint retains the IP address logs and the URLs viewed for two years and they provided eight million GPS pings to law enforcement in one year another thing these guys are really good so I wouldn't recommend using Sprint Verizon when sued by EFF for assisting in the warrantless wiretapping program actually went to court and argued that they had a First Amendment right to disclose their customers' communications to the government they believe they have a free speech right to share your information so screw Verizon what about AT&T one word alright so sort of by process of elimination T-Mobile is the largest reasonable communications carrier they use NAT they have no IP logs to keep they don't retain the URLs that you view and at least I haven't found any public materials that indicate they went along with the NSA warrantless wiretapping program they very well may have but they didn't get caught doing it which is more than I can say for the other two big service providers also it's important to know that prepaid phones are your friends there's a bill 
in Congress right now to try and ban the use of prepaid SIM cards it hasn't gone through yet so I recommend that you buy several SIM cards and share them with your friends um so you know it is important to know the companies do differ on privacy and they don't want to talk about why they differ in many cases they're apologetic for the ways they differ but you know you can significantly impact and protect your own privacy by intelligently picking your service provider your email provider by using an encrypted cloud service rather than one that data mines your information and serves you ads I would like that when you get to walk into Best Buy in addition to comparing who has the sexiest new phone or who has the cheapest prices that you could actually compare you know who fights law enforcement requests the most or who keeps the least amount of data we don't have that yet but hopefully we will in the near future thank you