The Norwegian Government today proposed Proposition 68 L (2015-2016), extending and introducing a wide range of methods for the police to cross the privacy boundary with increased surveillance, including what the Minister of Justice, the Progress Party (FrP)'s Anundsen, calls "surveillance closer to the soul".
The possibility of performing telecommunications control in Norway dates back to 1915, but it was limited to cases involving national security until 1976. From 1915 the surveillance was restricted to post and telegraph; telephone surveillance was added in December 1950. Now, in 2016, the government wants to extend the scope to:
- "Data reading" is introduced as a term, permitting the police to hack into computers, including installing keyloggers (physical or virtual)
- Possibility to send silent SMSes to generate telephone traffic. The Norwegian police have already been widely criticized for illegally using IMSI catchers across, in particular, Oslo, in violation of court order and registration requirements. A silent SMS is a message that is not displayed by the phone, but the generated traffic increases the verbosity of the information the police can obtain when the phone company is compelled to turn over data.
- Take control over email accounts without a court order to ease access to information early in an investigation
- Physically bug (microphone) private rooms without an actual crime having been committed as a preventive measure.
"Closer to the soul", indeed; if you don't already see the resemblance to Minority Report (2002), you likely want to make it your weekend movie pick. IMDb summarizes the Spielberg movie as "In a future where a special police unit is able to arrest murderers before they commit their crimes, an officer from that unit is himself accused of a future murder".
Anundsen argues that you don't get any more access to an individual's thoughts from monitoring what is typed on a computer and potentially never sent than you get by physically taking control over the person's diaries. Without going into how wrong that argument sounds to begin with, there is of course a difference in awareness between the police physically getting access to a person's diaries and the police silently monitoring in the background while the person writes in the diary, unaware of the police presence.
This adds to a long line of police requests for increased access to information across the globe. Senators in the USA want a new bill to impose fines if operators don't willingly help attack their own products, and Obama is ever reducing security, this time by increasing the scope of use of collected data.
So what can you do to protect yourself in a society where everyone around you is increasingly becoming your enemy? Ars Technica had an interesting post recently titled "Most software already has a 'golden key' backdoor: the system update". If you can't trust the operating system and hardware providers, you're lost to begin with. Bill Gates expresses his view on access to personal information this way: “It is no different than [the question of] should anybody ever have been able to tell the phone company to get information, should anybody be able to get at bank records,” Gates said. “There’s no difference between information.” He offered this analogy: “Let’s say the bank had tied a ribbon round the disk drive and said, ‘Don’t make me cut this ribbon because you’ll make me cut it many times.’”
So you need a software stack that you can trust, and likely want to audit the source code of, or, if using binary builds, at least a system that uses reproducible builds.
With a relatively trusted software stack in place, and with any update activity monitored (while of course still applying security updates immediately), the added complexity of encrypted and digitally signed emails comes into question. Personally I quite prefer OpenPGP using the GnuPG implementation, and with the way the world continues to develop I'm tempted to refuse to answer emails from people that send me emails that aren't following proper email etiquette and are properly signed and encrypted. Phone calls and SMS messages I prefer not to get or take to begin with (we haven't even discussed SS7 in this post). Naturally, private keys should only be stored on smart cards, and data expected to be sensitive should only be read on airgapped systems.
It is also curious that Norway is following China in its privacy activity by this act.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
It's very worrying to see such things eroding not only for Americans, but
citizens of other countries as well. They claim it's to stop criminals, but they
don't bother to publish which people have been incarcerated due to the
information gathered in this fashion. They don't disclose which people were
wrongly accused and later exonerated. They don't disclose how many people's lives
have been ruined due to such erroneous accusations. I think these governments
are aiming to seize complete control in a way tyrants only dreamed of centuries
ago. In this progressive erosion of privacy, not a single benefit has come along
with it. Crime has not lessened -- even if it had, is it worth exposing people
or catching the wrong person?
I'm sorry to read about the loss in Norway. It would be nice if privacy were
recognized as a basic human right. No government deserves laissez-faire access to
people's everyday lives. Warrants exist for a reason, and require reasonable
doubt or other supporting logic to legitimize the infringing upon the rights of
the individual. These events are panning out like, "We're infringing on your
rights for your own safety." We are not safe. We are more vulnerable to
exploitation and silencing than ever before.
I've considered restricting most of my communications to cryptographically sound
methods. I'm fine with this message being public, but have signed it for our
keys. Here's hoping I used it correctly. 🙂
On that note, that's one of the biggest hurdles cryptography has. The average
user wants to click through things and doesn't pay much attention. Accessibility
and ease of use are worthy goals, but cryptography and security are things that
should be approached with much caution. The public needs to be educated on the
dangers of public communications. Unfortunately, it may take vast overreaches of
power before people begin to care. By then, it will be too late. That is my
fear.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----