Can we Play Hide and Seek in the Panopticon?

09 Dec. 2014

Can we hide through mass surveillance? Read more to find out.

Last Updated: 22 Sep 2015

This is the 3rd blog of the MyShadow series: "Why shrugging at the Snowden revelations is a bad idea"
Author: Maria Xynou, Researcher at Tactical Tech
The Panopticon, as envisioned by philosopher Jeremy Bentham, is an “Inspection House” described as a circular building, where a single watchman observes all prisoners without them being able to tell whether or not they are being watched. Today there is no single watchman, but rather multiple watchmen –  ranging from various intelligence agencies, like the NSA and the GCHQ, to corporate entities, like Google and Facebook. But similarly to Bentham's Panopticon, our personal lives are closely being watched and we largely cannot know when we are a spy target.      
We have heard a lot about surveillance over the last years, especially following the Snowden revelations. But to what extent can it actually affect us personally? 
Am I the only person who does not care if the NSA goes through my stuff? I am one of 400,000,000 files in a server lol” - tweet from the Nothing to Hide Twitter account.
Mass surveillance literally involves the monitoring, interception and collection of huge volumes of data, which leads many to think that they can “hide within the crowd” as their personal data will not easily stand out. After all, when huge volumes of data are routinely being collected about everyone and everything, what are the odds that you will be identified within this bulk of data? And even if you are identified, the chances that there will be repercussions to your personal life are low, right?
Our perception of security often differs significantly from the reality of security. We might feel, think or hope that mass surveillance will never lead to the targeted monitoring and interception of our most personal communications, either because we are not criminals or terrorists or because we simply don't believe that we are “special” enough to be under surveillance. However, that is not up to us to decide - it's up to data analysts. 
When placed under surveillance, our data it not being collected randomly. Algorithms are used to collect, organize and aggregate our data around key identifiers, such as user names, email addresses, phone numbers, IP addresses and browser cookies. These algorithms use such key identifiers to create profiles about people and to cross reference them with other profiles, both from online and offline data. Every time we use digital technologies, such as the internet or mobile phones, more data is added to our profiles. Such profiles, created by algorithms, determine whether we have “something to hide” or not, and that is something we largely cannot control.
In short, technology which can analyze huge volumes of data and detect individuals, even in real time, exists today. And the Snowden revelations illustrate specific surveillance systems which are being used by intelligence agencies for precisely this purpose.


Finding you in the Panopticon

Over the last year and a half, media organizations have been publishing numerous articles featuring the code names of various surveillance systems primarily operated by the NSA and the GCHQ – as revealed through the documents leaked by Snowden. Some of these code names, such as “Squeaky Dolphin”, “Happyfoot”, “EvilOlive”, “DreamySmurf” and “Egotistical Giraffe”, might sound harmless.
However, these fluffy code names belong to all-encompassing surveillance systems which are capable of watching your every move, reading your every email, listening to your every phone call and, in some cases, taking full control over your computer. These surveillance systems do not only collect data with the aim of finding specific individuals who are suspected to be involved in a crime. Often, intelligence agencies follow a “collect it all” strategy which involves the indiscriminate bulk collection of most online data. 
If we have a look at the GCHQ's Optic Nerve mass surveillance program, we will see that it is designed to collect our Yahoo web cam images in bulk. The leaked documents show that 1.8 million images of Yahoo users globally were collected within only 6 months and that such images even included a large amount of sexually explicit material. 
Another GCHQ mass surveillance program, codenamed “Squeaky Dolphin”, is designed to monitor activity in real time through social media platforms, such as Facebook, Twitter, Blogger and YouTube. This means that it is likely that every tweet we post, every photo we upload on Facebook, every blog we read or write and every video we watch on YouTube is closely being monitored by intelligence agencies. 
One of the most concerning surveillance systems revealed by Snowden is probably the NSA's XKeyscore program, which is designed to monitor “nearly everything a user does on the Internet” in real time. In particular, XKeyscore is a data collection system which is used to search and analyze internet data and which looks out for “suspicious” data and online behavior. A version of XKeyscore also supports the MUSCULAR program, which has been used by the NSA and the GCHQ to break into the main communications links that connect Google and Yahoo data centers around the world. As a result of this, millions of records from these data centers were stored in the NSA's headquarter. These records include both content data, such as audio and video, as well as metadata, such as details about the sender and receiver of an email, the time and date of correspondence and the location of the sender.
XKeyscore functions in conjunction with another NSA program called Turmoil, which collects and intercepts satellite, microwave and cable communications across the globe. It is also capable of identifying traffic through the detection of online “anomalies”, such as access to “suspicious” websites. Like most surveillance programs, Turmoil does not function in isolation. The process is aided by Marina, which is a NSA web application that looks out of for certain “selectors” and “realms”. A “selector” serves as an identifier – such as an email address or an account name - while a “realm” includes Internet services through which individuals can potentially be detected – such as Facebook or Twitter. In other words, the NSA uses Turmoil to collect Internet data and, in conjunction with the Marina web application, it is able to not only identify you in the bulk of data through your Facebook photos or email address, but to also identify your device through the browser cookies attached to it. 
Smartphones are the cherry on the pie for intelligence agencies. We carry these devices with us everywhere we go and they give away a lot of our information, such as who we are, where we are, who we are with, our social network, our interests and often even our personal emails and photos. The NSA “Co-Traveller” program is specifically designed to collect billions of cell phone user location data and to map the relationships of cell phone users across global mobile networks. This means that patterns of our activities, who we associate with and when can be mapped out by intelligence agencies. And Co-Traveller can even track our cell phones when they are switched off. Such programs can potentially be used to map out everyone who attends a protest, as well as the groups and individuals they are affiliated with and the locations they visited prior and after the protest. As we can imagine, if such information falls in the wrong hands, it can have a major impact on civil society movements and on human rights.  
All the above examples illustrate that we cannot “hide” through mass surveillance. Intelligence agencies aim to collect all data so that they can subsequently identify and target individuals. What's particularly concerning though is that we largely have no control over our data, nor over what will happen to it in the future. Laws and regulations change constantly and what might be acceptable today, might be viewed as a crime tomorrow. 
Mass surveillance comes at a price for human rights: we can almost never really know if we are personally under the microscope unjustly and that itself is an issue. 


View the rest of the blog series here and/or check out our blog series timeline.


Source of image: Digital Maze Symmetry Project (2007)