How does the government access your data?

Fast forward to 2013, and all of that changed when the planet’s most famous whistleblower, Edward Snowden, disclosed top-secret documents that revealed extensive global surveillance programs run by American, British, and other foreign security agencies. 

But it’s not all about hacking or spying. With the refinement of artificial intelligence technologies like pattern and facial recognition, citizen data can also be used to control them. The authorities can also use the law, in some circumstances, to view the information stored inside devices (and data centers). 

Because of Snowden’s revelations, perhaps the most famous organization engaging in such shadow activities is the American National Security Agency (NSA). While these projects may have been initiated to fight terrorism, they have  been used for a wide range of nefarious activities.

According to Alexander H Reay (MoD) (CDIS), Author, Advisor, Serial Entrepreneur, and President of the Nordic IT Association, “surveillance is like a cyber kill chain, and unfortunately, corporate and government security is a mess. The fact that Governments are illegally orchestrating blanket surveillance is one thing, but harvesting that data gives attackers a treasure trove at the end of the tunnel, resulting in increasing and more sophisticated ransomware attacks. US border control was hit with a recent breach and a good example. Yet, despite the cyber pandemic, surveillance activity isn't showing signs of slowing down, in fact it's the opposite now with facial recognition being rolled out. This is all in the name of anti terrorism? We are inadvertently creating new attack surfaces for terrorists, cyber terrorists. Unfortunately, we are not well prepared for what I fear is a cyber storm coming our way, and it is us the people that will suffer for it.”

Even the Federal Bureau of Investigation (FBI) have been found to use sophisticated tools to look at sensitive data without a warrant. Recently, FBI agents were found guilty of conducting tens of thousands of illegal searches on citizens between 2017 and 2018. 

The FBI was awarded NSA tools to search for evidence of a crime, as part of an investigation on foreign targets, or to monitor cyberthreats, and terrorism suspects. However, agents used these tools to engage in warrantless searches of databases for information about coworkers, family, and friends.

A backdoor (or trapdoor) is a technique that’s used by hackers and government agencies to bypass the system’s security mechanism, undetected. It helps them spy and access user data without anyone noticing what’s going on. 

The backdoor methods are also sometimes written by the programmers who build the software. But in 2013, Snowden revealed that the NSA was spending as much as $250 million a year to build backdoors and compromise products.  

"Obviously, a backdoor is a huge hole in the defense, and as we saw with NSA tools, sadly, this information ends up leaking and [is] exploited by criminal organizations. If not, they eventually get found by security researcher[s], or worse, by criminal organization security specialists, which [who] obviously will never reveal what they found, and while the backdoor creator might think he is alone using it, well, a bunch of people may be too…," stated Alexandre Blanc, Cyber Risk Subject Matter Expert and Director of Security at Adaware.

Today, governments in the U.S., Europe, and Australia are demanding backdoor access to social media platforms (like Facebook) and encrypted messaging apps. If tech giants agree to do this, it’ll have significant consequences for all of us.

XKeyScore or XKS is a tool that was developed and used by the NSA to monitor and analyze global data. It’s highly sophisticated and can monitor global internet traffic in real-time. 

XKS allows authorities to access:

• Browsing history
• Documents shared online
• Private emails
• Search queries
• Track your device movements

This tool also enables security agencies to virtually access devices to monitor everything in real-time. 

As you can see from the above, such tools provide the government (and potentially bad actors) access to your whole virtual life.

The NSA's Tailored Access Operations (TAO), an elite group of hackers, used spyware or malware to gather data. The TOA was excellent at compromising devices to use them as a surveillance tool or to collect information about different users.

They also consistently looked for security loopholes to break into software, mobile apps, and other platforms. However, their go-too tool was malware to compromise devices. They achieved this by rerouting traffic from fake versions of popular websites to monitor user activity and logs.

Through the years, the TAO has also been known to work with tech companies to develop backdoors in routers, both virtually and physically. Unfortunately, some of the hacking tools developed by the NSA have fallen into the hands of hackers (who aren't working for the government). 

So we now have hackers targeting high-value servers with NSA hacking tools like DanderSpritz (to monitor and exfiltrate data), DarkPulsar (a backdoor), and Fuzzbunch (a plugin for analysis) to infect servers running Windows Server 2003 and 2008 in Egypt, Iran, and Russia.

According to Kaspersky Labs, some of the infected organizations were companies with IT and R&D departments in aerospace and nuclear energy. Other NSA-built hacking tools like EternalBlue have already been used in the infamous WannaCry and NotPetya attacks.

The authorities can also leverage the law to access your data. The police, for example, can get a warrant to go through all your electronic devices and even access your car data. The same scenario can happen without a warrant at the border (especially in the United States).

In the U.K., it was found that 93% of police forces were using mobile phone extraction technology to extract user data from digital devices. However, data were collected for all types of crime, including low-level offenses. 

While the forces demand data extraction by default, there are no clear national guidelines as to how citizen data should be extracted, stored, and deleted. As a result, they have also been able to obtain data without a warrant. 

According to Ron Craig, Cyber Security Specialist, IT Security Awareness, and Senior Full Stack Web Developer at CoreSolutions Software Inc., “we already saw publicized cases of people in powerful positions getting caught putting in mobile unlock passwords on camera. And this is just a simple case. Surveillance can also be used to track for longer periods of time, and with more data points, you can ascertain much more information about a target that can be used to access private information. I use [the word] target on purpose here. When this in place, I feel you stop becoming citizens and now become targets.”

The internet (still) remains free in North America and Europe. In China, the story is quite different. They have their own, highly controlled internet with what’s known as “The Great Fire Wall” that keeps citizens in and foreigners out. This makes it easy for Chinese authorities to spy on their citizens, censor information, and exert control.

This was evidenced recently when an executive for the National Basketball Association’s Houston Rockets tweeted support for the Hong Kong protesters. China’s response was quick and resulted in apologies and a ban on speaking about Chinese affairs.

At the same time, government-backed hackers deployed bots across social media platforms to spread disinformation and attack media companies based in Hong Kong. It was also later revealed that Chinese police were also using these tools to control Muslim Uighurs minorities.

The world of espionage is also quite murky and full of surprises. Security researchers, for example, found that the Chinese were using tools developed by the NSA to hack US agencies.

Because of Snowden and Wikileaks, we are now quite familiar with how the authorities collect citizen data and engage in surveillance activities. Aside from using sophisticated hacking tools, the U.S. government is also on a relentless campaign to end encryption. 

Part of this crusade includes a demand for tech companies like Facebook and Apple to provide backdoor access to their messaging platform. While most of these initiatives are done under the guise of terrorism, this one focuses on the protection of children. 

However, the recent takedown of one of the largest dark web child porn marketplaces, Welcome to Video, reaffirms the fact there are other ways to tackle the child abuse problem without installing backdoors and ending encryption.

This subheading is misleading because the Swiss government doesn’t spy on its citizens. In fact, this Central European nation’s laws are designed to ensure strict privacy and security. However, the government can engage in surveillance when there’s a proven case of terrorism (or unlawful activity) that demands the collection of evidence through proper legal channels. Switzerland has been consistently strict on these terms.

As a result, Switzerland’s reputation in the cloud security market is growing rapidly. According to Mateo Meier, Founder and CEO of the cloud security company Artmotion, “Switzerland has always maintained its status as a neutral nation that respects the privacy of its citizens. What was once a highly attractive destination for banking is also the safest place to host your data.”

Meier makes an excellent point as Swiss law protects personal and enterprise data from government subpoenas. So even if, for example, a corrupt government tried to access trade secrets to help a local company gain an advantage, they won’t be able to access it without the explicit permission of the owner (of the data).

You can engage in secure browsing using Google Chrome, Microsoft Edge, and Safari, but these companies will collect data and track your online behavior. As a result, sensitive information can always be at risk of a data breach or a subpoena. 

The Tor browser, on the other hand, keeps you anonymous without the need for extra privacy tools like Qubes, Tails, and Whonix. Firefox Quantum, once properly configured, is also a reasonable option to keep your browsing data private. For secure searching, there’s DuckDuckGo.

While VPN tools can help encrypt the connection (and secure data in motion), server-side encryption can help protect the data where it lives (in the data center). 

Encryption is based on advanced mathematical formulae and comes in different forms like 128-bit, 256-bit Advanced Encryption Standard (AES), and XTS block cipher. The latter is a computer cipher or an algorithm that’s leveraged to achieve robust encryption.

As we enter the age of hyper digitization, you can expect the authorities to try and exert more control over businesses and citizens through spying. As a result, efforts to secure personal and enterprise data will require an on-going, adaptable, and evolving approach to help ensure enhanced privacy and security.

According to Reay “we certainly need independent standards and appropriate procedures and boundaries for offensive cyber operations. More specifically, there is no consensus for military cyber organizations that pretty much can gain access to systems and networks as they please. It's unconstitutional, and certainly a privacy issue, yet people seem to let them get away with it. Is privacy dead? Perhaps, despite the current privacy legislation, there is still a lot of smoke and mirrors. Yes, we have more secure approach, continuous monitoring, secure development approaches by design, defining the external and internal threats leads to a more secure approach to ensure national security. Better awareness, and allowing for people to take their own data and take agency over it. Of course one could put forward the merits of DLT (Distributed Ledger Technology) for that.”

Blanc said “well, the aggregated data should be stored in secure data centers, which could only receive information and not let anything out through the same channel. Aggregation of METAdata should be enough to get patterns, leading to [a] warrant, which then could lead to [a] seizure. Sadly, [the] current state of the art on the market is collecting data without any concerns, ripping of privacy. While [the] government is kind of following restrictions, private tech organization[s] just navigate above the laws. First, we need more regulation, and then we need metadata correlation, being [a] mandatory requirement with external proofs or assessment to get a warrant, which should then trigger research. We can't stop private entities [from looking] for vulnerabilities, criminal organizations do so as well, but I think there should be a mandatory disclosure delay, so as any identified weakness should be published in such delay[s], like 90 days or so. This way, while it makes investigation a bit more complex, it would stimulate research, allow [the] most advanced to gather data, and yet enhance overall security…”

Maria Gallant-Daigle, IT Security Consultant at Gallant-Daigle IT Security Consultant, Inc. and former IT Security Analyst at IBM Microelectronics Division, suggests another approach. “I believe that it would be possible to use the current technology to establish a Universal Device Authentication Infrastructure (UDAI). This infrastructure could be designed to allow legitimate surveillance, with a warrant, separation of powers. The most important idea behind such public infrastructure is virtual artifact traceability. Authorities and businesses need to have complete visibility of which devices were involved in the creation and modification of computer files, and this would be the main goal of the infrastructure.”

However, Craig added that “there very well might not be a way currently to ensure national security from cyber crime without resorting to having a skeleton key, but the reality is this will never work for long. People will find ways to create and control the encryption or the means of transport between themselves. These home grown methods will not abide by the same rules and won’t have the back doors inserted. So that leaves them now with having to control that too. So whatever you can’t decrypt is now criminal or suspect in nature and must be intercepted and blocked from reaching its target or traced to the source and target. That will get lucky a few times at best. Then, they will adapt and send another way. Remember, this is a cat and mouse game, and it’s endless as we keep playing the same game. Maybe it’s time to change the game, but that’s for people much smarter than I to figure out.”

What else can you do to ensure privacy and security? 

For the time being, the best available option is to store your data in Switzerland. However, individuals and companies alike still need to follow cybersecurity best practices and take advantage of the latest innovations to keep their valuable data safe.

This post was originally featured on Hacker Noon.