Computerworld

Ghosts in the machine, spooks on the wire

Haunted by data trails, zombie data miners and the death of our civil liberties

On the Internet, there's always a ghost in the room -- watching you, listening, recording your activities and interests, aggregating profiles or categorizing you, and whispering secrets and lies about you to others again and again.

It's not paranoia; you can't see them but they are there. "They" are all manner of public and private organizations, some legitimately involved with carrying your voice and data to intended destinations or acquiring records for commercial interests, others just ... listening. (Or, more precisely, sniffing.)

Some spirits -- friendly ghosts, if you like -- are dedicated to tracking actual risks, such as ensuring that stolen or dangerous materials, weapons or criminals are eventually found through their communications and movement. But others keep meticulous surveillance records of imaginary security risks -- U.S. travelers with one too many Canadian pharmacy runs or with a book by Khalil Gibran or Abbie Hoffman in their checked luggage. These are more malevolent entities, and if you saw the movie Poltergeist, you have a good idea of their potential effect on your world.

It's not the silliness of men being pulled off a plane for speaking Arabic that's frightening -- it's the insidious seepage of information between federal and corporate databases. Aggregations of unrelated risk criteria or subjective data lead to bogus correlations. Bogus correlations become inaccurate labels. Inaccurate labels become the basis for further labeling and profiling, and eventually a shoddy system breeds data with a ghostly presence of its own -- a specter that can haunt a person's reputation or bring a screeching halt to his or her livelihood.

Watching you

It's no secret that being stupid with a computer these days can get you fired or worse. Anyone living in the year 2007 who's foolish enough to browse lewd materials at work or to plan a crime using a computer at the local library has a nearly inevitable date with the reaper.

But you don't have to be walking on the wild side to attract a tracker, and it doesn't take a high-profile lifestyle to find electronic eyes and ears following you around, collecting information about supposedly offline activities. Combine it with a legal culture grown increasingly careless about traditional privacy and consumer protections, and the result is enough to give any sensible person the creeps.

For example, location and movement data for airplanes has been tracked by "black box" flight data recorders for decades. The technology made its way from airliners to commercial vehicles in the 1980s, keeping track of everything from mileage and speed to theft and contract compliance. Black boxes started appearing in fleet and rental vehicles for fraud control, and they spread slowly into production cars for other reasons, including vehicle performance and accident investigation. For example, General Motors includes event data recorders (EDR) in all vehicles now, and makes a solemn promise not to divulge tracking data ... unless someone asks for it.

GM's EDRs are the basis for the OnStar system, which includes two-way voice and data communications -- ostensibly designed to help drivers who find themselves headed down an unmarked country road or in an uncomfortable situation with a pallid hitchhiker. Even without an active subscription, these mobile phone-based systems -- with remotely activated audio monitoring -- turn on and register with Verizon, Sprint or AT&T every time the vehicle is turned on.

A spook targeting anyone with a pattern of behavior in a neighborhood or city might just gain access to the mobile phone provider's location database. After all, cellular phone systems inherently report cell site location as part of handset registration and the cell-to-cell handoff process. As more and more mobile phones incorporate true Global Positioning System tracking capabilities, all it takes is an unwary user turning on a phone that has GPS location reporting turned on, which it often is by default. And surveillance scales down to a most granular level. A suspicious parent might go to the trouble of placing a cheap GPS tracking device in a child's bookbag or car -- a surveillance device reporting data on one person to one person.

You don't even need to leave your home -- or even your bed -- to be tracked. Taking another example, home electric and water meters report minute-by-minute usage levels and patterns that reflect how many people are home, conveniently stored in the public utility's systems until someone wants to check out which service plan might be better for you ... or aggregate the data with something you've never thought of. Soon, all sorts of devices will have small data harvesters that collect and send little bursty data reports of activity, perhaps as supervisory control and data acquisition (SCADA) devices watch retail door movement and aggregate the radio frequency identification (RFID) inventory of your shopping bags and wallet.

Someone is listening

This swamp of information isn't just ebbing and oozing -- it's being watched, filtered and used. Telecommunications companies, broadly speaking, are the worst offenders, as old habits of turning a blind eye to unjustified wiretaps turn to new habits of quasi-commercialized monitoring services.

What's changed is that wiretaps of yesteryear were against an identified individual -- if not always for properly justified reasons. Now we've moved into the age of midnight fishing trips: roving wiretaps, e-mail filters and large-scale searches through online documents and sites. Just a couple of months ago, the U.S. Congress passed yet another exception for domestic spying not against individuals, but for "blanket wiretaps" for six months.

Of course, financial companies are never far from the forefront in this arena, and every merchant and bank has become a peephole or tentacle of a beast with no single center or mind. As bank debit cards become Visa "check cards," the smallest of transactions start to traverse VisaNet, leaving pattern data behind. In some places, cash is no longer accepted.

Still others are pawing through your travel, financial and other behavioral data, even if they're not sure what they're looking for. Look no further than the three-quarters of a million people now on the Transportation Security Administration's "watch list" -- and many more standing next to the swamp's edge as the list continues to grow -- to find irrationality bordering on the creepy. Worse still, the TSA has partnered with commercial firms such as Verified Identity Pass Inc., which runs the dubious "Clear" service, through which one can pay a US$99-per-year indulgence to be quickly absolved of errors and slop in the TSA watch lists.

The gathering gloom

What happens, then, when all this data -- good, bad and pointless -- flows together? Sliding down the slippery slope, the data collected by the likes of Verified Identity Pass, GM and Verizon is but one step away from causing real trouble.

When minimally accountable companies share data with one another or with government agencies, their information is aggregated and labeled in ways that are troubling. The results could be commercial exploitation (including the horror of direct marketing based on trivial purchases) or more sinister developments such as debit payments for cigarettes leading to insurance rate hikes, or cash withdrawals in Nevada earning you a virtual reputation for moral turpitude.

And simple problems can be compounded by the way in which information is shared. Credit-reporting companies are prone to this: Instead of independently coming to a conclusion regarding risk rating, a note or error recorded by one credit reporting agency is often noted by others -- and the existence of the note is itself considered a negative risk factor. This subjective spiral of suspicion means that the risk-assessment system is weighted against an individual when systemic accuracy is off.

The U.S. federal "Real ID" Act is another good example of what happens when excess data get shared and published between agencies and organizations with different rules. The law is troubling in itself, since it establishes a de facto national identity card and promotes dubious use of more personal data than is currently collected by most licensing agencies. But it also establishes data-sharing rules between participating and nonparticipating states and other governments -- even those that may not subscribe to privacy laws such as the U.S. Drivers Privacy Protection Act (18 U.S.C. 2721) that supposedly protect this new trove of personal data. Add commercial service providers for license renewal and other governmental agencies, and the potential for abuse becomes legion.

Fall of the house

During the making of Poltergeist, the special effects lead Kathy Kennedy said, "The line reads 'The house implodes ...' and it cost us a quarter of a million dollars to make the #$@%!& thing implode!" Just 20 years earlier, that amount was the budget of the entire film in which the House of Usher eventually falls and consumes itself. (In that film, all we see is a dwindling light fading to black.)

The budget for our all-too-real fear-induced "feature" seems destined to skyrocket indefinitely. Recently, documents came to light revealing that the FBI planned to purchase phone and e-mail transaction databases across the U.S. for US$5.3 million. As The Register nicely points out, this works out to the private records of every American being sold -- to the agency that the U.S. Department of Justice accused in 2002 of repeatedly breaking the law and secretly accessing information about U.S. citizens (again) -- for about 18 cents per citizen.

No wonder, then, that trust in government has been dwindling since the Eisenhower administration (whence comes, ironically, the phrase "military-industrial complex," the original problematic alignment of government and private interests against the common man). Despite a slight bump after 9/11, the Brookings Institution reported that just 40 percent of Americans "trusted the federal government to do what is right just about always or most of the time." And the government has earned that mistrust. As far back as one looks, people with privileged access to information abuse it.

But the incursions continue, the laws change, and the courts allow the erosions. The latest twists are that we're not even supposed to know about them. In a recent denial of a lawsuit about disclosure of phone records, U.S. Judge Matthew F. Kennelly said, "The court is persuaded that requiring AT&T to confirm or deny whether it has disclosed large quantities of telephone records to the federal government could give adversaries of this country valuable insight into the government's intelligence activities."

Real horror, however, comes from complacency and acceptance. As people get used to small technical encroachments on personal rights, they rely on existing laws to keep those powers in check. But with each small legal step to renew or strengthen those supposed crime-fighting technologies, the bar is set lower. I just can't figure out if we're getting a series of pointless quarter-million-dollar special effects or the low-budget horror of civil liberties dwindling in the darkness. Maybe both.

Jon Espenschied has been at play in the security industry for enough years to become cynical, blase, paranoid, jaded, vicious and cynical again. He manages information governance reform for a refugee aid organization and continues to have his advice ignored by CEOs, auditors and sysadmins alike.