Types of Surveillance Technology Currently Used

by Governments and Corporations

Jeffrey ArestyPresident, Internetbar.org

www.internetbar.orgwww.cyberspaceattorney.com

March 2006

2

Introduction

At present, users obtain various online identities (“IDs”) from E-mail ISPs URLs

IDs function on the Internet in anonymous space—an online “ID” does not actually identify the person connected with the ID

Anonymity facilitates theft, fraud, and abuse

3

Introduction

In contrast, in the works are efforts to create a new layer of identity

Focusing on the user, the new system would not require multiple online IDs, but would be characterized by a single sign-on

The system, called an “open security,” would be more secure and trustworthy, reducing theft, fraud, and abuse

4

Introduction

In part because we do not yet have security on line, governments and corporations can, and do, breach privacy with technology

 Intrusions fall into two categories  Cyberspace intrusions  Breaches of privacy in the physical world

Increasing capacity and tendency to use technology to connect new and old technologies for surveillance

5

Real-World Technologies that Intrude on Privacy

Cameras Eavesdropping Face-Recognition and

other Biometrics “No Fly” and Similar

Watch Lists

Odor Prints Radiation Detection

Technology RFID Smart Video

Surveillance

6

Cameras

Cameras have been used for decades by governments

to monitor traffic to detect and prevent crime

by corporations to surveill private businesses to detect and prevent crime in retail establishments

7

Cameras In Britain,

more than four million closed-circuit (“CCTV”) cameras 1,800 cameras in railway stations; 6,000 in underground train

network and buses CCTV tapes used in July 2005 London bombings investigation

In US, 5,000 cameras in New York City’s transportation systems US Border Patrol uses Remote Video System (“RVS”) along

borders, costing over $64 million in FY2005

Worldwide, video surveillance software sales in 2004 were $147 million; expected to reach $642 million in 2009

8

Eavesdropping

US government has capacity and authority to monitor e-mail, telephone, pager, wireless phone, facsimile, computer, and other electronic communications and communication devices

Court order is required except in emergencies and cases of national security

In 2003, 1,442 wiretaps requested, all granted, intercepting over four million conversations

9

Eavesdropping

National Security Agency (“NSA”) uses “Echelon”—global electronic eavesdropping system Picks up telephone, e-mail, Internet upload  Downloads communications transmitted by satellite,

microwave tower, cable  Information sifted by supercomputers for terrorism

information  Software-defined radio, a wireless technology, makes cell

phones and computers easier to bug and makes intercepting device compatible with networks

10

Face-Recognition and other Biometrics Biometric devices scan, record, and recognize 

Irises Voices Facial bone structure 

Improved picture quality technology enables face-recognition software to inspect 1/400th of face—size of pores

Infrared technology piggybacked onto face-recognition software enables three-dimensional “map” of face 

Plans for US passports with face-recognition biometrics and RFID chips

EU requires member states to have face biometrics in passports in mid-2006

11

Face-Recognition and other Biometrics

In 2003, biometric face-recognition software resulted in over 40% false positives

$4.7 billion industry in 2009 Other biometrics: 

below-skin fingerprints (capture swirling patterns of capillaries)

palm scanners that read vein patterns iris scanners gait-recognition systems (measure torso’s silhouette and

movement of shoulders and legs to determine individual signature strides)

12

“No Fly” and Similar Watch Lists

In 2005, 12 separate lists maintained by nine US governmental agencies

Confusion and lack of leadership in maintenance of lists; some lists outdated

“List bloat”—lists become unreasonably large from incentive to add names, sloppiness

Innocent individuals’ names appear

13

“No Fly” and Similar Watch Lists

Access to the lists curtailed in the name of security—nearly impossible to discover if and why a name is on the list, much less have it removed 

Lists will connect with government-developed “Secure Flight”

Related: British government pressing for creation of comprehensive electronic population register

14

Odor Prints

Odor-printing technology is based on premise that each human being has distinct set of odors that could serve as an identifier

15

Radiation Detection Technology

US Customs and Border Protection (“CBP”) employs radiation-detection technologies at official entry points, including 

Highly sensitive personal radiation detectors Radiation portal monitors Hand-held radiation isotope identifiers

16

Radio Frequency Identification (“RFID”)

Tiny computer chips use electromagnetic energy in the form of radio waves to track things from a distance 

Nicknamed “spychips”  Can travel through clothing, backpacks, briefcases,

wallets, walls, and windows without obstruction, misorientation, or detection

RFID chips read and retain biometric information, such as fingerprints and photographs

17

Radio Frequency Identification (“RFID”)

The RFID tag, in use in 2005, contains  Tiny silicon computer chip with unique ID number Connected antenna

RFID tag is  Thumbnail size Affixed to plastic surface Paper thin 

Can be embedded into clothing label, where it is virtually undetectable 

18

Radio Frequency Identification (“RFID”)

“Passive” RFID tags do not have their own internal power source, but communicate when a reader seeks a signal from them

“Active” or self-powered RFID tags have a battery attached and so can actively transmit information 

RFID reader emits radio waves, seeking out RFID tags

RFID easily integrates into existing database systems 

Electronic Product Code—every, single object on Earth will have its own unique ID number

19

Radio Frequency Identification (“RFID”) By 2005 embedded in some

Worker uniforms Employee and student ID badges Toll transponders Animals (pets and livestock) Warehouse crates and pallets Gasoline cards Consumer products such as diapers and shampoo Library books Toll collection systems such as EZ-Pass Keyless remote systems for cars Keyless remote systems for garage door openers

20

Radio Frequency Identification (“RFID”)

Predicted to be embedded soon in  Clothing Passports ATM cards Vehicles US postage stamps Paintings Beads Nails Wires Cash

21

Radio Frequency Identification (“RFID”) “VeriChip”—glass capsule containing RFID device to be injected

into human flesh for ID and payment purposes  60 persons in US had VeriChips at end of 2005 Also, injected into deceased victims of Hurricane Katrina

RFID is predicted to be used by Retailers to price products according to customer’s purchase

history and value to store Pharmaceutical manufacturers on prescription medications Banks to identify and profile customers who enter premises Governments to

electronically frisk citizens at invisible checkpoints track citizens in airports and border-crossing points track mail sent from point to point through embedded postage stamps track library materials

22

Smart Video Surveillance

Video surveillance combined with behavior-recognition software 

Uses computer to  “Learn” what “normal” behavior is Identify unusual activity, such as shifting in one’s

seat on a bus Work in conjunction with other technology such as

facial-recognition systems

23

Privacy Intrusions in Cyberspace

Clickstream Data Analysis  Cookies  Man-in-the-Middle Attacks  Pharming  Phishing  Spyware  Voice Over Internet Protocols (VoIPs)  Web Bugs

24

Clickstream Data Analysis

Logs of transactions recently performed on Internet computers, such as  Addresses of computers that have made requests Date and time How computer’s services were used Which page was visited prior to entrance into Website How Website was exited 

Internet logs also called “Clickstreams”  Can be used to prepare statistics about paths taken

and not taken by Internet users

25

Cookies

Small file placed and stored on user’s computer by remote computer

Used to track information about how user moved about Website  Which choices made Which links clicked 

User visits same Website again and cookie, now written onto user’s computer, provides information about user’s last visit 

Cookies can be used to build user profiles  Internet sites share cookie information with others

26

Man-in-the-Middle Attacks

Computer security breach in which hacker intercepts, reads, and alters data traveling along network between two Websites 

Also called “TCP hijacking”

27

Pharming

Hacker’s redirection of Internet traffic from one Website to another

Second Website appears identical to legitimate site

User is tricked into entering user name and password into fake site 

“DNS poisoning” or “DNS cache poisoning” used to reroute user

Domain name system’s servers corrupted

28

Phishing Internet user receives e-mail appearing to be legitimate

and from reputable company, asking user to reply with updated credit card information

Clicking on link sends user to fake Website, where user provides Credit card information Date of birth Address Site password Social Security number 

Also called “brand spoofing”  “Puddle phishing” is phishing specifically targeting a

small company, such as community bank

29

Spyware

Software that sends data about user when computer is connected to the Internet

30

Voice Over Internet Protocols (VoIPs)

Method for speaking through computer by phone or microphone  Analog voice signal converts to digital format Broadband networks transmit calls in Internet

Protocol (“IP”) packets  Also called Internet telephony  VoIP vulnerable to eavesdropping

A free Internet program captures and converts transmissions to audio files

31

Voice Over Internet Protocols (VoIPs)

Is VoIP a communications service or information service? 

In 2005, FCC adopted rules requiring VoIP providers to allow law enforcement to tap into Internet phone calls 

FBI has authority and ability to conduct surveillance of broadband users pursuant to court order

32

Web Bugs

Tiny, invisible image or graphic embedded into HTML-formatted Website or e-mail message to track users’ activities 

Web bugs present as HTML IMG tags  Provide Website owner with information about hits,

including IP address of user’s computer Type of browser used Time of the hit Previously set cookies 

Also called “HTML bugs” or “clear GIFs”

33

Connectors of Information Automated Targeting System Automatic Number Plate Recognition System  CALEA Petition for Rulemaking  Data Mining  ID Cards  Integrated Automated Fingerprint Identification System Multistate Anti-Terrorism Information Exchange “Secure Flight” and other Targeting Systems  Sharing/Databases  Terrorist Screening Database of the Terrorist Screening Center Total Information Awareness   US-VISIT

34

Automated Targeting System (“ATS”)

US Customs and Border Protection technology collects and analyzes cargo shipping data 

Distinguishes and identifies high-risk shipments

35

Automatic Number Plate Recognition System (“ANPR”)

Britain’s national database Each camera on a pole or in police van is

supported by a computer  Allows for automatic tracking Information obtained by camera immediately

cross-referenced with database  In 2006, information could be stored for two

years; projected to be able to store for five years

36

CALEA Petition for Rulemaking

In August 2005, FCC ruled that Internet broadband access providers and certain VoIP service providers must design networks to be wiretap-friendly pursuant to Communications Assistance for Law Enforcement Act (CALEA) of 1994

37

Data Mining

Computer systems that search numerous databases for correlations between data 

Currently used by corporations to determine consumer preferences

38

ID Cards

Biometric ID cards to be issued starting in 2008 to voluntary participants in Britain would become compulsory in 2013 

Cards contain  Name Gender Date and place of birth Current and previous addresses Immigration status Chip containing 

Digital photo Fingerprints Iris scans

39

Integrated Automated Fingerprint Identification System (“IAFIS”)

System electronically compares live-scanned fingerprint with database of previously captured fingerprints

40

Multistate Anti-Terrorism Information Exchange (“MATRIX”)

Integration of factual, disparate data from existing sources to Web-enabled storage systems to identify and combat criminal activity 

Includes  Aircraft and other property ownership records Bankruptcy filings Corporate filings Criminal history records Digital photographs Driver’s and pilot’s licenses State professional licenses State sexual offenders lists Terrorism watch lists UCC filings Vehicle registrations

41

“Secure Flight” and other Targeting Systems

Secure Flight passenger-screening program  Computer-assisted passenger screening system that

searches databases, matches passenger against FBI consolidated watch list, and rates passenger with a “threat level” in red, yellow, or green 

Based on tagging, passengers could be scrutinized, interrogated, or detained 

Might incorporate behavioral profiling  Goal is to link in real time to video images—automatic link

between video of terrorist suspect and watch list Not yet approved in mid-2005

42

“Secure Flight” and other Targeting Systems Border Patrol Targeting Systems Enhancement

Over $20 million budgeted in US Department of Homeland Security in 2005

Seeks to develop and refine automated target recognition systems using latest sensor technology 

Semantic Information Fusion  Seeks to correlate disparate data about human targets, including

Location Identity Behavior 

Creates composite description of a particular situation Uses linguistic information and physics-based models of access,

mobility, and visibility to reconstruct past and infer current events

43

Sharing/Databases

Governments increasingly share citizens’ personal information with each other and with the private sector 

“Data . . . are tributaries flowing into one giant river of databases.” Lee Tien, Electronic Frontier Foundation (Aug. 8, 2005)

44

Terrorist Screening Database (“TSDB”) of the Terrorist Screening Center (“TSC”)

Aggregates numerous government watch-lists  In 2005, TSDB had over 200,000 names, ranging

from known terrorists to persons suspected of having some ties to terrorism 

Each name receives one of 28 codes, describing person’s connection to terrorism

Names are categorized according to the actions users should take when encountering someone on list

45

Total Information Awareness (“TIA”)

Computer surveillance system proposed by Department of Defense  

Would have used data mining and networking to connect sources of information including  Credit card purchases Bank transactions E-mail 

Shut down by Congress in 2003

46

US-VISIT

Project of US Department of Homeland Security to develop biometric-enabled system for collecting, maintaining, and exchanging information on foreign nationals 

$340 million budgeted for FY2005

47

Conclusion

Government and corporations are using many technologies for surveillance, invading privacy in cyberspace and in the real world

Do citizens and consumers care? What can we do to protect our privacy and to

manage our digital identities and digital reputations?

48

For more information

Contact Jeffrey Aresty, President, Internetbar.org, jaresty@cyberspaceattorney.com

Articles on privacy-invading technologies and public attitudes toward privacy invasions are available now

Article on digital identity will be available soon