Recently there was an article in the Washington Post about the FBI using planes with thermal imaging technology to spy on protestors in Baltimore during the Freddie Gray unrest. Only through a Freedom of Information Act request made by the American Civil Liberties Union (ACLU) did privacy advocates learn of these new advances in surveillance technology.
This is the sort of surveillance threat that Alison Macrina and the Library Freedom Project highlight. During her recent presentation in Charlotte to the Metrolina Library Association, Macrina taught librarians about surveillance threats and privacy-protecting technology tools. Usually an ACLU representative reviews some of the major surveillance programs and another staff attorney for ACLU conducts a “Know Your Rights” training session on how to respond when served with a National Security Letter, administrative subpoena, or warrant. Macrina covered all this information in a three-hour workshop.
Macrina started the presentation by walking us through a hypothetical threat assessment for an LGBTQ teenager using the Electronic Frontier Foundation’s Surveillance Self-Defense: Introduction to Threat Modeling. The guiding questions of the model follow:
- What do you want to protect? (assets: like computer, phone, text messages)
- Who do you want to protect it from? (parents, other students, bullies)
- How likely is it that you will need to protect it? (capabilities)
- How bad are the consequences if you fail? (being bullied at school, relationship with family)
- How much trouble are you willing to go through in order to try to prevent those?
Macrina then highlighted a variety of surveillance threat models. Some of those she mentioned follow:
The Drone Papers – documents leaked by a whistleblower about the U.S. military’s targeted assassination program in Afghanistan, Yemen, and Somalia.
National Security Agency’s XKeyscore software, which allows analysts to narrow reams of intercepted internet data to focus on selected targets, and Prism, a system through which the NSA gains access to all the private communications of users of nine popular Internet services including Microsoft, Yahoo, Google, and Facebook. NSA collects bulk cell phone records to harvest data traveling over fiber optic cables. These are examples of “collect it all” type programs. While there is nothing wrong with a properly served search warrant based on individual leads, routine government surveillance into everyone’s lives is another matter.
Federal Bureau of Investigation (FBI). According to Macrina, the FBI is monitoring lawful First Amendment activities of Muslim college students by trawling websites and planting bugs in meeting rooms. Furthermore, she says an FBI Joint Terrorism Task Force tracked a Black Lives Matter protest at the Mall of America. Finally, the government has had software companies create “backdoors” in software to gain access to information. However, when software is designed to provide law enforcement with access to everyone’s personal information, there are potential security gaps that can be exploited by hackers.
Local Police. Macrina listed counterterrorism fusion centers and the militarization of local police through the 1033 military surplus program as threats. And the ACLU website adds the following:
- “Stingrays, also known as “cell site simulators” or “IMSI catchers,” are invasive cell phone surveillance devices that mimic cell phone towers and send out signals to trick cell phones in the area into transmitting their locations and identifying information. When used to track a suspect’s cell phone, they also gather information about the phones of countless bystanders who happen to be nearby.”1
- “Automatic license plate readers, mounted on police cars or on objects like road signs and bridges, use small, high-speed cameras to photograph thousands of plates per minute. The information captured by the readers – including the license plate number, and the date, time, and location of every scan – is being collected and sometimes pooled into regional sharing systems. As a result, enormous databases of innocent motorists’ location information are growing rapidly.”2
Corporate Entities. Facebook knows our relationship networks and has developed facial recognition software. Google has seven advertising agencies and has acquired Boston Dynamics, a military robotics company. Online advertising is learning everything about us. The hacking industry is selling malware to other sovereign states, police, campus police, and others. Online ads track you even if you do not click on them.
These are just a few of the technology solutions offered by Alison Macrina to ensure privacy. Some are more extreme than others and all depend on the level of your own risk assessment.
- Keep your software up-to-date.
- Use free software (FOSS) that is open source rather than proprietary. Source code shared openly can be examined by people who can identify backdoors.
- Realize that storage in the cloud is just storage on a server somewhere out of your control. Secure and encrypted connections should be a concern.
- Passwords. Use 5 random common words so that a computer cannot figure out the pattern. People are creatures of habit, and that is how computers figure out patterns. Check out KeePassX, an open source, cross-platform password manager that also includes a password generator. To pick your first word, roll a die five times and look up the result in Diceware’s list.
- Use encryption. The Electronic Frontier Foundation has a good explanation about encryption at https://ssd.eff.org/en/module/what-encryption and how strong encryption can avoid online surveillance.
- Install Tor Browser. The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world. It prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.
- Add HTTPS Everywhere. HTTPS Everywhere is produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. HTTPS Everywhere is a Firefox, Chrome, and Opera extension that encrypts your communications with many major websites, making your browsing more secure.
- Change default browser to DuckDuckGo. DuckDuckGo does not track your searching and sell your information.
- Have only one antivirus program, because having two lessens effectiveness. Check out ClamAV, an open source mail gateway scanning software. Malwarebytes is an anti-malware product but it is not free or open source. Malwarebytes only works on Windows; however, there are very few attacks on Macs. If your risk of surveillance is high, there is Detekt, a free tool which checks for governmental surveillance spyware.
- Look into Firefox privacy extensions like Privacy Badger, uBlock Origin, or NoScript which block ads and trackers.
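An added example (not from the workshop or the original post) of the Diceware procedure in the passwords item above: five die rolls form a key into a 7,776-entry word list, and the process is repeated for each word. The list built by `constructed_list` is a constructed stand-in for a real Diceware list, and all function names are this example's own.

```python
import math
import secrets
from itertools import product

DICE_PER_WORD = 5                 # five rolls select one word
LIST_SIZE = 6 ** DICE_PER_WORD    # 7776 possible five-roll keys


def parse_wordlist(text):
    """Parse 'NNNNN<whitespace>word' lines into {roll_key: word}; reject bad lists."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        key, word = parts
        if len(key) == DICE_PER_WORD and set(key) <= set("123456"):
            table[key] = word
    if len(table) != LIST_SIZE:
        raise ValueError(f"expected {LIST_SIZE} entries, got {len(table)}")
    if len(set(table.values())) != LIST_SIZE:
        raise ValueError("duplicate words shrink the effective list")
    return table


def roll_key():
    """Simulate five fair die rolls with the OS CSPRNG (not the random module)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def passphrase(table, words=5):
    """Pick each word independently; never re-roll to get a 'nicer' phrase."""
    return " ".join(table[roll_key()] for _ in range(words))


def entropy_bits(words=5):
    """Entropy when every word is chosen uniformly and independently."""
    return words * math.log2(LIST_SIZE)


def constructed_list():
    """Constructed sample list (w11111 ... w66666), standing in for a real one."""
    keys = ("".join(k) for k in product("123456", repeat=DICE_PER_WORD))
    return "\n".join(f"{k}\tw{k}" for k in keys)


if __name__ == "__main__":
    table = parse_wordlist(constructed_list())
    print(passphrase(table))
    print(f"{entropy_bits():.1f} bits of entropy for 5 words")
```

The strength comes from the uniform random choice, not from the words being obscure, so the list itself can be public.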
These are just some of the technology tools and threats that Alison Macrina mentioned in her presentation. The Library Freedom Project website https://libraryfreedomproject.org/ has many more tools and information to consider.
So are you wondering why these surveillance threats are an issue for librarians? Intellectual freedom and the right to privacy are core values of the library profession. The Code of Ethics of our profession has two applicable principles:3
- We uphold the principles of intellectual freedom and resist all efforts to censor library resources.
- We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.
The threats and tools detailed in this article are those of Alison Macrina and the ACLU. Each librarian and each library will have to make their own threat risk assessments. There are trade-offs for using these technology tools. For example, even though DuckDuckGo does not track your search results, this search engine leaves a lot to be desired in returning extensive search results. And while Lebanon Public Library in New Hampshire decided to continue with their Tor relay after being challenged by the Department of Homeland Security, some law enforcement officials cite examples of Tor’s use by child pornographers and in illegal sales of large quantities of drugs and firearms.
Alison Macrina travels across the country giving her workshop, funded by a grant from the Knight Foundation, to train librarians about the threats to privacy and how to use various technology tools to educate and protect patrons. The threats to privacy and the increasing amount of unchallenged surveillance give impetus to all of us to be more aware and learn more about this issue and these tools. The Library Freedom Project gives us much to consider.
Note: This blog post was written prior to the terror attack by ISIS in Paris. While we have to be vigilant in making sure our government stays within the law with respect to the threats identified in this presentation, balance is needed between safeguarding our basic rights and enabling our government to protect us from events like those in Paris. This point of balance is something that deserves thorough and thoughtful consideration.
1. American Civil Liberties Union [ACLU]. (2015). Stingray tracking devices: Who’s got them? Retrieved from https://www.aclu.org/map/stingray-tracking-devices-whos-got-them
2. ACLU. (2015). You are being tracked. Retrieved from https://www.aclu.org/feature/you-are-being-tracked
3. American Library Association. (2015). Code of ethics of the American Library Association. Retrieved from http://www.ala.org/advocacy/proethics/codeofethics/codeethics