when the ads are on track: Sara M. Watson (16 Sep 2014), “Ask the decoder: Stalked by socks,” Al Jazeera, http://america.aljazeera.com/articles/2014/9/16/the-decoder-stalkedbysocks.html.
targeted at us specifically: Sylvan Lane (13 Aug 2014), “16 creepiest targeted Facebook ads,” Mashable, http://mashable.com/2014/08/13/facebook-ads-creepy.
data mining is a hot technology: Guy Gugliotta (19 Jun 2006), “Data mining still needs a clue to be effective,” Washington Post, http://www.washingtonpost.com/wp-dyn/content/article/2006/06/18/AR2006061800524.html. Phillip Segal (28 Mar 2011), “Data mining is dumbed down intelligence,” Ethical Investigator, http://www.ethicalinvestigator.com/internet/data-mining-is-dumbed-down-intelligence. Ogi Ogas (8 Feb 2013), “Beware the big errors of ‘Big Data,’” Wired, http://www.wired.com/2013/02/big-data-means-big-errors-people.
go backwards in time: Barton Gellman and Ashkan Soltani (18 Mar 2014), “NSA surveillance program reaches ‘into the past’ to retrieve, replay phone calls,” Washington Post, http://www.washingtonpost.com/world/national-security/nsa-surveillance-program-reaches-into-the-past-to-retrieve-replay-phone-calls/2014/03/18/226d2646-ade9-11e3-a49e-76adc9210f19_story.html.
Untangling this sort of wrongdoing: US Department of Justice (16 Dec 2009), “Credit Suisse agrees to forfeit $536 million in connection with violations of the International Emergency Economic Powers Act and New York State law,” http://www.justice.gov/opa/pr/2009/December/09-ag-1358.html. Office of the District Attorney, New York County (10 Dec 2012), “Standard Chartered Bank reaches $327 million settlement for illegal transactions,” http://manhattanda.org/node/3440/print. Office of the District Attorney, New York County (30 Jun 2014), “BNP Paribas Bank pleads guilty, pays $8.83 billion in penalties for illegal transactions,” http://manhattanda.org/node/4884/print.
blood taken from riders years earlier: Scott Rosenfield (23 Jul 2013), “Top 3 finishers in 1998 Tour test positive,” Outside Online, http://www.outsideonline.com/news-from-the-field/Top-3-Finishers-in-1998-Tour-Test-Positive.html.
a database called XKEYSCORE: Glenn Greenwald (21 Jul 2013), “XKeyscore: NSA tool collects ‘nearly everything a user does on the internet,’” Guardian, http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data. US National Security Agency (8 Jan 2007), “XKEYSCORE (training slides),” https://www.eff.org/document/2013-07-31-guard-xkeyscore-training-slides (page 2).
One called MARINA: James Ball (30 Sep 2013), “NSA stores metadata of millions of web users for up to a year, secret files show,” Guardian, http://www.theguardian.com/world/2013/sep/30/nsa-americans-metadata-year-documents.
Another NSA database, MYSTIC: Ryan Devereaux, Glenn Greenwald, and Laura Poitras (19 May 2014), “Data pirates of the Caribbean: The NSA is recording every cell phone call in the Bahamas,” Intercept, https://firstlook.org/theintercept/article/2014/05/19/data-pirates-caribbean-nsa-recording-every-cell-phone-call-bahamas. Julian Assange (23 May 2014), “WikiLeaks statement on the mass recording of Afghan telephone calls by the NSA,” WikiLeaks, https://wikileaks.org/WikiLeaks-statement-on-the-mass.html.
The NSA stores telephone metadata: David Kravets (17 Jan 2014), “Obama revamps NSA phone metadata spying program,” Wired, http://www.wired.com/2014/01/obama-nsa.
If you use encryption: I do not know whether this includes all encrypted SSL sessions. My guess is that the NSA is able to decrypt a lot of SSL in real time. Matthew Green (2 Dec 2013), “How does the NSA break SSL?” A Few Thoughts on Cryptographic Engineering, http://blog.cryptographyengineering.com/2013/12/how-does-nsa-break-ssl.html.
NSA needed to increase its storage capacity: Barton Gellman and Ashkan Soltani (4 Dec 2013), “NSA tracking cellphone locations worldwide, Snowden documents show,” Washington Post, http://www.washingtonpost.com/world/national-security/nsa-tracking-cellphone-locations-worldwide-snowden-documents-show/2013/12/04/5492873a-5cf2-11e3-bc56-c6ca94801fac_story.html.
This is the point of: James Bamford (15 Mar 2012), “The NSA is building the country’s biggest spy center (watch what you say),” Wired, http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/all.
The FBI stores our data, too: Kevin Poulsen (27 Jan 2014), “If you used this secure webmail site, the FBI has your inbox,” Wired, http://www.wired.com/2014/01/tormail.
The state of New York retains: Cyrus Farivar (27 Feb 2012), “Your car, tracked: The rapid rise of license plate readers,” Ars Technica, http://arstechnica.com/tech-policy/2012/09/your-car-tracked-the-rapid-rise-of-license-plate-readers. Steve Orr (26 Jul 2014), “New York knows where your license plate goes,” Democrat and Chronicle, http://www.democratandchronicle.com/story/news/2014/07/26/new-york-license-plate-readers/13179727.
AT&T beat them all: Declan McCullagh (19 Mar 2013), “Cops: U.S. law should require logs of your text messages,” CNET, http://news.cnet.com/8301-13578_3-57575039-38/cops-u.s-law-should-require-logs-of-your-text-messages.
three hops away from Alice: Philip Bump (17 Jul 2013), “The NSA admits it analyzes more people’s data than previously revealed,” Atlantic Wire, http://www.thewire.com/politics/2013/07/nsa-admits-it-analyzes-more-peoples-data-previously-revealed/67287.
Making sense of the data: Jonathan Mayer writes about the difficulty of analyzing this data. Jonathan Mayer and Patrick Muchler (9 Dec 2013), “MetaPhone: The NSA three-hop,” Web Policy, http://webpolicy.org/2013/12/09/metaphone-the-nsa-three-hop.
phone numbers common to unrelated people: Amy Davidson (16 Dec 2013), “The domino’s hypothetical: Judge Leon vs. the N.S.A.,” New Yorker, http://www.newyorker.com/news/amy-davidson/the-dominos-hypothetical-judge-leon-vs-the-n-s-a.
NSA documents note: Barton Gellman and Laura Poitras (10 Jul 2013), “NSA slides explain the PRISM data-collection program,” Washington Post, http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents.
total number of people being surveilled: Shane Harris (17 Jul 2013), “Three degrees of separation is enough to have you watched by the NSA,” Foreign Policy, http://complex.foreignpolicy.com/posts/2013/07/17/3_degrees_of_separation_is_enough_to_have_you_watched_by_the_nsa.
President Obama directed the NSA: Tony Bradley (17 Jan 2014), “NSA reform: What President Obama said, and what he didn’t,” Forbes, http://www.forbes.com/sites/tonybradley/2014/01/17/nsa-reform-what-president-obama-said-and-what-he-didnt.
This is what both the NSA: James Risen and Laura Poitras (20 Sep 2013), “NSA gathers data on social connections of U.S. citizens,” New York Times, http://www.nytimes.com/2013/09/29/us/nsa-examines-social-networks-of-us-citizens.html.
One of Facebook’s most successful: Vauhini Vara (23 Aug 2007), “Facebook gets personal with ad targeting plan,” Wall Street Journal, http://online.wsj.com/news/articles/SB118783296519606151.
Google . . . searches all of your Gmail: If either Google or Microsoft finds evidence of child pornography, it will report you to the police. Matthew Sparkes (4 Aug 2014), “Why Google scans your emails for child porn,” Telegraph, http://www.telegraph.co.uk/technology/google/11010182/Why-Google-scans-your-emails-for-child-porn.html. Leo Kelion (6 Aug 2014), “Microsoft tip leads to child porn arrest in Pennsylvania,” BBC News, www.bbc.co.uk/go/em/fr/-/news/technology-28682686.
The NSA does something similar: The PCLOB has stated that NSA collection under Section 702 of the FISA Amendments Act does not collect on the basis of keywords, although that’s just one authority. And there’s a lot of room for weaseling. Privacy and Civil Liberties Oversight Board (2 Jul 2014), “Report on the surveillance program operated pursuant to Section 702 of the Foreign Intelligence Surveillance Act,” http://www.pclob.gov/All%20Documents/Report%20on%20the%20Section%20702%20Program/PCLOB-Section-702-Report.pdf. Jennifer Granick (11 Feb 2014), “Eight questions PCLOB should ask about Section 702,” Just Security, https://justsecurity.org/7001/questions-pclob-section-702.
the NSA targets people: Jacob Appelbaum et al. (3 Jul 2014), “NSA targets the privacy-conscious,” Panorama, http://daserste.ndr.de/pano
rama/aktuell/nsa230_page-1.html.
the NSA chains together hops: Marcy Wheeler (15 Oct 2013), “About that May 2007 FISC opinion,” Empty Wheel, http://www.emptywheel.net/2013/10/15/about-that-may-2007-fisc-opinion.
the same location as a target: Marcy Wheeler (16 May 2014), “The ‘automated query’ at the telecoms will include ‘correlations,’” Empty Wheel, http://www.emptywheel.net/2014/05/16/the-automated-query-at-the-telecoms-will-include-correlations. Marcy Wheeler (28 Jun 2014), “NSA’s new-and-improved call chaining process, now with no calls required,” Empty Wheel, http://www.emptywheel.net/2014/06/28/nsas-new-and-improved-call-chaining-process-now-with-no-calls-required.
The NSA uses cell phone location: The program is code-named CO-TRAVELLER. Barton Gellman and Ashkan Soltani (4 Dec 2013), “NSA tracking cellphone locations worldwide, Snowden documents show,” Washington Post, http://www.washingtonpost.com/world/national-security/nsa-tracking-cellphone-locations-worldwide-snowden-documents-show/2013/12/04/5492873a-5cf2-11e3-bc56-c6ca94801fac_story.html.
The NSA tracks the locations of phones: US National Security Administration (2012), “Summary of DNR and DNI Co-Travel analytics,” https://www.eff.org/files/2013/12/11/20131210-wapo-cotraveler_overview.pdf.
The NSA has a program where it trawls: Julian Sanchez (11 Oct 2013), “Other uses of the NSA call records database: Fingerprinting burners?” Just Security, http://justsecurity.org/2013/10/11/nsa-call-records-database-fingerprinting-burners.
The NSA collects data on people: Barton Gellman and Ashkan Soltani (4 Dec 2013), “NSA tracking cellphone locations worldwide, Snowden documents show,” Washington Post, http://www.washingtonpost.com/world/national-security/nsa-tracking-cellphone-locations-worldwide-snowden-documents-show/2013/12/04/5492873a-5cf2-11e3-bc56-c6ca94801fac_story.html.
phones that were used by a particular target: The technique is basically CO-TRAVELLER. If there’s a phone that is always in the same network as your primary phone, it’s likely to be found in your pocket. US Department of Justice (13 Feb 2012), “Criminal complaint,” United States of America v. Jose Aguijo, et al., (Case number under seal), United States District Court, Northern District of Illinois, Eastern Division, http://www.justice.gov/usao/iln/pr/chicago/2013/pr0222_01d.pdf.
A single geofencing company: Hiawatha Bray (30 Apr 2014), “How location-based apps will shape the future of shopping,” Discover, http://blogs.discovermagazine.com/crux/2014/04/30/how-location-based-apps-will-shape-the-future-of-shopping.
Microsoft does the same thing: Lauren Johnson (9 Jun 2014), “Why Microsoft is wrapping location-based ads around retail stores: Tests significantly lifted foot traffic,” Advertising Week, http://www.adweek.com/news/technology/why-microsoft-wrapping-location-based-ads-around-retail-stores-158189.
Sense Networks uses location data: Hiawatha Bray (8 Jul 2013), “Cellphone data mined to create personal profiles,” Boston Globe, http://www.bostonglobe.com/business/2013/07/07/your-cellphone-yourself/eSvTK1UCqNOE7D4qbAcWPL/story.html.
Vigilant Solutions . . . collect license plate data: Ali Winston (17 Jun 2014), “Plans to expand scope of license-plate readers alarm privacy advocates,” Center for Investigative Reporting, http://cironline.org/reports/plans-expand-scope-license-plate-readers-alarm-privacy-advocates-6451.
the linking of identities: This article discusses the FBI’s plans to do just that. Electronic Privacy Information Center (Dec 2013), “The FBI’s Next Generation Identification program: Big Brother’s ID system?” Spotlight on Surveillance, https://epic.org/privacy/surveillance/spotlight/ngi.html.
I have an Oyster card: There were concerns about tracking people by their Oyster cards when the technology was introduced in London in 2003. Aaron Scullion (25 Sep 2003), “Smart cards track commuters,” BBC News, http://news.bbc.co.uk/2/hi/technology/3121652.stm.
the value of correlating different streams: Greg Weston, Glenn Greenwald, and Ryan Gallagher (30 Jan 2014), “CSEC used airport Wi-Fi to track Canadian travellers: Edward Snowden documents,” CBC News, http://www.cbc.ca/news/politics/csec-used-airport-wi-fi-to-track-canadian-travellers-edward-snowden-documents-1.2517881.
display personal information: Alessandro Acquisti, Ralph Gross, and Fred Stutzman (4 Aug 2011), “Faces of Facebook: Privacy in the age of augmented reality,” Black Hat 2011, Las Vegas, Nevada, http://www.heinz.cmu.edu/~acquisti/face-recognition-study-FAQ/acquisti-faces-BLACKHAT-draft.pdf.
software that correlates data: Scott Ellart (7 Dec 1999), “System and method for converting data between data sets (US 5999937 A),” US Patent and Trademark Office, http://www.google.com/patents/US5999937.
match your online profile: Cotton Delo (22 Feb 2013), “Facebook to partner with Acxiom, Epsilon to match store purchases with user profiles,” Advertising Age, http://adage.com/article/digital/facebook-partner-acxiom-epsilon-match-store-purchases-user-profiles/239967.
ExactData can sell lists of people: Caroline Cooper and Claire Gordon (2 Apr 2014), “The people making money off your drinking habits and STDs,” Al Jazeera, http://america.aljazeera.com/watch/shows/america-tonight/articles/2014/4/2/the-people-makingmoneyoffyourdrinkinghabitsandstds.html.
Chinese military hackers: Max Fisher (19 Feb 2013), “Chinese hackers outed themselves by logging into their personal Facebook accounts,” Washington Post, http://www.washingtonpost.com/blogs/worldviews/wp/2013/02/19/chinese-hackers-outed-themselves-by-logging-into-their-personal-facebook-accounts.
Hector Monsegur: Paul Roberts (7 Mar 2012), “Chats, car crushes and cut ’n paste sowed seeds of LulzSec’s demise,” Threatpost, http://threatpost.com/chats-car-crushes-and-cut-n-paste-sowed-seeds-lulzsecs-demise-030712/76298.
Paula Broadwell: Chris Soghoian (13 Nov 2012), “Surveillance and security lessons from the Petraeus scandal,” American Civil Liberties Union, https://www.aclu.org/blog/technology-and-liberty-national-security/surveillance-and-security-lessons-petraeus-scandal.
A member of the hacker group Anonymous: Dan Oakes (12 Apr 2012), “Hacking case’s body of evidence,” Sydney Morning Herald, http://www.smh.com.au/technology/technology-news/hacking-cases-body-of-evidence-20120412-1wsbh.html.
Israeli assassins were quickly identified: Ronen Bergman et al. (17 Jan 2011), “An eye for an eye: The anatomy of Mossad’s Dubai operation,” Der Spiegel, http://www.spiegel.de/international/world/an-eye-for-an-eye-the-anatomy-of-mossad-s-dubai-operation-a-739908.html.
techniques for anonymizing data: Paul Ohm (13 Aug 2009), “Broken promises of privacy: Responding to the surprising failure of anonymization,” UCLA Law Review 57, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1450006.
researchers were able to attach names: Michael Barbaro and Tom Zeller Jr. (9 Aug 2006), “A face is exposed for AOL Search No. 4417749,” New York Times, http://www.nytimes.com/2006/08/09/technology/09aol.html.
Researchers were able to de-anonymize people: Arvind Narayanan and Vitaly Shmatikov (18–20 May 2008), “Robust de-anonymization of large sparse datasets,” 2008 IEEE Symposium on Security and Privacy, Oakland, California, http://dl.acm.org/citation.cfm?id=1398064 and http://www.cs.utexas.edu/~shmat/shmat_oak08netflix.pdf.
correlation opportunities pop up: Also for research purposes, in the mid-1990s the Massachusetts Group Insurance Commission released hospital records from state employees with the names, addresses, and Social Security numbers removed. Computer scientist Latanya Sweeney—then an MIT graduate student—demonstrated that she could de-anonymize records by correlating birth dates and ZIP codes with the voter registration database. Latanya Sweeney (Jun 1997), “Weaving technology and policy together to maintain confidentiality,” Journal of Law, Medicine and Ethics 25, http://onlinelibrary.wiley.com/doi/10.1111/j.1748-720X.1997.tb01885.x/abstract.
just a city, town, or municipality: Latanya Sweeney (2000), “Simple demographics often identify people uniquely,” Carnegie Mellon University, Data Privacy Working Paper 3, http://dataprivacylab.org/projects/identifiability/paper1.pdf.
Other researchers reported similar results: Philip
pe Golle (30 Oct 2006), “Revisiting the uniqueness of simple demographics in the US population,” 5th ACM Workshop on Privacy in the Electronic Society (WPES’06), Alexandria, Virginia, http://crypto.stanford.edu/~pgolle/papers/census.pdf.
identify people from their anonymous DNA: Melissa Gymrek et al. (18 Jan 2013), “Identifying personal genomes by surname inference,” Science 339, http://www.sciencemag.org/content/339/6117/321.abstract. John Bohannon et al. (18 Jan 2013), “Genealogy databases enable naming of anonymous DNA donors,” Science 339, http://www.sciencemag.org/content/339/6117/262.
Alfred Kinsey’s sex research data: Adam Tanner (11 Oct 2013), “Anonymous sex survey takers get identified in data dive,” Forbes, http://www.forbes.com/sites/adamtanner/2013/10/11/decoding-the-secrets-of-sex-data.
It’s counterintuitive: Arvind Narayanan and Vitaly Shmatikov (Jun 2010), “Myths and fallacies of ‘personally identifiable information,’” Communications of the ACM 53, http://dl.acm.org/citation.cfm?id=1743558.
We can be uniquely identified: Ryan Gallagher (25 Aug 2014), “The surveillance engine: How the NSA built its own secret Google,” Intercept, https://firstlook.org/theintercept/2014/08/25/icreach-nsa-cia-secret-google-crisscross-proton.
four time/date/location points: Yves-Alexandre de Montjoye et al. (4 Feb 2013), “Unique in the crowd: The privacy bounds of human mobility,” Scientific Reports 3, Article 1376, http://www.nature.com/srep/2013/130325/srep01376/full/srep01376.html.
these sorts of tweaks: I don’t mean to imply that it’s impossible to anonymize a data set, only that it’s very difficult to do correctly and easy to get wrong. So many people think that replacing sensitive data with random numbers is enough, but it’s not. Often, it doesn’t help at all.
Data and Goliath Page 30