Comprehending the scale of the surveillance in At-Least-I-Know-I’m-Free America today can be difficult. Only a few years ago people in the profession I’m training for would have considered the belief that one is constantly being watched to be diagnostic. Nowadays, who pays any attention to the cameras at intersections? People running red lights should get ticketed before they cause an accident and someone gets hurt. In the Bay Area we pay for public transit with a plastic card we keep and regularly replenish rather than the old paper ones that were consumed by the machines when they ran out. We can even link the card to our bank accounts and have it automatically withdraw what it needs, so we never stand in line at the ticket machines. Everyone knows we’re on camera when we’re shopping; that keeps prices down by preventing shoplifting. At work, in parking lots and garages, on public transportation, at theaters and other public places, we’ve grown accustomed to having our pictures taken for reasons of our own safety.
So accustomed, in fact, that we don’t stop to think about what could happen if all this information were gathered together, organized, and made readily available to the million and a half Americans with top-secret clearance. The scale of the Echelon/Five Eyes program is indeed hard to conceive. One way to approach it is from the top, imagining the amount of data being gathered and stored at the new NSA facility in Utah for example; but that becomes abstract quickly and loses the immediate connection to daily life.
Another approach is from the bottom, looking at what’s available to your neighborhood tinkerer or stalker. Suppose such a neighbor wanted to do something creepy, what could he get? (I don’t have actual data on this but I’m guessing it’s much more likely to be a “he”.) Well, here’s Brendan O’Connor, head of the security firm Malice Afterthought, telling Darlene Storm of Computerworld Blogs about his new product.
“Creepy Distributed Object Locator,” dubbed CreepyDOL for short, “allows anyone to track everyone in a neighborhood, suburb, or city from the comfort of their sofa.” … Do you have a spare $500? He promised that if you deploy a network of cheap CreepyDOLsensors, then you can “move up from small-time weirding out to the big leagues of total information awareness.”
CreepyDOL (PDF) consists of a bunch of small, cheap computers with “grenade-style” encryption. This means that all the nodes can be turned on using an encryption key on a flash drive. Then the flash drive can be removed and kept centrally, while the individual nodes are distributed by people without access to or knowledge of the key. The nodes are designed to be cheap enough for one-time use. Together they create a special kind of networked database in which they each have all the data almost all the time. The network is designed to cut off any node that starts misbehaving on the theory that it might have been stolen or compromised. To prevent someone from learning who placed the nodes and is gathering data, the nodes run Tor, The Onion Router, about which more in a future post; running Tor lets you move around the net without leaving records of your actual IP address.
CreepyDOL picks up wireless signals from smartphones, tablets, and other wireless devices as they pass by. Most of this information is useless, so CreepyDOL employs what O’Connor calls NOM filters — Nosiness, Observation, and Mining — to filter out the useful data. What data do they gather?
We deployed CreepyDOL nodes to several different locations in a populous, well-travelled, section of Madison, WI. To prevent badness, we programmed the NOM system to look only for traffic from devices we owned; no “random stranger” data was collected at any time. With that constraint, we were able to capture a significant amount of useful data about the devices, including photographs of their owners, correlation between devices owned by the same person, and some “this is where he hangs out”-type data.
“I take all this data, throw it together, and visualize it to show people with real faces and identities and histories moving around a map in 3D,” he told Forbes. “Even if you don’t connect, if you are wired on a network, we will find you. If you are a person in a city, we will find you, and we will do it all for very little money.”
What Andy Greenburg found to be “creepiest of all,” is that “O’Connor has even designed the software to grab the user’s photo if they visit a certain dating site that lacks SSL encryption, adding that to the target’s profile.”
If that level of surveillance is available to a neighborhood hacker for $500, imagine what the NSA could do with the coöperation of the biggest tech companies.