this post was submitted on 27 Jan 2024
525 points (99.6% liked)


NSA is buying Americans' internet browsing records without a warrant::"Web browsing records can reveal sensitive, private information about a person based on where they go on the internet," said Sen. Ron Wyden.

[–] [email protected] 102 points 9 months ago (2 children)

Sounds like the problem is more that they're for sale in the first place, not that they don't have a warrant. They don't need it because our privacy laws are so outdated and ineffectual(/nonexistent).

[–] [email protected] 16 points 9 months ago (1 children)

Yeah like I feel that the headlines are missing the forest through the streets. If there is enough important information available about individuals that the NSA would find it useful and worth buying, we need to ensure that it’s stopped at the source and not available to anyone.

[–] [email protected] 14 points 9 months ago (1 children)
[–] [email protected] 4 points 9 months ago

LOL. I swear it was autocorrect. I’m leaving it since I like this version better.

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago)
[–] [email protected] 60 points 9 months ago (1 children)

Do I like this? No. But I also don’t like that any other entity can do this either. But if we’re going to ban the government from doing this, we should also be banning the sale of this data to anybody.

[–] [email protected] 37 points 9 months ago (1 children)

This right here. All the people bitching about wanting to use Opera and wanting to use Chrome and wanting to use Edge and Brave, this is what we're trying to fight. This is what we're trying to minimize.

Even though the NSA is probably trying to use this for 'good' at the moment, it's not a hard stretch that a couple of changes in power later that information's still going to be there.

[–] [email protected] 25 points 9 months ago (2 children)

When the Snowden releases came out the promise was the NSA was only using their massive surveillance machine to hunt down Islamist terrorists.

But since then they've passed tips to local precincts regarding loose cash in transit so that it can be seized and used by police departments for margarita ice crushers and other luxuries. The NSA itself gets a cut of the take.

This is to say NSA efforts are being used to rob Americans using asset forfeiture, which is about as far from for good or in support of a good cause as you can get.

[–] [email protected] 5 points 9 months ago (1 children)

The NSA does not need money from asset forfeiture. This is one of the stupidest accusations I've heard of NSA. They have to be careful about how they use their intelligence to keep potential targets unaware of what they can or are snooping on. This would be the stupidest and most pointless use of their intelligence. Anyone they would share intelligence with must do so with the most absolute secrecy, and municipal and state law enforcement generally does not qualify. This doesn't mean they're not acting unlawfully, but knowing if they are is going to be next to impossible.

[–] [email protected] 0 points 9 months ago (1 children)

As with much of the federal government, the NSA's information security is lax and outdated, and strict records that are supposed to be kept about who looks at what are not actually filed.

We're pretty sure Russia and China are unofficially privy to any data they want.

NSA was supposed to be an INFOSEC department, making sure that Eve was out of business. That changed after the PATRIOT act (though the movie Sneakers predicted this change in mission). The elliptic curve scandal was a dead giveaway.

That said, at this point NSA leaks stuff to other law enforcement, and fourth-amendment protections are circumvented with parallel construction. Asset forfeiture puts the proof of innocence on the prior owner, so there are no rights to begin with. (Though this is changing state by state.)

[–] [email protected] 5 points 9 months ago* (last edited 9 months ago) (1 children)

the NSA’s information security is lax and outdated

As someone who has read the unclassified recommendations on infosec written by the NSA and CISA, no, it isn’t. The NSA has some sophisticated security infrastructure, and if stuxnet or eternal blue has shown us anything, their infosec capabilities are incredible.

we’re pretty sure Russia and China are unofficially privy to any data they want.

I have literally never heard anyone say this before and this goes against everything I know about cybersecurity, intelligence, and geopolitics.

The NSA ECC bullshit was to support surveillance, not to weaken their own security. The theoretical vulnerability lies in the usage of the suggested parameters of their curve, not ECC itself. Making surveillance easier is something that the NSA has historically supported.

at this point NSA leaks stuff to other law enforcement

I genuinely have never seen anything to support this that is substantial.

Holy shit I can’t believe you’ve made an anarchist defend the NSA but this is so damn wrong.

[–] [email protected] 1 points 9 months ago (1 children)

Apparently you don't read TechDirt, which I have for over a decade now, and NSA had been active in shenanigans and lax security since the wiretapping scandals of the aughts, and in 2023 has been leaking stuff to FBI without warrants (which is supposed to be unconstitutional but between the PATRIOT act and the Federalist-Society-dominated SCOTUS, we may be no longer legally protected from NSA surveillance as an unreasonable search).

The FISC has always been a rubber stamp court, so it shouldn't be necessary for law enforcement to circumvent warrants for NSA information, but it turns out it's just easier using the NSA backdoor access.

I will admit to a certain degree of cynicism. When official channels tell me something is secure or handled with respect to all ethical and civic concerns, and investigative journalists tell me the opposite, I trust the journalists more than I do the official channels. But then I've been through the aughts and the George W. Bush administration when the only sources of actual facts were from foreign sources, because the native news agencies were terrified of reprisals for failing to toe the line.

It's why when people are alarmed today that the fascist autocrats are here and SWATTING their political enemies, I can only quietly sip my coffee from the corner.

[–] [email protected] 3 points 9 months ago

apparently you don’t read TechDirt

I don’t read TechDirt

the NSA has … been leaking stuff to the FBI

Oh, I know about this, I thought you were talking about local law enforcement offices, which is not something I’ve seen.

As far as the unconstitutionality of the NSA’s actions, I fully agree with you. From the perspective of an anarchist, I don’t exactly see any alphabet agencies or the branches of government in a good light. I fully expect the NSA to be involved in shenanigans, just as I expect the FBI or CIA to do so.

the FISC has always been a rubber stamp court so it shouldn’t be necessary for law enforcement to circumvent warrants for NSA information, but it turns out it’s just easier using the NSA backdoor access

If you are talking about the FBI when you say law enforcement, the FBI has its own malware it uses, such as Magic Lantern historically, and certainly others that are not public. There is also some info about them possibly using the NSO group’s Pegasus spyware, which is obscenely hard to detect, and has, at times, been 0-click, meaning you don’t need to take any actions, and it has cleaned up evidence of tampering. Since the FBI has to make sure their evidence is admissible in court, they do need to make sure their evidence is gathered in such a way that it does not violate laws.

However, I have listened to interviews with people who argued their case was built on unconstitutional evidence, and claimed that the feds told them “if you try and attack the case like this, we will tack on more charges,” so I’m not saying they always deal with admissibility in court when starting investigations.

The only gripe I still have is your statement about the NSA’s lax security, since the breaches I’ve read about have all been done by nation state actors, which tend to be the most capable groups in the world.

My experience with the NSA, as someone who works in security, does not indicate they have lax security. From their leaked tools (I <3 ghidra), to their security guidelines, to their malware like stuxnet, to their public tools like SELinux (and eventually ghidra), their security capabilities seem solid.

I don’t want this to come out as me liking the NSA, since I hate a lot of what they do. But as someone who is a huge security nerd and malware enthusiast, I find their tools fascinating, and do have some respect for them from that perspective, in the same way someone might like Kanye’s music and respect his talent, but hate his guts for being a nazi.

If there are any good techdirt articles, please send them my way, I’d love to read them

[–] [email protected] 2 points 9 months ago (1 children)

I mean I did put quotes around good :)

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago) (1 children)

Yes. I assumed you were assuming some of us would hold some of the usual centrist justifications for NSA, e.g. there are some serious meanies out there who might want to 9/11 or Pearl Harbor the US again, but risks of this could be drastically reduced by not engaging in military adventurism for the sake of our industrialist plutocrats. Essentially, if the US stopped being an outrageous and brutal dick to the rest of the international community, then the numbers who would attack our civilians would be drastically reduced to fringe militant ideologues.

So yes, there are no valid justifications for NSA. It exists because the state and the legal departments of the state regard the US public as an enemy.

[–] [email protected] 1 points 9 months ago (1 children)

I'm certain they've caught bad guys I would have wanted caught and stopped shit I would have wanted stopped. E.g. I'm certain they've stopped human trafficking.

But the world isn't black and white. They don't need to set us up to be a total f****** police state to do some good in the world

[–] [email protected] 2 points 9 months ago (1 children)

Yes, there's a balance that has to be struck between protection and liberty. Years ago I speculated what could happen if everyone was chipped into a system that monitored their vitals, with the resulting data we could track morbid outcomes (say heart attacks) to their core roots and then track people who are currently experiencing early warning signs and show the TRUE POWER OF PREVENTATIVE MEDICINE

The problem is, of course, so much data can be used for purposes against the interests of the public, and will once there are technicians privy to all that information. This was the original business model of Google: no-one looks at the data except its owner (e.g. I get to look at my own contacts lists) and Google profits from analysis of multiple data points. Only the police got the power of courts to look at the data, to the point where they wanted everyone who happened to websearch a given name, or whose phones were in a radius of a crime scene at a certain time.

You don't want to be a non-white or a known protestor who had business near a crime scene in the US.

So yeah, until we're able to lock up data so no-one but their intended audience has the capacity to read it, even when a court writes a warrant, we can't trust such all-encompassing systems, especially if the state is at risk of turning into an ideology-driven regime. (England, for instance, still has hard feelings between Catholics and Anglicans, and the Irish / UK border is a bit tense these days.)

[–] [email protected] 2 points 9 months ago

And unfortunately with the state of data protection, you can never be assured that that won't land in someone else's hands eventually.

[–] [email protected] 22 points 9 months ago* (last edited 9 months ago) (2 children)

This has been commonplace for decades. The government agencies went big into it after 9/11. Funny thing was that I found out about it from a competing company telling me about how the company I worked for at the time was doing it.

I should note that I'm firmly against it, just that it's not new.

It's illegal to spy on your own citizens in the US, but completely okay if someone else does the spying and you buy the data.

[–] [email protected] 9 points 9 months ago (3 children)

Hell, Verizon got caught installing spy hardware for the government in phone data centers in the mid-90's.

There was a brief storm about it, then the news media moved on to something else.

I'm sure it's still there, at every phone provider, or something like it.

[–] [email protected] 4 points 9 months ago

It was AT&T

[–] [email protected] 3 points 9 months ago

Verizon got caught installing spy hardware for the government in phone data centers in the mid-90's.

There was no Verizon until 2000. It might have been Bell Atlantic.

[–] [email protected] 1 points 9 months ago

Try puri.sm

[–] [email protected] 1 points 9 months ago

You may as well consider them government employees if they're doing it at the government's buying power.

[–] [email protected] 22 points 9 months ago

I wonder how much of this is to provide a plausible paper trail for parallel construction to hide illegal signals collection in legal proceedings.

"No your honor, we didn't find this out because of domestic spying programs, it was from this data we bought from Google."

[–] [email protected] 20 points 9 months ago (1 children)

props to senator wyden for declassifying this shit. oregon picks good ones.

[–] [email protected] 12 points 9 months ago (1 children)

Absolute legend. Held the confirmation of the next NSA Director until they declassified it.

Thank him here!

Also, he’s privy to classified information he can’t disclose. I’m thinking going forward he could say “I wish I could hold confirmation of the NSA Director again until they declassify XYZ“ and we would know he’s been plugged in to something unethical re: XYZ. Maybe it’s already possible to read in between the lines of his public statements.

[–] [email protected] 3 points 9 months ago

I'm thinking going forward he could say “I wish I could hold confirmation of the NSA Director again until they declassify XYZ“

I'm thinking he absolutely can't do that because

he’s privy to classified information he can’t disclose.

Oftentimes you can't even reveal what classified stuff you may have access to, as that info by itself could be classified. Giving little hints and letting people "read between the lines" would almost certainly count as mishandling classified information, especially if you're a high-profile politician doing that in public statements.

[–] [email protected] 11 points 9 months ago (1 children)

It's quite likely a lot of Americans' data is already being stored and perhaps mined in the Utah Data Center.

https://en.wikipedia.org/wiki/Utah_Data_Center

I would just assume your data could be there unless your computer has never been connected to the Internet. It's simply too easy to hide surveillance in the processor (in the form of remote administration capabilities), the operating system (with remote updates), or the browser, or in the numerous security holes or likely zero-day exploits out there. The state of computer security is an absolute joke, and your 4096-bit RSA key is not keeping your data safe.

[–] [email protected] 5 points 9 months ago

Here's the summary for the wikipedia article you mentioned in your comment:

The Utah Data Center (UDC), also known as the Intelligence Community Comprehensive National Cybersecurity Initiative Data Center, is a data storage facility for the United States Intelligence Community that is designed to store data estimated to be on the order of exabytes or larger. Its purpose is to support the Comprehensive National Cybersecurity Initiative (CNCI), though its precise mission is classified. The National Security Agency (NSA) leads operations at the facility as the executive agent for the Director of National Intelligence. It is located at Camp Williams near Bluffdale, Utah, between Utah Lake and Great Salt Lake and was completed in May 2014 at a cost of $1.5 billion.


[–] [email protected] 9 points 9 months ago (1 children)

Does anyone know where I can buy my own personal information?

[–] [email protected] 1 points 9 months ago

There's always shop.nsa.gov

[–] [email protected] 5 points 9 months ago

Kinda surprised they even needed to...

[–] [email protected] 5 points 9 months ago

We're all shocked, so shocked

[–] [email protected] 2 points 9 months ago

This is the best summary I could come up with:


NSA director Gen. Paul Nakasone disclosed the practice in a letter to Sen. Ron Wyden, a privacy hawk and senior Democrat on the Senate Intelligence Committee.

“Web browsing records can reveal sensitive, private information about a person based on where they go on the internet, including visiting websites related to mental health resources, resources for survivors of sexual assault or domestic abuse, or visiting a telehealth provider who focuses on birth control or abortion medication,” said Wyden in a statement.

By its own admission, the ODNI said at the time that commercially purchased data “clearly provides intelligence value,” but “raises significant issues related to privacy and civil liberties.”

Previous reporting shows the Defense Intelligence Agency bought access to a commercial database containing Americans’ location data in 2021 without a warrant.

Government agencies typically have to secure a court-approved warrant before obtaining private data on Americans from a phone or a tech company.

But U.S. agencies have skirted this requirement by arguing they do not need a warrant if the information, like precise location records or netflow data, is openly for sale to anyone who wants to buy it — though this legal theory remains untested in U.S. courts.


The original article contains 1,045 words, the summary contains 198 words. Saved 81%. I'm a bot and I'm open source!

[–] [email protected] 2 points 9 months ago

it turns out you can just buy the data now.

[–] [email protected] 1 points 9 months ago (1 children)

Ironically, what bothered me at first is the use of internet instead of Internet. An internet is a network of networks. The Internet is the global network of networks. I know that internet is becoming the standard but having been a network administrator, it does annoy me.

[–] [email protected] 2 points 9 months ago

Just heard a podcast mention this.

I like your distinction, though I would believe it’s an uncommon one today.

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago)

I thought this was common knowledge? like this is what they have been doing for a big while now?

[–] [email protected] 1 points 9 months ago (1 children)

That seems sketchy coming from an American institution. I suspect the Russians.

[–] [email protected] 6 points 9 months ago* (last edited 9 months ago) (2 children)

The difference between the US and Russia is that the US government has the good sense to maintain a veneer of privacy and freedom.

[–] [email protected] 1 points 9 months ago (1 children)

You misspelled "Lies and Deceit" and it's just odd that that always gets juxtaposed when describing exactly what you're saying.

[–] [email protected] 2 points 9 months ago (1 children)

You just described how that veneer is being maintained. 😛

[–] [email protected] 1 points 9 months ago

Yeah. I can smell the truth in lying media.

[–] [email protected] 1 points 9 months ago

I was being sarcastic but I 100% see your point.

[–] [email protected] 1 points 9 months ago (1 children)

I still wonder what they are buying and from who. If it's the ISP I kind of wonder what they still get from me since I don't use their DNS servers and the ones I point to are set up for DoH for all traffic at home. I also use other stuff for added privacy. It doesn't take a lot of effort, I hope more people start taking their networks seriously and set up some easy bare minimum precautions to help make it at least slightly harder to track you.

[–] [email protected] 2 points 9 months ago (1 children)

With the NSA's whatever the fuck they want budget, nothing's off the table. Dark web, Google, Microsoft, probably whoever will sell it and then they probably slapped them with a gag order if they're an entity likely to publicize it.

My pi holes are set up to pull DoT and DoH, but they still have to get their traffic from a provider. I should probably funnel that through my VPN but making my DNS unpredictably slow doesn't sound like much fun.

I'm sure ISPs will sell whatever they can see. Smart TV manufacturers use some crazy database to be able to detect what you're watching. You know that's going off to everybody that would give them a $20 bill. Then anywhere where you've used the same email to sign up for multiple services, all those services will be more than happy to sell their data.

Your bank, LexisNexis with credit data, your school, all the places that your parents and your kids use.

It's not that hard to use a password manager and a catch-all email and start diversifying your user accounts.

Tor and VPN start to degrade your service quality.

Using open source browsers and anonymizing as much as you can is good and yes even DNS over HTTPS plays a role in reduction.

In the end though, I wonder how much it really matters. If they just get one or two chunks out of that list, how much of the rest of it do they get for free or cheap. If you had the eye of sauron on you and they were really trying they would know everything you do.

[–] [email protected] 2 points 9 months ago

In the end though, I wonder how much it really matters. … If you had the eye of sauron on you and they were really trying they would know everything you do.

If the Fed specifically targets you, I imagine eventually they’ll dig up what they need one way or another. (Widespread E2EE should be a barrier of course.)

Given the average person will never be targeted, I think taking the lowest hanging fruit privacy protections is good for a little bit of peace of mind and a little bit of security against data leaks. NSA gets hacked? Maybe when the dump hits blackhat forums or The Pirate Bay it won’t be as obvious how much time you spend on UnixSocks.