We can be pretty certain that the National Security Agency (NSA) is tapping directly into the servers of more than just the nine leading Internet companies cited in the PRISM scandal. But how come the companies themselves can claim that they knew nothing about it? The answer is simple. They didn’t know.
For a while now, the NSA has had the legal power to search inside any US-owned processing service. And while they are never likely to be open about it, they have very likely been using a technique known as Deep Packet Inspection (DPI).
With DPI, all Internet traffic can be read, copied or modified, as can websites. DPI can also look deep into Cloud stores and see who is uploading or downloading, what is inside and who is looking for it. Websites can be blocked and so can specific items within sites such as a particular video on YouTube.
DPI has been used for years in the commercial world but only Tunisia, China, Iran and Kazakhstan legally use the system to curb dissidents. Nobody else wants to own up to it. Anybody on the receiving end would not necessarily know that they had been compromised.
So when Mark Zuckerberg says “Facebook is not and has never been part of any program to give the US or any other government direct access to our servers”, he is in all likelihood telling the truth.
Very soon, the Community Comprehensive National Cybersecurity Initiative Data Center in Utah will be on-stream, capturing all communication globally, including the complete contents of private emails, cell phone calls and Internet searches, plus all the personal data trails from parking receipts, bank transfers, travel itineraries and bookstore purchases. Another NSA data facility is already under construction in Maryland. Without DPI, these centers would be meaningless.
Data storage is remarkably cheap and getting cheaper every year. Analyzing and storing it all is now a cost-effective reality. The CIA proudly admits that “it is nearly within our grasp to compute on all human generated information.”
Under a recent amendment to the Foreign Intelligence Surveillance Act, Washington can legally access the personal data of any non-US citizen outside of the US if it is stored in a Cloud service run by a US company. This effectively gives them carte blanche to monitor journalists, politicians, activists and others world-wide.
Under the existing law – introduced in 2008 to retroactively legalize “warrantless wiretapping” – US agencies legally monitor phone calls and emails in and out of the country. Now “remote computing services” have been added to the list of targets which could literally mean anything stored on a computer other than your own.
Remarkably, this means the US can also access any British government documents stored online including ministerial files, local authority records, and public sector data.
At least four US companies are involved in the UK government’s G-Cloud project. Eventually, it is planned that the G-Cloud will hold the bulk of State data in addition to that of schools, charities, the BBC and police, even the Bank of England. Britain wants to see even greater use of Cloud storage across all sectors in what it describes as a robust “public cloud first policy”.
Now the cat is out of the bag – we know that everything we do online is open to scrutiny – it’s time to change the way we use the Internet.
Alan Pearce is the author of the new inter-active ebook “Deep Web for Journalists – Comms, Counter-Surveillance, Search” published by www.deepwebguides.com.