A partial transcript of Glenn Greenwald’s talk at the Socialism Conference in Chicago last Friday is available on The Dissenter. It should be required reading for all aspiring journalists and part of any school of journalism’s syllabus. For anyone just emerging from a long coma, Greenwald is the Guardian journalist who published the Edward Snowden revelations about the NSA and GCHQ secret surveillance programmes.
For me there are two big takeaways: that the Snowden revelations have exposed as much corruption within the mainstream media as they have within the intelligence services; and that there is much more to come from Snowden.
Let’s take the former first. Governments cannot deny the revelations, so they are left with two options: downplay the effect and discredit the sources. So we get politicians saying loss of privacy is a small price to pay for security; if you don’t do anything wrong you have nothing to fear; we operate strictly within the law and uphold the rule of law. All of these are false, misleading arguments, but they are rarely challenged by the media.
We also get a steady stream of suggestions and innuendo that denigrate both Snowden and Greenwald. Snowden is a fame whore traitor who has endangered the lives of NSA agents and put the public at greater risk of terrorist attack; and he was probably in the pay of the Chinese government anyway. None of this is supported by any serious argument or fact. Greenwald, of course, is as much a traitor and should be prosecuted for espionage for doing his job as a journalist – that very job that most other journalists shy away from.
For the latter — that there is more to come — Greenwald said of one coming soon, “It talks about how a brand new technology enables the National Security Agency to redirect into its repositories one billion cell phone calls every single day, one billion cell phone calls every single day.”
Verbatim from the transcript, Greenwald added:
What we are really talking about here is a globalized system that prevents any form of electronic communication from taking place without its being stored and monitored by the National Security Agency. It doesn’t mean they’re listening to every call. It means they’re storing every call and have the capability to listen to them at any time and it does mean that they’re collecting millions upon million upon millions of our phone and email records. It is a globalized system designed to destroy all privacy and what’s incredibly menacing about it is it is all taking place in the dark, with no accountability and virtually no safeguards and the purpose of our story and the purpose of Edward Snowden’s whistleblowing is not singularly or unilaterally to destroy those systems. The purpose is to say that if you the United States government and the governments around the world want to create a globalized surveillance system in which we no longer have any privacy in our individual lives or on the internet you at least ought to have us know about it, have you do it in the sunlight so that we can decide democratically whether that’s the kind of system and the kind of world which we want to live.
It is probably knowledge of that to come rather than that already revealed that has persuaded the US government to block access to the Guardian for US soldiers. After all, they have all sworn an oath to defend the US Constitution; and the real enemy of the Constitution is now a moot point.
Back in April Google amended its Google Play developer policy. It was a simple addition: “An app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play’s update mechanism.”
Simple, but far-reaching. At a stroke, it eliminated the growing threat of ‘silent updates’ to Android apps. At the time, many people thought it was specifically aimed at arch display advertising rival, Facebook. It probably was.
Facebook had been secretly experimenting with silent updates to its new Facebook Home app. Once an app has been installed with acceptable and accepted permissions, it is able to update itself with new and expanded permissions secretly (silent updates); that is, without telling the user what is happening, or what new permissions are being enacted.
But by forcing those updates to go via the Play Store, Google is able to stop them being ‘silent’. Good job, really. Facebook’s Android app has been updated — but provided you got it from Play, it cannot update itself silently.
Sarah A. Downey, a lawyer and privacy strategist with Abine, did a simple blog: eighteen words and a graphic compilation of three screenshots.
Her comment: “Really, Facebook? Three screens of permissions? No thanks. We don’t have that kind of relationship.”
Says it all really. If Google hadn’t insisted on updates via Play, you might never know about this update. And if you side-load an app — for example, straight from Facebook — you might still never know about it.
So, two lessons: get your apps from Play; and dump Facebook anyway.
What is a hack? No, seriously, I need to know.
Last weekend the People/Mirror reported that Scout7 had been hacked and Manchester City’s scouting database compromised.
Scout7 came back and said it hadn’t been hacked and the integrity of its systems was sound. But City’s database was accessed by someone other than City.
Scout7 was saying that as far as its systems were concerned, it was a legal access via genuine credentials — implying that City must have lost, mislaid, or had its password stolen. It’s an interesting idea. The implication is that if you lose your house-keys and someone finds them, gets in while you’re out, and reads your personal, private diary, you haven’t been burgled.
That, of course, is emotionally absurd. But Scout7 is saying that it (the housebuilder) cannot be blamed for the burglary and doesn’t need to do anything about it. We’ll come back to that.
Meantime, how does this apply to ‘breach notification’? Is a breach a hack? Is the illegal use of legal credentials by a clear bad guy something that will require notification? Will companies be able to claim, we weren’t breached because the hackers got in through legitimate passwords, therefore we don’t need to tell anyone?
Incidentally, Kurt Wismer has an interesting story equally hinging on lack of semantic clarity: was the poor targeting in Stuxnet down to some lax manager saying, ‘make me a virus’, when he really meant, ‘make me a trojan’? Worth reading.
But back to Scout7. No, it cannot avoid its liability by implying it was a customer’s fault for losing his/her password. We all know that passwords do not provide adequate access security. So relying on them, and not adding a second factor to the access control, is effectively building something not fit for purpose. So as far as I am concerned, it got hacked.
Goodle (that is, the UK’s ICO) is friendly with Google. You can see that in its behaviour over Street View (the collection, inadvertent or otherwise, of personal wifi data while driving round the streets of the world). Germany fined Google over it. Goodle just said stop it, don’t do it again, and get rid of what you’ve got.
When Google didn’t get rid of it, Goodle had to get really tough, and say get rid of it now, because we really, really mean it this time!
But back to Article 29. Problematically for Goodle, it is one of six EU member states chosen to take enforcement action against Google. CNIL, the French regulator, has already completed its task. It has instructed Google in exactly what it must do to come into conformance with French laws. Google has three months to comply before CNIL levies a fine.
Spain is likely to be next. The Spanish regulator announced on Thursday that it has “found evidence of five serious privacy law breaches — each punishable with fines of up to 300,000 euros ($395,000).” (AFP) An enforcement notice with threats will likely follow shortly.
Germany is hardly likely to take a softer line – generally speaking it is tougher than most other EU nations on matters of personal privacy (some can remember Nazi Germany, and most can remember Stasi Germany).
Then we have Italy, the Netherlands, and of course Goodle. My bet is that Italy and the Netherlands do the same as France and Spain. But what then? What about the UK? What’s a good Goodle to do if all the other nations slap Google as hard as they can? It’s a difficult position for a loyal Google Poodle.
A senior US businessman recently told me (this was before PRISM erupted), “Europe worries too much about the PATRIOT Act being used to spy on people. The simple fact is, everyone’s doing it.”
It was like being told not to worry about that man shooting at me because there are other people with guns aimed at me as well.