Thursday, June 15, 2006

NSA Watch: America, Meet ARDA

Demon Princess can see that she’s going to have to make this topic one of her regular rants, since with just a few hours spent looking into it, she’s unearthed more information about the devious bastards’ nefarious plans. Seems there’s more in store up ahead, so hang on to your hats.

In this issue: hello kiddies! It’s not only your future employers who’ll be looking at your social networking activities & refusing to hire you because of that bizarre tattoo on your ass &/or confessions in your blogs of indiscretions you’d rather that your parents, spouses & employers not see.

Today it’s the Pentagon that has in mind gathering data (and dirt, we daresay) from social networking sites like MySpace & Friendster. Read all about it here, in New Scientist: http://www.newscientist.com/article.ns?id=mg19025556.200

ARDA is a name we should all be getting to know:

“What is ARDA? It stands for Advanced Research Development Activity. According to a report entitled Data Mining and Homeland Security, published by the Congressional Research Service in January, ARDA's role is to spend NSA money on research that can ‘solve some of the most critical problems facing the US intelligence community’. Chief among ARDA's aims is to make sense of the massive amounts of data the NSA collects - some of its sources grow by around 4 million gigabytes a month.”

Quoth the article: “New Scientist has discovered that Pentagon's National Security Agency, which specialises in eavesdropping and code-breaking, is funding research into the mass harvesting of the information that people post about themselves on social networks. And it could harness advances in internet technology - specifically the forthcoming 'semantic web' championed by the web standards organisation W3C - to combine data from social networking websites with details such as banking, retail and property records, allowing the NSA to build extensive, all-embracing personal profiles of individuals.

“Americans are still reeling from last month's revelations that the NSA has been logging phone calls since the terrorist attacks of 11 September 2001. The Congressional Research Service, which advises the US legislature, says phone companies that surrendered call records may have acted illegally.”

Weirdly enough, the fact that our own Congressional Research Service has advised that obtaining the phone records may have been illegal hasn’t gotten much media coverage in the States.

“However, the White House insists that the terrorist threat makes existing wire-tapping legislation out of date and is urging Congress not to investigate the NSA's action.

“Meanwhile, the NSA is pursuing its plans to tap the web, since phone logs have limited scope. They can only be used to build a very basic picture of someone's contact network, a process sometimes called ‘connecting the dots’. Clusters of people in highly connected groups become apparent, as do people with few connections who appear to be the intermediaries between such groups. The idea is to see by how many links or ‘degrees’ separate people from, say, a member of a blacklisted organisation.

“By adding online social networking data to its phone analyses, the NSA could connect people at deeper levels, through shared activities, such as taking flying lessons. Typically, online social networking sites ask members to enter details of their immediate and extended circles of friends, whose blogs they might follow. People often list other facets of their personality including political, sexual, entertainment, media and sporting preferences too. Some go much further, and a few have lost their jobs by publicly describing drinking and drug-taking exploits. Young people have even been barred from the orthodox religious colleges that they are enrolled in for revealing online that they are gay.

“Other data the NSA could combine with social networking details includes information on purchases, where we go (available from cellphone records, which cite the base station a call came from) and what major financial transactions we make, such as buying a house.

“…Right now this is difficult to do because today's web is stuffed with data in incompatible formats. Enter the semantic web, which aims to iron out these incompatibilities over the next few years via a common data structure called the Resource Description Framework (RDF). W3C hopes that one day every website will use RDF to give each type of data a unique, predefined, unambiguous tag. ‘RDF turns the web into a kind of universal spreadsheet that is readable by computers as well as people,’ says David de Roure at the University of Southampton in the UK, who is an adviser to W3C. ‘It means that you will be able to ask a website questions you couldn't ask before, or perform calculations on the data it contains.’ In a health record, for instance, a heart attack will have the same semantic tag as its more technical description, a myocardial infarction. Previously, they would have looked like separate medical conditions. Each piece of numerical data, such as the rate of inflation or the number of people killed on the roads, will also get a tag.

“The advantages for scientists, for instance, could be huge: they will have unprecedented access to each other's experimental datasets and will be able to perform their own analyses on them. Searching for products such as holidays will become easier as price and availability dates will have smart tags, allowing powerful searches across hundreds of sites.

“On the downside, this ease of use will also make prying into people's lives a breeze. No plan to mine social networks via the semantic web has been announced by the NSA, but its interest in the technology is evident in a funding footnote to a research paper delivered at the W3C's WWW2006 conference in Edinburgh, UK, in late May.

“That paper, entitled Semantic Analytics on Social Networks, by a research team led by Amit Sheth of the University of Georgia in Athens and Anupam Joshi of the University of Maryland in Baltimore reveals how data from online social networks and other databases can be combined to uncover facts about people. The footnote said the work was part-funded by an organisation called ARDA.

“The ever-growing online social networks are part of the flood of internet information that could be mined…The research ARDA funded was designed to see if the semantic web could be easily used to connect people…”
************************************************************************************

OK, OK, to add to that bit of news, try this on top of it: a column dated June 12 by an attorney who was formerly head of the Justice Department’s computer crime unit. He writes, in an article for Security Focus, that something’s barrelling down the road straight at us that we ain’t gonna like, under the guise of protecting children from online predators, combatting organized crime & oh, yes, terrorism. In it he protests Internet Service Providers being made to function as an agent of a bloated & paranoid Big Brother-style state.

“Because ISPs create records of virtually everything that virtually everyone does virtually, our privacy is generally protected by the fact that these records are frequently purged. After all, we are talking about terabytes of data that serves no real function for the ISP. The only reason the records were maintained was to make sure that the packets got to their intended destination. In the case of records of long distance calls made, the phone companies kept these records so they could charge you for the long distance calls. With flat-rate billing, there is no need for them to keep any record that you called Wisconsin.

“What the FBI Director and Attorney General asked the ISPs to do was to retain - for a period of about two years - records of all Internet traffic. Indeed, they want to do this under the threat, express or implied, of legislation mandating such document retention. Now, the news reports were not clear about exactly what information the government wanted the ISPs to keep. Currently, with a few basic limitations, ISPs are not required to keep any records. If they want, they can delete all their records, including subscriber records.

“Now whenever government seeks to increase the powers of law enforcement at the expense of freedom or civil liberties, it always hauls out the troika of organized crime, terrorism and the protection of children. After all, who is opposed to preventing terrorism? Who is in favor of organized crime? And who can be opposed to protecting kids, after all?

“The problem is that these powers are not limited to cases of organized crime, terrorism or child protection - nor could they be for IP retention. After all, an ISP would have no way of knowing if records were going to be relevant two years hence in some investigation, and therefore they would be required to keep everything. Nor has the government proposed legislation that would say that the retained records may only be accessed pursuant to a court order in cases of child exploitation or protection. No, once retained, the records are subject to criminal or civil subpoena, investigative demand, National Security Letter, grand jury subpoena, search warrant, administrative demand, or even a secret request from the government pursuant to the powers of the President as Commander in Chief in a time of war. And unprivileged records can be subpoenaed by private litigants as well.

“Sure, it would make investigations easier if all kinds of records were created and stored forever. What the Attorney General fails to understand is that ISPs already strike a balance in favor of protecting the privacy of their users. The IP records they create are created solely for the purpose of making sure the connection is made, and serve no real ISP function thereafter. Therefore they are destroyed.

“The government is seeking to fundamentally change that balance and to make ISPs agents of the state in creating and retaining records not for their own purposes, but for the government's. As CNET's Declan McCullagh pointed out, Congress is considering making the retention rules mandatory. This is bad policy.

“Law enforcement already has the power to demand, in individual investigations, that ISPs retain specific records for 90 days, in 18 USC 2703(f). This can be extended to up to six months. This should be long enough to get a subpoena for the required records. The government wants two years? Why not twenty? Why not forever? I'd better stop typing before I give someone some ideas.

“Look, if records exist, they will be subpoenaed, stolen, lost or hacked. We already have a pretty good balance of retaining records when we need them and getting rid of them when we don't. Let's not spoil a system that works unless we have clear evidence that it is failing.”

For more on the legislation: http://news.com.com/Congress+may+make+ISPs+snoop+on+you/2100-1028_3-6072601.html?tag=st.rc.targ_mb
