Early GIS in MI5?

Just finished reading Spycatcher by Peter Wright. You might remember this book for the attempt by Margaret Thatcher’s government to enjoin publication, only for the book to receive publicity and perhaps increased sales when it was eventually published (the lawsuits fell at each hurdle). The reason for the government’s action was that Wright, a former MI5 scientific officer and fairly senior counterintelligence (CI) officer, revealed a number of secrets and codewords, as well as various activities of the intel services (mostly MI5 but also MI6 and the CIA).

I remember this case at the time (the book was published in 1988, but the government I believe tried to get an injunction as early as 1985). Since I was living in the US at the time, there were not the press embargoes that were applied to the British media. In one case for example, a review of the book in the UK press could only be printed as a blank page, with a note saying that while in other countries the review appeared in the space, in the UK it could not be printed. (I’m not sure if these were D-notices, which as I understand it are voluntarily adhered to by the media, or some other legal injunction. By contrast, when the Guardian was preparing to publish the first Snowden documents, they decided to publish despite government requests not to.) What struck most people as going too far was that the British government continued its legal action for injunctions despite the fact that the book came out, and was available (eg in Scotland and the USA). This was an important early lesson for me, well before the web, of the globalization of information, and how out of date the UK government was.

Among the more notorious parts of the book was Wright’s growing claim that the  Director General of MI5, Roger Hollis, was a Soviet agent (spy). The best that can be said about this apparently is “nor proven,” to cite Scottish law. (Chapman Pincher has made the same claims, though he might be drawing on Wright’s material for this.)

In any case, most of Wright’s material covered the 1960s and various bugging operations, and his debriefing of Anthony Blunt, etc. It’s a good read. Stella Rimington, the MI5 chief, in a piece published the day before 9/11, heavily criticized Wright for being lazy and paranoid. She says that he wrote the book to name every codeword he could recall–which is quite a few actually. Hard to blame her for feeling this way, of course!

But to me a small comment made in the middle of the book is the most interesting. Wright says that in 1964 they had been working for four years on Movement Analysis, using data from MI5 surveillance agents known as the Watchers, to track movements of individuals and suspects. Wright comments that they had amassed millions of data.

This is possibly big spatial data avant la lettre. Of course today we have activity-based intelligence (ABI) sweeping through the intel community, but it goes to show that nothing is ever quite as new as it seems. I wonder what computer systems and analysis they used, and how “geographical” it was? Quite a bit, I imagine.

One of the names associated with the project, beside Wright himself, was Hal Doyne-Ditmas. (Funnily enough he was a friend of John McPhee, the geological and naturalist writer in the New Yorker.) It would be an interesting part of the history of GIS project to determine what this looked like, and how much was shared with the Americans (some, according to Wright).

An early use of GIS by MI5?

Bruce Schneier on iPhone cryptography

Security expert Bruce Schneier has a pretty comprehensive rebuttal to fears of criminals running amok now that the iPhone is becoming more secure (see my previous post on crypto-geographies).

Well worth reading (see also comments on differential geographies of access to crypto).

Crypto-geographies and the Internet of Things

Secret codes have long fascinated people. According to Secret History, a new history of cryptology by Craig Bauer, who was Scholar-In-Residence at the NSA Center for Cryptologic History in 2011-12, cryptography predates the Greeks. Many of these ciphers were relatively simple by today’s standards, involving either transposition or substitution (respectively systems where the letters are moved but not replaced, and where the letters are replaced, eg., A is replaced by Z, etc).

The now fairly well-known Enigma machine, deciphered by British scientists at Bletchley Park (and the subject of many books and a couple of movies) is pictured above. This was a German system of ciphering, used by the German Nazi regime during WWII. Less well-known (but undeservedly so) are the decryptions by the NSA and its predecessor group (The US Army Signals Intelligence Service located at Arlington Hall, a former girl’s school in Virginia) of the so-called Venona traffic. Venona refers to the project to decrypt Soviet diplomatic communications with its agents in the USA and elsewhere. These encrypted messages often referred to codenames of American spies working for the Soviets during the war. With the help of investigations by the FBI the US government was able to identify many of these people, based on the partial decryptions. According to the NSA and most (but not all) historians, these included Julius and Ethel Rosenberg, Klaus Fuchs, and several serving OSS personnel.

The Soviets were tipped off to the fact that the US was decrypting their messages (probably by Kim Philby, the British spy who was posted to the US for a time), and stopped using their one-time encryption pads. Nevertheless the project to decrypt the messages continued until the early 1980s, eventually yielding about 2,900 partially decrypted messages. They remained a closely guarded secret long after their operational worth had dwindled, and it was only with the publication in 1987 of Spycatcher, by Peter Wright, a former British intelligence officer, that the project was referred to by its codename in public. (Publication of Spycatcher was embargoed by Margaret Thatcher’s government in the UK, but Wright succeeded in publishing it in Australia anyway.)

Some terms: “Cryptography” is the science (and art) of creating ciphers. “Cryptanalysis” is the effort of deciphering them without the key. “Cryptology” is both of these, to include the assessment of the security of a cipher, comparing ciphers and so on. The words are Greek from kryptos (κρυπτός) meaning hidden, secret.

Is there such a thing as cryptologic geographies? If not, could there be, and of what would it consist? In other words, are there (non-trivial) geographies of encryption? Here are some ideas.

One of my earliest ideas of this was a geography of https, the secure version of web-browsing (now coming into vogue but still greatly variable). The New York Times recently laid down a challenge to make https default by the end of 2015 if other media companies would do the same. This is non-trivial, because if encrypted messages are more secure than non-encrypted ones, then the latter will reveal weaknesses in the internet. These weaknesses could be exploited. Second, if you are sending emails and other communications over the internet in non-encrypted form, then this is easier for governments to intercept and monitor.

And this is not just to do with messages you write, but also other parts of the personal datastream. For example, your location. What if you could record, but encrypt your geolocation to take advantage of services offered by apps (eg Google Maps) in such a way that they could not be intercepted, decrypted and exploited by third parties (including the government)? Would this mean that the web and internet would “go dark” as officials warn? And would criminals and terrorists be afforded protection in those dark spaces? That was certainly the message of the Attorney General and the FBI Director a few days ago in response to plans by Apple and Google to implement better encryption. AG Holder:

said quick access to phone data can help law enforcement officers find and protect victims, such as those targeted by kidnappers and sexual predators.

Justice Department officials said Holder is merely asking for cooperation from the companies at this time.

And how universal would this advantage to users, potential criminals and law enforcement be? And would those places where one of these had an advantage necessarily overlap with the others? That is, what would be the differential access to encryption from place to place or group to group–a digital divide of encryption?

Is there a political economy of encryption? Who are the companies and individuals working on encryption in the commercial sector? To what extent is there movement between the private and public sectors of both cryptology expertise and personnel? Further, to what extent is there better crypotography in the government and intelligence community than there is in the commercial sector? What are the implications of allowing backdoors to encryption algorithms that can “only” be broken by the government but not by third parties? (I’m thinking here of the well-known proposal in the 1990s for the “Clipper Chip” which allowed just such a backdoor for the NSA but was met with such opposition that it was not implemented.) Is such a backdoor safe from third party hacking, and if so, for how long? (And what is an acceptable definition of “safe” here?). A geographical analysis of these questions would imply some access to where and who has installed the systems in question, which might be provided by basic research efforts such as those carried out at the Oxford Internet Institute by Mark Graham and his colleagues.

Do other computer systems have vulnerabilities? That is, ones without designed-in backdoors? If so, where are they? When it comes to exploits and vulnerabilities, what are the implications of announcing them vs. hoarding them (eg, so-called zero-day exploits)? Is there differential access to knowledge about exploits and vulnerabilities? Where? Again, who makes money off this? What is the crypto- value-chain?

Speaking of hacking; there are a huge array of secret attempts (and thus crypto- if not cryptologic) to break into, disrupt, or exploit systems (and an equally expansive range of countermeasures). The Department of Defense has estimated there may be up to 10 million hacking attacks per day. Most of these are probably automated scans, according to Adam Segal, a cybersecurity expert at the Council on Foreign Relations.

What systems are vulnerable to these exploits, and what exploits are being carried out? Here we could examine mundane events such as DDOS, where antagonists attempt to bring down a web server to deny its proper function, to more exotic events such as the US/Israeli Stuxnet virus meant to disrupt Iranian nuclear programs (but which had effects well beyond Iran once the virus was in the wild). (For more on this virus/worm, see the Stuxnet Dossier [pdf] compiled by Symantec.)

We often hear in the news that certain countries (Russia, China) are more responsible for intrusions and exploits than others, but I’m not aware of any detailed work on this sort of cryptogeography. The recent JP Morgan vulnerability affected more than 83 million US households (who? why?), according to the NYT, and actually included another 9 banks not previously reported. The NYT also said the attack was carried out by hackers having “at least loose connections with officials of the Russian government.” But that is a very imprecise and sketchy account. Just recently, a new poll showed bipartisan low levels of confidence among Americans in the “government’s ability to protect their personal safety and economic security.” Here government is arguably failing at its job of providing security. Ferguson and domestic homicides were mentioned specifically in the AP story. Do people feel threatened by the JP Morgan hacks, the Target and other breaches?

There is surely a whole economy of knock-on effects that result from this; so again, we can speculate about a political economy of crytogeographies.

What would a better map of hacking attempts look like? Security companies and telcos track these data, as for example in this map created by Norse which describes itself as “a global leader in live attack intelligence.” Who is this company? How do they earn their money? More importantly, what is the nature of this market sector more generally?

mass-attack-norse-map-100315099-orig
(Click for live version.)

The above map however is to a large extent a misrepresentation because it only shows attacks on their honeypots, not the entirety of the internet, or even the entirety of a particular region or network.

A similar visualization, again covering the globe by country, is offered by Kaspersky Labs.

ScreenClip1
(Click for live version)

These are not per se all that analytically valuable, although they are visually striking (if somewhat derivative).

What do these attacks do, and to whom do they do it? It would be interesting to do a geopolitical analysis of the Stuxnet worm here, which has received a fair amount of coverage. Stuxnet would make an interesting case study, although it remains to be seen how representative it is (being created by state actors against the nuclear capabilities of another state). As stated above, most attacks are undirected and opportunistic. A Congressional Research Services (CRS) Report on Stuxnet examined the national security implications of the attack, and of course there is a long history of the study of cyberattacks and cyberwarfare going back several decades. But I’m not aware that geographers have contributed to this literature in a geopolitical sense.

For some, these concerns are especially paramount in the context of smart cities, big data and automated (“smart”) controls–including the so-called smart grid and the Internet of Things (IoT). Take utilities and smart meters for instance. There are minimally two concerns–that hackers could access smart controls and take command of critical infrastructure, and second, that data held in smart meters may be legally accessible under surveillance laws by the government. Another CRS report in 2012 warned that current legislation “would appear to permit law enforcement to access smart meter data for investigative purposes under procedures provided in the SCA, ECPA, and the Foreign Intelligence Surveillance Act (FISA)”. Although we hear a lot about surveillance of phone and internet communications, there is as yet much less on surveillance of other big data sources. Luckily I have a paper coming out on that topic but needless to say much more needs to be done.

Cryptologic geographies would appear to be a fertile field for investigation. Broadly conceived to include geopolitical implications, big data, regulation and policy, governance, security, the Internet of Things, cybergeographies, and justice, there is a need for intervention here to both clarify our understanding, and intervene in policy and political debate. Certainly other scholars are already doing so (eg., Internet Governance Project paper on whether cyberwarfare is a new Cold War, pdf).

The mass of connected computer systems and devices known as the Internet of Things will surely only intensify issues of security, encryption and governance. The crypto-geographies of these are highly important to sort through. This post is an attempt to highlight what issues are at stake and to provide some initial ideas.

Predicting OpenStreetMap needs by MapBox

A fascinating attempt to isolate where OSM might need more effort based on demand (not just lack of information).

Like many cool efforts this is more about some clever thinking and access to the right data than high math or heavy computation, and leads to some very actionable results.

Check out the innovative new style heatmap (first map in their blogpost) showing the top 50k tiles requested at zoom level.

New paper: “Collect it all”

I’ve posted the final manuscript draft of a new paper at SSRN: “Collect it all: National Security, Big data and Governance.”

Here’s the abstract.

This paper is a case study of complications of Big Data. The case study draws from the US intelligence community (IC), but the issues are applicable on a wide scale to Big Data. There are two ways Big Data are making a big impact: a reconceptualization of (geo)privacy, and “algorithmic security.” Geoprivacy is revealed as a geopolitical assemblage rather than something possessed and is part of emerging political economy of technology and neoliberal markets. Security has become increasingly algorithmic and biometric, enrolling Big Data to disambiguate the biopolitical subject. Geoweb and remote sensing technologies, companies, and knowledges are imbricated in this assemblage of algorithmic security. I conclude with three spaces of intervention; new critical histories of the geoweb that trace the relationship of geography and the state; a fuller political economy of the geoweb and its circulations of geographical knowledge; and legislative and encryption efforts that enable the geographic community to participate in public debate.

Keywords: Big Data, privacy, national security, geoweb, political economy

“Informatized subjects” — Gordon Hull

Gordon Hull at NewAPPS has a good discussion of data vs. information and how value is created by the turning of one into the other.

He also mentions Philip K. Dick’s influential book Ubik, since his piece is a discussion, in part, of an article by N. Katherine Hayles in TCS.

Here, I want to notice just one part of the argument: RFID tags, on her account, exist as both “devices” and “virtual presences,” negotiating this boundary by transmitting data from the world of things to the world of information.  As such (what follows is my extrapolation, not her argument, though I don’t think anything I’m saying here disagrees with her in any fundamental way), they are active participants in what one might call the “informatization” of subjectivity: treating subjectivity as primarily informatic, as the product of or constituted by information.

Nothing too new there perhaps, but there is a key implication he highlights that I think we’re really far from grappling with:

It seems to me that, insofar as RFID chips negotiate the boundary between informatics and objects, and transitions between those, they should be studied as sites for the primitive accumulation of capital.  That is, they are places where objects can become subsumed into capitalist market structures, while being dispossessed (following David Harvey’s terminology) of whatever value they might have had before. When RFID tags contribute to that process – as when, for example, they are used to produce revenue-generating metadata for large corporations by tracking consumer purchases – is when they ought to be scrutinized most carefully, and their political economy subject to the most careful critique, precisely because it is at these moments that they constitute us as subjects of global capital, or where such constitution needs to be resisted.

This has all sorts of provocative angles, not least how geolocational data and geolocational subjects get “informatized” and valorized.

Elden: Foucault’s Last Decade – Update 13

Stuart updates his work on his book Foucault’s Last Decade.

Foucault’s Last Decade – Update 13.

via Foucault’s Last Decade – Update 13.