Category Archives: Security

Crypto-geographies and the Internet of Things

Secret codes have long fascinated people. According to Secret History, a new history of cryptology by Craig Bauer, who was Scholar-In-Residence at the NSA Center for Cryptologic History in 2011-12, cryptography predates the Greeks. Many of these ciphers were relatively simple by today’s standards, involving either transposition or substitution (respectively systems where the letters are moved but not replaced, and where the letters are replaced, eg., A is replaced by Z, etc).

The now fairly well-known Enigma machine, deciphered by British scientists at Bletchley Park (and the subject of many books and a couple of movies) is pictured above. This was a German system of ciphering, used by the German Nazi regime during WWII. Less well-known (but undeservedly so) are the decryptions by the NSA and its predecessor group (The US Army Signals Intelligence Service located at Arlington Hall, a former girl’s school in Virginia) of the so-called Venona traffic. Venona refers to the project to decrypt Soviet diplomatic communications with its agents in the USA and elsewhere. These encrypted messages often referred to codenames of American spies working for the Soviets during the war. With the help of investigations by the FBI the US government was able to identify many of these people, based on the partial decryptions. According to the NSA and most (but not all) historians, these included Julius and Ethel Rosenberg, Klaus Fuchs, and several serving OSS personnel.

The Soviets were tipped off to the fact that the US was decrypting their messages (probably by Kim Philby, the British spy who was posted to the US for a time), and stopped using their one-time encryption pads. Nevertheless the project to decrypt the messages continued until the early 1980s, eventually yielding about 2,900 partially decrypted messages. They remained a closely guarded secret long after their operational worth had dwindled, and it was only with the publication in 1987 of Spycatcher, by Peter Wright, a former British intelligence officer, that the project was referred to by its codename in public. (Publication of Spycatcher was embargoed by Margaret Thatcher’s government in the UK, but Wright succeeded in publishing it in Australia anyway.)

Some terms: “Cryptography” is the science (and art) of creating ciphers. “Cryptanalysis” is the effort of deciphering them without the key. “Cryptology” is both of these, to include the assessment of the security of a cipher, comparing ciphers and so on. The words are Greek from kryptos (κρυπτός) meaning hidden, secret.

Is there such a thing as cryptologic geographies? If not, could there be, and of what would it consist? In other words, are there (non-trivial) geographies of encryption? Here are some ideas.

One of my earliest ideas of this was a geography of https, the secure version of web-browsing (now coming into vogue but still greatly variable). The New York Times recently laid down a challenge to make https default by the end of 2015 if other media companies would do the same. This is non-trivial, because if encrypted messages are more secure than non-encrypted ones, then the latter will reveal weaknesses in the internet. These weaknesses could be exploited. Second, if you are sending emails and other communications over the internet in non-encrypted form, then this is easier for governments to intercept and monitor.

And this is not just to do with messages you write, but also other parts of the personal datastream. For example, your location. What if you could record, but encrypt your geolocation to take advantage of services offered by apps (eg Google Maps) in such a way that they could not be intercepted, decrypted and exploited by third parties (including the government)? Would this mean that the web and internet would “go dark” as officials warn? And would criminals and terrorists be afforded protection in those dark spaces? That was certainly the message of the Attorney General and the FBI Director a few days ago in response to plans by Apple and Google to implement better encryption. AG Holder:

said quick access to phone data can help law enforcement officers find and protect victims, such as those targeted by kidnappers and sexual predators.

Justice Department officials said Holder is merely asking for cooperation from the companies at this time.

And how universal would this advantage to users, potential criminals and law enforcement be? And would those places where one of these had an advantage necessarily overlap with the others? That is, what would be the differential access to encryption from place to place or group to group–a digital divide of encryption?

Is there a political economy of encryption? Who are the companies and individuals working on encryption in the commercial sector? To what extent is there movement between the private and public sectors of both cryptology expertise and personnel? Further, to what extent is there better crypotography in the government and intelligence community than there is in the commercial sector? What are the implications of allowing backdoors to encryption algorithms that can “only” be broken by the government but not by third parties? (I’m thinking here of the well-known proposal in the 1990s for the “Clipper Chip” which allowed just such a backdoor for the NSA but was met with such opposition that it was not implemented.) Is such a backdoor safe from third party hacking, and if so, for how long? (And what is an acceptable definition of “safe” here?). A geographical analysis of these questions would imply some access to where and who has installed the systems in question, which might be provided by basic research efforts such as those carried out at the Oxford Internet Institute by Mark Graham and his colleagues.

Do other computer systems have vulnerabilities? That is, ones without designed-in backdoors? If so, where are they? When it comes to exploits and vulnerabilities, what are the implications of announcing them vs. hoarding them (eg, so-called zero-day exploits)? Is there differential access to knowledge about exploits and vulnerabilities? Where? Again, who makes money off this? What is the crypto- value-chain?

Speaking of hacking; there are a huge array of secret attempts (and thus crypto- if not cryptologic) to break into, disrupt, or exploit systems (and an equally expansive range of countermeasures). The Department of Defense has estimated there may be up to 10 million hacking attacks per day. Most of these are probably automated scans, according to Adam Segal, a cybersecurity expert at the Council on Foreign Relations.

What systems are vulnerable to these exploits, and what exploits are being carried out? Here we could examine mundane events such as DDOS, where antagonists attempt to bring down a web server to deny its proper function, to more exotic events such as the US/Israeli Stuxnet virus meant to disrupt Iranian nuclear programs (but which had effects well beyond Iran once the virus was in the wild). (For more on this virus/worm, see the Stuxnet Dossier [pdf] compiled by Symantec.)

We often hear in the news that certain countries (Russia, China) are more responsible for intrusions and exploits than others, but I’m not aware of any detailed work on this sort of cryptogeography. The recent JP Morgan vulnerability affected more than 83 million US households (who? why?), according to the NYT, and actually included another 9 banks not previously reported. The NYT also said the attack was carried out by hackers having “at least loose connections with officials of the Russian government.” But that is a very imprecise and sketchy account. Just recently, a new poll showed bipartisan low levels of confidence among Americans in the “government’s ability to protect their personal safety and economic security.” Here government is arguably failing at its job of providing security. Ferguson and domestic homicides were mentioned specifically in the AP story. Do people feel threatened by the JP Morgan hacks, the Target and other breaches?

There is surely a whole economy of knock-on effects that result from this; so again, we can speculate about a political economy of crytogeographies.

What would a better map of hacking attempts look like? Security companies and telcos track these data, as for example in this map created by Norse which describes itself as “a global leader in live attack intelligence.” Who is this company? How do they earn their money? More importantly, what is the nature of this market sector more generally?

mass-attack-norse-map-100315099-orig
(Click for live version.)

The above map however is to a large extent a misrepresentation because it only shows attacks on their honeypots, not the entirety of the internet, or even the entirety of a particular region or network.

A similar visualization, again covering the globe by country, is offered by Kaspersky Labs.

ScreenClip1
(Click for live version)

These are not per se all that analytically valuable, although they are visually striking (if somewhat derivative).

What do these attacks do, and to whom do they do it? It would be interesting to do a geopolitical analysis of the Stuxnet worm here, which has received a fair amount of coverage. Stuxnet would make an interesting case study, although it remains to be seen how representative it is (being created by state actors against the nuclear capabilities of another state). As stated above, most attacks are undirected and opportunistic. A Congressional Research Services (CRS) Report on Stuxnet examined the national security implications of the attack, and of course there is a long history of the study of cyberattacks and cyberwarfare going back several decades. But I’m not aware that geographers have contributed to this literature in a geopolitical sense.

For some, these concerns are especially paramount in the context of smart cities, big data and automated (“smart”) controls–including the so-called smart grid and the Internet of Things (IoT). Take utilities and smart meters for instance. There are minimally two concerns–that hackers could access smart controls and take command of critical infrastructure, and second, that data held in smart meters may be legally accessible under surveillance laws by the government. Another CRS report in 2012 warned that current legislation “would appear to permit law enforcement to access smart meter data for investigative purposes under procedures provided in the SCA, ECPA, and the Foreign Intelligence Surveillance Act (FISA)”. Although we hear a lot about surveillance of phone and internet communications, there is as yet much less on surveillance of other big data sources. Luckily I have a paper coming out on that topic but needless to say much more needs to be done.

Cryptologic geographies would appear to be a fertile field for investigation. Broadly conceived to include geopolitical implications, big data, regulation and policy, governance, security, the Internet of Things, cybergeographies, and justice, there is a need for intervention here to both clarify our understanding, and intervene in policy and political debate. Certainly other scholars are already doing so (eg., Internet Governance Project paper on whether cyberwarfare is a new Cold War, pdf).

The mass of connected computer systems and devices known as the Internet of Things will surely only intensify issues of security, encryption and governance. The crypto-geographies of these are highly important to sort through. This post is an attempt to highlight what issues are at stake and to provide some initial ideas.

New paper: “Collect it all”

I’ve posted the final manuscript draft of a new paper at SSRN: “Collect it all: National Security, Big data and Governance.”

Here’s the abstract.

This paper is a case study of complications of Big Data. The case study draws from the US intelligence community (IC), but the issues are applicable on a wide scale to Big Data. There are two ways Big Data are making a big impact: a reconceptualization of (geo)privacy, and “algorithmic security.” Geoprivacy is revealed as a geopolitical assemblage rather than something possessed and is part of emerging political economy of technology and neoliberal markets. Security has become increasingly algorithmic and biometric, enrolling Big Data to disambiguate the biopolitical subject. Geoweb and remote sensing technologies, companies, and knowledges are imbricated in this assemblage of algorithmic security. I conclude with three spaces of intervention; new critical histories of the geoweb that trace the relationship of geography and the state; a fuller political economy of the geoweb and its circulations of geographical knowledge; and legislative and encryption efforts that enable the geographic community to participate in public debate.

Keywords: Big Data, privacy, national security, geoweb, political economy

Surveillance costs–new study

Shortly after the Edward Snowden revelations began in June 2013 I wrote a Commentary for Society and Space open site on the costs of security.

One of the issues I addressed had to do with the economic and other costs of surveillance:

What does the US actually pay? One attempt at an answer to this surprisingly difficult question was recently provided by the National Priorities Project (NPP). Their estimate was that the US national security budget was $1.2 trillion a year.

A new report by the New America Foundation has further explored the costs of surveillance in terms of lost business opportunities to US companies, US foreign policy and cybersecurity:

  • Direct Economic Costs to U.S. Businesses: American companies have reported declining sales overseas and lost business opportunities, especially as foreign companies turn claims of products that can protect users from NSA spying into a competitive advantage. The cloud computing industry is particularly vulnerable and could lose billions of dollars in the next three to five years as a result of NSA surveillance.
  • Potential Costs to U.S. Businesses and to the Openness of the Internet from the Rise of Data Localization and Data Protection Proposals: New proposals from foreign governments looking to implement data localization requirements or much stronger data protection laws could compound economic losses in the long term. These proposals could also force changes to the architecture of the global network itself, threatening free expression and privacy if they are implemented.
  • Costs to U.S. Foreign Policy: Loss of credibility for the U.S. Internet Freedom agenda, as well as damage to broader bilateral and multilateral relations, threaten U.S. foreign policy interests. Revelations about the extent of NSA surveillance have already colored a number of critical interactions with nations such as Germany and Brazil in the past year.
  • Costs to Cybersecurity: The NSA has done serious damage to Internet security through its weakening of key encryption standards, insertion of surveillance backdoors into widely-used hardware and software products, stockpiling rather than responsibly disclosing information about software security vulnerabilities, and a variety of offensive hacking operations undermining the overall security of the global Internet.

These may end up being upper bounds of the costs (and consequences), but they are very helpful in identifying what is at stake here. I haven’t read the whole report yet, but the executive summary is here (pdf).

 

CFP: Spatial Big Data & Everyday Life (AAG 2015)

Call for Papers: Spatial Big Data & Everyday Life
American Association of Geographers Annual Meeting
21-25 April 2015
Chicago

Organizers:
Agnieszka Leszczynski, University of Birmingham
Jeremy Crampton, University of Kentucky
“What really matters about big data is what it does” (Executive Office of the President, 2014: 3).

Many disciplines, including the economic and social sciences and (digital) humanities, have taken up Big Data as an object and/or subject of research (see Kitchin 2014). As a significant proportion of Big Data productions are spatial in nature, they are of immediate interest to geographers (see Graham and Shelton 2013). However, engagements of Big Data in geography have to date been largely speculative and agenda-setting in scope. The recently released White House Big Data report encourages movement past deliberations over how to define the phenomenon towards identifying its material significance as Big Data are enrolled and deployed across myriad contexts – for example, how content analytics may open new possibilities for data-based discrimination. We convene this session to interrogate and unpack how Big Data figure in the spaces and practices of everyday life. In so doing, we are questioning not only what Big Data ‘do,’ but also how it is they realize particular kinds of effects and potentialities, and how the lived reality of Big Data is experienced (Crawford 2014).

We invite papers along methodological, empirical, and theoretical interventions that trace, reconceptualize, or address the everyday spatial materialities of Big Data. Specifically we are interested in how Big Data emerge within particular intersections of the surveillance, military, and industrial complexes; prefigure and produce particular kinds of spaces and subjects/subjectivities; are bound up in the regulation of both space and spatial practices (e.g., urban mobilities); underwrite intensifications of surveillance and engender new surveillance regimes; structure life opportunities as well as access to those opportunities; and/or change the conditions of/for embodiment. We intend for the range of topics and perspectives covered to be open. Other possible topics include:

• spatial Big Data & affective life
• embodied Big Data; wearable tech; quantified self
• algorithmic geographies, algorithmic subjects
• new ontologies & epistemologies of the subject
• spatial Big Data as surveillance
• Big Data and social (in)equality
• “ambient government” & spatial regulation
• spatial Big Data and urbanisms (mobilities; smart cities)
• political/knowledge economies of (spatial) Big Data

We welcome abstracts of no more than 250 words to be submitted to Agnieszka Leszczynski (a.leszczynski@bham.ac.uk) and Jeremy Crampton (jcrampton@uky.edu) by August 29th, 2014.
References:

Crawford K (2014) The Anxieties of Big Data. The New Inquiry. http://thenewinquiry.com/essays/the-anxieties-of-big-data/

Executive Office of the President (2014) Big Data: Seizing Opportunities, Preserving Values. The White House. http://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf

Graham M and Shelton T (2013) Guest editors, Dialogues in Human Geography 3 (Geography and the future of big data, big data and the future of geography).

Kitchin R (2014) Big Data, new epistemologies and paradigm shifts. Big Data and Society (1): In Press. DOI: 10.1177/2053951714528481. http://bds.sagepub.com/content/1/1/2053951714528481.

 

Contractor receives $400K federal funds for automatic license plate reading

According to reporting by Bloomsberg News the IRS, the Forest Service and the U.S. Air Force’s Air Combat Command have awarded a contractor over $400,000 in contracts for its automated licence plate recognition (ALPR) system since 2009.

It’s not clear if the contracts to Vigilant Solutions are ongoing, given the context that Homeland Security dropped similar plans in February of this year following widespread opposition form civil liberties groups.

“Especially with the IRS, I don’t know why these agencies are getting access to this kind of information,” said Jennifer Lynch, a senior staff attorney with the Electronic Frontier Foundation, a San Francisco-based privacy-rights group. “These systems treat every single person in an area as if they’re under investigation for a crime — that is not the way our criminal justice system was set up or the way things work in a democratic society.”

Other countries (including the UK) have long had such systems in place.

If you go to the Vigilant website they have a long complaining blog post about the lies and distortions by civil liberties groups:

License plate readers are under siege nationwide, thanks to a well-funded, well-coordinated campaign launched by civil liberties groups seeking to take advantage of the growing national debate over surveillance. 

Unfortunately, the campaign led by the American Civil Liberties Union (ACLU) has deliberately clouded and even omitted those facts.

According to this article, Vigilant actually successfully used the First Amendment to overturn an anti license-plate recognition law in Utah:

Vigilant Solutions and DRN [Digital Recognition Network] sued the state of Utah on constitutional grounds, arguing that the law infringed on the First Amendment right to take photographs of public images in public places, a right that everyone in Utah shares.

The law was overturned, but Vigilant com,plains that state agencies were then barred from using any of the data collected, impacting their profits. They also complain about data retention limits.

What’s also interesting about companies such as this is that they illustrate the argument for understanding policing and military together (see this blog post by Derek Gregory for example).

Security and resilience

Capture

The journal Politics which is published by the Political Studies Association, has a new open access issue on resilience and security. The issue was edited by three people at Warwick University, James Brassett, Stuart Croft, and Nick Vaughan-Williams with whom I was not previously familiar.

I look forward to perusing this in detail soon, but it’s worth noting one thing here. The editors open by claiming there’s a kind of gap or slippage in how “resilience” as a concept is put into play (a productive gap they claim). As I noted earlier this year in reply to Mark Neocleous’s anti-resilience piece (with an open access follow-up in Society and Space here), if we are to make anything useful with the concept of resilience, then we need to understand how it can improve human well-being (as well as the related question of well-being for whom).

It looks on initial inspection as if the issue is more concerned with resilience than security, but it is good to see the two terms being put together. Pete Adey, Klaus Dodds and I have a cfp on (post)-security and sustainability that is relevant here. Despite the prevalence of “critical security studies” these three terms are rarely placed in conjunction.

(Via Stuart Elden)

cfp: AAG Tampa 2014: “What Space for the Post-Security State?”

AAG 2014 CFP

 “What Space for the Post-Security State?”

 Tampa, Florida, 8-12 April 2014

 Session organizers: Jeremy Crampton, University of Kentucky, Klaus Dodds, Peter Adey (Royal Holloway University of London)

 Session sponsored by the Political Geography Specialty Group

This session takes up recent challenges to the logics of security (Neocleous, Vine, the CASE Collective), and seeks papers that open up new ways of thinking about security through critiques, oppositions, limits, resistances, or different kinds of security altogether (e.g. alter-security).

The goal is to collectively sketch the contours of a possible “post-security” state in which security’s costs as well as its benefits are more critically understood. Where today’s security is usually positioned as “more is better” and “safer rather than sorry”, our goal is not to necessarily reject security, but rather to identify a range of different interventions, critiques (perhaps “affirmative” McCormack, 2012), alternatives, that might think with security in productive ways or, indeed, new ways.

Our agenda is to seek positions that are not always outside or external to security apparatus, or so unaware of their location that the where of security is lost. We seek perspectives that unsettle the relationship between security and the state, such as its (potentially ever greater) privately administered projects and outsourcing. What manners of security are possible that might be creative hybrids of the state-private-communal spectrum?  Can we identify alternative propositions to the pernicious investment of what Paul Amar has called the “human-security state” (Amar 2013), legitimized by appropriating a more progressive religious, gender, class and sexual politics?

Examples of possible paper topics include:

–ways in which the national security state is itself inherently insecure as evidenced through “moles,” spies, whistleblowing and “insider threats” such as Manning and Snowden;

–the environmental costs of security installations;

–the economic costs of security;

–military resource extraction;

–properties of violence (Correia, 2013);

–military landscapes;

–geographies of “baseworld”

–borderland securitization struggles;

–the admixtures of race, gender and rural-urban relations in modern incarceration regimes;

–health impacts of security including an estimated half million Americans with PTSD;

–“big data” and surveillance;

–histories of the security and surveillant state;

–private security and security outsourcing (security beyond the state);

–the sustainability of current practices of security or vulnerability and resilience to security.

– new languages or grammars of security and post-security

We seek papers that will address any of these or other related topics we have not listed. If in doubt, please contact us!

Our session deliberately seeks to continue and deepen interdisciplinary exchanges, and we welcome contributions from geography, political science, economics; sociology, environmental science, international relations, political sociology, psychology, computer science, the creative arts, and history.

If you are interested in participating, please submit an abstract of no more than 250 words to Jeremy Crampton (jcrampton@uky.edu). The conference discounted registration ends on October 23, 2013. For more information please see http://www.aag.org/cs/annualmeeting.