E-Surveillance and User Privacy

1
E-Surveillance and User Privacy

• Yvonne Gladden
• Lauran Hollar
• Tim Kennedy
• Grant Wood

2
E-Surveillance

• Surveillance The act of observing or the
  condition of being observed.
• Electronic Surveillance (US Government - FISA)
  the acquisition by an electronic, mechanical, or
  other surveillance device of the contents of any
  wire or radio communication
• License Plate
  Monitoring

3
Privacy

• The right of individuals to control or influence
  what information related to them may be collected
  and stored and by whom and to whom that
  information may be disclosed

Google Street View
4
Why is it Important?

• Impacts virtually everyone
• Internet
• Cell Phones
• Personal information
• Law Enforcement
• Evidence Collection
• National Security
• Drift Net Type Approach
• Keyword Detection

5
Legal Background

• e-Surveillance is not a new subject that the
  courts have had to deal with.
• In 1928 the U.S. Supreme Court ruled on a case
  about it.
• In 1934 this ruling was reviewed and changed.

6
Legal Background

• In 1967 the Supreme Court ruled that the
  government could not infringe upon a persons
  reasonable expectation of privacy.
• In 1968 Congress codified the requirements to
  obtain court authority for interception of oral
  and wire communication
• In 1986 this Act was amended to include
  electronic communication

7
e-Surveillance Techniques

• Spyware
• Network Monitoring
• Compromising Emanations (CE)
• Biometrics (hand scanning, iris scanning)

8
Spyware

• Various Threat Levels
• Identification Cookies (low)
• Associated (3rd party) Cookies (low med)
• Application based (medium high)

9
Spyware Infections
Key loggers send sensitive data (i.e. passwords)
to spyware controller
Commercial habits, and search keywords
Sends host name, IP addresses, and computer
processes
10
Associated Cookies
11
Delivery of App Based Spyware

• Piggybacking on other software
• Hidden in utility applications
• Execution of ActiveX or Java Applets

12
Network Monitoring

• Packet Sniffers
• Hardware Software
• Narus Semantic Traffic Analyzer
• State of the art monitoring software (Ultimate
  Net Monitoring Tool)
• Linux based
• Used by NSA in monitoring Internet traffic
• Used by ISPs to perform court-ordered monitoring

13
Compromising Emanations

• TEMPEST codename referring to study of CE
• Heavily researched in military applications
• Examples
• computer monitors (optical, electromagnetic)
• cpu (electromagnetic)
• keyboard (accoustic)

14
Compromising Emanations

• Soft Tempest
• method for preventing eavesdropping on monitor
  emissions
• works by using software to filter off some of the
  higher frequencies before they are sent to the
  monitor

15
Soft Tempest Example
Before
After
16
Biometrics

• Automated methods of recognizing a person based
  on a physiological or behavioral characteristic

17
Use of Biometrics

• Sec. 403(c) of the USA-PATRIOT Act specifically
  requires the federal government to "develop and
  certify a technology standard that can be used to
  verify the identity of persons" applying for or
  seeking entry into the United States on a U.S.
  visa "for the purposes of conducting background
  checks, confirming identity, and ensuring that a
  person has not received a visa under a different
  name."
• Enhanced Border Security and Visa Entry Reform
  Act of 2002, Sec. 303(b)(1), requires that only
  "machine-readable, tamper-resistant visas and
  other travel and entry documents that use
  biometric identifiers" shall be issued to aliens
  by October 26, 2004. The Immigration and
  Naturalization Service (INS) and the State
  Department currently are evaluating biometrics
  for use in U.S. border control pursuant to
  EBSVERA.

18
Uses of e-Surveillance Summary

• National Security (Government)
• ECHELON
• Carnivore (now defunct)
• Law Enforcement
• Finding Dealers of Child Pornography
• Finding Child Predators
• Corporate Security
• Employee Monitoring
• Internet Advertising
• Spyware
• Malicious Uses
• Identity Theft
• Credit Card Fraud

19
Techniques for Privacy Protection

• Firewalls
• software or hardware based
• Anti-spyware software
• Ad-Aware, Spybot, PestPatrol
• Encryption
• Tighter Security at OS Level
• FOOD
• Changes to Network Protocols
• DISCREET

20
FOOD

• System to prevent execution of malicious code on
  Windows/X86
• Prior to execution, checks hash of binaries
  against signature of allowed binaries if not
  allowed, execution denied
• Prevents unauthorized indirect branching
• Protects from buffer overflow attacks
• Cost 35 performance hit!
• Weakness Does not protect against scripted
  (interpreted) code attacks Perl, VB, etc

21
DISCREET (D-Core)

• New approach to user privacy
• Goals
• Allow users to take advantage of new services
  without worrying about their private information
  being misused
• Structure
• Three additional network layers (sub-layers of
  the Application Layer)
• Identity Layer
• Confidentiality Layer
• Policy Control Layer

22
Challenges

• Balancing user privacy vs. the need for
  information
• encryption if it is too good then criminals can
  communicate with impunity
• Balancing security and user friendliness
• Volume of Information (Mass Surveillance)
• Legal Issues
• FISA
• Patriot Act

23
Moving Forward

• Awareness
• 70 of American computer users claim to have
  anti-spyware software on their computer, only 55
  actually do
• Only 22 have an enabled firewall, updated
  anti-virus software, and anti-spyware software
  installed on their computers

24
Moving Forward

• Pass laws to make it tougher to collect personal
  information without consent, and to prohibit
  unfair deceptive practices using spyware
• I-SPY ACT (passed three times by House, currently
  in Senate committee)

25
Individual Contributions

• Lauran Presentation, Group Meeting
  Coordination, Improvement Opportunities
• Yvonne Presentation, Biometrics
• Tim Presentation, Legal Issues
• Grant Presentation, Technology Research

26
Conclusion

• Privacy will be an ongoing issue
• More capabilities lead to more security and
  ethical issues