Whistleblower Edward Snowden revealed back in 2013 the breadth and scale of the United States government’s internet surveillance program, PRISM.
Most mainstream media focussed on US citizens’ outrage that their government was conducting indiscriminate surveillance. Some covered the fact that long-time US allies, such as German Chancellor Angela Merkel, were also under surveillance.
But not widely reported was the extent to which this surveillance also sucked up the email, internet and voice communications of most people in the West (and perhaps the East).
In his autobiography Permanent Record, Snowden also revealed numerous National Security Agency (NSA) and Central Intelligence Agency (CIA) sponsored surveillance programs, a correlated example of which are TURBULENCE, TURMOIL and TURBINE.
He described how when you navigate to a website, send an email or SMS, make a voice or video call or upload something to the cloud, the web traffic (metadata and data of the request) pass through TURBULENCE.
He detailed TURBULENCE as comprising a few “black servers”, stacked on top of one another, installed in all major telecommunications providers in countries allied to the US as well as US embassies and military bases.
These servers run two critical tools — TURMOIL and TURBINE — that handle “passive collection” and “active collection” respectively. Passive collection refers to making a copy of the traffic and active collection refers to tampering with the originating computer.
In essence, Snowden revealed that all traffic from all users (at least in the West) is intercepted, copied and stored in perpetuity on servers operated by US intelligence agencies.
Stealing data
All internet traffic includes a small packet of identifying data; metadata. Metadata identifies the computer and software from which the traffic originates. It includes the computer type (PC, tablet, phone), the IP address that computer exposes to the internet, the Operating System running on the computer (Windows, OS X, Linux, Android, iOS) and its version, and the software (user agent) the traffic was generated from (Chrome, Firefox, Gmail) and its respective version.
As the metadata passes through TURMOIL, if the data in the request (which includes the metadata, geographic location, email address, credit card details, phone numbers) is flagged as comprising anything contained on a dynamic list of “suspicious” entries, TURBINE is activated.
TURBINE then identifies features of the computer from which the request originated (using the details in the request’s metadata).
You may have suffered the irritation of being told to “wait” while updates are applied on a computer running Windows. Sometimes, the “update” requires a period of “waiting” when shutting down and when restarting the computer.
The updates are, at times, a new security “patch” issued by Microsoft. Someone, somewhere found a “bug” that allowed someone else with malign intentions to steal data or install a virus or other software that could possibly gain access to the computer.
After receiving advice of a “bug”, Microsoft software programmers code the necessary changes to address and rectify the flaw — the “patch”.
However, until Microsoft is advised, the bug can be exploited, potentially to gain control of the computer by software designed to exploit the flaw.
Using the metadata, TURBINE selects an unreported or unpatched vulnerability and installs a program intended to compromise the originating computer.
This can be designed to collect more information, perhaps by activating any resident camera or microphone, or possibly even to allow remote control of the device.
Bugging exposed
The outrage which followed Snowden’s revelations, particularly in the US, primarily concerned the indiscriminate, warrant-less nature of the surveillance.
Normally, if any law enforcement agency wants to record conversations, tap into phone conversations or to intercept mail, especially when these were done using physical microphones, intercepting landline phone calls at telephone exchanges or reading correspondence, a warrant would be required. For this form of spying, a search warrant would usually be issued by a judge.
But internet surveillance of the kind exposed by Snowden was conducted by the NSA without a warrant, based on the technicality that the information, though collected and stored, was not searched — at least, not at the time of collection.
The US elites’ reaction, initially, was to kill the messenger: they called Snowden a “traitor” and demanded he be arrested, while threatening any country offering him asylum.
Later, the bulk surveillance was ostensibly halted, following the passage of the USA Freedom Act which proposed an end to the bulk collection of Americans’ metadata and reform of the Foreign Intelligence Surveillance Act (FISA).
Although these measures have allayed the fears of some in the US, the same cannot be said of the other Five Eyes nations of Australia, Canada, Great Britain and New Zealand or the NATO alliance.
There is no effective means to prevent bulk collection of data in the internet era, unless the devices associated with TURBULENCE or other programs are physically removed from telecommunications providers.
Removing them would disable unsupervised, warrant-less interception but it would not prevent law enforcement agencies from requesting the data from internet service providers by making the required applications for an appropriate warrant.
Whether the TURBULENCE servers (or any other bulk “collection” devices) have actually been removed anywhere in the world is speculation.
As long as they exist, there can be no guarantee of privacy.
Does encryption work?
But if our private conversations, messages, images and video are encrypted (Signal, WhatsApp or Telegram) are we are safe from prying?
No.
Even if Snowden’s revelations that the algorithms used to perform this encryption may have been compromised proves untrue, the creation of quantum computing — machines that use quantum physics to store data and perform computations — will invalidate any remaining belief of privacy.
Encryption is only “unbreakable” because it relies on extremely difficult mathematical problem solving, which modern computers can only perform over very long periods of time (in the order of thousands or even millions of years).
Even if encryption can be broken, it is the time it would take to do it that provides a degree of comfort.
However this may change with quantum computers, touted as being able to perform mathematical feats in seconds compared to traditional computers that would require millions of years.
This means that as long as the encrypted data is still around (it currently resides on servers operated by the NSA in Utah) when quantum computers become a reality (predicted to be within the next 10 years) it will be easy to decrypt that data.
The Australian government ban on Huawei’s participation in the 5G roll-out and the Five Eyes mobile networks is a pretext aimed at maintaining the status quo.
Whether Huawei equipment can be designed to harvest or subvert data flowing through a network of heterogeneous devices is at best moot. Some experts argue that it is not possible without detection, while others do not agree.
In any case, the inclusion of Huawei 5G equipment may prevent US and Western intelligence agencies from exploiting existing domestically-manufactured equipment.
Protocols such as Secure Socket Layer (SSL), Transport Layer Security (TLS) and Secure Hypertext Transfer Protocol (HTTPS) employ encryption to ensure the security of network and, particularly, internet traffic. Of these, both SSL and TLS are implemented in computer processors or chips installed in servers and other network devices.
If, as Snowden revealed, the NSA approached the National Institute of Standards and Technology with a request to subvert encryption standards by placing a flaw in the implementation of encryption algorithms, we know that it is at least possible for a similar request to have been made to security accelerator chip manufacturers.
That would open the doors to the unfettered decryption of most, if not all, encrypted traffic.
If these agencies cannot make such a request of Huawei, either because it is controlled by a “foreign adversary”, or because making the request would expose that they plan to continue unchecked mass surveillance, it would mean that wherever Huawei equipment is used, the exploitation of unreported security flaws, or deliberate flaws in encryption algorithms, may not be possible.
The loss of these valuable surveillance capabilities is not a welcome prospect for agencies that have become dependent on their drug of choice — easy spying.