Print Friendly and PDF
only search openDemocracy.net

They are spying on us and we know it

Instant messaging has become the main digital tool for social and political activism. As its use expands, so do doubts about its confidentiality. Español Português

Demonstration against PRISM in Berlin, organized by the Pirate Party, during United States president Barack Obama's visit. Mike Herbst/Wikimedia Commons. Some rights reserved.

For some years now, we have been witnessing the emergence of relational, cross-over, participative power. This is the territory that gives technopolitics its meaning and prominence, the basis on which a new vision of democracy – more open, more direct, more interactive - is being developed and embraced. It is a framework that overcomes the closed architecture on which the praxis of governance (closed, hierarchical, one-way) have been cemented in almost all areas. The series The ecosystem of open democracy explores the different aspects of this ongoing transformation.

Freedom of expression is one of the pillars of modern democracy, and the right to the privacy of our communications is a part of it. During the last century it was said that, in some dictatorships, they opened letters with steam - so that the peeping could go unnoticed -, they read the contents – to detect divergent thinking -, they closed the envelopes again, and let the letters reach their addressees - to avoid suspicions.

Today, when we send a message from the simulated intimacy our electronic devices give us, it is traced by a complex communication intercepting system. The root cause of the problem is this: the internet is a network designed for sharing information which, at the time it was created, was not intended for its current use – nor was the problem of privacy taken into account.

The problem is bigger than we can possibly measure. Whenever we connect to a website that does not have https - when a little padlock appears in our url - all the interactions we make are clear. This means that anyone who is viewing our connection – which goes through several intermediate servers - can read everything we write - passwords, emails, attachments - in addition to the url we are visiting.

When we talk about virtual communications, e-mail and messaging apps, the issue becomes even more complex. Gmail and Hotmail, the two most common providers, know all the content of all the emails we store with them. WhatsApp has been encrypted since April 2016 - but messages only. Telegram uses other encryption versions, and traditional SMS are not encrypted. In short: it is very easy to spy on us.

Massive spying

The internet design has always been the problem, but not even the most paranoid hacker in the world would have imagined the terrifying picture Snowden introduced us to in June 2013. The Five Eyes Alliance - the US, Australia, New Zealand, Canada, and the UK - spies on all internet users on a consistent, systematic and cumulative basis. Not a minor detail is the fact that the US invented the internet in the first place, and that it is the country that controls it the most.

Yahoo gave the National Security Agency (NSA), the US agency dedicated to digital espionage, full access to all its users’ emails. Google responded to the NSA’s requests but did not give them full access, and since the NSA deemed it insufficient, it chose to illegally enter Google’s servers and check the information anyway. No Internet company is free from these pressures.

Your electronic devices spy on you. It is not only Wikileaks that says so, but a US court: your SmartTV spies on you without asking for your consent. It not only records everything you are watching, but even when it is not on it can record and share your private conversations. The same thing happens when we activate our cell phone’s voice control: it listens to us.

All these data are being processed with the aim of spying on us massively. In this process, metadata are crucially important. Metadata are the data which describe the data: date of creation, modifications, size, format, GPS coordinates, among others. It is on the basis of this information that behaviours can be determined which the agencies analyze so as to gauge the degree of surveillance they need to apply to us.

Ads on the internet work in a similar way: how many times, after seeing a particular product on some web, does not this product chase us through ads on the other websites we visit? This is only advertising; just imagine what spy agencies can do. Think about what might happen if, by any chance, you have the misfortune to coincide twice in the same site as a person who is under government surveillance.

Programs to infect

Digital espionage is not only massive, it is also customized. The Five Eyes Alliance has been spying on government leaders like Angela Merkel, internet tycoons like Kim Dotcom, and has become so pervasive that even Donald Trump dares to be frivolous about it.

You can spy on a device in many different ways and to different effects: capturing everything written, sending all the actions you perform while browsing, accessing all your WhatsApp messages, using the webcam and the microphone unnoticed - among many others. The problem is so real that even Mark Zuckerberg and James Comey - director of Facebook and the FBI respectively - taped their laptop webcam as an anti-espionage measure.

There are companies like Hacking Team that sell spyware and their main clients are governments. Their exploits – i.e. programs for taking control over a computer - can be attached to a Word file and take control of your Mac or PC unnoticed, when the file is opened. Among Hacking Team’s top customers: the governments of Mexico, Italy, Morocco, Saudi Arabia and Chile.

But you do not have to be a government: a simple internet search can offer you some very advanced program licenses at a small cost - about 50 USD dollars. The slogan of one of the most popular of these programs is: "If you are in a committed relationship, have children, or manage employees, you have the right to know! Discover the truth, spy on their cell phone. »

The importance of privacy

"Arguing that you do not care about the right to privacy because you have nothing to hide is like saying you do not care about freedom of speech because you have nothing to say", Edward Snowden famously said in a debate on Reddit in 2015. There is nothing better than putting oneself in his position as a whistleblower to understand what is to be done.

Due the complexity of modern society, it is very often individuals with no media connections who get to know about some malpractice, a case of corruption, or a violation of human rights. Probably, their access to this information comes from knowledge picked up at their workplace, or at an organization they belong to, or the place where they live. If they publicly denounce this situation, it is quite likely that their way of life will be severely affected. In many cases, even if they denounce the fact anonymously, the accused may deduce the source.

Every society needs its citizens to denounce acts which harm and corrupt the community. But it must protect those who, through an act of courage, put themselves at risk by denouncing corruption, malpractices, or violations of human rights. This protection must be offered by both civil society and the state - through specific legislation protecting and encouraging whistleblowing.

In most Latin American countries there is no protection available for whistleblowers, nor is there an agency that protects officials who report malpractices within the public sector. This being so, and while we keep on waiting for protection mechanisms to be set up, civil society must propose measures so that people can report anonymously and safely. This can only be achieved with encryption.

If you do not have the key, it is not safe

In the physical space, when we want to keep something safe, we put it under lock and key. No one would ever think that a keyless door is safe. In the digital world you have to ask the same question: who has the key?

The first service to doubt is WhatsApp. They tell us they encrypt everything, but we do not have the key. We do not even have to put a password to generate it: from our number, the messaging service itself generates a key - which, of course, it controls. Messages are encrypted, but whenever WhatsApp (or its owner, Facebook) wants to, it can read them. The same happens with any other service that we do not have a password for.

The most common system for encrypting communications is PGP, which literally means "Pretty Good Privacy". It works with a public key system, which you share with everyone else, and a private key, which you are the only one to have. When someone wants to send you a message, they cipher it with your public key and you are the only one who can decipher it with your private key. The equivalent in the physical world would be to distribute open padlocks which, once closed, you are the only one who can open them.

Encrypting is the only way to keep communications and files private. If you have to send a message that you do not want to be tracked, forget about messaging and use PGP mail. Even better: use your own servers or non-intrusive services like riseup.net. For more information on this, check Tactical Tech’s Security in a Box manuals.

Arguing that you do not care about the right to privacy because you have nothing to hide is like saying you do not care about freedom of speech because you have nothing to say.

The future of communications

There is currently considerable tension between encryption and national security, and the national security theses have the upper hand. In 2014, the most heavily used and robust encryption program was discontinued for no apparent reason. In 2015, a judge in Spain considered the use of Riseup and encryption in private communications an aggravated circumstance. In 2016, the FBI admitted that it could break the iPhone encryption, and refused to share its finding with Apple.

These are just three examples, and we could go dig much deeper, but in the end we have to accept reality: our communications are becoming increasingly insecure. It is a global problem, which the non-politicized citizen has, and so does any activist, journalist, businessman, policeman or whistleblower. We are all on the same boat.

In order to change this trend and allow for safer communications, our governments should start promoting and distributing free software tools. This is the path that cities like Munich have begun to follow which, in the long run, will help them to break free from the big multinational corporations and  become self-sufficient in information technology and information management in a democratic context. Just think about this: in order to govern your country, all your MPs are using software that is owned and controlled by US companies - and yes, you can be sure that they are listening to them too.

About the author

Eduard Martín-Borregón es periodista de datos especializado en seguridad digital. Actualmente es Coordinador de Tecnologías para la Transparencia en PODER, organización cofundadora de Méxicoleaks y Perúleaks, que promociona la creación de nuevas plataformas de filtración anónima y segura en la región.

Eduard Martín-Borregón is a data journalist who specializes in digital security. He is currently Coordinator of Technologies for Transparency at PODER, an organization that co-founded Méxicoleaks and Perúleaks, and promotes the creation of new anonymous and safe whistleblowing platforms in the region.


We encourage anyone to comment, please consult the
oD commenting guidelines if you have any questions.