Another Reason Adopting 'Collect It All' Was A Bad Idea: China May Now Be Applying It To US Citizens' Personal Data
from the this-is-why-strong-crypto-is-your-friend dept
At the start of the year, we wrote about an important point made by Bruce Schneier and Edward Snowden concerning information asymmetry in the world of spying -- the fact that the US and the West in general have far more to lose by undermining security in an attempt to gain as much information as possible about other countries, than they have to gain. A fascinating analysis from Bloomberg indicates that this also applies to the "collect it all" mentality. The article raises the troubling possibility that both of the huge OPM data breaches were not only the work of Chinese state actors, but part of a much larger plan:
Some investigators suspect the attacks were part of a sweeping campaign to create a database on Americans that could be used to obtain commercial and government secrets.
The Bloomberg article suggests that China started gathering first travel records, then health records, Social Security numbers and other personal information on Americans in an attempt to build an increasingly complete picture about huge swathes of the US population. Whether or not that new "collect it all" approach was directly inspired by the NSA's espousal of the idea is a detail: it was certainly brought to prominence by General Alexander's statements, and is now part of the common currency of surveillance.
"China is building the Facebook of human intelligence capabilities," said Adam Meyers, vice president of intelligence for cybersecurity company CrowdStrike Inc. "This appears to be a real maturity in the way they are using cyber to enable broader intelligence goals."
It is made possible by lax security, even for huge datasets, as the OPM fiasco shows. That means it is entirely plausible for the Chinese secret services -- and for those of other nations -- to try to collect information about every US or EU citizen, as people's lives move online, and their most personal data is stored in Internet-accessible databases.
Standing in the way of achieving that is the strength of the security protecting that information -- something that governments around the world are now threatening to undermine in the name of their own offensive surveillance capabilities. How many hundreds of millions of personal records must be lost before the authorities wake up to the fact that if they compromise encryption, the only thing they are certain to achieve is to make the task of "collecting it all" easier for China and other nations?
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: china, collect it all, dossier, espionage, privacy, surveillance
Reader Comments
One million low value targets vs One high value target
Before, if a foreign government or criminal group wanted to get detailed information on a lot of people, they would have to hit a lot of targets to get it.
By collecting everything into a central location though, a single hack is enough to get everything, vastly increasing the value of whatever system has the data, and dramatically increasing the odds that it will be hacked, as the value of the contents means those who are trying to hack in are willing to spend significantly more resources attempting to do so, because they know it will be worth it.
[ link to this | view in chronology ]
Re:
They would sooner sign China the fuck on board with them before they stopped the collection AND publicly admit it!
[ link to this | view in chronology ]
It's Not Just Online Info
I don't live in the US but I do get a lot of phone calls from people who while they speak good English are clearly not native English speakers because they have a faint but nevertheless definable accent. Now having an accent does not necessarily mean much in letting you know where they are calling from in this day and age of mass migration but I say that because these callers INVARIABLY have much the SAME accent and they INVARIABLY claim to be calling FROM my own country. I mention that because each caller will (generally) give a first name; and that name is typically a typical English-language name. Like Jane or James.
Another indication that all is not as it seems is that many of these callers block caller ID info. However, in my country if you get an overseas call with a blocked caller ID it will report "OVERSEAS"; and that is what I sometimes get with some of these calls. But only sometimes. At other times I don't.
However, sometimes these calls do NOT block caller ID. If, however, you try to call the number back which caller ID provides what typically happens is that your phone won't connect. That plus other info (read on!) has led me to suspect that these particular numbers are simply relaying calls from some other source. I personally suspect that source to be a VOIP one, but that is mere suspicion on my part.
But to continue...
These callers represent themselves as being from energy or phone companies and try to induce me to change from my current provider to the one they claim to be calling from. Now in order to do this these people have to record my call (they typically don't tell you that) and I would have to provide them with two pieces of identifying information. One is typically a birth date. Another is generally some kind of ID number.
Each of these callers, no matter who they claim to be from, typically follow the same spiel. (In fact the spiel is often SO alike I would say they have some kind of script in front of them, a script from a common source.)
If you try to query the people making these calls, sometimes the line will go dead. At other times you can lead them on to provide some info to allay your fears. This is typically a phone number they claim you can use to call them back on. Or at least to verify they are who they claim they are. One time I got such a number from one of them, who represented himself as being from a major telecom provider in my country. When I did call that number--a LOCAL call number for my country; let me emphasize that!--I wound up talking to a lady who turned out to be IN CHINA! At least that was where she claimed to be calling from.
I had initially thought these calls came from India, since that tends to have an armlock on the call centre business, but after that call, thinking back, I realised those accents those callers had could well have been Chinese.
When I dropped into an office of the telecom provider in question and spoke to someone about that call the person I spoke to denied that his company had authorised such calls.
I have also checked up on some of the caller ID provided phone numbers on the Net and find that I am not the only one getting these calls. In fact they appear to be a veritable plague!
I do not know whether this same plague exists outside my own country, but I suspect it probably does. Either way, it does seem that somebody in China is trying to build up a database of identifying info of people living in Western countries.
[ link to this | view in chronology ]
Re: It's Not Just Online Info
I figure I'll poison the well, I often answer but never give them accurate name/info. Sometimes, I get a call asking for {my fake name}, so am immediately aware it's a scam.
[ link to this | view in chronology ]
Re: Re: It's Not Just Online Info
By that I mean the information these people seek to gather is in a sense legit because in my country many phone companies and energy companies no longer have front offices. Therefore in order to get new clients they need to use the Net or the phone line to sell themselves. If they use the phone, the government REQUIRES them to gather identifying information in order to ensure that when a person's energy or phone provider is changed that they can verify that the person whose provider IS changed is the right person. The problem is that someone--presumably the Chinese--seem to have seen the potential for using that system to gather identifying information and are exploiting it, just as someone in China seems to have seen the potential in using OPM's lax site security to gather info on millions of Americans.
[ link to this | view in chronology ]
and then there's the FBI
Because data doesn't recognize nationality, substituting China for FBI is valid.
[ link to this | view in chronology ]
1. A foreign power with access to American citizens' personal info and no qualms about any supposed rights the citizens have.
Or
2. A local government with access to their citizens' personal info that has shown it believes its citizens have no rights when the government says so.
About the same really save that the local government will do more harm with that info. As they will use it out of spite against their citizens while said foreign power will use it as an advantage.
[ link to this | view in chronology ]
Re: what is more terrifying
A foreign power can't tax me, or shut down my business.
A foreign power can't prevent me from travelling.
My "own" government can do all these things, tho. And more.
[ link to this | view in chronology ]
When will it change?
BTW, in the OPM breach, are the security people like the FBI, NSA, DHS and HUD people included? It would be an amusing irony if the personal information of both the "grab it all" NSA types and the "backdoor everything" FBI types were hoovered up in the OPM breach.
Also, just for fun, if someone has a reason to believe that they are one of the compromised, in the OPM breach, should or should not that exposure exclude them from jury duty? After all, they could potentially be blackmailed for a verdict. Anyone care to try to escape duty on their next jury summons, pleading the OPM breach?
[ link to this | view in chronology ]
Re: When will it change?
It's funny to me that all the talking heads that go ape over any minor security issue are basically silent about this. This hack is the worst possible security risk, every single person with a national security clearance is at risk of being weaponized by the enemy. The only real solution is to get new people, but good luck selling that to the people that need to be fired.
[ link to this | view in chronology ]