Even without resorting to more aggressive, active attacks, the amount of information that can be obtained with simple network tools is staggering. This is exactly why the NSA has invested so much time and money in its passive Internet surveillance capabilities—and why even “drive-by” surveillance by anyone who can capture pieces of your daily life on the Internet is a potential hazard to your privacy.
After our brief one-week surveillance of Henn’s online activities, I joked that I could have written his story about data centers for him. And while that wasn’t quite true, we had uncovered a vast trove of information—the exact types of information the NSA could use as a digital fingerprint to identify and track any of us online:
- Most of the apps on Henn’s iPhone, based on application data while he was connected to the Wi-Fi
- The operating systems he used on personal computers, and the applications they ran—such as Microsoft Office, Outlook, Internet Explorer 7, Skype, and an app for syncing workout data from his wearable device
- Henn’s mobile phone number, unique device identifiers (UDID), model numbers, operating system versions, and cellular provider
- The addresses of e-mail and VPN servers and personal e-mail services
- Every website he visited and how often
- Cookies used to read paid websites
- Places he might be planning to travel
- The general content of Web search queries and which sites he visited as a result
- E-mail addresses and phone numbers he looked up online
- His patterns of activity—when he was working, using his computer for non-work purposes, or was active on a smartphone
Voluntarily opening up your online life to this kind of monitoring is not for the fainthearted, but the exercise was revealing.
“If you have even the foggiest idea of how technology works and you think about what you are actually doing online,” Henn said afterward, “you have probably realized some of this could happen to you. But going through it myself, it was still kind of shocking in the detail.” He also realized with surprise that anyone tracking his Internet usage “could actually know more about my own past than I did.”
Porcello, a security veteran, was himself chastened by data leaks from applications he frequently used—and he pointed out just how hard security is, especially for smaller companies. “We just look for apps that work and trust them,” he said, because they help get work done—and the average small business doesn’t have the time or resources to run penetration tests against every piece of software it uses.
Our experiment also highlighted my own lapses in daily operational security; playing NSA for a few days has made me want to dive deeper into my own Internet traffic to see where my network might leak personal data. That’s not because I’m concerned about being a government surveillance target; but I am concerned about what I, my children, and even my parents expose about ourselves online, even when we aren’t doing anything obviously wrong. Even if I make sure every application on every device in my house is up-to-date and do everything I can to lock things down, all I’m doing is minimizing my potential exposure—not removing it altogether.
Surveillance technology has become a commodity these days. While the NSA has invested untold billions to build its Internet collection capability, most users face more imminent threats of being surveilled while eating lunch in a mall food court by someone with a few hundred dollars’ worth of mobile hardware and some open-source tools. And businesses are at risk of widespread breaches by anyone with a thousand bucks and physical access to the corporate network.
Is the Internet a safer place than it was before we knew about Prism? In some ways. But for the vast majority of people online, a little paranoia remains a very healthy thing.
Read the full article on Ars Technica here: http://arstechnica.com/security/2014/06/what-the-nsa-or-anyone-can-learn-about-you-from-internet-traffic/