The revelations concerning the existence of the PRISM system have occupied a great deal of space in the mainstream media on both sides of the Atlantic Ocean. For those distrustful of the ways that governments use their legal powers to intrude into people’s daily lives, the public outing of PRISM shows another facet to the so-called ‘special relationship’ between the United Kingdom and the United States.
Others, however, take a more laissez-faire view. If that is what it takes to ensure society is not attacked out of the blue, then it is a necessary element of a wider approach to preventing acts of terrorism and criminal behaviour.
Indeed the degree of traction the topic gained in the wider media was perhaps surprising. Many works of fiction, movies and television series have to some extent already immunised the public. Many are no doubt puzzled at the debate. They perhaps took it for granted that such things were routinely occurring.
Monitoring social media
To take that view they would have had to have missed brief coverage of two reports emerging in the national media in the United Kingdom, of occasions when two potential spree-shooters (one in Manchester and one in Northampton) were stopped going to their schools and conducting a repeat of the kind of attacks all too often seen in America. One had complained of being bullied and that this was his opportunity for revenge.
The intelligence that stopped those attacks came from the FBI. They saw aberrant behaviour on the social media postings of the two individuals and decided to let the United Kingdom authorities know. If GCHQ was conducting such routine surveillance of actual content, surely they would have picked up the planned attacks and notified the police?
The speed with which all the leading players in the main internet companies have also rushed out statements is also indicative of the situation. Rather than believe the individuals involved, some elements of the press have resorted to analysing the precise syntax of their statements to see if these senior individuals were playing with words.
The word ‘direct’ has specifically come under great scrutiny. What did ‘direct’ access to the servers in various internet service suppliers actually mean? Did that suggest that a black box had been placed amongst their servers to harvest data? No, came the unified and very definite response from the internet service providers.
All this talk of trawling through vast quantities of data attempting to find patterns of behaviour that somehow are indicative of the precursors to a terrorist attack or criminal behaviour prompts a wider thought. To what extent could the intelligence agencies use wireless networks to collect material on suspects?
Go online these days in many locations around the United Kingdom and the plethora of networks that are possibly available on various devices has notably grown. Some are obviously private. Others are publically available.
For those providing free access to wireless networks, the idea of come and have a coffee or something to eat and bring your various hand-held devices with you is a matter of corporate survival. Those that originally tried to charge for access have now had to accept a different business model which has some free access time.
For the intelligence agencies, however, those signals that are so widely available (albeit at short range) they offer a multitude of possibilities for harvesting data. This is not a modern phenomenon. As desktop computer systems became more widely used in the 1980s and early 1990s, demonstrations showed that a well-equipped person sitting outside a building could capture images of what was displayed on the screen of a senior member of a large corporation. This had the potential to be hugely valuable, as some of the material captured had associated share price sensitivities.
At the time a new word entered the security lexicon. That word was ‘tempest’. Buildings and equipment holding sensitive information had to be tempest-proofed. Faraday cages provided one solution. They attenuated the signals to such low levels that anyone nearby would have found it really hard to obtain any information of value.
The contemporary equivalent of the tempest problem is the degree to which corporate and personal wireless networks are secure. With all the talk in America about Chinese cyber spies using the internet to steal military and economic secrets, it is possible to wonder if intelligence officials based at embassies, or indeed private citizens, may also be able to access personal networks.
Degrees of security
At present, the degree of security associated with the vast majority of privately owned wireless networks is minimal. Corporate networks of course benefit from the insight of professional information technology employees, whose task is to do all they can to protect the company’s intellectual property. This also applies to the increasing numbers of people that now try to work some of the time at home. The situation for private operators of wireless systems is, however, very different.
They are confronted with a plethora of advice on how to secure their domestic wireless networks. But they do face barriers. The most obvious one is the degree of technical jargon used to describe the security measures they need to take. Advice that instructs ordinary users to ‘carefully position their device’ in order to minimise ‘leakage’ may not readily chime with members of the public.
For those of us that remember the impact of tempest, this is easy to grasp. Just how many people really fine tune their firewall for example? How many leave their wireless devices on all day and all night? How many people have a first clue about what a Service Set Identifier (SSID) is could be a topic for an interesting survey.
It is possible to suggest that before you follow some of the advice proffered by some companies and disable it, you may need to try and grasp what it does.
Activating address filtering may also be beyond some domestic users. As always with security in any system, the problem is with the weakest point. How many private users of wireless networks really have the time and patience to routinely change their passwords or figure out how to enable encryption?
All of this suggests one important conclusion. The majority of domestically operated wireless networks are not as secure as they should be if people really want to maintain their privacy.
The debate over whether or not the intelligence agencies are accessing servers based overseas to intrude into people’s private lives is interesting, but quite irrelevant to most people in the 21st century. What might provoke a very different reaction would be the revelation that domestic wireless networks were somehow being intercepted.