Communication in a world of pervasive surveillance: Sources and methods: Counter-strategies against pervasive surveillance architecture
Jacob Appelbaum
jacob at appelbaum.net
Thu Mar 31 08:32:27 PDT 2022
Hello,
The original message below about my PhD thesis sent to this list was
not sent by me. I do not use protonmail and while I find the
impersonation to be a kind of semi-creepy flattery, it may be
something worse, of course. I'd encourage people to download my thesis
from the university library [0] or my university home page. I had no
interest in advertising the thesis here and I was mildly surprised to
see it pop up on the list, especially sent by someone using my name
with all the implications included. With that said, it has been sent
to the list and I hope it is an interesting read for people who want
to read it. Unlike my university library, the PDF on my home page [1]
does not watermark or edit the PDF on a per visitor basis. The PDF on
my home page is also slightly revised because of an unexpected book
printing error. The PDF on my home page also has an improved general
index, it fixes a small number of typographical issues, and of course
it should fix the surprising last minute print alignment errors.
People who want a printed copy are welcome to contact me privately by
email. I will probably mail you a book or maybe I will hand it to you
personally. The book is not for sale, and I probably won't send it to
people who won't read it. I have a limited number of printed books
that I am mailing myself at my own personal expense. I want to
encourage paper book readers to read it as well. With that said - I
find the PDF much more readable because of the extensive use of
hyperlinks and cross referencing, also it's trivial to search a PDF
and less so for a printed book. The general index in both the PDF and
the book should make it possible to ask smart questions of the thesis
directly. For example - look up a vendor or product, find out if they
are a collaborator or a target of large-scale adversaries (or perhaps
find that they are missing!), read the original source documents,
study the listed implants for the vendor in question, and then it
should be possible to consider how it could impact you in your
everyday life. It is not comprehensive of all the implants or programs
known in the world and things left out are not a critique of other
research. There is much work to be done in cataloging and indexing a
worldwide history of capabilities and programs. Bugged Planet [2],
Cryptome [3], and WikiLeaks [4] remain useful for finding further
original source documents and analysis of information on these topics.
As usual with this mailing list like many other forums, we can expect
some folks to dismiss matters written about in the thesis.
Surveillance targets and other politically exposed persons in danger
are frequently attacked by such people. We can also expect that those
same people will not discuss the substantial facts or cryptographic
designs, except superficially if at all, and they will attempt to
distract, divide, disrupt, degrade, and destroy. The usual JTRIG
playbook is to be expected when discussing topics such as JTRIG (see
chapter 4) and especially other secret services who collaborate with
JTRIG directly (again see chapter 4). Even those who simply wish to
copy their methods or obtain similar results will draw out a defense
of some capabilities; capabilities whose very existence is an abuse by
relying on suspect interpretations of law and politics (again see
chapter 4). In the usual spirit of the cypherpunks I encourage readers
to ignore any bad faith trolling by using client side filtering. We
can expect that the usual or even new elements of the controlled
opposition (especially in the anglophone-sphere) will seek to make it
personal, to speak poorly of individuals, and they will also denigrate
the struggles and issues faced by those individuals. They will also
project their own issues on others, and of course they will try to
draw out personal and professional fights relentlessly. We may also
see flooding of messages about many topics - like a manic eruption to
distract any would be reader by burying this email reply among many
other emails. I encourage everyone to ignore such bad faith
engagements; this thesis is part of a different conversation with
different goals. I hope this thesis sparks further discussion among
those cypherpunks who are still writing Free Software for all of
humanity and that it helps potential users who want to protect their
own privacy and security. I hope that any discussion enhances how we
build what we need to build, and that the results are usable by
regular people. There is still much to be done - but I firmly believe
we can make huge progress in protecting traffic in our own autonomous
spaces (homes, cafes, conferences, etc), and ideally we can also make
the same progress with the Internet as well.
Specific protocol design and implementation discussions using the
issue tracker pages of Vula [5] and REUNION [6] are welcome.
Kind regards,
Jacob
[0] https://research.tue.nl/en/publications/communication-in-a-world-of-pervasive-surveillance-sources-and-me
[1] https://www.win.tue.nl/~jappelba/Communication_in_a_world_of_pervasive_surveillance-phd-thesis.pdf
[2] https://buggedplanet.info/index.php?title=Main_Page
[3] https://cryptome.org/
[4] https://www.wikileaks.org/
[5] https://vula.link/
[6] https://rendezvous.contact/
On 3/30/22, Jacob Appelbaum <jakeappelbaum at protonmail.com> wrote:
> Communication in a world of pervasive surveillance
> Citation for published version (APA):
> Appelbaum, J. R. (2022). Communication in a world of pervasive surveillance:
> Sources and methods: Counter- strategies against pervasive surveillance
> architecture. Eindhoven University of Technology.
> Document status and date:
> Published: 25/03/2022
> Document Version:
> Publisher’s PDF, also known as Version of Record (includes final page, issue
> and volume numbers)
> Please check the document version of this publication:
> • A submitted manuscript is the version of the article upon submission and
> before peer-review. There can be important differences between the submitted
> version and the official published version of record. People interested in
> the research are advised to contact the author for the final version of the
> publication, or visit the DOI to the publisher's website.
> • The final author version and the galley proof are versions of the
> publication after peer review.
> • The final published version features the final layout of the paper
> including the volume, issue and page numbers.
> Link to publication
> General rights
> Copyright and moral rights for the publications made accessible in the
> public portal are retained by the authors and/or other copyright owners and
> it is a condition of accessing publications that users recognise and abide
> by the legal requirements associated with these rights.
> • Users may download and print one copy of any publication from the public
> portal for the purpose of private study or research. • You may not further
> distribute the material or use it for any profit-making activity or
> commercial gain
> • You may freely distribute the URL identifying the publication in the
> public portal.
> If the publication is distributed under the terms of Article 25fa of the
> Dutch Copyright Act, indicated by the “Taverne” license above, please follow
> below link for the End User Agreement:
> www.tue.nl/taverne
> Take down policy
> If you believe that this document breaches copyright please contact us at:
> openaccess at tue.nlproviding details and we will investigate your claim.
>
> Wer die Wahrheit nicht weiß, der ist bloß ein Dummkopf. Aber wer sie weiß
> und sie eine Lüge nennt, der ist ein Verbrecher." 1
> — Bertold Brecht, Das Leben des Galilei, Seite 71
>
> Appelbaum, Jacob R.. /Communication in a world of pervasive surveillance :
> Sources and methods: Counter-strategies against pervasive surveillance
> architecture. Eindhoven : Eindhoven University of Technology, 2022. 327 p.
> https://research.tue.nl/en/publications/communication-in-a-world-of-pervasive-surveillance-sources-and-me
>
> Best Regards
On 3/31/22, grarpamp <grarpamp at gmail.com> wrote:
>> https://research.tue.nl/en/publications/communication-in-a-world-of-pervasive-surveillance-sources-and-me
>> Appelbaum, Jacob R.. /Communication in a world of pervasive surveillance
>> :
>> Sources and methods: Counter-strategies against pervasive surveillance
>> architecture. Eindhoven : Eindhoven University of Technology, 2022. 327
>> p.
>
>
> CHAPTER 1
> Introduction
>
> "Wer die Wahrheit nicht weiß, der ist bloß ein Dummkopf. Aber
> wer sie weiß
> und sie eine Lüge nennt, der ist ein Verbrecher." 1
> -- Bertold Brecht, Das Leben
> des Galilei, Seite 71
>
> Electronic surveillance systems, in their twenty-first century
> totality, create an environ-
> ment of pervasive surveillance where most, if not all, communications
> channels are mon-
> itored in some capacity. Sociologists and other academic researchers
> define surveillance
> in many different ways [Mar15]. We consider the definition from Lyon
> from Surveillance
> Studies: "any systematic, routine, and focused attention to personal
> details for a given pur-
> pose (such as management, influence, or entitlement)" [Lyo14]. Today's
> Internet is the pri-
> mary terrain of struggle [GBC11, Kat90, Her00, Ziz08, Cun15, GE07]
> between those com-
> mitted to attacking electronic communications, whether in targeted
> [Bam16] surveillance
> of individuals or indiscriminate mass surveillance [Eur18, Eur78,
> Eur06, Eur84, Eur10,
> Eur87, Eur15, Eur16] of whole populations, and those committed to
> securing communi-
> cations from attack.
> The two most prevalent surveillance adversaries are state [Gre14b]
> and corporate
> [Zub19, Int21a, Int21b] actors, though in some situations there is no
> meaningful distinc-
> tion between these. Fusion Centers [Wik21i] for example, are an
> American domestic
> intelligence apparatus that aggregates data provided by government
> agencies, corpora-
> tions, and private persons, resulting at times in Americans being
> persecuted for engaging
> in constitutionally protected activities. Surveillance data of all
> kinds collected from other
> terrains [Goo21, War15b] readily merges into the Internet's IP traffic
> flows. This collec-
> tion is not merely through passive observation of our communications,
> but also through
> active interaction and exploitation, along with analysis of behavioral
> data, other systems
> data, and data at rest. To name just a few examples:
> · In-person, face-to-face meetings when personal or professional
> electronic equip-
> ment is present in the same room [ATL06, CCTM16].
> · Targeted and mass surveillance of telephone metadata and call
> content [SM13,
> GS14].
> · Targeted and mass surveillance of postal mail [Nix13].
> · Public and private video surveillance, especially when used in
> tandem with machine
> learning for identification based on height, gait, and/or
> facial structure among oth-
> ers [EKGBSBA16].
> · Stylometry of written text to identify anonymous authors [BAG12].
> · Analysis of video and images of biological structures such as
> veins, ear shape, as
> well as of body modifications such as piercings and tattoos [RP14].
> As new sources of data become available in nearly every realm of life,
> we find new surveil-
> lance tools being designed to exploit them. Understanding these
> surveillance practices is
> critical for building defenses.
> It is now commonly understood that the US Government does "kill
> people based on
> metadata" [Col14] including children [Sca13a, Bon13, Kri19, AR21],
> intentionally 2 and
> unintentionally. The state's capacity for violence is enhanced with
> additional surveillance
> capabilities. Historical as well as contemporary use of data and
> metadata to socially sort
> [Lyo03] has enabled human rights abuses such as persecuting political
> refugees [CM+ 17,
> DNI21], assassinations [Col14] and genocide [Bla12].
> Modern proponents of both targeted and mass surveillance regularly
> claim that grant-
> ing authorities surveillance powers will help to prevent terrorist
> acts. We know that
> while this is sometimes true [EM13, BSSC14], it is often false, with
> disastrous conse-
> quences [GRS14, Rot15]. We also know that the existence of
> interception capabilities
> puts both the operators [Bam16] and users of communication
> infrastructure at direct
> risk, and that the same surveillance methods intended for terrorists
> are diverted to tar-
> geting democratically elected leaders [JAS13]. This leads us to ask:
> In order to protect
> our societies from terrorist acts, must we leave ourselves vulnerable?
> Is it worth the
> trade-off to occasionally catch the least competent would-be
> terrorists, corrupt officials,
> spies, criminals, and thieves? The questions themselves seem absurd
> when the answer
> promotes criminality of all kinds: corporate espionage, economic
> warfare, government
> espionage, human-rights violations, lawfare, so-called "targeted
> killings" (assassinations),
> untargeted killings, etc. Yet an affirmative answer to those questions
> is an observable na-
> tional policy in countries around the world.
> The deployment of standardized communications protocols in the
> last century made
> it possible to perform surveillance in a highly automated fashion. We
> investigate some
> of these surveillance systems extensively with help from documents
> exposed by whistle-
> blowers, known and unknown, or other anonymous insiders. We compare
> the intentions
> and stated beliefs of surveillance adversaries with those of protocol
> designers, who in
> recent years have belatedly started to introduce the term
> surveillance, and later mass
> surveillance, into Internet-related protocol publications [FT14, BSJ+ 15a].
>
> 1
> "He who does not know the truth is merely a fool. But whoever knows it
> and calls it a lie is a criminal."
> 2
> The President of The United States of America is directly involved in
> some assassination decisions [Poi14,
> Par15], something of an explicit concern [Ken11] to the founders of the
> country.
>
More information about the cypherpunks
mailing list