The Special Section is part of Volume 11 of the journal and can be found here: http://ijoc.org/index.php/ijoc/issue/view/13

Graphic of a VPN, www.legacytec.com/Pages/VPN.html

Purpose:

A Virtual Private Network (VPN) network provides secure access to online data by creating a private network with which to access both the public Internet and other internal organisational networks. A VPN uses tunneling protocols thus encrypted data at the sending end and decrypted at the receiving end.

VPNs allow for greater privacy because data packets are encrypted as the move across the Internet making it difficult to know the activities of users. Additionally, it allows users to access private networks that run within organisations such as universities and companies. These allow users to access content that would not be available otherwise.

Techniques include, each have their own technical strengths and weaknesses [BPN01]:

• Layer 2 Tunnel Protocol (L2TP and L2TP/IPsec)
• Secure Socket Tunneling Protocol (SSTP)
• Internet Key Exchange (version 2) (IKEv2)
• OpenVPN

Capabilities:

• Tunneling – Creates a secure connect for data at both the sending and receiving ends of a network.
• Encryption – Data is packaged into secure envelopes, providing protection from packet sniffing [SCO01].
• IP cloaking – Masks the users originated IP address and allows people to appear as if they are accessing the Internet from another country or organisation.

Surveillance mitigation:

• Privacy – A secure and anonymous way to access content or conduct activities (e.g. online banking) on the Internet.

Vulnerabilities:

• VPN provider – The customer should ensure that their VPN service provider does not keep logs
• Decryption – Spiegel [SPI01] has reported that the NSA has a number of programmes that aim to compromise VPN security.

Layers of operation:

• Transport layer

Sources:

Best VPN (BPN)
1) https://www.bestvpn.com/blog/4147/pptp-vs-l2tp-vs-openvpn-vs-sstp-vs-ikev2/

Spiegel (SPI)
1) http://www.spiegel.de/international/world/nsa-documents-attacks-on-vpn-ssl-tls-ssh-tor-a-1010525.html

Scott, C., Wolfe, P., Erwin, M (SCO), Virtual Private Networks. O’Reilly, 1999.
1) http://shop.oreilly.com/product/9781565925298.do

Web link

Publisher: Library Freedom Project

“data activism

We live in a time of data abundance, one in which data is not merely a commodity or a tool for surveillance, but also a metaphor of power. With the diffusion of ‘big data’, citizens increasingly engage in new social practices rooted in technology and data, which we term data activism. With data activism we indicate the broad range of socio-technical practices that take a critical approach to massive data collection. It emerges out of existing activism sub-cultures, such as the hacker and the open-source movements, but overcomes their elitist character to involve also ordinary users. It concerns both individuals and groups, and operates at different territorial levels, from local to transnational. It takes two forms. First, citizens increasingly resist by means of technical fixes the threats to civil and human rights that derive from corporate privacy intrusion and government surveillance (re-active data activism). Second, people take advantage of the possibilities for civic engagement, advocacy, and campaigning that big data offer (pro-active data activism). ‘Re-active’ and ‘pro-active’ identify two facets of the same phenomenon: both take information as a constitutive force in society capable to shape social reality [1], and are enabled (and constrained) by software. By increasingly involving average users, they are a signal of a change in perspective and attitude towards massive data collection emerging within the civil society realm.

[1] Braman, Sandra (2006). Change of State. Information, Policy and Power. MIT Press”

Funder: European Research Council

Website: https://data-activism.net/

Host institution (s): University of Amsterdam

Web link

Author(s): Tactical Tech

Web link

Author(s): Tactical Tech

Web link

Author(s): Electronic Privacy Information Centre

FASCIA, Washington Post, slide 1.

Purpose:

FASCIA is the US National Security Agency’s (NSA) data storage and analyse programme focused on mobile phone location metadata. Approximately 5 billion records per day are collected [WAH01]. The programme exploits the SS7 (Signaling System No. 7) data exchange protocol, which links mobile network providers together.

Two kinds of data are collected from mobile devices [WAH01].

• Information from phones, both mobile devices and landlines. This includes information held in these network such as location – known as Dialed Number Recognition (DNR) data.
• Information collected from the Internet – This includes personal data communications, known as Digital Network Intelligence (DNI).

Additionally it has the ability to analyse communication security (COMMSEC) behaviours such as Behaviours around communication security “frequent power-down, handset swapping, SMS behaviour” [NSA01].

The leaked documents show that the GCHQ works in partnership with the NSA in DNI collection, specifically to track location using the Google tracking cookie PREFID that is gathered with personal data communications. This cookie can be used to hack into devices [WAH02].

The FASCIA programme uses a variety of data analysis techniques to locate and track individuals using these two sources of data (DNR and DNI) including [WAH01; NSA01]:

• CHALKFUN: This is a ‘co-travel analytics’ tool that analyses “date, time, and network location of a mobile phone over a given time period, and then looks for other mobile phones that were seen in the same network locations around a one hour time window” [NSA01].
• DSD Co-Travel Analytic: Examines mobile Call Detail Records (CDRs) to predict “target locations and co-travelers by calculating time-based travel trajectories. Probable travel routes are calculated using observed locations and determining the most likely paths and travel times similar to that used in turn-by-turn navigation systems” [NSA01]. “The analytic predicts the approximate time that the target would theoretically arrive at each segment waypoint based on projected travel times between known locations.” It also “discovers candidate co-travellers that intersect locations along the buffered travel path.” The NSA whitepaper states that the “system has shown that more candidate co-travellers were discovered by analyzing the travel paths than by considering common meeting locations alone”. Future plans for the system include identifying “targets based on COMSEC behaviors such as identifying mobiles that are turned off right before convergence between two travel paths occurs”.
• TMI Co-Traveler Analytic: “The analytic is oriented to work on 7 to 30 days worth of regional collection.” It computes “target “closeness” based on latitude and longitude information.
• PACT NGA-NSA GATC Analytic: To identify Thuraya satellite phones.
• RT-RG Sidekicks: “compares average travel velocity between pairs of selectors to infer whether or not could co-travel would practically be possible. Locations are defined by CELL IDs (for GSM) or GEO-Hashes.”
• Scalable Analytics Tradecraft Center (SATC) Geospatial Lifelines Co-Travel QFD: This “applies the concept of “dwell times” to identify DNR co-travelers. Dwell times describe the time period spent at the beginning or ending destination. A location is considered a beginning or ending location if the dwell time at that location is greater than 2 hours.”
• SSG Common IMSIs Analytic: “Finds SIM card activity seen on cell tower panels in multiple areas (e.g.- border crossings commonly used by traffickers) … The analyst inputs areas of interest and time range. The analytic returns an excel file with a list of IMSIs seen in those areas at that time.”
• The Café project: “This analytic uses IP geolocation of active user/presence events as travel indication.” It focuses on targets who have travelled between two countries in a range of time between 30 days. It is also searchable by travel within “countries of interest” and “the days on which the countries were visited”.
• Other Data Sources: this includes information from other databases such as “air travelers on the same reservation number”, “users sharing a MAC address” and “similarities between IP addresses may indicate proximity on the same LAN” [NSA01].

Capabilities:

• Mobile phone network and internet analysis
• Pattern-of-life analysis

Data sources:

• Mobile networks
  • GCID: Global Cell-Tower ID – This is the unique number associated with any given tower. It acts as a proxy for location since
  • CELLID – mobile base station coordinates
  • VLR – (Visitor Location Registers); databases that track current associations between cellular users and towers, which can be used to infer a user’s location
  • IMSI – (International Mobile Subscriber Identity)
  • MSISDN – the telephone number associated with a SIM card indicating the country it was activated in and the service provider
• Internet data transfer
  • Mobile phone apps
  • IP address

Related programmes:

R6 SORTINGLEAD – Cloud-based version of CHALKFUN that includes additional features such as search by countries or locations of interest [NSA01].

HAPPY FOOT – Analytic tool that aggregates leaked location-based service data to map the physical locations of IP addresses [WAH01].

TAPERLAY –  The NSA’s tool for looking up the registered location of a mobile device — the provider and country where a phone was originally activated — in the Global Numbering Database [WAH01].

TUSKATTIRE – System used for metadata processing [WAH01]

JUGGERNAUT – A signals processing system that can process raw feeds between mobile carriers through the SS7 protocol [WAH01].

GHOSTMACHINE – The NSA’s cloud analytics platform [WAH03].

Layers of operation:

• Social layer: Aggregation of metadata from multiple sources, pattern-of-life analysis.
• Link layer – How devices connected to a physical layer share access to the physical medium and exchange data.
• Network layer – How data is routed between devices that may be connected to different link layers.
• Application layer – How applications provide services and exchange information over a transport layer.

Background:

FASCIA is the National Security Agency’s enormous database containing trillions of device-location records that are collected from a variety of sources. The leaked documents show the volume and types of device-location data collected. Mobile phone metadata analysis can reveal a high-level of detail regarding people’s movements.

When mobile devices are turned on and begin searching for wireless signals, they show their locations to any radio receivers in the vicinity. When a mobile phone connects to a network, it registers its location to one or more signalling towers that store this information in databases (known as Home Location Registers and Visitor Location Registers) maintained by telephone providers and clearing houses so that calls can be made and received.

These registers store a device’s approximate location using service providers positioning of devices by triangulating their distance between multiple towers in the vicinity. These can reveal the country, town, and even street level of the person. In addition, some mobile devices use WiFi and GPS signals to fix their locations, which provides geo-location data. Smartphones can also display their location through mobile apps, built-in location based services and IP addresses [WAH01].

Sources:

National Security Agency (NSA)   document, (provided by the Washington Post)

1) National Security Agency white paper: Summary of DNR and DNI Co-Travel Analytics
https://s3.amazonaws.com/s3.documentcloud.org/documents/888734/cotraveler-tracking-redacted.pdf

Washington Post (WAH)

1) http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/10/new-documents-show-how-the-nsa-infers-relationships-based-on-mobile-location-data

2) http://apps.washingtonpost.com/g/page/world/nsa-signal-surveillance-success-stories/647

3) http://apps.washingtonpost.com/g/page/world/ghostmachine-the-nsas-cloud-analytics-platform/644/#document/p2/a135353

4) http://www.washingtonpost.com/world/national-security/nsa-tracking-cellphone-locations-worldwide-snowden-documents-show/2013/12/04/5492873a-5cf2-11e3-bc56-c6ca94801fac_story.html

The Intercept – Applying Advanced Cloud-based Behavior Analytics, slide 1.

Purpose:

SKYNET is a behaviour profiling programme that attempts to identify “interesting travel patterns”, including how often a person travels and to where [SKYNET-02, Slide13]. Specifically, the programme aims to identify “courier-like travel patterns” [SKYNET-02, Slide20].

It achieves this by analysing mobile phone metadata that reveals both location and communication data from bulk call records [INT01]. Using this metadata SKYNET looks for patterns amongst different people who use phones in similar ways [SKYNET-02, Slide2].

For this programme “call data is acquired from major Pakistani telecom providers” but the technical means for obtaining the data is not divulged in the slides [INT01]. It uses a cloud computing technology to store and analyse  Call Data Records (CDRs) from Pakistani Telecoms uploaded to an NSA cloud [SKYNET-01, Slide6]. Analysis of the data examines [SKYNET-02, Slide3]:

• Pattern of life
• Social network
• Travel behaviour

This is done using geospatial, geotemporal, pattern-of-life and travel analytics [SKYNET-01, Slide3]. Specifically, by identifying a mobile phone’s IMSI or International Mobile subscriber Identity [SKYNET-01, Slide13]. This number is a unique identification associated with all mobile phones on a cellular network. It is stored as a 64-bit field and is sent by the phone to the network [TFA01].

Behaviours SKYNET attempts to identify include [INT01]:

• Who has traveled from Peshawar to Faisalabad or Lahore (and back) in the past month?
• Who does the traveler call when he arrives?”
• “Excessive SIM or handset swapping,”
• “Incoming calls only,”
• “Visits to airports,”
• “Overnight trips”

Capabilities:

• Mobile phone metadata storage and analysis
• Pattern-of-life analysis
• Travel analysis
• Social network analysis

Data sources:

• Mobile phone metadata
• Global System for Mobile Communications (GSM)
• International Mobile Subscriber Identity (IMSI)

Related programmes:

DEMONSPIT – dataflow of Call Data Records (CDRs) from Pakistan [SKYNET-01, Slide6]

MAINWAY – collection of telephone metadata

Layers of operation:

• Social layer: Aggregation of metadata from multiple sources, pattern-of-life analysis.

Background:

The SKYNET programme collected 55 million cell phone records from Pakistan to identify ‘interesting’ or ‘suspect’ behaviours [INT01].

Questions are being raised about the “method of identifying terrorist targets based on metadata” [INT01] because it may identify false positives especially when it comes to the activities of journalists who seek to contact terrorists. In particular an Al Jazeera journalist, Ahmad Muaffaq Zaidan was singled out as someone whose “movements and calls mirrored those of known Al Qaeda couriers” [INT01].

Partners:

• MIT Lincoln Labs [SKYNET-01, slide 3]
• Harvard [SKYNET-01, slide 3]:
• Pakistan Telecoms (unnamed) [SKYNET-01, slide 6]

Sources:

Intercept (INT)
1) https://firstlook.org/theintercept/2015/05/08/u-s-government-designated-prominent-al-jazeera-journalist-al-qaeda-member-put-watch-list/
2) SKYNET01 – https://firstlook.org/theintercept/document/2015/05/08/skynet-applying-advanced-cloud-based-behavior-analytics/
3) SKYNET02 – https://firstlook.org/theintercept/document/2015/05/08/skynet-courier/

Tech Faq (TFA)
1) http://www.tech-faq.com/imsi.html