Do You Like Online Privacy? You May Be a Terrorist

Posted: February 4th, 2012 by Gadget42

from Public Intelligence


A flyer designed by the FBI and the Department of Justice to promote suspicious activity reporting in internet cafes lists basic tools used for online privacy as potential signs of terrorist activity.  The document, part of a program called “Communities Against Terrorism”, lists the use of “anonymizers, portals, or other means to shield IP address” as a sign that a person could be engaged in or supporting terrorist activity.  The use of encryption is also listed as a suspicious activity along with steganography, the practice of using “software to hide encrypted data in digital photos” or other media.  In fact, the flyer recommends that anyone “overly concerned about privacy” or attempting to “shield the screen from view of others” should be considered suspicious and potentially engaged in terrorist activities.

Logging into an account associated with a residential internet service provider (such as Comcast or AOL), an activity that could simply indicate that you are on a trip, is also considered a suspicious activity.  Viewing any content related to “military tactics” including manuals or “revolutionary literature” is also considered a potential indicator of terrorist activity.  This would mean that viewing a number of websites, including the one you are on right now, could be construed by a hapless employee as a highly suspicious activity potentially linking you to terrorism.

The “Potential Indicators of Terrorist Activities” contained in the flyer are not to be construed alone as a sign of terrorist activity and the document notes that “just because someone’s speech, actions, beliefs, appearance, or way of life is different; it does not mean that he or she is suspicious.”  However, many of the activities described in the document are basic practices of any individual concerned with security or privacy online.  The use of PGP, VPNs, Tor or any of the many other technologies for anonymity and privacy online are directly targeted by the flyer, which is distributed to businesses in an effort to promote the reporting of these activities.


Comments (2)

 

  1. Anonymous Coward says:

    Email, sent to leads@jric.org (the attached documents include the brochure cited in the article, a copy of the Anarchist’s Cookbook, and Army Field Manual 3-06.11, “Combined Arms Operations in Urban Terrain”):

    Attached are three sample files. The first is a brochure, attributed to your organization as the distributing source. The next two are sample documents that I had on my computer at the time that I ran across your brochure, which I use below, to illustrate a point.

    I keep the first two files in the same directory on my personal laptop, titled “Hacking”. The last one is in a parallel directory called “Survival”. I also maintain the “Survival” files on a USB key. Many of the “Survival” files are (or were) published by the Federal government. In my home, I use Hydrogen Peroxide as a disinfecting agent and a mouthwash; I’m allergic to alcohol. At this time of year, I can’t fertilize my garden, but I still have a supply of fertilizer in my basement from last spring. I maintain a generous supply of cleaning chemicals in my home – I’m not a fan of either shopping or cleaning, and maintaining this supply serves to minimize the time that I spend on both activities. Acetone is a chemical that helps to clean paint brushes, and it is cheapest (by volume) when purchased in 5-gallon buckets. My next-door neighbor is a professional painter, and I obtained my supply through him – he doesn’t buy the stuff in small quantities, and you don’t want to store it in containers that were not designed to hold it – acetone is highly caustic and flammable. While I’m not personally particularly politically active, we are in an election year, so I do follow the candidates to some extent. Ron Paul, in particular, is famous for some rather unorthodox ideas and relationships – one of which is that he occasionally makes an appearance on the Alex Jones talk radio show, where a great many extreme and occasionally anti-government opinions are expressed – stopping just short of being subversive, at least on the radio show itself. One of my friends distributes DVDs on various conspiracy theories, and I maintain an archive of his materials, as a preparatory measure to combat his paranoia that, at some point, some government agency might decide to seize his literature. Publications like this brochure from your agency, feed that paranoia – and give me pause to wonder how justified his fears and suspicions might be. 
    In today’s climate of fear over terrorism, few people are disinterested in news on the subject – which is perhaps why the media seems to report on every scrap of information that they can find involving “suspected terrorism”. To hear them tell it, everybody is a terrorist except whoever happens to be talking about it at the time. In your brochure, you sound a great deal like the fear-mongering media.

    I mistrust banks; they have screwed me before, so I have over half a dozen accounts – all with less than $10 in them. This is a preemptive measure to combat ChexSystems reporting; when a bank screws you, the first thing that they do is report you to ChexSystems so that you cannot open another account somewhere else, without first paying them whatever it is that they demand of you. While you can fight them in court over the issue, it’s still a fact that if you live on the grid, you still probably need the ability to cash checks, and this becomes prohibitively difficult and expensive for your average law-abiding citizen if they can’t get a checking account until their case is settled in court. The easiest way to ensure that your bank can’t screw you this way, is to open accounts at other banks, in advance of the event – that way, they can put you in ChexSystems all they like – you already have other accounts at other banks, and can move your banking to one of these preexisting accounts, without having to be re-approved through ChexSystems. I typically open fee-free accounts, and then deposit a dollar every couple of months just to keep them from going inactive. Once a year or so (whenever I’m low on cash; typically around Christmas), I drain them back down to a penny. I typically make my purchases with cash, because my wallet doesn’t charge overdraft fees when I, my wallet, or the vendor that I’m doing business with makes an error. When I, my vendor, or my bank makes an error, while using non-cash financial instruments, the bank is not so forgiving. While all of my financial instruments have the same name on them, at the moment; there have been times in the past when several of them had business names on them, and purchases made for the business had to be separated from personal purchases (and those of other businesses), for reasons largely dictated by the Internal Revenue Service – even when those purchases were made at the same time, and from the same vendor.

    I routinely employ cryptography and anonymizing tactics; right at the moment, I’m using an open 802.11 wireless network. I’d have attached a copy of the materials involved in WEP/WPA cracking and wireless hacking, but there is more of it than would be reasonable to include as an attachment. (There is absolutely no need for terrorists to use Internet Cafes with the ubiquity of easily-accessible wireless Internet access; any educational campus or residential neighborhood will suffice, and this approach permits them to operate from a position of privacy, and with relative impunity – and the equipment costs less than $100.) My home telephone service employs VoIP – but in all fairness, text-based non-real-time communications are a lot more popular, particularly across language barriers. I’m using text-based non-real-time communications to discuss this with you, right now. Add cryptography and perhaps a Facebook-vectored steganography, and you have well-concealed, private communications that can be developed in about 30 minutes by your average community college student, which is indistinguishable from web forum or email communications, when in use. Don’t think for a minute that it hasn’t or isn’t being done. I employ cryptography because people don’t need to see my porn collection, they don’t need access to my financial records or recorded telephone messages, and they don’t need access to my digital video security recordings of events in and around my property. If an enforcement agency were to raid my home, I’d likely employ my right to remain silent, to maintain the privacy of my encrypted data – and I should be thanked, for that. No one wants to see video footage of me, peeing in my own bathroom, trust me. I’m not all that attractive, and it’s none of anyone else’s business.

    I’ve had the cryptography discussion with members of the high-tech crimes task force of the (redacted – Someplace) FBI; if you’re doing Evil and you know it, on a computer, then you encrypt the entire hard disk with a random cryptographic key, unknown to anyone (including yourself). When the enforcement agency comes to seize it, the first thing that they will do is unplug the computer – rendering the entire drive unreadable, even to its owner. The question posed to me by the agents, at the time, was how you recover the information on the drive, after a power failure, raid, or other power-interrupting event – and the answer is simple. You don’t. The information on the computer, once consumed by its Evil-doing owner, has no other purpose or value than to serve as investigative evidence for some enforcement agency. Any unconsumed information on the computer at the time of a raid, loses its value to the owner of the system, the moment that he loses possession of the system. Very simply, if you are doing Evil, you don’t want a record of it – and random cryptographic encryption is an almost invariably effective way to ensure that no such record is available. It’s trivial to implement on Unix(-like) and Windows operating systems, which includes Android (and probably Windows CE) phones. Next, everyone with an Android phone will be a terrorist… What I have never understood, is why this is a tactic that was well-known and well-understood by me, but not by Federal law enforcement, at the time.

    Everquest, Halo, and any number of popular online games come with in-game real-time voice and text communications that are popularly used at Internet Cafes; many even arrange gaming events, as a marketing tactic to boost revenues and the visibility of their services. Most of these games include content of a violent or extreme nature; that’s what attracts young people to play them.

    Multi-sim phones (phones that accept more than one sim card) and multi-sim cards (cards that allow software switching between emulated or cloned sim cards) are cheap and easy to get, particularly overseas. Only an idiot would still be seen switching sim cards.

    Everyone and their brother has throwaway email accounts with Gmail, Yahoo, Hotmail, or any of a thousand smaller providers – not that this is a preferred way to communicate for people trying to evade governmental monitoring. It is, however, singularly common to find people checking their AOL email from a terminal at the library, university, or Starbuck’s Coffee shop.

    I have technical background in software engineering, information security, and radio frequency communications. It’s not the least bit uncommon for me to be found downloading information about radio frequency electronics, timing circuitry (which is essential to synchronous digital communications), or remote management systems.

    (paragraph redacted; identifying information)

    Am I a terrorist? If it sounds like a stupid question, then perhaps the criteria by which I come to it (your brochure, in conjunction with my background and privacy habits) are to blame. I’m fairly certain that I am entitled to my privacy habits, and since Federal government has made irregular use of my background – even bears some responsibility for it – I’m pretty sure that I’m on firm ground, there. That just leaves your brochure…

    Terrorist organizations are smarter than this. They are “organized”, which is perhaps why they are called “organizations”. This approach might net you a few frightened perverts and the occasional isolated nut job with a truck full of cowflop – but the resources that it will cost following up false positives, are prohibitive. This is futile in the same way that putting armed National Guardsmen on the highway divider in front of the Golden Gate Bridge after 9/11 was futile; a terrorist with any sense would have attacked the bridge from a barge, below it, if that had been their target. Armed military service members on the bridge serve only to intimidate the public – just as the idea that your Internet Cafe operator might be judging you as a terrorist because you were shifty about downloading porn, fails to deter, impede, explain, attribute, or even influence terrorist behavior. It merely serves to intimidate the public. If you’re really, really lucky, more people will set up wireless broadband Internet access in their homes to avoid the necessity of using public hotspots – creating more opportunities for real terrorists and criminals to hack and anonymously use residential broadband wireless networks.

    This is not your best work. At least I hope not, because if this is your best, then you’re only catching the stupid, disorganized terrorists from third-world countries like Afghanistan – not the cyber-espionage specialists from such unfriendly places as China, where “organization” means something substantial. I’m a third-rate amateur nobody who hasn’t had a job in a year and a half, and even I can do better than this.

    (reposted from Public Intelligence forum)
