Permanent Record

Permanent Record
Permanent Record by Edward Snowden

Book Review

This book has been on my to-read list for a long time now and I finally got the time to read it. It's super interesting to learn about the internal workings of the NSA, the motivations and challenges he faced as he made the decision to become a whistleblower. It was so engaging that I finished it in just a couple of days. There's quite a lot to learn and unpack from this book, especially so if you're not into tech. It's about time we all got interested in keeping our online identities private, and prevent random individuals or organizations from accessing our personal information without our consent.

Spoiler alert: If you want to read the book, you should stop reading here.


Surveillence

The first half of the book was about Edward Snowden's life which may not be interesting to some but I very much relate to it. From having a dad who brings home random gadgets and being a script kiddy that hacked games for fun.

But now onto the more serious part, the whistleblowing - why and how he did it. After 9/11, surveillance heightened During Snowden's time as a contractor in the NSA, he came across many different tools with codenames that are used by the people there. The ways they work is surprisingly similar to what I've experienced during my time in the Army, but I will not talk about it more in case I get exiled. Here are a few that I've noted down:

  • PRISM - Program that gives NSA direct unfettered access to data on the servers of tech companies like Google, Facebook, Microsoft
  • FOXACID - NSA servers that host malicious version of familiar websites
  • EGOTISTICALGIRAFFE - Exploiting a vulnerability in Tor browsers
  • EPICSHELTER - Snowden's de-duplication storage program to store intelligence for a long time
  • HEARTBEST - Snowden's readboard personalized for NSA operators to stay current
  • XKEYSTORE - Searching and analyzing real-time Internet data
even VPNs are not safe

I'd like to talk about the last one a little more, as it's by far the scariest thing I've heard, almost as if out of science fiction. They have an interface for you to type in anyone's address, phone number, IP address and pretty much go through the recent history of their online activity. Read their emails, browser history, search history, social media postings and set up notifications when the person became active. In some cases you can even replay what they were seeing on their desktop or themselves through the webcam. Some of the people working there even used it to stalk their former or current lovers, calling it LOVEINT.


Metadata

metadata from an email

Most of this intelligence is sorted using metadata. Metadata, or activity data, is usually more revealing - the unwritten, unspoken information that exposes the broader context and patterns of behavior. A photo's metadata, for example, will contain the location, date and time taken, camera maker and model etc. In short, the who what when where and how. With the huge amount of data communications happening in the world, metadata helps by providing a way to organize and understand the data. Therefore, it is important to be aware of the metadata that is being collected and shared, and to take steps to protect one's privacy if necessary, such as by turning off location services and opting out of any unnecessary data collection. But if only it was that easy.

The problem with data collection nowadays, is that there's a whole industry built on keeping it invisible and using it for various purposes without the knowledge or consent of the people whose data is being collected. All this information is then sent to analytics servers which uses AI to build detailed profiles of individuals in order to improve their engagement, or sometimes even abused. I'm sure everyone has experienced this before, where a new advertisement appeared which is coincidentally related to what you just searched on google.

The fact that we read story after story, year after year saying your data been breached, shows that companies do not take responsible steps to protect the personal information of their customers. Data privacy should be a fundamental right that should be respected and protected by all parties involved.


An issue of ignorance?

https://xkcd.com/1269/

Data has almost became a commodity with the rise of Big Data in the recent years, insanely valuable to big corporations. Before we all knew what was going on they were making billions of dollars, and once money becomes power, information becomes influence. However, why do we buy window shades to cover our windows, or close the door while taking a dump, but we are perfectly fine exposing ourselves online without a second thought?

Clouds, computers and phones have becomes our homes, just as personal and intimate as our actual homes nowadays. If you don't agree, then answer me this: would you rather let your friends hang out at your home alone for an hour, or let them spend even just 10 minutes alone with your unlocked phone?

It could be difficult to conceptualize the ways in which our data is being collected and used, especially when it is done in a seemingly benign way, such as through tracking cookies or mobile app permissions. If you're interested in learning how all this works in detail, I recommend reading Dataclysm by Christian Rudder.

Second, which is something that I'm also guilty of, is that the convenience of using certain online services or apps is worth the trade-off of their personal data being collected. It can be tempting to simply accept the terms and conditions or privacy policy of a service or app without fully reading them, especially if it means getting access to something that we want or need instantly.

Lastly, many are also not aware of the tools available to help them control the information they share and to safeguard their personal data.

Companies are exploiting people ignorance, writing long T&Cs which nobody will bother to read, and when we hit accept, we are actually agreeing to handle over the ownership of the data that we have created. Best part is they don't even break the law.


Privacy Tools

Just some of the tools off the top of my head

  • Linux - OS
  • ProtonMail/Tutanota - email
  • uBlockOrigin - adblock
  • BitWarden - passwords
  • Matrix/Signal - communications
  • DuckDuckGo - search engine
  • Aegis - 2fa
  • Bouncer - Permissions manager
  • Cryptee - Google Drive clone

And a cool project:

Solid - set of conventions and tools for building decentralized social applications


Last thoughts

Privacy has always been a big thing to me, come to think of it, it may have been due to the news of Snowden's whistle-blowing in 2013. Ever since I got my hands on my first smartphone, a cheap redmi 1s, I have rooted it, flashed a custom ROM (CyanogenMod), and installed all sort of privacy related apps (like xPrivacy, VPNs, duckduckgo) while deleting social accounts like Facebook to hide myself or prevent my data from being collected. I even remember installing Tails on a usb stick and using it for banking, but decided it was not worth the trouble soon after. But somewhere down the line, I started to pretty much accept all this, a combination of forced usage from institutions, convenience and dependence on many of the things that I use daily.

In Web2, few tech giants dominate the arena, holding so much power and data over everyone, forcing people to give away ownership of their data to participate in the digital social space. As the world is taking it's first steps towards Web3, it offers the possibility of decentralizing this power and giving users more control over their data and online interactions. Additionally, decentralization can also increase it's resistant to data breaches and outages.

While Web3 technologies are still in their early stages and there are challenges to overcome, I believe they hold the potential to provide greater security, privacy, and control for users. For Web3 to flourish and become widespread, it will be important for developers, users, and policymakers to work together to ensure that the security and privacy of these technologies are prioritized. Allowing people on the chain to be able to do transactions effortlessly with some level of privacy the same way we securely connect to website like https baked into the protocol. It's an interesting space, and 10 years later I would love to see how it turned out.

I really have to applaud Edward Snowden for having the courage to expose the extent of government surveillance on its citizens. His actions have sparked important debates about privacy, security, and democracy, and have led to an increased focus in cyber security.

Despite facing significant consequences, including exile and criminal charges, Snowden has remained committed to his principles and has continued to speak out about the importance of privacy. He gave an example using Arab Spring - Sometimes one person is all it takes, which is what gave him hope. It reminded me of the statue of Jeon Tae Il I saw at cheonggyecheon in Seoul, South Korea. I didn't know who or why it was there until I walked into the cheonggyecheon museum on the last few days of my trip.

No other way to end this except: