Intelligence Agencies Want To Target Surveillance Programs

IoT devices and cloud-based services represent the next frontier for digital surveillance, claims a new report.

A report from Harvard University's Berkman Center for Internet and Society tosses some cold water on the hotly contested debate over encryption vs. security, asserting that even if pro-encryption privacy advocates prevail, there are newly emerging avenues for intelligence agencies to conduct surreptitious digital surveillance.

The report, “Don't Panic. Making Progress on the Going Dark Debate,” predicted that in lieu of backdoors to encrypted messaging apps, law enforcement will increasingly turn to less fortified vectors to conduct offensive online investigations, including Internet of Things (IoT) devices, cloud-based services and apps whose business models rely heavily on customer data collection.

Reflecting the input of security experts across academia, civil society and the intelligence community, the report suggests that IoT devices, particularly those enhanced with networked sensors, cameras and microphones, could serve as especially powerful surveillance tools.

“These are prime mechanisms for surveillance: alternative vectors for information-gathering that could more than fill many of the gaps left behind by sources that have gone dark—so much so that they raise troubling questions about how exposed to eavesdropping the general public is poised to become,” the report cautions. For instance, smart TV manufacturers could potentially be ordered to let federal investigators eavesdrop on their customers' conversations via mechanisms that normally enable voice-based commands.

The report also notes that in some cases, “Market forces and commercial interests will likely limit the circumstances in which companies will offer encryption that obscures user data from the companies themselves.” For example, online service providers whose advertising models necessitate ample customer data collection will not be inclined to offer encryption services; therefore, their data would remain visible to investigators. Same goes for cloud-based services, as end-to-end encryption is currently impractical for any cloud-based features that require access to plaintext data, such as full text search.

The report also notes that metadata—still an important investigative tool—remains unencrypted and is likely to remain so in the future.

Paul Ferguson, threat research advisor at Trend Micro, told SCMagazine.com that he largely agreed with the report's premise. “The technology behind a lot of new and emerging services are not built around privacy or security, so it leaves a lot of wiggle room for an adversary to get access to sensitive information, whether that is browsing history, cell phone call detail records, ISP logs, etc.,” said Ferguson. In this instance, the adversary would be a domestic intelligence agency, though it could equally refer to cybercriminals or nation-state actors.

Merritt Maxim, senior analyst at Forrester Research, was less convinced that IoT devices and networked sensors currently constitute a viable channel for digital surveillance. “It's a possibility, but the [IoT] market is still emerging. There are no standards for exchanging or sharing data,” said Maxim. “As the market matures, and interfaces and data exchange become more standardized, it might be easier to gather data from sensors.”

SC Magazine: http://bit.ly/1R9uD1N

« Knowing Cognitive Computing
Protecting The Crown Jewels Of Corporate Data »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Cybsecurity Foundation (CSF)

Cybsecurity Foundation (CSF)

Cybsecurity is a non-profit NGO, which aims to work on improvement of security levels in the Polish cyberspace.

IPVanish

IPVanish

IPVanish has its roots in over 15 years of network management, IP services, and content delivery services. Now we're bringing these finely honed skills to VPN.

PROMIA

PROMIA

PROMIA is in the business of providing solutions that are designed to support highly secure, reliable, scalable and interoperable business applications.

BooleBox

BooleBox

Boolebox is the innovative suite of enterprise data protection applications that preserve the integrity and confidentiality of data from any unauthorized access.

Cellopoint

Cellopoint

Cellopoint is a leading manufacturer of information security and email lifecycle management (ELM) products.

Cybercrime Support Network (CSN)

Cybercrime Support Network (CSN)

CSN is a public-private, nonprofit collaboration created to meet the challenges facing millions of individuals and businesses affected each and every day by cybercrime.

Tutamantic

Tutamantic

Tutamantic develops software that reduces security risks and weaknesses during the architectural and design stages.

EuraTechnologies

EuraTechnologies

EuraTechnologies, the French incubator and accelerator, is a centre of excellence and innovation for startups and entrepreneurs with a focus on Digital, Data, Cybersecurity and IoT.

Chicago Quantum Exchange (CQE)

Chicago Quantum Exchange (CQE)

Chicago Quantum Exchange is an intellectual hub and community of researchers with the common goal of advancing academic and industrial efforts in the science and engineering of quantum information.

KrCERT/CC

KrCERT/CC

KrCERT/CC is the National Computer Emergency Response Team in Korea.

Prodera Group

Prodera Group

Prodera Group is a specialist technology consulting partner trusted to help navigate the complex and dynamic lifecycle of change and transformation.

ProCheckUp

ProCheckUp

ProCheckUp is a London-based independent provider of cyber security services, including IT Security, Assurance, Compliance and Incident Response.

Mindaro Insurance

Mindaro Insurance

Mindaro is adding the crucial piece of the cyber security puzzle that protects your organization from the financial ramifications of cyber attacks.

ERCOM

ERCOM

Ercom, a subsidiary of the Thales Group, is a French company known for its mobility security solutions.

Pixee

Pixee

Pixee fixes vulnerabilities, hardens code, squashes bugs, and gives engineers more time to focus on the work that counts.

Athena7

Athena7

Athena7 is a dedicated assessment practice committed to helping organizations understand how their infrastructure, backups, and security controls will withstand the latest threat actor tactics.