VPNs and Data Collection in the Age of Surveillance

2017-05-02

Chris Duckett ZDNet article (A VPN will not save you from government surveillance) is informative, if a little hyperbolic:

Under the laws that force telcos to store customers' call records, location information, IP addresses, billing information, and other data for two years, there is a small caveat for journalists that forces agencies to obtain a warrant when seeking to uncover a journalist’s source.

Neither the journalist, nor the telcos, will ever know that such a warrant existed, but these provisions were essentially a figleaf to shut up the Canberra press gallery under the auspices of protecting democracy and freedom of the press when the data retention laws were being considered – and it worked.

But journalist warrants are almost superfluous. By asking for the metadata of anyone considered to be a journalist’s source, agencies can still find out if communication with a journalist happened, and will therefore be able to skirt these provisions at will.

Upon the news that the AFP had handled the metadata of a journalist, the online outrage squad kicked into gear with a chorus singing the praises of Australia’s magic bullet to security in 2017: using a VPN.

He draws conclusions that seem valid to me but I think his dismissal of VPNs is a little premature. Perhaps a VPN for a journalist already under surveillance is a minor security measure, but I do think it’s a valuable measure. Meta data will go a long way to tracing an individual’s activity and preferences but the actual content of every message will certainly make things a lot easier.

It was a huge revelation to me that Australia has become so draconian. It makes me question every technology service with an office in Australia, which includes my favorite email company Fastmail. In 2013 they declared that they were not subject to US surveillance orders. You can read their full privacy policy to see how Australian data collection laws might apply.

I also enjoyed this look at the recent NSA changes from Techdirt:

First, the shutdown arrives on the heels of a yearlong denial of surveillance requests by the FISA court. This indicates the NSA was either still abusing its collection or the court no longer felt the program was constitutional, at least not the way the NSA was running it. The shutdown seems to reflect the NSA’s inability or unwillingness to shift towards more targeted surveillance methods – ones that won’t sweep up lots of US persons' communications inadvertently.

Later…

[T]he NSA’s authorities under executive order 12333 are vast, undisclosed and unconstrained by any need to explain its collections to the Fisa court. A former state department official who has warned Congress about 12333, John Napier Tye, has alleged that the NSA uses 12333 as a backup plan to route around legal restrictions on US surveillance. “To the extent US person information is either stored outside the United States, routed outside the United States, in transit outside the United States, it’s possible for it to be incidentally collected under 12333,” Tye told the Guardian in 2014.

Pandora’s Box is wide open and the powers will not be handed back. It’s also an arms-race as privacy becomes a feature in the marketplace.