Did you happen to pass by a cell tower in a major city around the time a crime was committed? We all have.
Well, your IEMI was included in a cell tower dump. Probably dozens of times.
Did you happen to drive your car over any bridge in the Bay Area lately? Did a municipal vehicle pass you and catch your license plate with their ALPR camera?
Guess what? Your name went through a database of an LEO search if they wanted to find a perp for that time/location.
Privacy has been dead for a long time. The worst part is people don’t care.
The Snowden files changed nothing. If there was ever a point in history where people would have given up their cell phones for their civil liberties, that would have been the time to do it.
I was mad then. I'm more mad now. Stop these arguments because it isn't like one implies the other. And who the fuck cares if someone wasn't but is now. What's the argument, that you're a hipster? That's not solving problems. I don't want to gatekeep people from joining the movement to protect rights. I don't care if they joined as a tin foil hat or just yesterday after having literally been complacent in these atrocities. If you're here now, that's what matters.
> Privacy has been dead for a long time. The worst part is people don’t care.
Bull, and bull.
There are plenty of people fighting back. I'm pretty sure me getting ads in languages I don't speaks is at least some good sign. Maybe I can't beat the NSA, sure, but can I beat mass surveillance? Can I beat 10%? 50%? 80%? 1% is better than 0% and privacy will die when we decide everything is binary.
People care. People are tired. People feel defeated. These are different things. If people didn't care Apple (and even Google) wouldn't advertise themselves as privacy conscious. Signal wouldn't exist and wouldn't have 50 million users. It's not time to lay down and give up.
> mingus88 36 minutes ago | parent | context | flag | on: Google Ordered to Identify Who Watched Certain You...
Cell phone tower data has been used for a decade now in pretty much the same way.
Did you happen to pass by a cell tower in a major city around the time a crime was committed? We all have.
Well, your IEMI was included in a cell tower dump. Probably dozens of times.
Did you happen to drive your car over any bridge in the Bay Area lately? Did a municipal vehicle pass you and catch your license plate with their ALPR camera?
Guess what? Your name went through a database of an LEO search if they wanted to find a perp for that time/location.
Privacy has been dead for a long time. The worst part is people don’t care.
> The Snowden files changed nothing.
They didn't change enough, but that isn't nothing.
I would argue “people don’t care” because… there isn’t a high enough number of people who suffer negative consequences from “their privacy being invaded”.
In Berlin there used to be a notification system if you were subjected to cell surveillance in Berlin. It was recently stopped [0]. IMHO we need the same for all IP assignment or account lookups. The problem IMHO is that we, individualy, and particularly vulnerable groups like journalists and activists, might be subject to far more of such activities than we know.
[0] https://netzpolitik.org/2024/rolle-rueckwaerts-berlin-beende...
The biggest change IMHO was the entire industry got off their collective assets to finally move to HTTPS.
More-generally, imagine if every citizen was entitled to a yearly report on all how many times law-enforcement received records containing their names or personally identifying information, except in cases that are formally unsolved and in-progress.
So a line item might be something like:
{Ref ID}, {Date}, "All Youtube accounts that watched {Video Title}"https://transparencyreport.google.com/https/overview
https://transparencyreport.google.com/safer-email/overview - transmitting email with some form of encryption is probably a bigger and completely unseen problem that is similar
If some person was able to pick me out from a lineup because they physically saw me then that wasn't private and privacy laws don't apply.
So for instance capturing my face on CCTV in a public place isn't a privacy violation, same with my license plate in a pulic place.
However what happens on my private property is a privacy violation if it is recorded without consent.
Certian information isn't private, and that being stored is fine. Where the line gets drawn is what's up for debate.
I surely would want my contact details and name saved by a company that I intend to do business with in either direction. However if they spam me with information I should be able to lodge an harrassment claim against them. It's not a privacy issue but a decency issue.
And the biggest enablers of violation are things like ring doorbells and dashcams. There is no comeback in my country, don’t know about the US.
Governmental and commercial cctv has checks and balances. Domestic just goes onto planet wide databases with no control.
Before Snowden encryption was something that was mostly seen as a way to protect login forms. People knew it'd be nice to use it for everything but there were difficult technical and capacity/budget problems in the way because SSL was slow.
After Snowden two things happened:
1. Encryption of everything became the companies top priority. Budget became unlimited, other projects were shelved, whole teams were staffed to solve the latency problems. Not only for Google's own public facing web servers but all internal traffic, and they began working explicitly on working out what it'd take to get the entire internet to be encrypted.
2. End-to-end encryption of messengers (a misnomer IMHO but that's what they call it) went from an obscure feature for privacy and crypto nerds to a top priority project for every consumer facing app that took itself seriously.
The result was a massive increase in the amount of traffic that was encrypted. Maybe that would have eventually happened anyway, but it would have been far, far slower without Edward.
I'm all for finding a balance, it's just that many times people are against surveillance that does actually improve security or enforcement but mildy infringes on their "rights" when in reality they never had privacy in that situation to start with and the use of technology didn't substantially change that.
Youtube being forced to give up personal information based on who viewed a video is something I don't see as an issue. How is this any different from any other website getting the exact same order?
If you are doing something shady you know how to obfuscate that information, if you aren't, sure your "privacy" was "violated" for sure but it was violated in a way that was legally allowed and by law enforcement at that.
Living in a surveillance state where I have no choice but for the government to be able to track every single transaction I make financially and being able to link my cell number amongst other details directly to me, I feel like if I had to try to fight that I would only be causing myself undue anxiety and I've got enough legitimate reasons to be anxious.
Google was driven not out of some panicked rush to protect user privacy, but to protect Google's collection and storage of user data.
Google has 10+ years of my email. It doesn't treat that like Fort Knox because it gives a shit about my privacy; it treats it like Fort Knox because it wants to use that for itself and provide services to others based off it.
You do know that Google was heavily seed-funded by the NSA, right?
I guarantee the very wealthy or politically powerful have plenty of very-well-hidden cameras surrounding their properties.
Those rules are to keep you from catching and proving the powerful doing something they shouldn't.
If they're not guilty, why are they running?"
This is complete BS. Technology made it scalable to track where everyone is and query it historically. This used to require tailing someone so it couldn’t be done at scale.
Anytime you willing share data with a 3rd party the law assumes you aren't keeping it private.
https://en.wikipedia.org/wiki/Pen_register
If you want to keep something private don't share it outside of your house.
“Security
Tailscale and WireGuard offer identical point-to-point traffic encryption.
Using Tailscale introduces a dependency on Tailscale’s security. Using WireGuard directly does not. It is important to note that a device’s private key never leaves the device and thus Tailscale cannot decrypt network traffic. Our client code is open source, so you can confirm that yourself.”
What I said is for this specific point a smart criminal won't get caught and you too can very easily obfuscate that very same data.
Data isn't free and processing big data isn't cheap. As much as Google has the data, that means they need to store that data.
You know what used to happen before and still happens now, an example. I live in a restricted access area. Restricted in the sense rhat to get in some guy needs to take your name and license plate.
For many many businesses parks in my country that is still the defacto. There isn't really a camera watching that other than general CCTV that probably doesn't have the resolution to pick up text on our license plates. It's cheaper for them to literally pay a guy to stand at a boom and get that information than to install the technology required to track that automatically.
It’s not an invasion of privacy. But it is a problem for other reasons
https://nobaproject.com/modules/eyewitness-testimony-and-mem....
The adtech industry made data and its processing not just free (as in more than covered by the ad revenue) but outright profitable.
This is frankly a one-in-a-lifetime gift to the government because we've not only built an unaccountable industrial-grade spying machine but the government doesn't even have to pay for it as it pays for itself and incentivizes its own expansion.
What changed after Snowden was how Google encrypts traffic on its network, according to an article quoting you at the time.[5]
[1]https://gmail.googleblog.com/2010/01/default-https-access-fo...
[2]https://googleblog.blogspot.com/2011/10/making-search-more-s...
[3]https://www.zdnet.com/article/yahoo-finally-enables-https-en...
[4]https://techcrunch.com/2012/11/18/facebook-https/
[5]https://arstechnica.com/information-technology/2013/11/googl...
if [pecadillo] must remain secret when your nieghbour is investigated for [crime?] then encrypt at least twice, and obfusicate the original message
2 examples are not having an amazon prime account and running my own mail server.
Apple looked at the pen register cases and realized the best position to be in as a third party is to not possess usable data.
The US case from my point of view is trying to fore Apple to share user data with third parties.
[1] https://en.m.wikipedia.org/wiki/Firesheep [2] https://www.imperialviolet.org/2010/06/25/overclocking-ssl.h...
Most people are helpless to make change. Greater than one million adults serve in uniform services of some kind where they literally must comply. The ad budgets and massive, overflowing volumes of money generated by "surveillance capitalism" buy the consent of the mercenary finance occupations. None of this means "nobody cares"
People even got internal schwag shirts made of the iconic "SSL added and removed here" note [1]. It became part of the culture.
Over a decade later I still see most environments incur a lot of dev & ops overhead to get anywhere close to what Google got working completely transparently. The leak might have motivated the work, but the insight that it had to be automatic, foolproof, and universal is what made it so effective.
[1] https://blog.encrypt.me/2013/11/05/ssl-added-and-removed-her...
You're right that I might be mis-remembering the ordering of things, but I'm pretty sure by the time Snowden came around the vast majority of traffic was still unencrypted. Bearing in mind that lot of Google's traffic was stuff you wouldn't necessarily think of, like YouTube Thumbnails, map tiles and Omaha pings (for software update). Web search and Gmail by that point made up a relatively small amount of it, albeit valuable. Look at how the Chrome updater does update checks and you'll discover it uses some weird custom protocol which exists purely because at the time it was designed Google was in a massive LB CPU capacity crunch caused by turning on SSL for as many services as possible. Omaha controlled the client so had the flexibility to do cryptographic offload and was pushed to do so, to free up capacity for other services.
> What changed after Snowden was how Google encrypts traffic on its network, according to an article quoting you at the time.[5]
That also changed and did so at enormous speed, but I'm pretty sure by June 2013 most external traffic still didn't have TLS applied. It looks like Facebook started going all-SSL just 8 months before Snowden.
But otherwise you're totally right. I suspect the NSA got a nasty shock when the internal RPCs started becoming encrypted nearly overnight, just weeks after the "added and removed here" presentation. The fact that Google could roll out a change of that magnitude and at that speed, across the entire organization, would have been quite astonishing to them. And to think... all that work reverse engineering the internal protocols, burned in a matter of weeks.
It depends of the local cost of labor, also the technology is easier to scale, imagine New York City having employees at the bridges writing all the entering license plates! And searching through those records how many times a certain plate entered the city on a given time frame. To me the problem with technology is that they’re used for lazy policing to just inflate the numbers of solved cases. There were cases of cops feeding hand-drawn suspects to face recognition software. Every case becomes a “throw something to the wall and see what sticks”.
Edit: Here it is. Only 25% of YouTube's traffic was encrypted at the start of 2014. https://web.archive.org/web/20160802000052/https://youtube-e...
And then promptly moved most things behind cloudflare, which is MITMing everything, undoing the benefit of HTTPS.
Remember "SSL added and removed here!"? Now it happens at cloudflare.
Legitimately if an investigator put a hard drawn sketch through facial recognition and that was even remotely allowed into evidence by the court then the suspect evidence wasn't the issue
For the German context, and for the kind of CCTV I'm talking about, it makes no sense thou.
Tailnet lock helps mitigate this by requiring that node public keys are signed by a trusted signing node, but it isn't bulletproof.
https://github.com/iamcryptoki/snowden-archive/blob/master/d...
It's heavily redacted but the parts that are visible show they were targeting BigTable replication traffic (BTI_TabletServer RPCs) for "kansas-gaia" (Gaia is their account system), specifically the gaia_permission_whitelist table which was one of the tables used for the login risk analysis. You can see the string "last_logins" in the dump.
Note that the NSA didn't fully understand what they were looking at. They thought it was some sort of authentication or authorization RPC, but it wasn't.
In order to detect suspicious logins, e.g. from a new country or from an IP that's unlikely to be logging in to accounts, the datacenters processing logins needed to have a history of recent logins for every account. Before around 2011 they didn't have this - such data existed but only in logs processing clusters. To do real time analytics required the data to be replicated with low latency between clusters. The NSA were delighted by this because real-time IP address info tied to account names is exactly what they wanted. They didn't have it previously because a login was processed within a cluster, and user-to-cluster traffic was protected by SSL. After the authentication was done inter-cluster traffic related to a user was done using opaque IDs and tokens. I know all about this because I initiated and ran the anti-hijacking project there in about 2010.
The pie chart on slide 6 shows how valuable this traffic was to them. "Google Authorization, Security Question" and "gaia // permission_whitelist" (which are references to the same system) are their top target by far, followed by "no content" (presumably that means failed captures or something). The rest is some junk like indexing traffic that wouldn't have been useful to them.
Fortunately the BT replication traffic was easy to encrypt, as all the infrastructure was there already. It just needed a massive devops and capacity planning effort to get it turned on for everything.
Getting rid of First Past The Post voting in favor of something like Ranked Choice voting would allow people to vote 3rd party with no chance of a spoiler effect. This would introduce competition into the electoral process, improving the quality of candidates available to choose from. Even from within the current two mainstream political parties.
Like what? I'm saying both sides of the connection would be given the wrong public keys by the coordination server. The private keys of which would be held by a MITM.
I don't agree. NSA can hack/pressure smaller companies much easier than a giant like Apple.
That we are nothing in the ocean of people who don't care. Someone upended their entire life to whistleblow on the government doing it as hard proof and no one cares (from a statistical POV, not a "literally 100% of the population" way).
They cared more about the boston bombing the month prior, which while tragic is a statistical molecule compared to the impact of what Snowden revealed.
>There are plenty of people fighting back.
This can be a game of numbers, but it isn't. This can be a game of power, but it isn't. Not enough people are fighting back and not enough powerful people are fighting back.
>People care. People are tired. People feel defeated. These are different things
well it sounds like they gave up. Different words, samae results
Mail servers, sure. The big issue there is another annoying pseudo-monopoly issue where so many major email servers assume anything not from [major email server] is spam, so you may not even get to communicate properly. More sticks for the fire.
Scale. This isn't "supbpeona to get all of Bob's info", it's "subpeona to get information on all of the people's info tangentially related to bob". Imagine if this was as tangential as "who watched this video with 10m views"? is the YT history of 10m people worth it? Is it even useful?
The issue comes down to whether or not "Youtube" is a public place. All logistical terms point to "no", hence this story.
>your "privacy" was "violated" for sure but it was violated in a way that was legally allowed and by law enforcement at that.
That isn't how court orders work. They cannot make a single order to search an entire neighborhood's worth of houses because of drugs or whatever. That'd be N orders which may or may not go through based on the arguments made.
Society, please stop making it true.
>Most people are helpless to make change.
you get even 10,000 people to petition something to the government and you can get something rolling. This relatively moderate post probably had 10,000 views. You don't need to do much but you just got to get enough people to care enough to spend 10 minutes making a request. If they can't even do that much... well, they don't care.
This is the issue with an individualistic mindset, you hyperfocus on what immediately benefits you. Not the wider community around you which is needed for such petitioning.
Occasionally people have a vanity domain email that bounces back to me. I have to search the headers for the actual email address and re-send.
[0] Because, among other things, the whole "Surprise and Delight" doctrine demands internal controls and secret-keeping discipline not that far off from an actual intelligence agency
