NEW DELHI :In July 2015, when WikiLeaks published internal email records of Hacking Team, an Italian surveillance vendor, it gave a rare peek into the shopping basket of Indias intelligence agencies. One agency wanted to infect the mobile phones or SIM cards of all the subscribers in sensitive areas to continuously track their location with high accuracy", another was looking for a one-click solution to infect any type of platforms, models, etc. by just sending an SMS, without knowing any background about his target (sic)".
The agencies were enquiring about the Remote Control System (RCS), Hacking Teams flagship surveillance product. It is sold exclusively to intelligence and law enforcement agencies, and is designed to remotely monitor targets: it could copy files, record Skype calls, read emails and instant messages, capture typed passwords, and turn on a devices webcam and microphone to spy on the user.
Emails reviewed by Mint show that a multitude of Indian agencies were secretly negotiatingeither directly but mostly through a third-party contractorwith the Italian firm. It is, however, unclear whether the deals went through or not.
The spying features of RCS are strikingly similar to recent revelations about Pegasus, the spyware built by Israeli cybersecurity company NSO Group that targeted WhatsApp users and facilitated the complete takeover of the device to capture all its activity. Facebook-owned WhatsApp sued the company for installing surveillance malware on the phones of 1,400 users across four continents, including at least two dozen Indians activists, journalists, lawyers and academics.
Like Hacking Team, NSO Group claims it only sells software to government authorities. While the Indian government hasnt acknowledged any transaction with NSO Group, the 2015 email dump suggests this is standard practice. The agencies have been asking around for products that allow for intercepting WhatsApp messages since at least 2016," a senior security researcher who works closely with Indian intelligence agencies told Mint on condition of anonymity.
The WhatsApp hack has once again brought to light the concerns over surveillance abuse in India. The debate is often framed as a trade-off between user privacy and national security. Officials say there are processes in place to check misuse of power, but as the WhatsApp episode highlights, its not just suspected terrorists but civil rights activists who are often at the receiving end of intrusive state surveillance.
Actually, what we know about the surveillance regime in India is just the tip of the iceberg. Even without the deployment of expensive solutions like Pegasus to hack into your device, the government has ample sources to learn about your whereabouts from the data trails you leave behind. Heres how you can try to stay ahead of the snooping game.
Fallacies about encryption
Traditionally, surveillance is imagined as law enforcement listening to telephonic conversations or reading text messages of targets. In the cyber age, this extends to internet traffic: the state wants similar capabilities for digital communication including emails, instant messaging and VoIP calls (like Skype).
Here, encryption protects your information. Through publicly known mathematical algorithms, computer programs can turn a plain text (I will meet you at Punjabi Bagh, 8pm") into a cipher text through a special key. Only those having access to the key can decrypt the information to infer the meaning; for the rest its gibberish. WhatsApp for instance is end-to-end encrypted, meaning only the sender and receiver can read the content.
Thats why the Indian government wants WhatsApp to trace the origin of a message flagged as unlawful by law enforcement, a demand the American company says it cant deliver as WhatsApp itself doesnt have access to the special key to decrypt the information.
Encryption is important, and it provides some degree of protection from mass surveillance. But its not the end of the game: a malware attack on your mobile phone can take control of your device and will make your communications naked to the attackers eyes.
The power of malware
Imagine a castle with hundreds of doors. Dozens of security guards are deployed at every gate to protect the fort. You are sure no one can enter the castle. But one small entrance in an obscure corner is unknown and unprotected. The opponent, however, discovers it first and uses the route to enter the castle, breaching security.
In cybersecurity parlance, if the castle is your device or software, that unknown gate is a zero-day vulnerability", meaning you have zero days to protect your system if the attacker knows about a vulnerabilitya security weakness unintentionally designed in a piece of softwarebefore you do. This is exactly what happened in the case of the latest hack. Pegasus exploited an unknown security vulnerability to remotely instal spyware on the targets device.
Zero-day exploits are traded in the market. Many companies have bug bounty programs" where security experts are paid to report bugs in their products, a smart way to outsource security. Attackers have many ways to infect the target vulnerabilities with malware. First, sending infected PDF files or images sent as email attachments: if downloaded and opened, you inadvertently infect your own computer. Most of these are well-targeted campaigns to make the content look appealing enough for you to trust.
Then, just visiting a compromised Web page could instal dangerous software on your device, without you downloading any attachment or giving additional permission. Victims may come across such links through social media posts or email links. This attack usually takes advantage of a security flaw in the Web browser and aims to auto-run the exploit code to take over the device.
As a special case of this attack, a set of niche but popular websites that a target group regularly visits are infected with malware. When users visit the website next time, it is ready to infect the target group with malware. In September, TechCrunch reported that a number of malicious websites used to hack into iPhones over a two-year period were targeting Uyghur Muslims", most of whom live in Chinas Xinjiang state.
How do you protect yourself from malware attacks? If an attacker gets hold of a zero-day, you barely have any option. But as a precaution, you should ensure you use the latest version of the software. Outdated software is like a castle with open doors known to everyone but without any guards. Still, most people dont: According to the latest data from analytics firm StatCounter, only 33% of Indian smartphones are running the latest version of Android.
Moreover, cheaper smartphones, which ship with their own customized version of the Android operating system, are late to ship updates, leaving their users vulnerable to known attacks (See graphic for more ways to counter snooping).
M stands for metadata
Most people imagine government surveillance in terms of content: tapping phone calls to listen to conversations, ability to read the complete text of emails and messages. But more is happening under the hood: even without knowing the details of content, a lot can be inferred about ones whereabouts.
Just by the act of using a service, be it making a call or browsing the internet, we leave a valuable trail of data with telecom companies and internet service providers (ISPs): it includes call detail records (whom did you speak with, when and for how long), the location and IMEI number (which uniquely identifies a wireless phone or device) of both the caller and recipient, and the Web browsing history.
This is called metadata", everything except the content of the communication, and can be far more revelatory than most people imagine. Connect the dots and it provides an intimate lens into a persons life.
Sample what companies and governments can infer from metadata: they know you called a phone sex line in the night but dont know what you talked about; they know the people you speak with every day, once in a month or once in a year, revealing your close and distant contacts; they know you called a suicide prevention hotline but the topic is not known; they know if an informant is repeatedly talking to a human rights activist or journalist, but dont know what is being revealed; they know a girl called a gynaecologist, spoke for a half hour, then called a man whom she often speaks with late in the night, and then called the local abortion clinics number later that day; they know the websites you visit and time you spend looking at the content (no, incognito mode doesnt protect you from the eyes of the ISP).
The contents of calls are far more difficult to analyze in an automated fashion due to their unstructured nature," Edward Felten, a professor of computer science and public affairs at Princeton, explained in an affidavit filed by American Civil Liberties Union challenging the legality of the National Security Agencys mass collection of Americans phone records. A groups metadata can reveal intricacies of social, political, and religious associations," he wrote, adding: Given limited analytical resources, analyzing metadata is often a far more powerful analytical strategy than investigating content."
Location, location, location
Moreover, mobile phones are perennially giving away our location to the telecom companies through the signals they broadcast. By observing the signal strength that different towers receive from a particular subscribers mobile phone, operators can calculate where that phone must be located.
Location tracking is more than just knowing where you are at a given point in time: it could be used to try to find out whether certain people are in a romantic relationship, to find out who attended a particular meeting or who was at a particular protest, or to try and identify a journalists confidential source", the Electronic Frontier Foundation explained in a blog post.
In India, telecom licences require operators to provide direct access to all communication data and content to authorities even without a warrant. In 2009, the government announced it was building a Central Monitoring System that will provide it centralized access to the countrys telecommunications network and facilitate direct monitoring of phone calls, text messages, and Internet use by government agencies, bypassing service providers", the Human Rights Watch noted in 2013.
There is not much you can do to protect metadata surveillance, especially for calling and location tracking data. You can use a VPN (virtual private network) service to protect your browsing activity from the ISP or Tor browser for anonymous browsing, but both have their limitations.
The lack of law
The general saying that the law lags technological innovation by at least a generation does not apply to India. The country has no laws governing mass surveillance. For targeted interception, there are two main Acts governing the legal provisions for surveillance in India. First, the Indian Telegraph Act, 1885, which allows for the interception of telephonic calls and messages. Second, the Information Technology (IT) Act, 2000, which has provisions to intercept digital information including data stored on a computer, internet traffic and other data flows.
There is one key difference between the two Acts: The grounds under the IT Act are wider and lack some of the safeguards under the Indian Telegraph Act. Under the latter, there should be a condition of a public emergency" or interest of public safety" for intercepting the information. There is no such requirement under the IT Act, which makes it more powerful.
As India heads towards framing laws to protect user data and privacy, it remains to be seen if the state will curb its own powers of illegitimate surveillance to snoop on its citizens.
In conclusion
The truth is, cyberspace warfare is asymmetrically skewed towards the attacker, who needs to take advantage of just one weakness to exploit you. Defenders need to protect everything.
Which is why, when framing a digital security plan, it is not useful to ask a question like whether X technology is safe or not". Merely using Signal (a highly recommended encrypted instant messaging app) or Tor (that allows anonymous Web browsing) is not the solution. The recommended approach is to define what you are protecting, from whom, how much convenience you are willing to trade-off and then take specific security steps for clearly defined goals.
By adopting best practices to be secure online and following a plan, you can make it difficult for anyone to spy on you. But in the extreme case, if a nation-state really wants to target you, it probably can: your efforts will introduce roadblocks, make it financially more expensive to snoop on you, but nothing can offer a guarantee of complete privacy.
Samarth Bansal is a freelance journalist based in Delhi. He writes about technology, politics and policy.
Read the original post:
Smart users guide to the snooping game - Livemint
- Tor Browser Bundle - Free download and software reviews ... [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- Tor - Official Site [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- Tor Browser (M-S0FT) - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- Downloading torrents in utorrent using tor browser - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Tor Browser installieren [Tutorial deutsch] - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- TOR BROWSER KURULUM+KULLANIM - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- tor browser descargar e instalar - Video [Last Updated On: May 2nd, 2014] [Originally Added On: May 2nd, 2014]
- Entering the Deep Web-Deep Web Url link (2014) - Video [Last Updated On: May 6th, 2014] [Originally Added On: May 6th, 2014]
- Red Onion Tor Browser for iPhone - Video [Last Updated On: May 10th, 2014] [Originally Added On: May 10th, 2014]
- working referral link to agora hidden market place -new url ( onion site ) - Video [Last Updated On: May 13th, 2014] [Originally Added On: May 13th, 2014]
- how to install TOR Browser On LINUX - Video [Last Updated On: May 17th, 2014] [Originally Added On: May 17th, 2014]
- Tor Browser Free Download/Install|Free Latest Version|64/32 bit Windows|2014 - Video [Last Updated On: May 17th, 2014] [Originally Added On: May 17th, 2014]
- How to Install the New Tor Browser in Kali Linux - Video [Last Updated On: May 19th, 2014] [Originally Added On: May 19th, 2014]
- Grams Darknet black market search engine demo - Video [Last Updated On: May 19th, 2014] [Originally Added On: May 19th, 2014]
- How to download and use Tor browser [4K] - Video [Last Updated On: May 20th, 2014] [Originally Added On: May 20th, 2014]
- Free App Lets the Next Snowden Send Big Files Securely and Anonymously [Last Updated On: May 22nd, 2014] [Originally Added On: May 22nd, 2014]
- How to get free 7 day trials for XBL works as of May 2014 - Video [Last Updated On: May 24th, 2014] [Originally Added On: May 24th, 2014]
- Free Access to Deep Web (HIdden Wikki)(Tor Browser)-free 2014 - Video [Last Updated On: May 27th, 2014] [Originally Added On: May 27th, 2014]
- Cybersecurity official uses Tor but still gets caught with child porn [Last Updated On: September 1st, 2014] [Originally Added On: September 1st, 2014]
- Federal Cybersecurity Director Found Guilty on Child Porn Charges [Last Updated On: September 1st, 2014] [Originally Added On: September 1st, 2014]
- Browse Anonymously, Browse Safely - The App Center [Last Updated On: September 1st, 2014] [Originally Added On: September 1st, 2014]
- Tor Browser for iOS - Free download and software reviews ... [Last Updated On: September 1st, 2014] [Originally Added On: September 1st, 2014]
- Softonic - Tor Browser - Download [Last Updated On: September 1st, 2014] [Originally Added On: September 1st, 2014]
- Review: Tor Browser Bundle lets you browse in anonymity ... [Last Updated On: September 1st, 2014] [Originally Added On: September 1st, 2014]
- Guide to using the Tor Browser Bundle for secure communication - Video [Last Updated On: September 1st, 2014] [Originally Added On: September 1st, 2014]
- What is the Tor Browser? - Tor Project: Anonymity Online [Last Updated On: September 1st, 2014] [Originally Added On: September 1st, 2014]
- Tor Browser - Problem Connecting? [Last Updated On: September 1st, 2014] [Originally Added On: September 1st, 2014]
- Hack-Bypass Hotspot (Mikrotik) With Tor Browser - Video [Last Updated On: September 4th, 2014] [Originally Added On: September 4th, 2014]
- Using tor-browser on ubuntu 14.04 LTS - Video [Last Updated On: September 7th, 2014] [Originally Added On: September 7th, 2014]
- Download Tor Browser Bundle 3 6 5 For Win, Mac, Linux - Video [Last Updated On: September 8th, 2014] [Originally Added On: September 8th, 2014]
- Tor browser NOT SAFE without this quick step - Video [Last Updated On: September 12th, 2014] [Originally Added On: September 12th, 2014]
- Why a thinly sourced, unverified report about Comcast has the Web in an uproar [Last Updated On: September 16th, 2014] [Originally Added On: September 16th, 2014]
- Comcast Denies It Will Cut Off Customers Who Use Tor, The Web Browser For Criminals (CMCSA) [Last Updated On: September 16th, 2014] [Originally Added On: September 16th, 2014]
- Comcast calls rumor that it disconnects Tor users wildly inaccurate [Last Updated On: September 16th, 2014] [Originally Added On: September 16th, 2014]
- Guns, drugs and freedom: the great dark net debate [Last Updated On: September 18th, 2014] [Originally Added On: September 18th, 2014]
- How to instal Tor Browser - Video [Last Updated On: September 20th, 2014] [Originally Added On: September 20th, 2014]
- How to use the Tor Browser to surf the web anonymously [Last Updated On: September 23rd, 2014] [Originally Added On: September 23rd, 2014]
- Download and Install Tor Browser Bundle - Video [Last Updated On: September 24th, 2014] [Originally Added On: September 24th, 2014]
- TOR Browser: Safe to use 2014? - Yahoo Answers [Last Updated On: September 25th, 2014] [Originally Added On: September 25th, 2014]
- install tor browser for kali linux 1.0.9 - Video [Last Updated On: September 26th, 2014] [Originally Added On: September 26th, 2014]
- Alex Jones Interviews Creator of TOR Browser- Infowars September 2014 - Video [Last Updated On: September 29th, 2014] [Originally Added On: September 29th, 2014]
- Dreaming of a Tor Button for Firefox [Last Updated On: September 30th, 2014] [Originally Added On: September 30th, 2014]
- Tor Executive Director Hints At Firefox Integration [Last Updated On: September 30th, 2014] [Originally Added On: September 30th, 2014]
- Install tor browser on kali linux - Video [Last Updated On: September 30th, 2014] [Originally Added On: September 30th, 2014]
- How to install TOR browser bundle on sparkylinux 32bit - Video [Last Updated On: October 1st, 2014] [Originally Added On: October 1st, 2014]
- Firefox could be adding built-in Tor support for improved private browsing [Last Updated On: October 2nd, 2014] [Originally Added On: October 2nd, 2014]
- Download Tor Browser Windows 3.6 Keygen Crack [No Survey] - Video [Last Updated On: October 2nd, 2014] [Originally Added On: October 2nd, 2014]
- Tor Browser Bundle: Download & Start - Tutorial deutsch - Video [Last Updated On: October 4th, 2014] [Originally Added On: October 4th, 2014]
- Morsay Enqute exclusif les combats de Rue - Video [Last Updated On: October 5th, 2014] [Originally Added On: October 5th, 2014]
- With This Tiny Box, You Can Anonymize Everything You Do Online [Last Updated On: October 13th, 2014] [Originally Added On: October 13th, 2014]
- Tor Browser Cheat TankPit - Video [Last Updated On: October 13th, 2014] [Originally Added On: October 13th, 2014]
- Anonabox plug-and-pay router wants to bring Tor to the masses [Last Updated On: October 15th, 2014] [Originally Added On: October 15th, 2014]
- Anonabox Promises Total Online Anonymity That's Easy, Open Source, and Cheap [Last Updated On: October 15th, 2014] [Originally Added On: October 15th, 2014]
- Investors flock to tiny device that promises online anonymity [Last Updated On: October 16th, 2014] [Originally Added On: October 16th, 2014]
- This tiny box anonymises all your online actions [Last Updated On: October 16th, 2014] [Originally Added On: October 16th, 2014]
- How to run all your Internet's programs thru Tor Browser - Video [Last Updated On: October 16th, 2014] [Originally Added On: October 16th, 2014]
- Tails 1.2 : Released with Tor Browser 4.0 - Video [Last Updated On: October 21st, 2014] [Originally Added On: October 21st, 2014]
- Tor Browser Windows 3.6 Crack Download Free / Download No Survey 2014 - Video [Last Updated On: October 21st, 2014] [Originally Added On: October 21st, 2014]
- How to Use the Tor Browser Bundle - Video [Last Updated On: October 22nd, 2014] [Originally Added On: October 22nd, 2014]
- Access Blocked site using Tor Browser and chrome [2014] - Video [Last Updated On: October 26th, 2014] [Originally Added On: October 26th, 2014]
- Be Anonymous Online : TOR Browser - Video [Last Updated On: October 26th, 2014] [Originally Added On: October 26th, 2014]
- Tor Browser 4.0 is released | The Tor Blog [Last Updated On: October 27th, 2014] [Originally Added On: October 27th, 2014]
- Menggunakan TOR Browser - Video [Last Updated On: October 29th, 2014] [Originally Added On: October 29th, 2014]
- How to install and run TOR browser on Kali Linux - Video [Last Updated On: October 30th, 2014] [Originally Added On: October 30th, 2014]
- How to install and use the Tor browser in windows... - Video [Last Updated On: October 30th, 2014] [Originally Added On: October 30th, 2014]
- Setup Tor Browser on Mac OS 10 - Video [Last Updated On: October 31st, 2014] [Originally Added On: October 31st, 2014]
- Facebook Just Created a Custom Tor Link and That's Awesome [Last Updated On: November 1st, 2014] [Originally Added On: November 1st, 2014]
- How to Use Deep Web Using Tor Browser - Video [Last Updated On: November 1st, 2014] [Originally Added On: November 1st, 2014]
- Facebook opens up to Tor users with new secure .onion address [Last Updated On: November 1st, 2014] [Originally Added On: November 1st, 2014]
- How to use the Tor browser and the Open PGP applet - Video [Last Updated On: November 1st, 2014] [Originally Added On: November 1st, 2014]
- tor browser [MEDIAFIRE][NO SURVEY] - Video [Last Updated On: November 1st, 2014] [Originally Added On: November 1st, 2014]
- Facebookcorewwwi.onion ( Preview ) - Video [Last Updated On: November 2nd, 2014] [Originally Added On: November 2nd, 2014]
- How to use Tor for Facebook (Windows, Mac & Linux) [Last Updated On: November 4th, 2014] [Originally Added On: November 4th, 2014]
- Tor Browser Bundle - Secure your Web surfing - [Free Download] - Video [Last Updated On: November 5th, 2014] [Originally Added On: November 5th, 2014]
- The Law Scores a Victory Against Dark Net Denizens [Last Updated On: November 8th, 2014] [Originally Added On: November 8th, 2014]
- Tor Browser New 4 - Video [Last Updated On: November 9th, 2014] [Originally Added On: November 9th, 2014]
- How to (Install- Enable) Flash Player on Tor Browser - Video [Last Updated On: November 9th, 2014] [Originally Added On: November 9th, 2014]
- Tor Browser New 2 - Video [Last Updated On: November 9th, 2014] [Originally Added On: November 9th, 2014]
- Tor Browser New 1 - Video [Last Updated On: November 9th, 2014] [Originally Added On: November 9th, 2014]
- Developer edition and privacy are Firefoxs 10th birthday present for the world [Last Updated On: November 10th, 2014] [Originally Added On: November 10th, 2014]