The emergence of a shadowy domestic espionage group sheds light on how the government collects online data
(updated below – with clarification/correction)
Forbes‘ technology writer Andy Greenberg reports that at the Defcon Security Conference yesterday, an individual named Chet Uber appeared with revelations about the case of accused WikiLeaks leaker Bradley Manning and government informant Adrian Lamo. These revelations are both remarkable in their own right and, more important, highlight some extremely significant, under-examined developments unrelated to that case. This is a somewhat complex story and it raises even more complex issues, but it is extremely worthwhile to examine.
Uber is the Executive Director of a highly secretive group called Project Vigilant, which, as Greenberg writes, “monitors the traffic of 12 regional Internet service providers” and “hands much of that information to federal agencies.” More on that in a minute. Uber revealed yesterday that Lamo, the hacker who turned in Manning to the federal government for allegedly confessing to being the WikiLeaks leaker, was a “volunteer analyst” for Project Vigilant; that it was Uber who directed Lamo to federal authorities to inform on Manning by using his contacts to put Lamo in touch with the “highest level people in the government” at “three letter agencies”; and, according to a Wired report this morning, it was Uber who strongly pressured Lamo to inform by telling him (falsely) that he’d likely be arrested if he failed to turn over to federal agents everything he received from Manning.
So, while Lamo has repeatedly denied (including in his interview with me) that he ever worked with federal authorities, it turns out that he was a “volunteer analyst” for an entity which collects private Internet data in order to process it and turn it over to the Federal Government. That makes the whole Manning case all the more strange: Manning not only abruptly contacted a disreputable hacker out of the blue and confessed to major crimes over the Interent, but the hacker he arbitrarily chose just happened to be an “analyst” for a group that monitors on a massive scale the private Internet activities of American citizens in order to inform on them to U.S. law enforcement agencies (on a side note, if you want to judge what Adrian Lamo is, watch him in this amazing BBC interview; I’ve never seen someone behave quite like him on television before).
In terms of what they mean for the Manning case, those revelations require a lot more analysis, but I want to focus on the much more important aspect of these revelations: namely, what Project Vigilant does as well as the booming private domestic espionage industry of which they are a part. There’s very little public information about this organization, but what they essentially are is some sort of vigilante group that collects vast amount of private data about the Internet activities of millions of citizens, processes that data into usable form, and then literally turns it over to the U.S. Government, claiming its motive is to help the Government detect Terrorists and other criminals. From the Forbes report:
According to Uber, one of Project Vigilant’s manifold methods for gathering intelligence includes collecting information from a dozen regional U.S. Internet service providers (ISPs). Uber declined to name those ISPs, but said that because the companies included a provision allowing them to share users’ Internet activities with third parties in their end user license agreements (EULAs), Vigilant was able to legally gather data from those Internet carriers and use it to craft reports for federal agencies. A Vigilant press release says that the organization tracks more than 250 million IP addresses a day and can “develop portfolios on any name, screen name or IP address.”
They’re tracking 250 million IP addresses a day, compiling dossiers, and then turning them over to federal agencies — with the ability to link that information to “any name.” As this June, 2010 article from the Examiner — one of the very few ever written about the group — put it:
Project Vigilant has been operating in near total secrecy for over a decade, monitoring potential domestic terrorist activity and tracking various criminal activities on the Web. In a series of exclusive interviews with some of the group’s leaders, it’s clear that the people doing this work are among the most sophisticated and experienced experts in today’s rapidly moving world of Internet security.
In case you doubt the seriousness of this group, consider the list of its officials, which includes Mark Rasch, who headed the DOJ’s Internet Crime Unit for 9 years; Kevin Manson, a retired Homeland Security official; George Johnson, who “develop[ed] secure tools for the exchange of sensitive information between federal agencies” for the Pentagon; Ira Winkler, a former NSA official; and Suzanne Gorman, former security chief of the New York Stock Exchange. These are people with extensive, sophisticated expertise in compiling highly invasive data about individuals’ Internet activities, and more so — given their background — how to package it in a way that can be used by federal agencies.
* * * * *
Project Vigilant is but one manifestation of a booming and unaccountable industry: groups which collect vast amounts of highly informative data about American citizens — particularly their Internet activities — and then sell it or otherwise furnish it to the U.S. Government. A separate Examiner article described how Project Vigilant is funded by BBHC Global, a highly secretive ”information security firm” — see if you can find any information about it — whose Managing Director, Steven Ruhe, drapes himself in the same creepy, vigilante-patriot language as the group which he funds:
In the fight against terror, the U.S needs all the help it can get, even if that assistance comes from unpaid volunteers. For the past 14 years, a significant volunteer group of U.S. citizens has been operating in near total secrecy to monitor and report illegal or potentially harmful activity on the Web.
Flying “under the radar” and carefully discouraging any press coverage that focused on the group, Project Vigilant has quietly operated in the eddies and whirlpools of Internet research, feeding tips and warnings to federal, state and military agencies. The group claims over 500 current members, although their names and identities are still mostly secret. Their members comprise some of the most knowledgeable experts in the field of information security today and include current employees of the U.S. government, law enforcement and the military. . . .
The group’s collaboration with the U.S. Government is handled through another highly secure web portal which supports protected email, chat and other features.
Project Vigilant is funded by BBHC Global, an information security firm based in the Midwest, and private donations. Uber’s boss is Steven Ruhe, the Managing Member of BBHC Global. “I’ve always been a small town guy with big dreams,” said Ruhe who was born and raised in Nebraska and sells Amway products on the side. “This work is for a really good cause.”
Project Vigilant is organized and run on a structure not unlike that of the military. Uber himself will serve only two more years in his “tour of duty” as the Project’s Director and then another member will take his place.
“This is the most rewarding thing I’ve ever done in my life,” said Uber. “I’m helping keep our country safer.”
Uber told Computer World that he decided to divulge his group’s role in directing Lamo to turn into an informant because he thought that Lamo’s patriotic act was being unfairly disparaged.
What’s really going on here is that the ability to construct dossiers on citizens’ Internet activities has increased dramatically over the last several years, as increasing parts of citizens’ private lives take place online. Put another way — and this isn’t news — online privacy has all but evaporated. Virtually every step anyone takes online — from the websites they visit to the transactions they engage in — are not only now stored and tracked by multiple companies, but are then compiled and made available to a wide variety of groups. As a Wall St. Journal article from this weekend documents, the original impetus for this comprehensive tracking was a commercial one: the more websites and advertisers know about you, the more they can make use of that knowledge, from auctioning you to various advertisers, selling the data about you, and catering messages and ads to your profile. As the ACLU’s long-time privacy expert Chris Calabrese told me this morning, “virtually every step you take online is now tracked by numerous mechanisms and instantly processed.”
But it’s the re-packaging and transfer of this data to the U.S. Government — combined with the ability to link it not only to your online identity (IP address), but also your offline identity (name) — that has made this industry particularly pernicious. There are serious obstacles that impede the Government’s ability to create these electronic dossiers themselves. It requires both huge resources and expertise. Various statutes enacted in the mid-1970s — such as the Privacy Act of 1974 — impose transparency requirements and other forms of accountability on programs whereby the Government collects data on citizens. And the fact that much of the data about you ends up in the hands of private corporations can create further obstacles, because the tools which the Government has to compel private companies to turn over this information is limited (the fact that the FBI is sometimes unable to obtain your “transactional” Internet data without a court order — i.e., whom you email, who emails you, what Google searches you enter, and what websites you visit –is what has caused the Obama administration to demand that Congress amend the Patriot Act to vest them with the power to obtain all of that with no judicial supervision).
But the emergence of a private market that sells this data to the Government (or, in the case of Project Vigilance, is funded in order to hand it over voluntarily) has eliminated those obstacles. As a result, the Government is able to circumvent the legal and logistical restrictions on maintaining vast dossiers on citizens, and is doing exactly that. While advertisers really only care about your online profile (IP address) in order to assess what you do and who you are, the Government wants your online activities linked to your actual name and other identifying information. As Calabrese put it: “it’s becoming incredibly easy for these companies to link your IP information to who you really are, by, for example, tracing it to your Facebook page or other footprints you leave with your identifying information.” As but one example, The Washington Post recently began automatically linking any visitors — without their knowledge or consent — to their logged-in Facebook page. The information turned over to the Government is now easily linkable — and usually linked — to the citizens’ actual identity.
An incredibly prescient 2004 Report from the ACLU documented the flourishing problem back then. This was its title:
The Report documents how two early Bush era surveillance programs were killed by Congress for overreaching: one — the Total Information Awareness project from John Poindexter — which would have data mined virtually all online data to detect individuals of interest to the Government, and a second — the Terrorism Information and Prevention System (TIPS) — which was designed to recruit 1 million private citizens to inform the Government of suspicious acts. But as the ACLU Report warned, both projects ended up being developed in alternative forms. Indeed, a wide array of government agencies have created countless programs to encourage and formally train various private workers (such as cable installers, utilities workers and others who enter people’s homes) to act as government informants and report any “suspicious” activity; see one example here. Meanwhile, TIA has been replicated, and even surpassed, as a result of private industries’ willingness to do the snooping work on American citizens which the Government cannot do.
Oftentimes, private corporations simply turn over whatever information the Government requests even in the absence of legal compulsion. They do so due to a variety of motives: an eagerness to build profitable relationships with the Government, fear of regulatory or legal reprisals if they resist, or a belief that they are being patriotic. Numerous large corporations, such as airlines, have been caught voluntarily turning over to the Government vast amounts of invasive information about their passengers. And, of course, the illegal Bush NSA spying program was accomplished by the voluntary (though highly profitable) participation by most of the telecom industry, which literally turned over unfettered access to the Government to their customers’ calling and Internet records and even communication content.
But it’s the emergence of a private market for this data — whereby the Government pays corporations to collect, process and then furnish it — that has vastly elevated the Government’s ability to collect such data about citizens. As the ACLU Report put it, this arrangement provides the best of all worlds for the Government and the worst for citizens:
The use of private-sector data aggregators allows the government to insulate surveillance and information-handling practices from privacy laws or public scrutiny. That is sometimes an important motivation in outsourced surveillance. Private companies are free not only from complying with the Privacy Act, but from other checks and balances, such as the Freedom of Information Act. They are also insulated from oversight by Congress and are not subject to civil-service laws designed to ensure that government policymakers are not influenced by partisan politics. . . .
In light of this, it’s not surprising that — just as is true for all of their surveillance activities — government officials have been actively developing ways to recruit private corporations into spying on American citizens for them. The FBI created a particularly creepy program — called InfraGard — in which 23,000 companies (including most of the Fortune 500) are in an information-sharing program with federal law enforcement agencies. From the ACLU Report:
The program has more than 10,000 members organized into 79 local chapters; the list of participating companies is kept secret. Members wishing to participate fully must undergo a security check and obtain clearance by the FBI. The Cleveland Plain Dealer described it as a “a vast informal network of powerful friends,” a “giant group of tipsters” created by the FBI under a “philosophy of quietly working with corporate America” in order to “funnel security alerts away from the public eye and receive tips on possible illegal activity.”
But there is evidence that InfraGard may be closer to a corporate TIPS program, turning private-sector corporations — some of which may be in a position to observe the activities of millions of individual customers — into surrogate eyes and ears for the FBI. . . .
There is a long and unfortunate history of cooperation between government security agencies and powerful corporations to deprive individuals of their privacy and other civil liberties, and any program that institutionalizes close, secretive ties between such organizations raises serious questions about the scope of its activities, now and in the future.
Another option open to government agencies seeking information on individuals is to simply purchase it on the open market. As private-sector information-gathering has exploded in recent years, so has the amount of data that is now available to the government (and any other customer) willing to pay the price. Although government information-purchasing was once a minor matter, the explosion of private-sector data collection has begun to significantly undermine the laws meant to protect Americans from government snooping.
Just to bring us full circle: Chet Uber, the Executive Director of Project Vigilant, was one of the founding members of InfraGard (and again: how incredibly lucky for the U.S. Government that the alleged WikiLeaks leaker, sitting in Iraq, just happened to pick one of Uber’s underlings as the total stranger to whom he allegedly confessed his grave National Security crimes).
* * * * *
It’s really beyond dispute that one has virtually no privacy from the Government. That’s not just true in theory, but in practice, as the Government seriously escalates the various ways it maintains dossiers on citizens. Many privacy advocates have long taken some comfort in the fact that this data is too vast for the Government to figure out how to use, but with the aid of private industry and these strangely well-funded and sophisticated groups, there are clearly efforts to make this snooping far more useful and manageable.
Many people are indifferent to the disappearance of privacy — even with regard to government officials — because they don’t perceive any real value to it. The ways in which the loss of privacy destroys a society are somewhat abstract and difficult to articulate, though very real. A society in which people know they are constantly being monitored is one that breeds conformism and submission, and which squashes innovation, deviation, and real dissent.
The old cliché is often mocked though basically true: there’s no reason to worry about surveillance if you have nothing to hide. That mindset creates the incentive to be as compliant and inconspicuous as possible: those who think that way decide it’s in their best interests to provide authorities with as little reason as possible to care about them. That’s accomplished by never stepping out of line. Those willing to live their lives that way will be indifferent to the loss of privacy because they feel that they lose nothing from it. Above all else, that’s what a Surveillance State does: it breeds fear of doing anything out of the ordinary by creating a class of meek citizens who know they are being constantly watched.
But even those who think that way should appreciate the real importance of these developments. Consider the rage that has been directed over the last week toward WikiLeaks. They are predictably accused of being America’s Enemy, in alliance with Al Qaeda, a Terrorist group, etc. etc. One of their volunteers — U.S. citizen Jacob Appelbaum — was detained for three hours at the airport yesterday when re-entering the country from a foreign trip, denied access to a lawyer, had his cellphones seized and his laptop searched, and was told he’d likely be subjected to this treatment every time he left the U.S. and tried to re-enter. Why has WikiLeaks provoked such animosity? Because they committed the gravest sin: they breached the Absolute Wall of Secrecy behind which our Government, and its private National Security and Surveillance State partners, operate. That’s why WikiLeaks is so despised, deemed such a threat: because they are undermining in very modest ways the absolute secrecy of these power factions, and many citizens have been trained to believe in the justifiability of that pervasive secrecy as well.
But while these factions demand total secrecy for their actions, they simultaneously demand that you have none for yours. They want to know everything about what you do — and are knowing all of that — while you know nothing about what they do. The loss of privacy is entirely one-way. Government and corporate authorities have destroyed most vestiges of privacy for you, while ensuring that they have more and more for themselves. The extent to which you’re monitored grows in direct proportion to the secrecy with which they operate. Sir Francis Bacon’s now platitudinous observation that “knowledge itself is power” is as true as ever. That’s why this severe and always-growing imbalance is so dangerous, even to those who are otherwise content to have themselves subjected to constant monitoring.
UPDATE: For an important correction and clarification about Project Vigilant, see here.