2008-09-23

Snoop software makes surveillance a cinch

"THIS data allows investigators to identify suspects, examine their contacts, establish relationships between conspirators and place them in a specific location at a certain time."

So said the UK Home Office last week as it announced plans to give law-enforcement agencies, local councils and other public bodies access to the details of people's text messages, emails and internet activity. The move followed its announcement in May that it was considering creating a massive central database to store all this data, as a tool to help the security services tackle crime and terrorism.

Meanwhile in the US the FISA Amendments Act, which became law in July, allows the security services to intercept anyone's international phone calls and emails without a warrant for up to seven days. Governments around the world are developing increasingly sophisticated electronic surveillance methods in a bid to identify terrorist cells or spot criminal activity.

However, technology companies, in particular telecommunications firms and internet service providers, have often been criticised for assisting governments in what many see as unwarranted intrusion, most notably in China.

Now German electronics company Siemens has gone a step further, developing a complete "surveillance in a box" system called the Intelligence Platform, designed for security services in Europe and Asia. It has already sold the system to 60 countries.

According to a document obtained by New Scientist, the system integrates tasks typically done by separate surveillance teams or machines, pooling data from sources such as telephone calls, email and internet activity, bank transactions and insurance records. It then sorts through this mountain of information using software that Siemens dubs "intelligence modules".

This software is trained on a large number of sample documents to pick out items such as names, phone numbers and places from generic text. This means it can spot names or numbers that crop up alongside anyone already of interest to the authorities, and then catalogue any documents that contain such associates.

Once a person is being monitored, pattern-recognition software first identifies their typical behaviour, such as repeated calls to certain numbers over a period of a few months. The software can then identify any deviations from the norm and flag up unusual activities, such as transactions with a foreign bank, or contact with someone who is also under surveillance, so that analysts can take a closer look.

Included within the package is a phone call "monitoring centre", developed by the joint-venture company Nokia Siemens Networks.

However, it is far from clear whether the technology will prove accurate. Security experts warn that data-fusion technologies tend to produce a huge number of false positives, flagging up perfectly innocent people as suspicious.

"These systems tend to produce false positives, flagging up innocent people as suspicious"

"Combining two different sources of data has the tendency to increase your false-positive rate or your false-negative rate," says Ross Anderson, a computer security engineer at the University of Cambridge. "If you're looking for burglars in a run-down district where 50 per cent of men have a criminal conviction, you may find plenty. But if you're trying to find terrorists among airline passengers - where they are extremely rare - then almost all your hits will be false."

Computer security expert Bruce Schneier agrees. "Currently there are no good patterns available to recognise terrorists," he says, and questions whether Siemens has got around this.

Whatever the level of accuracy, human rights advocates are concerned that the system could give surveillance-hungry repressive regimes a ready-made means of monitoring their citizens. Carole Samdup of the organisation Rights and Democracy in Montreal, Canada, says the system bears a strong resemblance to the Chinese government's "Golden Shield" concept, a massive surveillance network encompassing internet and email monitoring as well as speech and facial-recognition technologies and closed-circuit TV cameras.

In 2001, Rights and Democracy raised concerns about the potential for governments to integrate huge information databases with real-time analysis to track the activities of individuals. "Now in 2008 these very characteristics are presented as value-added selling points in the company advertisement of its product," Samdup says.

In June, the PRISE consortium of security technology and human-rights experts, funded by the European Union (EU), submitted a report to the European Commission asking for a moratorium on the development of data-fusion technologies, referring explicitly to the Siemens Intelligence Platform.

"The efficiency and reliability of such tools is as yet unknown," says the report. "More surveillance does not necessarily lead to a higher level of societal security. Hence there must be a thorough examination of whether the resulting massive constraints on human rights are proportionate and justified."

Nokia Siemens says 90 of the systems are already being used around the world, although it hasn't specified which countries are using it. A spokesman for the company said, "We implement stringent safeguards to prevent misuse of such systems for unauthorised purposes. In all countries where we operate we do business strictly according to the Nokia Siemens Networks standard code of conduct and UN and EU export regulations."

Samdup argues that such systems should fall under government controls that are imposed on "dual-use" goods - systems that could be used both for civil and military purposes. Security technologies usually escape these controls. For example, the EU regulation on the export and transfer of dual-use technology does not include surveillance and intelligence technologies on the list of items that must be checked and authorised before they are exported to certain countries.

The problem is that surveillance technologies have developed so rapidly that they have outpaced developments in export controls, says Samdup. "In many cases politicians, policy-makers and human-rights organisations lack the technical expertise to adequately assess the impact that such technology could have when it is exported to repressive regimes."

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.