27 June 2006

Monitoring your interests c/o The Justice Department

My thanks to Lastango at Dailypundit for posting this article and this previous on the topic of the Justice Department requiring Internet Service Providers to keep track of what the Citizenry does on the Internet. Now, being such an astute organization, they have actually realized that various nefarious individuals actually do this thing called *using the internet to exchange information and files*... remotely! That's right, the actual paper mail message and the dumpster-diving to find information is no longer the best way to find out what is going on in messages between individuals. And so the Justice Department realizes that it must do something.... and since this internet-thingy goes around the entire world, why, almost anything could be flooding electronically onto Our Shores.

Why, with so much going on the entire Nation is at risk! So that means that the entire Citizenry *must* be monitored, as you just never know who is doing what and what that nice lady two floors down with the cute dog is looking at on the internet! Society is at risk and so all of society must be observed, yes?

That is, apparently, the attitude of the Justice Department on how to go about finding criminals that also use the internet. And, thus, this MSNBC article on this is a bit on the chilling side to anyone who actually believes in freedom of expression and the free-flow of ideas. Let's take a gander at what is going on:

> Five leading online service providers will jointly build a database of child-pornography images and develop other tools to help network operators and law enforcement better prevent distribution of the images.

Ok, they are going to get images that are a crime to distribute for money but, by all accounts, not to actually have in one's possession. That is, there is a for-cost criminal liability for dealing in such things, but if given away freely, then there can be no instance of 'commerce'. So, these five firms want a dirty picture library of child pornography.... just a quick question.... how safe will this be from hackers? I mean, picture this... the entire library is kept online at a secure site so that its images may be used via various groups to see if someone is dealing in child porn or just exchanging pictures of children from the family photo album. So, beyond the fact that there is a presumption of innocence in such transfers, what happens when the security safeguards of this system are thwarted and the images are transferred to, say, an off-shore mirror site or sites in Nations not having much in the way of child porn laws or Internet law enforcement? Why, these five companies will have done us a great service by collecting all of this material together for *free* distribution, thus taking the monetary incentive out of the entire thing! Such swell folks!

Let us continue:

> The companies pledged $1 million among them Tuesday to set up a technology coalition as part of the National Center for Missing and Exploited Children. They aim to create the database by year's end, though many details remain unsettled.

Now $1M these days doesn't get you much in the way of looking at damned near anything. And for the proposed system this might just be an engineer or two looking at the problem and saying if it is within the scope of what is possible given the state of the internet today. Figure that is good for 3 engineers having two meetings and a bit of 'fact finding' in the Bahamas for those meetings. Don't forget the secretary to take notes!

And just which companies are doing this? Well here they are:

> The participating companies are Time Warner Inc.'s AOL, Yahoo Inc., Microsoft Corp., EarthLink Inc. and United Online Inc., the company behind NetZero and Juno.

Time to ditch that AOHELL account, and maybe get some nice encryption add-ons to your Instant Messaging. I hear that there are various Open Source pieces of software to do just that. As to what to say to these companies: Go To Hell. I plan on moving soon, and getting a nice company that will respect my privacy and only yield up information about me for this little thing known as a "Search Warrant". You might want to do the same, too.

Ah, now how will these folks find out about what sort of images you are looking at? Read on from later in the article:

> Plans call for the missing children's center to collect known child-porn images and create a unique mathematical signature for each one based on a common formula. Each participating company would scan its users' images for matches.

Oooooo! Sounds scary, doesn't it? 'Unique digital signature' for each image! Now you are hitting in my territory, as I used to work in a related field of how to ensure that images could not be ripped off and all sorts of watermarks and such removed and still have a visually viable image. After over 3 years of looking I can say that the only way to do so is in a 'closed loop' system with proprietary image types and limited forms of software so that licensing schema must be built into the system and the images. Unfortunately, that sort of thing disappears after the first screen capture.

In the age of Photoshop and adjusting hue, color, contrast balance and suchlike, there is no way to make a 'unique digital signature' for any image at any scale that will be valid across all possible uses of that image and all methods of encoding it. A bit more on this topic since it is a fun hobby horse to ride, for all the bouncing it does. Let's say you take a standard raster image off the net... a JPEG say. Now, JPEG is a nice international standard for lossy transport of images. There are encoding schema within JPEG for loss-less encoding, but those are mostly used for commercial purposes so that accurate color rendition is kept with a good encoding schema to ensure that there is, indeed, no loss of image tonality, sharpness and so on due to the compression schema. There are, indeed, lossless compression schema available for compression, but they do not save much file space, and so are limited in their use. Being lossy, most JPEG images are compressed with a degradation of some tonality and sharpness but are still 'visually' appealing. Zoom into any JPEG image using an image viewer, say Irfanview, and you will see the compression defects.

So, here begins the problem of the 'unique digital signature'. Will you be using a pristine first generation original file or a multi-generational file that has undergone many re-compressions, each losing some of the tonality and sharpness that characterize the image? Tough one, isn't it? There are some algorithms out there that will do such comparisons for visual rendition of images. The problem is, however, digital image raster editors, of which the best known is Adobe Photoshop. Now, the good folks at Adobe *tried* to include a means in which their software would not, actually, decode images of banknotes. They put in all sorts of algorithms and did all sorts of tricksy things and the result? The Photoshop community found a workaround in about 24 hours. Nice try, fellas! Banknotes are damn near identical in image composition and looking for mask clues within the note so as to stop rendering seemed a certain way to stop the digital remastering of such images taken from high resolution scanners.

Didn't work.

The first strike against such a system: the Photoshop effect of using the various tools available to add noise, soften, change intonation and color schema and, generally, give a totally different digital signature to a raster image from that of the check image.

So, let's clear that hurdle! Some software does a good job with this and using fuzzy logic for comparison is a good way to use an image to image check. Next up, then, on the thwarting side: change raster image type. Yes, there are tens if not hundreds of methods for encoding all sorts of raster bitmap images. Some are even more lossy than JPEG, but use other mathematical approaches to save visually appealing material and discard things not really necessary for visual quality. Again, this is not for the commercial graphics industry, but for the casual user and viewer of images. Now, once you have your grand raster library and 'unique digital signatures' you will be confronted with a file type that is not one you used to get your signatures. In point of fact, you may not even *recognize* that it IS a raster image unless you have a cross-index of every major and most widely distributed minor raster file encoding method. So, now you have TWO processing steps to check: First change the image over to something the system will understand and decode it, then do your document check against a fuzzy logic search system.
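The difference between an exact 'signature' and the fuzzy comparison mentioned above, as an added example that is not part of the original post: a SHA-256 digest of the pixel data beside a simple 64-bit average hash compared by Hamming distance. The test images, the 8x8 grid and the match threshold of 5 bits are all assumptions constructed for illustration.

```python
import hashlib

def average_hash(pixels, size=8):
    """64-bit perceptual signature: average the image down to a size x size
    grid, then set one bit for every cell brighter than the grid mean."""
    bh, bw = len(pixels) // size, len(pixels[0]) // size
    cells = []
    for by in range(size):
        for bx in range(size):
            block = [pixels[y][x]
                     for y in range(by * bh, (by + 1) * bh)
                     for x in range(bx * bw, (bx + 1) * bw)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for cell in cells:
        bits = (bits << 1) | (cell > mean)
    return bits

def hamming(a, b):
    """Number of bit positions in which two signatures differ."""
    return bin(a ^ b).count("1")

def exact_digest(pixels):
    """Cryptographic digest of the raw pixel bytes: any change alters it."""
    return hashlib.sha256(bytes(v for row in pixels for v in row)).hexdigest()

def is_match(sig_a, sig_b, threshold=5):
    """Fuzzy match: signatures within `threshold` bits (assumed value)."""
    return hamming(sig_a, sig_b) <= threshold

# Constructed 32x32 greyscale test images (values 0-255), not real data.
N = 32
REFERENCE = [[4 * x + 3 * y for x in range(N)] for y in range(N)]
# The same picture after a brightness shift plus small per-pixel noise,
# standing in for a re-save or a light edit.
RESAVED = [[REFERENCE[y][x] + 10 + (7 * x + 13 * y) % 5 - 2 for x in range(N)]
           for y in range(N)]
# A different picture: the gradient runs the other way.
UNRELATED = [[4 * (N - 1 - x) + 3 * (N - 1 - y) for x in range(N)]
             for y in range(N)]

def compare(candidate):
    """Compare a candidate image to REFERENCE both exactly and fuzzily."""
    ref_sig, cand_sig = average_hash(REFERENCE), average_hash(candidate)
    return {"exact": exact_digest(candidate) == exact_digest(REFERENCE),
            "distance": hamming(cand_sig, ref_sig),
            "fuzzy": is_match(cand_sig, ref_sig)}

if __name__ == "__main__":
    for name, img in (("reference", REFERENCE), ("resaved", RESAVED),
                      ("unrelated", UNRELATED)):
        print(name, compare(img))
```

The re-saved copy fails the exact comparison but still matches on the fuzzy signature, while the unrelated image matches on neither.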

This is not insurmountable, however, and can be automated... right up to the point a little used variant of, say, JPEG encoding is introduced. JPEG had many and extreme variants in its early life and not all of them fell under the JPEG standard. Most were proprietary and then discontinued. They are 'orphans'. People who have the software and can do the encoding can exchange images with individuals who have the old decoder and use that, and modern software will NOT read the file in any way, shape or form as JPEG. The header information is totally out of whack for the file. And I can think of two or three right off the top of my head that fit this, and the companies have *still* not released the encoding schema. Even worse, some of those companies are GONE and their digital assets are nowhere to be found, so all that is left is the compiled binaries.

So, second strike: use older encoding schema that are proprietary or change over to little used schema that will not be easily converted for rapid checking against a master database of 'unique digital signatures'.

Third up is Steganography. Take a nice image of a landscape... then take a second image and turn it into binary data to subtly alter the original image, but not so much as to degrade it visually. Send file. The 'unique digital signature' is of the visually appealing file and not the hidden steganographic one. In fact, many such files are passed on the internet and many users don't even *know* they have images with secretly encoded information in them. With the proper tools, such images can be examined for steganographic presence, and then the type of steganography being used needs to be determined. Then the hidden information, in this case the digitally encoded image, can be extracted. Bingo! You have just won the way to thwart the Justice Department with commercially available and freely available software. A system to find steganographically hidden information will take processing time galore to see if an image actually *has* hidden information within it and, if it does, how it was encoded and then how to decode it and then determine what that digital information actually *is*. Terrorists do this quite often and are targeted for such examination. It is *because* decoding the information is such intensive work that it is limited, as a useful tool, to those things important enough to require such in-depth examination.

So, third strike: Steganography via turning one image into digital information and encoding it within a second, innocuous image, so only those who know what to look for can retrieve the information.

This is fun, isn't it? Now, let's take a look at the next freely available technology: encryption. With encryption a digital file is encoded so that it may pass securely between two users that share encryption schema. The foremost of these uses long prime numbers and personal keys and a public/private key system to do such encryption. Public keys are put out by individuals and freely available for anyone wishing a secure communications method with them. A set of digital data is taken along with the recipient's public key and your private key and encrypted. To decrypt the information the recipient takes the sender's public key and their own private key and the un-encrypted message pops out. The internet uses this constantly for secure communications and it is generally well known how to do this. And anyone wanting privacy in their communications uses this as a matter of course.

But wait! There is more! Let's say you take that encrypted information and *hide* it via steganography. Then, when a system has churned through the file, found that there is hidden data and retrieved the data, it has a jumbled message that is encrypted and cannot be decrypted without knowing WHO encoded it and WHO it is meant for. And since it is passed via steganography, perhaps through a Usenet posting or via a listserv for groups, people will see the original image and not suspect that it has hidden information, while the recipient will know where to look and retrieve that information.

But the best is yet to come! Also add into this that the file is encoded using a little known raster image file type and you have one hell of a processing problem. Finding the image via steganography, finding it encrypted and then putting lots of time to decrypt the information (most of which will most likely be variants of: "u 5uCk d00d!") and then converting it from one file type to another *if* you can figure out which type it is to start with....

Strike four: Encryption mixed with the above.

Am I done yet? No, decidedly NOT. As many individuals tend to send large numbers of files they like to use a file packing system that does some compression. This is known as creating a ZIP archive, but the general terminology covers a wide range of compression technologies for digital files. And some of these compression schema have encryption BUILT INTO THEM so that it can be easily used for passing files securely. And, like so many good things, some are available freely via Open Source Software. Making this even more joyous is the fact that a single archive can be subdivided into multiple parts so that they can be put back together at their destination. Which means that a file can be broken up, sent via multiple email accounts, listservs or other means, and then extracted, pieced back together, un-encrypted, files opened, steganography software used to remove encoded images, those images decrypted and all done as a matter of course and can even be done as a batch job on a PC. Total time to get and decode, etc. varies by the number of images and file size, etc. But it is minor overhead if you know what you are doing.

Strike 5: Archiving, encryption of the archive and multipart dispersal of it across multiple distribution methods so that no full file ever goes to the 'unique digital signature' database.

And the best part of all of this is that you are just exchanging pictures of puppies or kittens or wildflowers or whatever and only someone looking in-depth will be able to get an idea that something strange is going on.

With all of this in mind, think upon this next quote:

> AOL, for instance, plans to check e-mail attachments that are already being scanned for viruses. If child porn is detected, AOL would refer the case to the missing-children's center for further investigation, as service providers are required to do under federal law.

What, exactly, is the purpose of this? Terrorists are already using similar means as outlined above to distribute information. Child pornographers can easily do the same. And this is even before we get into anonymizing networks and such things, in which the exact location of an originating file can only be guessed at based on traffic load for that network.

And further:

> Ryan said that although AOL will initially focus on scanning e-mail attachments, the goal is to ultimately develop techniques for checking other distribution techniques as well, such as instant messaging or Web uploads.

So, they now want to start profiling YOU the customer: beyond the already highly invasive marketing they do, they will now start seeing if you are doing the things I outlined above and exchanging *secrets* to put society at risk. And what is worse is that this would *require* companies to monitor the Citizen so as to give a patina of distance between the Government and those doing the observing. They forget that if this is required by LAW then the direct connection between requiring surveillance and reporting it is established and the presumption of innocence goes away.

Remember THAT little bit in our society? Innocent until proven guilty. Not having your life intruded upon unless there is *suspicion* of wrongdoing. How about the concept of a "Search Warrant"? Whatever did happen to Amendments I, IV, V, IX and X?

The United States Government has neither the right nor the capability to require domestic espionage by companies upon the Citizenry of the United States without justification and then may only do such things under a "Search Warrant" with a presumption of innocence. We the People are to be free of Government intrusion in Our lives save for there being probable cause against an individual. Without probable cause, this requirement is a fishing net to be dragged across the populace in the hopes that a bad apple or two will be found.

The article notes that these fine companies already offer services to combat spam and viruses.... and I wish to offer those seeking solace in that a moment to reflect upon their INBOX. Chock-a-block with SPAM and pornography AFTER they have been weeded through, sometimes two or more times before arriving at my INBOX. Now let's say some hackers get ahold of that master database of images and marry it up to some easily available SPAM emailers and start sending a flood of this stuff across the Nation... for free. Possibly from an off-shore location where server space is rented via anonymous payment.

We the People will ALL be suspects, then.

And those doing the real work will *still* work around the system easily to achieve their ends.

This is an exchange of liberty for ZERO added security. In fact it poisons the public channels of communication with suspicion as all our communications are liable for interception by those with *good intentions* and the rights held only to We the People put at peril by a bureaucracy that figures all communication is suspect and so must be examined. Also keep in mind that the FBI has twice in the past 10 years tried to reconcile all of its databases and give its Agents a way of intercommunicating amongst them so as to make the finding of data easier. After billions were spent, both attempts failed and they are *still* coping with this problem.

Warming thought that the incompetent and incapable feel themselves the master of this new technology to the point they no longer can even figure out how to investigate people and must send out dragnets that impugn the entire online population with a presumption of guilt.

Let us hope that this concept dies a quiet and unmourned death.
