Another Reason Adopting 'Collect It All' Was A Bad Idea: China May Now Be Applying It To US Citizens' Personal Data

from the this-is-why-strong-crypto-is-your-friend dept

At the start of the year, we wrote about an important point made by Bruce Schneier and Edward Snowden concerning information asymmetry in the world of spying -- the fact that the US and the West in general have far more to lose by undermining security in an attempt to gain as much information as possible about other countries, than they have to gain. A fascinating analysis from Bloomberg indicates that this also applies to the "collect it all" mentality. The article raises the troubling possibility that both the huge OPM data breaches were not only the work of Chinese state actors, but part of a much larger plan:

Some investigators suspect the attacks were part of a sweeping campaign to create a database on Americans that could be used to obtain commercial and government secrets.

"China is building the Facebook of human intelligence capabilities," said Adam Meyers, vice president of intelligence for cybersecurity company CrowdStrike Inc. "This appears to be a real maturity in the way they are using cyber to enable broader intelligence goals."
The Bloomberg article suggests that China started gathering first travel records, then health records, Social Security numbers and other personal information on Americans in an attempt to build an increasingly complete picture about huge swathes of the US population. Whether or not that new "collect it all" approach was directly inspired by the NSA's espousal of the idea is a detail: it was certainly brought to prominence by General Alexander's statements, and is now part of the common currency of surveillance.

It is made possible by lax security, even for huge datasets, as the OPM fiasco shows. That means it is entirely plausible for the Chinese secret services -- and for those of other nations -- to try to collect information about every US or EU citizen, as people's lives move online, and their most personal data is stored in Internet-accessible databases.

Standing in the way of achieving that is the strength of the security protecting that information -- something that governments around the world are now threatening to undermine in the name of their own offensive surveillance capabilities. How many hundreds of millions of personal records must be lost before the authorities wake up to the fact that if they compromise encryption, the only thing they are certain to achieve is to make the task of "collecting it all" easier for China and other nations?

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    That One Guy (profile), 17 Jul 2015 @ 1:46am

    One million low value targets vs One high value target

    If for no other reason than how it centralizes all the information such that it can be easily scooped up in one hack, the 'collect it all' idea is a terrible one.

    Before, if a foreign government or criminal group wanted to get detailed information on a lot of people, they would have to hit a lot of targets to get it.

    By collected everything into a central location though, a single hack is enough to get everything, vastly increasing the value of whatever system has the data, and dramatically increasing the odds that it will be hacked, as the value of the contents means those who are trying to hack in are willing to spend significantly more resources attempting to do so, because they know it will be worth it.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Jul 2015 @ 4:59am

    How many hundreds of millions of personal records must be lost before the authorities wake up to the fact that if they compromise encryption, the only thing they are certain to achieve is to make the task of "collecting it all" easier for China and other nations?
    Yeah... they don't care about any of that. So long as they can insider-trade, leverage political enemies, protect their private sector partners/employers, run narco-ops etc...

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 17 Jul 2015 @ 5:57am

      Re:

      Exactly, why should they care? They are reaping the same damn rewards that China will get from it.

      They would sooner sign China the fuck on board with them before they stopped the collection AND publicly admit it!

      reply to this | link to this | view in chronology ]

  • identicon
    Stephen, 17 Jul 2015 @ 6:05am

    It's Not Just Online Info

    IMHO it is not just online info the Chinese are collecting about (non-Chinese( people. (Pardon the length of this post!)

    I don't live in the US but I do get a lot of phone calls from people who while they speak good English are clearly not native English speakers because they have a faint but nevertheless definable accent. Now having an accent does not necessarily mean much in letting you know where they are calling from in this day and age of mass migration but i say that because these callers INVARIABLY have much the SAME accent and they INVARIABLY claim to be calling FROM my own country. I mention that because each caller will (generally) give a first name; and that name is typically a typical English-language name. Like Jane or James.

    Another indication that all is not as it seems is that many of these callers block caller ID info. However, in my country if you get an overseas call with a blocked caller ID it will report "OVERSEAS"; and that is what I sometimes get with some of these calls. But only sometimes. At other times I don't.

    However, sometimes these calls do NOT block caller ID. If, however, you try to call the number back which caller ID provides what typically happens is that your phone won't connect. That plus other info (read on!) has led me to suspect that these particular numbers are simply relaying calls from some other source. I personally suspect that source to be a VOIP one, but that is mere suspicion on my part.

    But to continue...

    These callers represent themselves as being from energy or phone companies and try to induce me to change from my current provider to the one they claim to be calling from. Now in order to do these people have to record my call (they typically don't tell you that) and I would have to provide them with two pieces of identifying information. One is typically a birth date. Another is generally some kind of ID number.

    Each of these callers, no matter who they claim to be from, typically follow the same spiel. (In fact the spiel is often SO alike I would say they have some kind of script in front of them, a script from a common source.)

    If you try to query the people making these calls, sometimes the line will go dead. At other times you can lead them on to provide some info to allay your fears. This is typically a phone number they claim you can use to call them back on. Or at least to verify they are who they claim they are. One time I got such a number from one of them, who represented himself as being from a major telecom provider in my country. When I did call that number--a LOCAL call number for my country; let me emphasize that!--I wound up talking to a lady who turned out to be IN CHINA! At least that was where she claimed to be calling from.

    I had initially thought these calls came from India, since that tends to have an armlock on the call centre business, but after that call, thinking back, I realised those accents those callers had could well have been Chinese.

    When I dropped into an office of the telecom provider in question and spoke to someone about that call the person I spoke to denied that his company had authorised such calls.

    I have also checked up on some of the caller ID provided phone numbers on the Net and find that I am not the only one getting these calls. In fact they appear to be a veritable plague!

    I do not know whether this same plague exists outside my own country, but I suspect it probably does. Either way, it does seem that somebody in China is trying to build up a database of identifying info of people living in Western countries.

    reply to this | link to this | view in chronology ]

    • identicon
      David, 17 Jul 2015 @ 6:39am

      Re: It's Not Just Online Info

      I guess what you're describing is many of the robocalls, or at least the front-end 'appointment setters'. Especially the "free diabetic meter" one.

      I figure I'll poison the well, I often answer but never give them accurate name/info. Sometimes, I get a call asking for {my fake name}, so am immediately aware it's a scam.

      reply to this | link to this | view in chronology ]

      • identicon
        Stephen, 17 Jul 2015 @ 9:41am

        Re: Re: It's Not Just Online Info

        I guess what you're describing is many of the robocalls, or at least the front-end 'appointment setters'. Especially the "free diabetic meter" one.
        They're undoubtedly "robocalls", but the example you gave does not really apply here. These particular robocalls are (just MHO) exploiting a weakness in the way my country's energy and phone companies do business in today's world.

        By that I mean the information these people seek to gather is in a sense legit because in my country many phone companies and energy companies no longer have front offices. Therefore in order to get new clients they need to use the Net or the phone line to sell themselves. If they use the phone, the government REQUIRES them to gather identifying information in order to ensure that when a person's energy or phone provider is changed that they can verify that the person whose provider IS changed is the right person. The problem is that someone--presumably the Chinese--seem to have seen the potential for using that system to gather identifying information and are exploiting it, just as someone in Chinese seems to have seen the potential in using OPM's lax site security to gather info on millions of Americans.

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 17 Jul 2015 @ 10:47am

        Re: Re: It's Not Just Online Info

        I always try to take up their time, too! I've never got a return call with my fake info, though.

        reply to this | link to this | view in chronology ]

    • identicon
      Klaus, 17 Jul 2015 @ 6:59am

      Re: It's Not Just Online Info

      I have a personal rule to never pick up anonymous calls. Another rule, I never provide personal information to anyone who phones me.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Jul 2015 @ 6:45am

    and then there's the FBI

    Who are busy arguing it's still too hard for China to gather data.
    Because data doesn't recognize nationality, substituting China for FBI is valid.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Jul 2015 @ 8:00am

    hmm now what is more terrifying.

    1. A foreign power with access to American citizens personal info and no qualms about any supposed rights the citizens have.

    Or

    2. A local government with access to their citizens personal info that has shown it believes it's citizens have no rights when the government says so.

    About the same really save that the local government will do more harm with that info. As they will use it out of spite against their citizens while said foreign power will use it as an advantage.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Jul 2015 @ 9:12am

    When will it change?

    I'm a pessimist. The situation won't change until some nasty group uses clearly purloined data to perform something nasty to some one (or more) very important people. Then things will change, not before. Until the VIP's see a target specifically and exclusively painted on them, and effectively used, they will allow no change since they are obtaining too much money and power as things are.

    BTW, in the OPM breach, are the security people like the FBI, NSA, DHS and HUD people included? It would be an amusing irony if the personal information of both the "grab it all" NSA types and the "backdoor everything" FBI types were hoovered up in the OPM breach.

    Also, just for fun, if someone has a reason to believe that they are one of the compromised, in the OPM breach, should or should not that exposure exclude them from jury duty? After all, they could potentially be blackmailed for a verdict. Anyone care to try to escape duty on their next jury summons, pleading the OPM breach?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Jul 2015 @ 12:24pm

      Re: When will it change?

      They got all the SF-86 forms.. these are 170+ page documents they use to vet for national security clearances. If it's something about you worth knowing about it's probably in there.

      It's funny to me that all the talking heads that go ape over any minor security issue are basically silent about this. This hack is the worst possible security risk, every single person with a national security clearance is at risk of being weaponized by the enemy. The only real solution is to get new people, but good luck selling that to the people that need to be fired.

      reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Techdirt Logo Gear
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.