The worst fears of data retention and warrantless wiretapping has come to fruition. Cell networks are being hacked for call records.
We are seeing yet another “Drew Wilson was right” moment. Hackers have been hacking into various cell phone networks and stealing their call records.
Since the Canadian Lawful Access debates of the mid-2000’s, one of the arguments I’ve used against it is that such data would become available and can theoretically be stolen by malicious third parties. This argument was used against the American Warrantless Wiretapping debates, Europe’s data retention debates, and the Australian anti-encryption laws. Some gave a passing nod to the idea while others simply straight up ignored it. Funny thing is: reality doesn’t care whether people see an idea as crazy or not. It just does what it does.
Now, a report off of TechCrunch is highlighting not only that it is dangerous to be collecting such data, but that people are already suffering the consequences of such data collecting processes. From the report:
The hackers have systematically broken in to more than 10 cell networks around the world to date over the past seven years to obtain massive amounts of call records — including times and dates of calls, and their cell-based locations — on at least 20 individuals.
Researchers at Boston-based Cybereason, who discovered the operation and shared their findings with TechCrunch, said the hackers could track the physical location of any customer of the hacked telcos — including spies and politicians — using the call records.
Lior Div, Cybereason’s co-founder and chief executive, told TechCrunch it’s “massive-scale” espionage.
Call detail records — or CDRs — are the crown jewels of any intelligence agency’s collection efforts. These call records are highly detailed metadata logs generated by a phone provider to connect calls and messages from one person to another. Although they don’t include the recordings of calls or the contents of messages, they can offer detailed insight into a person’s life. The National Security Agency has for years controversially collected the call records of Americans from cell providers like AT&T and Verizon (which owns TechCrunch), despite the questionable legality.
The thing here is that if we weren’t collecting such data for the sake of “security”, this wouldn’t even be happening. These operations of collecting such data opens up a vulnerability in the worlds communication systems for malicious third parties. Those third parties know full well that such records are useful for whatever they intend on doing, so the motivation has always been there.
Now that we are seeing this argument go from (as skeptics might think) theoretical to reality, the question is, will this cause people to re-think how we intend on deploying surveillance systems. For some individuals, it might, but for government (especially the spy community), the likely answer is no. There’s going to be a continued push to more surveillance and less privacy. As we saw last September, the spy agencies from the 5 eye nations are demanding backdoor access to all encryption. So, chances are, at worst, they will see this as a simple PR issue (if they even see it as an issue at all).
In that case, what is the more logical choice? In this case, there needs to be a complete rethinking of how we need to approach security. Already, there is proof that “collect it all” is a policy that puts the population at greater risk. It’s not even a question at this stage. Instead, there needs to be an emphasis of encouraging better security and empowering citizens with reliable encryption.
That, of course, is often interpreted as “don’t do investigations anymore” when, really, it’s saying, “fall back on more tried and true methods of investigation”. Question people, arrest suspects, undercover operations, etc. These are activities that can take place when we are not collecting every bit of personal information that moves. Obviously, this common sense is a long shot, but that’s not to say that there’s anything wrong with pointing it out.
Unfortunately, such hijacking of log gathering and backdoor access will gradually become more and more of a problem as time goes on. The question is, when will people have enough of it. As we’ve seen with the countless leaks and breaches over the past few years, it seems people generally don’t see a problem with having their information stolen – at least for the time being.
Drew Wilson on Twitter: @icecube85 and Facebook.
