The Gemalto Debacle - Fraud, Mass Surveillance and E-Privacy

Recent reports reveal that the UK’s GCHQ has hacked into computers belonging to Dutch multinational Gemalto, to gain access to encryption keys used for mobile telecommunications. They did this by targeting particular Gemalto staff that had access to files containing the keys, and scouring their interoffice emails. The keys were shared with the NSA, GCHQ’s partner in crime, and can be used to decrypt telephone conversations and metadata without needing to acquire judicial warrants. We know that other SIM card manufacturers, such as Giesecke & Devrient, have also been targeted.

The tool used to detect and target the employees was the NSA tool X-Keyscore, a tool for searching the vast quantity of packet data collected from the public internet via fibre-optic taps. In order to identify particular targets in this huge quantity of unstructured data (estimated in the Snowden documents to be more than 20 terabytes per day) a so-called “selector” is used, which can pick out packets of data sourced from a particular target’s computer. These selectors can be IP addresses where the target uses a static or otherwise constant source IP address that can be ascertained, but with the widespread and increasing use of Network Address Translation hardware in domestic and office premises, or when targets use the Tor IP proxy network, other, longer-lasting selectors must be used.

According to the Snowden documents selectors are usually the values contained in third-party tracking cookies. For example, once a target’s Facebook page has been identified (as we are told it was in the Gemalto hack), the values of unique identifier cookies are harvested from the HTTP headers in the request that accessed the page. The web is littered with tracking beacons such as the ubiquitous Facebook Like button, so that whenever a page containing one is visited by the target, the presence of the same value in a third-party request means the target can be detected. Cookies in the Google.com, Yahoo.com and other domains can obviously also be used for this purpose. Almost every web site contains a reference to at least one of these domains, so that a request is sent to it whenever a site is visited. These unique identifying cookie values last for multiple years (up to 8000 years in a recent “cookie” sweep reported by the ICO) and can be reliably used to single out internet traffic from the same individual over a long period. Of course the source (and destination) IP address would also be used as a short-term filter for packets created as embedded third-party requests, but it would not need to be constant for more than a few minutes, as the long-term persistent identifier is contained in a cookie.
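The two paragraphs above describe why a long-lived third-party cookie value makes a better “selector” than an IP address: it is set by the same tracker domain on many unrelated sites and survives for years. The following is an added example, not code from the original article, of the kind of cookie audit a privacy officer or the ICO sweep mentioned above would run: it takes a constructed sample of `Set-Cookie` responses captured while browsing two first-party sites, classifies each cookie as first- or third-party, works out its lifetime, and reports which third-party identifier values recur across sites. Domain matching uses a naive “last two labels” rule and the sample hosts, cookie names and dates are all constructed for illustration.

```python
"""Audit captured Set-Cookie headers for long-lived third-party identifiers.

Added example for this article; not code from the original page. The
registrable-domain rule below (last two DNS labels) is a simplifying
assumption; a production audit would consult the Public Suffix List.
"""
from collections import defaultdict
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Fixed reference time so lifetimes are reproducible (constructed value).
AUDIT_TIME = datetime(2015, 3, 1, tzinfo=timezone.utc)

# Constructed sample: (first-party page URL, host that answered, Set-Cookie header).
SAMPLE_RESPONSES = [
    ("https://news.example.org/article", "news.example.org",
     "session=abc123; Path=/; HttpOnly"),
    ("https://news.example.org/article", "tracker.example-ads.net",
     "uid=7f3e9c1a; Expires=Fri, 01 Mar 2030 00:00:00 GMT; Path=/"),
    ("https://shop.example.com/cart", "tracker.example-ads.net",
     "uid=7f3e9c1a; Expires=Fri, 01 Mar 2030 00:00:00 GMT; Path=/"),
    # Max-Age of roughly 8000 years, the extreme the ICO sweep reported.
    ("https://shop.example.com/cart", "beacon.example-social.com",
     "id=55aa; Max-Age=252460800000; Path=/"),
    ("https://shop.example.com/cart", "cdn.example.com",
     "lang=en; Max-Age=3600; Path=/"),
]


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (assumption, see docstring)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(page_url: str, responding_host: str) -> bool:
    """A cookie is third-party when the setting host is outside the page's domain."""
    page_host = urlsplit(page_url).hostname or ""
    return registrable_domain(page_host) != registrable_domain(responding_host)


def parse_set_cookie(set_cookie: str):
    """Return (name, value, attributes) from a Set-Cookie header value."""
    first, *rest = [p.strip() for p in set_cookie.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    return name, value, attrs


def cookie_lifetime_days(set_cookie: str, now: datetime) -> float:
    """Lifetime in days from Max-Age (takes precedence) or Expires; 0 for session cookies.

    Max-Age is handled as plain arithmetic so multi-millennium values do not
    overflow datetime.
    """
    _, _, attrs = parse_set_cookie(set_cookie)
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return (expires - now).total_seconds() / 86400
    return 0.0


def audit(responses, now: datetime, threshold_days: float = 365.0):
    """List third-party cookies outliving the threshold as
    (page domain, setting host, cookie name, lifetime in days)."""
    findings = []
    for page_url, host, set_cookie in responses:
        if not is_third_party(page_url, host):
            continue
        days = cookie_lifetime_days(set_cookie, now)
        if days > threshold_days:
            name, _, _ = parse_set_cookie(set_cookie)
            findings.append((registrable_domain(urlsplit(page_url).hostname), host, name, days))
    return findings


def cross_site_identifiers(responses):
    """Map each third-party (host, name, value) to the sorted first-party domains it was
    seen on; a value seen on several domains behaves as a persistent selector."""
    seen = defaultdict(set)
    for page_url, host, set_cookie in responses:
        if is_third_party(page_url, host):
            name, value, _ = parse_set_cookie(set_cookie)
            seen[(host, name, value)].add(registrable_domain(urlsplit(page_url).hostname))
    return {key: sorted(domains) for key, domains in seen.items()}


if __name__ == "__main__":
    for page, host, name, days in audit(SAMPLE_RESPONSES, AUDIT_TIME):
        print(f"{page}: {host} sets {name!r} for {days / 365.25:.1f} years")
    for (host, name, value), sites in cross_site_identifiers(SAMPLE_RESPONSES).items():
        print(f"{host} {name}={value} seen on {len(sites)} site(s): {', '.join(sites)}")
```

Run on the constructed sample, the audit flags the `tracker.example-ads.net` identifier (about 15 years, and the same value on both first-party sites) and the `beacon.example-social.com` identifier (about 8000 years), while the first-party session cookie and the one-hour `lang` cookie pass. The same two functions, pointed at real proxy or browser-export data, give a defender a concrete list of the persistent third-party identifiers the article is concerned with.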

Although the recent revelations concern the activities of spying agencies such as GCHQ, the data available through hacking into SIM manufacturers would be immensely valuable to organised criminals. In Europe, as in much of the world, the vast majority of credit and debit card transactions and authenticated online access to bank accounts is now done with EMV or “chip&pin” cards, usually manufactured by these same companies. These chips contain access keys and tokens such as SDA, CDA and DDA, similar to the Ki and OTA keys used for GSM, that are held by the SIM manufacturers and communicated to banks so they can recognise their customers’ cards. If GCHQ/NSA can hack into Gemalto computers to access this data so can organised crime, with the incentive honeypot of trillions of Euros transacted every day or accessible through online banking. Although criminals may lack the passive taps that State agencies have built up, they could use the behavioural advertising infrastructure to deliver backdoor access software to targets’ computers, a process known as malvertising. Criminals have already been detected using targeted advertising urging users to click a link so that their computer can be infected with backdoor software. Once infected, users can be subject to identity or actual theft, and their computers can be enlisted without their awareness into criminally directed botnets.

These attacks show that the standards that underlie the internet and the web have fundamental weaknesses. Designed for a more trusting environment of academics and engineers, these protocols are now inappropriate for a network of billions responsible for much of the world’s commerce, and where criminals can make off with huge gains. Because session state and authentication are communicated using fixed long-term identifiers, usually in cookies, individuals can be invisibly tracked by anyone, and often for evil intent. With what laws we have to protect personal data online hardly being enforced, and many of the companies with the resources to redesign for security having a vested interest in the status quo, very little is being done to fix this.

What are needed are new protocols for session establishment, role-based authentication and transacted identity. People should have control over how much of their physical identity is communicated when they use the net, with the default being complete anonymity. Only when they agree should further identity information be exchanged, making the frictionless targeting of individuals impossible. Removing the ability to track us will make online criminals’ lives much harder, while creating a transparent, consent-based and user-controllable mechanism for audience enrolment could create new opportunities for advertising and marketing.

In Europe we have a well-established body of fundamental rights based law that already makes actions that endanger personal data illegal.

The ePrivacy directive of 2002 called upon member states to outlaw “listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned” (Directive 2002/58/EC Article 5(1)). The amendments to the directive of 2009 also prohibited “… the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user …” without the user’s explicit consent.[*] (Directive 2009/136/EC Article 5(3))

The wish to retain persistent third-party cookies (and similar long term "selectors") for the purposes of surveillance could have been the motivation in some quarters for the ridiculing and undermining of the Data Protection and ePrivacy directives. Although some in Government could have been misled by the behavioural advertising lobbyists, it is also possible that they turned to GCHQ as a repository of technical knowledge, and were given advice supporting the interests of mass surveillance. There is no reason that protocols could not be designed to support targeted surveillance with transparent judicial warrants, a far more adult and civilised way to protect the rule of law than these sneaky and economically dangerous methods.

Enforcing these laws would put a stop to much of the behaviour that enables intrusions by evil-doers. It would also put pressure on internet companies, international standards and web governance bodies to address the inherent weaknesses of the internet and marshal the resources needed to get them fixed.

Although State-sanctioned spy agencies may claim that the scope of the rights and obligations in Article 5 could be restricted according to Article 15(1) “when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security”, this is unlikely to be in line with the European Court of Justice April 2014 ruling that found “by requiring the retention of those data and by allowing the competent national authorities to access those data, the [Data Retention Directive] interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.” (Judgment in Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Others.)