Do As We Say, Not As We Do: The Indictment of StealthGenie’s Hammad Akbar

Do you remember when your dad would lecture you on the dangers of smoking after his fifteenth cigarette that day? Even as a pimply-faced, hormonal teenager, the irony was not lost on you.

Now, well into adulthood, we are again being scolded by our overseers for doing exactly what they practice with regularity.

The owner of a mobile app called StealthGenie, a Pakistani man called Hammad Akbar, has been indicted in the U.S. state of Virginia by a grand jury for “conspiracy, sale of a surreptitious interception device and marketing of a surreptitious interception device” under the federal Wiretap Act.

In a statement regarding the indictment, U.S. Assistant Attorney General and Head of the Justice Department’s Criminal Division, Leslie R. Caldwell, said: “…The criminal division is committed to cracking down on those who seek to profit from technology designed and used to commit brazen invasions of individual privacy.”

Let’s take a quick look at this Wiretap Act. It’s actually quite straightforward.

According to the Wiretap Act, it is illegal to “intentionally, or purposefully intercept, disclose or use the contents of any wire, oral or electronic communication through the use of a ‘device.’”

Sounds like a pretty good law, and I would say Mr. Akbar’s StealthGenie app certainly violates it. StealthGenie allows users to install the app on the phone of anyone they choose, allowing them to monitor almost everything that goes on with the device. They can track the phone’s location on a map, they can listen to phone calls in near-real time, they can read texts, emails and calendar entries, they can look over the contacts list and see the web browsing history—all without the device owner’s knowledge.

According to Akbar, it is most commonly used by people who suspect their significant others of infidelity.

Is it nefarious? Absolutely. Should it be allowed? That depends on your ideological viewpoint, I suppose. However, it does violate the law, and the law is the law. End of story.

The problem is, this indictment should set a precedent where any person or entity using a “surreptitious interception device” should likewise be prosecuted under the Wiretap Act. And that includes the government and its agents.

In the modern age, and thanks to such monumental documents as England’s Magna Carta and the U.S. Constitution, rule of law applies to everyone equally. In fact, such documents were often drafted less for the protection of the greater society from individual criminals and private criminal elements and more for the protection of the greater society from would-be tyrants and power-mongers. In other words, they protect the people from the government, not vice versa.

A striking example would be America’s much-debated 2nd Amendment. “The right to bear arms” was not originally intended for the Ted Nugents of the world. It wasn’t so vigilantes and family men could protect their homes and properties from invaders—as important as that may be—or shoot a trophy deer. It was intended so the citizenry could stand up against the emergence and infringement of a tyrannical ruler. You see, tyranny was a big deal back then—and not surprisingly. The Enlightenment was a response to roughly six thousand years of tyrannical ruling elite classes: nobility, clergy, emperors and kings.

Unfortunately, it’s still relevant today. The only difference is that nobility doesn’t go by Duke and Earl anymore, but rather Senator and Representative. And the sprawling network of clergy keeping a watchful eye on the private behavior of the population doesn’t come in the form of robed priests and bishops. Today, they’re simply bureaucrats in an office building in Virginia with access to the largest, most technologically advanced surveillance apparatus in history. And just like always, the rules don’t apply to them.

But pay no attention to the man behind the curtain. Instead, prosecute entrepreneurs who only follow his example.

The only truly just thing to do at this point is to let the Hammad Akbars of the world go free or uphold rule of law and prosecute the spooks, bureaucrats and politicians whose “brazen invasions of individual privacy” make StealthGenie look like child’s play.


Want to Combat Domestic Surveillance? Let’s Change the Deal with Google

The people of the formerly free world have again been dragged into a war not of their own choosing. This time, the enemy is not a nation, or an ethnic group, or even an idea. We have become the enemy. We have become the subject of undue scrutiny, paranoia, distrust, imprisonment and violence.

It is often our habit, in cases of great injustice, to look to our leaders for solutions. We ask for statutory, constitutional or regulatory protections. We cast our eyes toward the politicians, asking for the power of government to support their people and validate the mandate we gave them as our elected representatives.

There is no hope for that now. The U.S. government, the British government, the Canadian government, the Australian government, the government of New Zealand and many more have become the perpetrators of this injustice against their own people. Furthermore, they possess vast resources, technology and knowledge. They have the capability to exploit any computer, break nearly any encryption and they have the coercive power to silence much dissent.

In instances such as these, the solutions must come from us. We have the numbers and the knowledge. Do we have the will?

There are only a few methods with which we can approach security when browsing the Internet. One is encryption, but that only works if both parties cooperate and are willing to maintain secrecy. So, it’s not really much of a solution.

Another is hiding in the crowd. Currently, Tor is the best option for this method, allowing users to bounce their Internet traffic off of numerous other Tor users’ computers before it ultimately rejoins the network. The last person in the chain is called an exit node operator. One must volunteer to become an exit node operator—and not many people do. In fact, Tor has begun offering to pay exit node operators because they don’t have enough for the system to really work very well. We’ll see if it works.

The problem is, exit node operators take on a lot of risk. When Internet users look at child pornography or use a stolen credit card to buy something, this illegal activity is connected to an IP address. When those Internet users do it through Tor, that IP address is going to be that of an exit node operator.

These guys have been blacklisted, raided, arrested, manhandled, etc. because, unfortunately, bad guys exist and Tor is a great place for them to hide. That’s why not too many people are lining up for the job of exit node operator and consequently, why Tor is quite slow and cumbersome. Tor data from thousands of users is funneled through a handful of exit node operators. Google’s home page is about a seven-second ordeal. Just imagine trying to watch a YouTube video, if Tor were able to protect your anonymity while doing so.

So, how can we avoid the problems inherent in Tor, maintain the Internet speeds we’ve all grown accustomed to, still keep the bad guys in the shadows and remain anonymous all at the same time? It’s a tall order, but it’s possible.

If we target a specific application, rather than attempting to anonymize all web activity, then we can have our privacy and our speed. Simply put, we change the deal with Google. Right now, the deal is that Google gives us the ability to find any information our hearts and souls desire, and in exchange we give Google our actual hearts and our actual souls.

That’s not a great deal, but let’s be honest. You can’t beat ’em. Google’s search capabilities are unmatched—they’ve constructed an absolute wonder of the digital world. Search results are lightning fast and incredibly thorough. Their maps capabilities would have Magellan green with envy. Who wants to settle for a second rate search experience?

The problem is, Google has betrayed us. Eric Schmidt, Google’s Executive Chairman, brushed domestic surveillance aside recently, saying:

“There’s been spying for years, there’s been surveillance for years, and so forth, I’m not going to pass judgement on that, it’s the nature of our society.”

Those aren’t the words most of us want to hear from one of the higher-ups in our most widely-used companies. We want to see outrage, indignation and counteraction from Google, Microsoft, Facebook and all the rest of them. But they aren’t forthcoming.

What we need is a new way to use Google like people use Tor. If Google searches are bounced off of millions of users’ computers and everyone is potentially an exit node, we have our ability to hide in the crowd. We have plausible deniability when it comes to our search engine use.

Furthermore, Google already polices itself for illegal activity like kiddie porn and fraud. So, online criminals will have to continue lurking in the depths of the Internet if they wish to continue their behavior.

Government spooks will still be able to see what goes on in our smartphones, hack our computers, read our email and, yes, find our search engine data. But that would be an incredibly expensive and drawn-out process—and at least we wouldn’t be handing out our search engine habits on a silver platter.

Such an endeavor, socially, must act like a movement. If no one is willing to be an exit node operator—as is the case with Tor—it won’t work. But with hundreds of millions of Google users, such a movement is entirely possible.

Here’s how it can work: A browser add-on joins you with other participants, using techniques similar to those the BitTorrent file sharing protocol employs to implement distributed trackers. The plugin would operate much like a Tor exit node, only instead of allowing arbitrary TCP connections it would be strictly limited to performing search queries on Google.

Such a system would solve the incentive problem stunting Tor. Everyone would be an exit node by default. Nobody would be enabling credit card fraud because it would be impossible to buy anything through you. You would not be enabling child pornographers because Google tries to avoid hosting that type of content anyway. You would not be helping botnet operators hide their command and control systems from network operators and security researchers. You might proxy some unsavory searches, but the combination of all the queries your browser submits to Google would be so random that anything embarrassing or incriminating couldn’t be attributed to you with any certainty.
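The restriction described above, where a participant relays only Google search queries rather than arbitrary connections, comes down to a strict check on each peer request before it is forwarded. The following is an added example, not code from the original post; the function name, the set of forwarded parameters and the length limit are assumptions.

```javascript
// Added example: policy check for a search-only relay. All names are hypothetical.
const ALLOWED_HOST = "www.google.com";
const ALLOWED_PATH = "/search";
// Query parameters the relay forwards; everything else is dropped (assumed set).
const ALLOWED_PARAMS = new Set(["q", "hl", "start"]);
const MAX_QUERY_LENGTH = 256; // assumed limit

function buildRelayRequest(peerRequest) {
  const reject = (reason) => ({ ok: false, reason });

  if (peerRequest.method !== "GET") return reject("method");

  let url;
  try {
    url = new URL(peerRequest.url);
  } catch {
    return reject("unparseable url");
  }

  // Compare parsed components, never substrings of the raw string:
  // "https://www.google.com@other.example/" contains the allowed host
  // as text but actually points somewhere else.
  if (url.protocol !== "https:") return reject("scheme");
  if (url.username || url.password) return reject("userinfo");
  if (url.port !== "") return reject("port");
  if (url.hostname !== ALLOWED_HOST) return reject("host");
  if (url.pathname !== ALLOWED_PATH) return reject("path");

  const q = url.searchParams.get("q");
  if (!q || q.trim() === "" || q.length > MAX_QUERY_LENGTH) {
    return reject("query");
  }

  // Rebuild the outgoing URL from constants plus allowlisted parameters,
  // so nothing else the peer sent reaches the destination.
  const out = new URL(`https://${ALLOWED_HOST}${ALLOWED_PATH}`);
  for (const [key, value] of url.searchParams) {
    if (ALLOWED_PARAMS.has(key) && !out.searchParams.has(key)) {
      out.searchParams.set(key, value);
    }
  }

  // Peer-supplied headers are discarded, and the relaying user's own
  // cookies must never be attached to a proxied search.
  return { ok: true, url: out.toString(), headers: { Accept: "text/html" } };
}
```
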

There would definitely be some security challenges to solve, but it would be easier and more productive to overcome those technical problems than trying to pay Tor exit node operators. After all, BitTorrent is doing just fine in spite of powerful adversaries who would love to see its demise. Just how much money would it take to anonymize 25% of global search traffic with Tor? Based on what we’ve seen so far, is it reasonable to believe Tor can really scale to the size necessary to achieve that?

If the spooks want our souls, let’s make them pay one hell of a high price. Let’s force them to turn Microsoft, Apple, and Samsung’s update services against us, because that’s extremely expensive both operationally and politically. Let’s force them to use their zero day exploits against our endpoints because while they still dominate that space at least we have the ability to bring technical countermeasures to the fight. Their advantage battling us as vulnerability researchers and exploit developers is based entirely on information asymmetry, and even as they win battles, they lose information advantage just by fighting us. Just as the surveillance state slowly crept up on us we will slowly erode its potency, and eventually we’ll snuff it out.
