Well, perhaps not anything… The Albert Hall might be going too far (unless you claim to be a person in the image) but basically if you claim the images shows your house/car/person it will be removed. Even claiming on the flat above shops works.

I suppose this is due to all the controversy over privacy and Google’s desire to make removal as easy as possible. It’s certainly a good way to sabotage rival businesses by making them harder to find.

Luckily, you can opt out here and it seems to be based on modem MAC address so it should stay off, unlike Phorm which uses a cookie.

This might suggest that the logging is done by DNS servers. If that is the case, the simply changing to use alternative DNS server (e.g. OpenDNS) would avoid this monitoring. Of course, OpenDNS is itself an unknown quantity. I am looking for better alternatives.

It seems likely that this is how the monitoring works. The Cleanfeed censorship system works by matching IP addresses at edge routers and sending hits to a proxy server for testing of specific URLs. The overhead of trying to log actual HTTP accesses and then do a reverse DNS lookup would appear to be too high to make it realistic.

A quick overview of what we are up against. In the UK the following is recorded:

• Every IP address assigned to an internet connection
• Every web site visited
• Every email address sent from and sent to and time of sending
• Every instant messenger screen name
• Time and destination of every instant message
• IP address at the time of every website/email/IM access
• Every phone number dialled from and to, time of call and duration
• Location to within a few feet of any mobile phones at time of call
• All mobile cell information related to a mobile phone (e.g. times and locations, so they know where your phone is whenever it’s turned on)
• Postal data, basically what is written on the outside of any letter/package
• Vehicle location, recorded by CCTV cameras with automatic numberplate recognition

Other information is probably kept too. The police also have the capability to record phone conversations (and probably email/IM as well), and turn any phone that is turned on into a listening device (bug). Presumably if they did this with your mobile phone you would notice the battery draining pretty fast though. (Source: http://en.wikipedia.org/wiki/Telecommunications_data_retention

Basically, it’s a modern high-tech surveillance society, and now the police are looking at trying to hack people’s PCs/wifi and trying to install viruses on target computers.

The first line of defence is your home network. It needs to have a secure firewall. Due to the possibility of there being flaws or backdoors in commercial routers, it’s probably best to use a well tested open source router such a m0n0wall or pfSense. If you have wifi, it needs to be secured with WPA2 and a very strong password (i.e. at least 60 characters, and a mix of upper/lowercase letters, numbers and punctuation.)

Physical security of your PC is important. Make sure you can see the back of it, so that if someone installed a hardware keylogger you would spot it.

You need to harden your OS from attack. Obviously using a strong password is a start, but really you need to use TrueCrypt to encrypt your entire HDD. Since you can be forced to reveal your password or face two years in prison, you should use TrueCrypt’s hidden OS feature and set up a dummy OS you can reveal the password for. Since there is no way to prove that there is a hidden OS, you are protected. Be sure to make the dummy OS look realistic – it needs to have files saved on it, applications installed, the web browser used. You should use it at least once a week to keep file access dates current. If possible, it should be used for non-sensitive use regularly.

There is are vulnerabilities in TrueCrypt if the attacker has physical access to your PC. Firewire and PCMCIA ports can be used to dump the computer’s memory and recover the encryption key, as well as read files off the HDD. It is therefore necessary to disable Firewire and PCMCIA ports. I have seen devices that exploit this vulnerability in use. You should also disable the Windows “autorun” feature on all drives to prevent similar attacks via CDs or USB flash memory. The workstation should remain locked when not in use, and require a password to unlock. The system should be powered down as often as possible.

In theory if an attacker has access to the machine while an encrypted OS is loaded, they could recover the key from the computer’s RAM, either by rebooting it into a special Linux OS or by removing the RAM and placing it in another PC. The best defence against this is to prevent the attacker gaining access to the key in RAM by performing an emergency shut-down (i.e. press the power button). TrueCrypt will clear the key on shut-down. Setting the BIOS to do a full memory test and setting a BIOS password do it cannot be disabled will erase the key during the POST cycle. None of this is foolproof.

An alternative method would be to use an OS that leaves no traces on the PC for sensitive things, such as a Linux Live CD. TrueCrypt could be used for data storage, with the above issues in mind.

Securing the OS against police viruses and keyloggers is vitally important. Up to date anti-virus software from a non-UK company (e.g. Avira) is essential. Never open email attachments. Use a secure browser such as Firefox, with Java/Javascript/Flash/etc disabled. Make sure your PC has it’s own firewall as your network may be penetrated, either via WiFi or another virus infected PC.

For accessing the internet, at a minimum you should use a VPN service terminating in a less draconian country. Relakks seems to be a possibility. Using Tor is also a good idea. Any internet related software needs to be carefully checked for security. Using open source software is a good idea. Remember to validate any checksums available on downloads.

At all times remember that all communications and movements of your mobile phone and car are being monitored. CCTV is everywhere, and virtually unavoidable. Plausible deniability is the key. Try to avoid anything that can create a paper trail for police fishing expeditions. If you think you details may have been compromised (e.g. bank details, identity theft) report it immediately – the police usually don’t bother to check but it will be of vital importance in court.

Even if you do all this, all it takes is to be in the wrong place at the wrong time to have your life destroyed:

‘I was falsely branded a paedophile’ (BBC News)
Police witness on perjury charge (Men’s Aid)
Student researching al-Qaida tactics held for six days (Guardian Online)
A hard look at file-sharing evidence (BBC News)
Judge rules out child porn charge (BBC News)
Four suicides in child porn case (BBC News – most of the accused were later cleared)

There is a judgement to be made. Loss of freedoms and liberties vs. protection from attack. We make this loss of life to benefit judgement all the time. We sent troops overseas, knowing some will die but judging it a worthwhile sacrifice. People die in road accidents, but not enough to make us want to ban cars.

In London, 52 people died in the 7/7 attacks. Unlike the examples I gave, that was a one-off event, not a yearly loss. Even in 11/9, only around 3,000 people died compared to over 11,000 a year from gun crime in the US, and again it was a one-off event. There is simply no way to argue that terrorism is deadly enough to warrant taking away fundamental freedoms from millions of innocent citizens.

Many people simply respond with rather extreme cases, demanding answers to questions such as “can I see your credit card records then?” or “would you mind having cameras in every room of your house, including the bathroom?” These kinds of arguments are not that helpful, because they don’t show why some limited surveillance by government agents (police, secret services, even local councils) is not acceptable. The typical argument is that if some small loss of privacy (and privacy itself is a horribly undefined and vague word) then it should not be a problem for anyone not trying to conceal illegal behaviour.

Privacy is not really about hiding potentially bad things like crimes though. Humans are social creatures, and it is easily demonstrated that surveillance causes “chilling effects” – people change their lawful behaviour, despite not having done anything wrong or there being much theoretical likelihood of potentially embarrassing information being exposed to the public.

A good example would be the recent case involving Kevin Bankston, a smoker. Google has been photographing streets in the US and then allowing people to browse the photos on the web. Those who have nothing to hide should have no fear of this, since their lawful actions in public should not be a problem for them. However, Mr. Bankston has been keeping the fact that he was a smoker secret from his family, and Google exposed him. Smoking is perfectly legal, of course. In the UK similar schemes have been tried, such as allowing people to view local CCTV on their televisions at home.

Because of surveillance, people are often not willing to say or do things they otherwise might. That is not just a loss for the individual, it’s a loss for society as free speech and the free flow of ideas is harmed, as is freedom to engage in any lawful activity one chooses. For example, a person might wish to protest against the cult of Scientology, but doing so will certainly invite extra surveillance such as having CCTV cameras pointed at you and the police pointing cameras at you. The police could potentially monitor your phone calls or email, just to make sure you are not planning any illegal action.

Compare this with East Germany of Soviet Russia. Even people behaving legally were constantly monitored, which resulted in oppression of political expression and freedom. In theory, those people should have nothing to hide, but surveillance is akin to investigation and like it or not does affect the way people behave and think. Fear that information may be erroneously recorded or misinterpreted, saved and used against an individual at a later date is unfortunately both strong and real.

Much information gathered on individuals cannot be challenged or even viewed by that individual. The Police National Computer is an obvious example. It certainly contains many errors, but no individual has the right to examine the data held about them or to have errors corrected.

Worse still, technology makes aggregation – the combination of many small bits of information – much easier. People argue that giving up small items of information should not be of concern to someone with nothing to hide, but in combination these many small pieces can be used to build up a detailed picture of an individual, and infer even more. Such information is now being used to try and predict behaviour in the future, and it is pretty hard to refute potential future actions.

How data is handled and used is also a big issue. Taking national ID cards as an example, it is not clear who will have access to data on them and how it will be used. For example, should Blockbuster be allowed to require an ID card as the only acceptable proof of ID? How will NHS staff be prevented from checking to see if a particular person ever had an STD and leaking that information to the press or that persons friends?

What if you campaign in favour of choice for women seeking abortions, and your address is made known to pro-life campaigners who then turn up at your house to protest and harass you? You broke now laws, have nothing to “hide”, but expect a certain degree of privacy when it comes to private details such as address.

The question of oversight and accountability is key here. The government and acquire virtually any information they want if they can show good reason for needing it, such as investigation of a crime. The police have the power to obtain normally private information in certain circumstances, as do many other bodies for whom the information is pertinent (social benefit agencies, for example). The key is that generally they must show a non-trivial reason for needing the information, such as strong suspicion of a crime.

There are simple ways to defeat this, and although not 100% reliable they are pretty effective.

You have to consider what sort of situation this attack is likely to be used in. The attacker would have to get to the machine while it is powered on, but be unable to access it due to software security (passwords etc). So, they reboot the system and try to recover the encryption keys from RAM, or remove the RAM from your computer (possibly after freezing it) and install it in their own machine.

Why would you need to put the RAM in another machine if you could just hit the reset button? Well, the reset button might be disconnected, or the BIOS might be set up to do a full memory check which would overwrite every byte in RAM. The only way to be sure to avoid the BIOS wiping RAM would be to power the machine off, reset the BIOS and power it back on. Note that in laptops, even resetting the BIOS (which is typically very difficult as it involved opening the laptop up) often does not clear the power-on password.

A note about UK law here. The RIP Act means that the police can force you to hand over passwords. Luckily Truecrypt features plausible deniability, but it might be hard to argue that you didn’t know the power-on password for your laptop. That’s the biggest problem with that law – instead of the police having to prove you are guilty, you have to prove you are innocent. So, it’s probably not a good idea to rely on the power-on password.

So, the attacker wants to freeze the RAM and put it into their own machine for reading. It’s going to be hard to freeze it, transport it to the new machine and install it without data loss, but for arguments sake let’s say it’s possible. Certainly, the CITP paper seems to think it is.

Most machines have a case open switch, which could be used to trigger a memory wiping program. Assuming the program was intelligent things like encryption keys could be erased in nanoseconds, and the entire RAM in a few seconds. The attacker would have to power off before opening the case, increasing the time before they can freeze the RAM and thus increasing data loss. The power button itself could also be used as a trigger, in case the attacker is stupid enough to press it instead of pulling the plug.

Anyone worried about being raided should probably set up a panic switch, or at least be ready to hit the reset button to allow the BIOS to clear the RAM. Truecrypt should ideally be configured to dismount any encrypted volumes when the machine is sleeping or the screensaver is engaged, although that’s not always practical (e.g. with boot volume encryption).

The ideal solution would be a PCI-e card with a small amount of RAM for encryption keys, a microprocessor and battery/capacitor. As soon as power goes off, the uproc would securely erase the RAM. Maxim make ICs that do just that, all we need is an implementation. It’s a shame USB can’t be used, or any cheap uproc would do, but USB devices cannot be mapped to memory address space.

Of course, even this wouldn’t prevent any open documents, cached directory listings etc from being recovered.

A program to wipe the physical RAM on shut-down of Windows would be ideal, but not trivial to write since it would need a complex driver to access RAM and figure out which bits can be cleared (because you don’t want to crash the OS). A simpler but less effective method would be a program that simply requests allocation of non-paged RAM (i.e. physical RAM) repeatedly until allocation fails (and presumably RAM is filled up) – similar to how Eraser‘s free disk space wipe works.

Really, this kind of attack, assuming you are reasonably well prepared for it, is not particularly effective. For anyone worried about law enforcement, setting the BIOS to do a full memory test and setting a BIOS password is probably enough to prevent it in most cases. An improvement would be to make sure your BIOS does a full memory test by default (i.e. after being reset). Some mobos do that, if yours doesn’t a BIOS editor might fix that.

The second page of the article has an amazing quote from Phorm claiming that their service “enhances privacy” by not storing any data. Well, Google don’t store data about me either, because I delete their cookies every time I close my browser and my IP is both dynamic and shared. Unlike Google, I can’t simply opt out of Phorm by blocking their cookies or just not using their service.

1. It wasn’t me, my wifi was hacked
2. It wasn’t me, you got the wrong name to go with that IP address
3. It wasn’t me, my MAC has been cloned
4. It wasn’t me, my PC was infected with a trojan
5. It wasn’t me, I run a Tor node
6. It was a legal download
7. I’ll sign up for a cheap VPN service anyway
8. If you disconnect me I’ll sue you in court for falsely accusing me of a crime and libel
9. Copyright infringement is a civil offence, so you had better sue me as well and have the evidence to prove it
10. People will just move to another ISP. If you try to ban them from all ISPs, people will definitely sue you.
11. These are just pathetic scare tactics

It either won’t happen or it will fail massively. I guess we will have to wait and see which one it’s going to be.

If this quote doesn’t get you to read it, I don’t know what will: “SmartWater is a liquid with a unique identifier linked to a particular owner. “The idea is for me to paint this stuff on my valuables as proof of ownership,” I wrote when I first learned about the idea. “I think a better idea would be for me to paint it on your valuables, and then call the police.”