Forgot your password?
typodupeerror
United States Communications Privacy

MIT Project Reveals What PRISM Knows About You 221

Posted by samzenpus
from the follow-the-data dept.
judgecorp writes "MIT's Immersion project sifts your Gmail, and constructs a map of your associations. Without opening a single message, it gives a clear view of who you connect with. It's a glimpse of some of what the NSA PRISM can do. From the article: 'You can assume that if the NSA is looking at your email, the information in Immersion is similar to what they will see. Consider that they probably see all of your email addresses (and not just Gmail) and that the metadata is examined along with the metadata from everyone you’ve corresponded with, and you can see just how much can be inferred from this data alone.'"
This discussion has been archived. No new comments can be posted.

MIT Project Reveals What PRISM Knows About You

Comments Filter:
  • by PPH (736903) on Monday July 08, 2013 @12:01PM (#44216417)

    What now? Are they water-boarding people for information?

  • Reverse honeypot (Score:3, Interesting)

    by Anonymous Coward on Monday July 08, 2013 @12:07PM (#44216467)

    I always thought it would be interesting way to figure out a way to seed surveillance and information gathering networks with unique information you could then watch for to see where it "leaks out". For all the worry about NSA surveillance, my real fear is that is that it's actually a front for commercial operations. (My theory is that the NSA is mostly a headless monster of a "Security Industrial Complex" that lives off of milking the public for money in exchange for useless services and general industrial espionage. It's really the perfect scam because you can avoid any investigation of conflict of interest with 'state secrets' privilege) It would be a real coup to find your honeypot information leaking in to commercial databases.

    More than a decade ago I registered a few domains with bogus names. To this day I still get offers in the mail for "Longdong McPorksword", even though mining whois data for commercial purposes has always been supposedly illegial (well, a terms of service violation at least)

    • For all the worry about NSA surveillance, my real fear is that is that it's actually a front for commercial operations.

      That's deep theory.

      • by arth1 (260657)

        Not really. The US of A government is commercial by nature, and ironically I think this is at least somewhat caused by all the legislation designed to keep the government from competing with business. Because income is harder to get openly, the government has to be inventive in acquiring remuneration.

    • Hell companies figured that out long ago and don't need the NSA to do it for them. Every company out there seems to offer a store brand credit card, savings card, or some other program that is free to join and offers some token benefit. People snap them up to save $0.06 on a case of soda every 3 months. Now toss in that there are cross promotions between multiple companies and you can gather all sorts of info. For example in my area there is a grocery chain that has a rewards card that provided you with a f
    • by bmk67 (971394)

      I always thought it would be interesting way to figure out a way to seed surveillance and information gathering networks with unique information you could then watch for to see where it "leaks out".

      Unsurprisingly, you aren't the first to think of this.

      http://en.wikipedia.org/wiki/Canary_trap [wikipedia.org]

    • Spammers might just be using a database that was built upon an old one that still had your pseudonym in it, and since the emails don't bounce, they keep sending them. You'd need to "reseed the system" to detect any new leaks, I guess...

  • Their analysis comes up completely blank.

    Why?

    Because I use POP3 rather than the bullshit IMAP for my mail access. There is nothing on the server, so there is nothing to analyze.
    • Re: (Score:2, Informative)

      by mjr167 (2477430)
      Um... so your emails don't go through the internets? How does that work? Even though you tell the server to delete it, it still passes through the server...
      • "Um... so your emails don't go through the internets? How does that work? Even though you tell the server to delete it, it still passes through the server..."

        I knew somebody would bring this up. :)

        No, of course the email goes through the 'net. But consider: trying to separately store and analyze each separate event takes vastly more resources than doing periodic static analysis of the contents of your email folder.

        Conclusion: they probably don't. Almost certainly, they simple take periodic snapshots. While they may analyze traffic too, that's still not the same thing.

        • by mjr167 (2477430)
          You don't store the email unless it is 'interesting'. You store the metadata about the email in order to establish relationships. Facebook does this kind of processing and even provides an API to access their graphs. I think you vastly over estimate how hard this is.
          • "You don't store the email unless it is 'interesting'. You store the metadata about the email in order to establish relationships. Facebook does this kind of processing and even provides an API to access their graphs. I think you vastly over estimate how hard this is."

            I didn't say it was difficult. My statement was that it was costly. Two different things.

            If it is worth their while, maybe they do it.

            But as for Facebook: again, I doubt they make shadow copies of everything. Instead they analyze what is in place. Metadata? I suppose. But the bodies of the emails (in the case of Gmail) probably aren't stored. Analyzed for content when they go through? Perhaps.

            • by xaxa (988988)

              Well, the earlier /. story mentioned that GCHQ (UK) stores *three days* worth of data flowing through Britain (where almost all the high-speed cross-Atlantic cables terminate), and the metadata from that for 30 days.

              A shadow copy of all the text in email or Facebook is easy. Adding the media is more costly, but not that much.

            • I didn't say it was difficult. My statement was that it was costly. Two different things.

              It's too costly now. The real problem isn't what they are doing with this system at the moment. It may very well be that they are doing things we'd consider evil, but it's not like we're getting thrown into camps for complaining about it yet. The real problem is what they will eventually use this for. The un-checked power this gives the government is terrifying. It's like they're holding a gun to everyones head, just in case they turn out to be a terrorist and you're arguing that bullets are too expensive f

          • by hairyfeet (841228)

            At the end of the day nothing anybody can do or say will change the fact that the threats we are looking at now is not something the guys who originally built the Internet even imagined so no shit its easy, the thought of having to worry about big brother, billion dollar malware orgs, rogue governments and cyber attacks? never even crossed their minds!

            Its the same arguments I've been making for HTML, you have this thing that was NEVER designed to do anything close to what its doing now and instead just kind

            • This argument is a bit like saying 'writing was never designed for privacy, we should build a language that obfuscates by default.' There is nothing wrong with sending in plain-text by default, as long as you have methods to go private when necessary. Its a trust issue, not a technological one.
        • by Wraithlyn (133796)

          trying to separately store and analyze each separate event takes vastly more resources than doing periodic static analysis of the contents of your email folder

          Scanning the 10,000 pieces of email in my inbox, over and over again, is more efficient than tracking each individual piece as it comes in? That doesn't really follow.

    • I thought places like Google and Yahoo retain e-mail for several years in order to facilitate all future subpoenas. Who's to say the NSA doesn't have access to a shadowcopy of these e-mails directly on the server/s?

  • by 0111 1110 (518466) on Monday July 08, 2013 @12:19PM (#44216571)

    So the purpose of this is what? To reassure us that the NSA is telling the truth and that they really do only view metadata? I think at this point it is quite safe to assume that any official announcement from the NSA is a lie. If MIT really wants to simulate seeing what the NSA can see then they should give you a view of every form of online communication plus any voice communication. The content. Not just the fucking metadata.

  • Wolfram Alpha does similar analysis with your Facebook data. Those bubble charts reveal some amazing insights on seemingly insufficient amounts of data.

  • last week
    they also know i follow the NYC sports teams and the email alerts i receive from fatwallet and slickdeals
    along with my ereaderIQ author alerts for kindle books price drops

    that's why i didn't buy that Orson Scott Card book over the weekend. the NSA would have found out

    • by timeOday (582209)
      Do they also know whether you're paying taxes on your mail order purchases and side-job income? (I mean, not that they would have gone to all the trouble of collecting the data just for that, but now that it's sitting right there...)
      • by alen (225700)

        NSA collected evidence cannot be used in court. judges have thrown out evidence collected with a lot more legality behind it

        • by timeOday (582209)
          Proving who collected the evidence that started an investigation down a certain path is like proving that a job candidate was turned down for age discrimination. For example, a politically-interested insider could make an anonymous tip to a newspaper reporter about a candidate in an election. The reporter confirms the tip by interviewing somebody who they otherwise wouldn't have known to talk to, and so on... I think there is a general problem that a society with too many one-way mirrors becomes lopsided
          • by alen (225700)

            that's not a court of law you idiot
            in a court of law there is something called chain of custody for criminal cases. you have to prove the evidence was collected legally

            NSA has been doing this for decades. so far they haven't politicized any data they collect. probably because their money comes from congress and they have to testify to congress on a regular schedule

            • by timeOday (582209)
              Most wielding of power doesn't occur in a court of law. And when it does, how much of the backstory actually comes to light?

              Look at insider trading, what percent of occurrences do you think are actually discovered and successfully prosecuted? Proving where information came from - such as the idea to look at a few disparate sources and put them together in a certain way - can be accomplished only to a certain degree.

              If you look at past corrupt officials that did a lot of damage with much less powerful

  • Aaannnd it's Slashdotted.

  • Far from it (Score:4, Insightful)

    by timeOday (582209) on Monday July 08, 2013 @12:39PM (#44216813)
    The power of an integrating capability isn't what it can glean from ONE source (gmail), but rather the cross product of combining MULTIPLE sources. (gmail, facebook, phone records, credit report, amazon purchases? banking transactions?...) This cross-cutting capability is really the only portion that is unique/specific to government. (Except there is also a vast and shadowy industry of buying and selling the same personal information on private markets which we also know very little about).
  • The tool shows what the NSA could know about you if they had access to your gmail. However, Google rather staunchly maintains that the NSA does not have any access to Google user data, with the exception of specific information about specific individuals when proper legal documentation has been provided and reviewed by Google's legal team, and even then the NSA does not have access to Google's servers; Google retrieves the specific data requested by the order and delivers it to the requestor.

    In addition t

    • Re:Misleading title (Score:5, Interesting)

      by MozeeToby (1163751) on Monday July 08, 2013 @01:06PM (#44217059)

      The problem is that now, thanks to the PRISM leaks, no one believes Google. Not even a little bit. And yes, they can be legally compelled to lie and if they are so compelled they will be shielded from any consequences of those lies, just like the phone companies were the first time a massive warrantless wiretapping program leaked 5 years ago.

      • by swillden (191260) <shawn-ds@willden.org> on Monday July 08, 2013 @01:20PM (#44217213) Homepage Journal

        The problem is that now, thanks to the PRISM leaks, no one believes Google. Not even a little bit.

        That is a problem, indeed. It's why Google has filed suit against the DoJ, because Google can't provide the details needed to defend itself.

        And yes, they can be legally compelled to lie and if they are so compelled they will be shielded from any consequences of those lies

        Cite? As far as I know, the telecoms never lied. They refused to answer, and then eventually admitted to it. I could be wrong, however, since my memories of the details are fuzzy. But a few web searches seem to support my recollections. Yes, they definitely were shielded from any legal consequences.

        But even if Google were shielded from legal consequences, Google could not be shielded from the extremely severe and irreparable PR consequences. Google might be able to recover from proof of the allegations by coming clean and promising to do better, but proof that the allegations were true and that Google lied would be disastrous for a company with Google's current business model. Remember that unlike the telecoms which have local monopolies, a national oligopoly and fairly high switching costs, Google's competition is just a click away.

        I see three options:

        1. Google is telling the truth.
        2. Google is lying and is absolutely certain that it can never, ever be proven.
        3. Google's executives are idiots.

        I know 3 is false, and arguably it would have to be true for Google's execs to believe that their lies could never be proven, per 2. I think they're telling the truth.

        (Disclaimer: I should mention that I work for Google. However, if the PRISM allegations were supported, I probably wouldn't be working for Google much longer, and neither would an awful lot of other people, including many who are far more talented and valuable than I am.)

        • by chill (34294)

          4. Google is compelled by law to lie.
          5. The NSA is tapping the routers one step up from Google's data centers and Google's hands are clean, but the NSA has all the data anyway.

          #5 would be my guess, but should be stymied by always using an SSL/TLS connection to Google. Of course, I doubt the *SMTP* connections delivering mail to/from Google servers are all encrypted, regardless of the webmail interface.

          • by swillden (191260)

            4. Google is compelled by law to lie.

            I don't believe that's possible, and I'm certain that Google would fight it, hard, because of the potential for damage to Google's business.

            I doubt the *SMTP* connections delivering mail to/from Google servers are all encrypted, regardless of the webmail interface.

            Google uses SMTP over TLS whenever possible. Unfortunately, most other mail providers don't support it, so I believe SMTP traffic to and from Google is often unencrypted. Email from one Google account to another doesn't have that problem, of course.

          • by Sir Holo (531007)
            Probably #4.

            GW Bush issued a presidential order that companies are immune from the consequences of breaking any laws that the data-sharing orders might compel them to commit.
    • by xaxa (988988)

      I don't think Google could be legally compelled to lie

      I'm not so optimistic, but in any case there's plenty of scope for carefully hiding the truth.

      "we do not provide any government, including the US government, with access to our systems. Nor do we allow goverments to install equipment on our networks or property that gives them access to user data."

      What about equipment "just outside" their networks, or accessing whatever Google considers non-user data?

      I'd be surprised if (unknown to Google) they aren't employing some people who also work for the NSA.

      "Third,

      • by swillden (191260)

        What about equipment "just outside" their networks, or accessing whatever Google considers non-user data?

        Well, since nearly all Google traffic is encrypted, equipment just outside their networks wouldn't do much good. And Google considers all data in any way related to users to be user data

        I'd be surprised if (unknown to Google) they aren't employing some people who also work for the NSA.

        That could certainly be. However, Google security is pretty deep, and focuses at least as much on securing against insider threats as outsider threats. Those NSA employees would have to be extremely well-placed. (I work for Google, on security infrastructure, which means I know whereof I speak, but also that I can't provide

    • They don't need access to the servers to be able to read your gmail at all. They are making a whole-sale copy of they internet, you simply compel google to give up their certs, replicate their infrastructure and software and have a real-time copy of the same info under your control being fed by shadow copy of the Internet. All google did then was provide the government with the software capabilities to run a gmail infrastructure and not the content, government gets access to content.
  • If you visit the page using Firefox with JavaScript disabled, they suggest you to download Google's Chrome, i.e. to give even more of your data to NSA. We should at least recommend Chromium (the open-source part of Chrome) in such cases instead of the binary distribution from Google.
  • by csubi (950112) on Monday July 08, 2013 @01:37PM (#44217339)

    At least the NSA says it doesn’t read the contents of your email. Google does, and it admits that it does.

    Like I believe NSA does not look at the contents... If it weren't for Snowden, we would still not know about PRISM.

  • by ideonexus (1257332) on Monday July 08, 2013 @02:55PM (#44218005) Homepage Journal

    I allowed Immersion to review my gmail, and I don't think it really reflects what PRISM is accessing in any way. All it did was go through my emails and build a standard social network map out of my emails based on who was in the address lines. My understanding is that PRISM is actually analyzing the content of my emails. Immersion is neat, but it really seems like the developers are trying to promote their own software by attaching it to the surveillance scandal.

    As for Immersion itself. It is a neat application and it's fun to see a chart of everyone you interact with an how they are all networked together. If you're interested in seeing your Facebook and Twitter networks modeled in a similar way, you can use the open-source NodeXL plugin for Excel [ideonexus.com], which let's you harvest your data from these social networks and build your own visualizations. It's actually much much more robust than Immersion and you don't have to give a third-party access to your accounts since you run it from your local machine yourself.

  • by mha (1305) on Monday July 08, 2013 @03:32PM (#44218343) Homepage

    ...a lot of rich Nigerians, quite a few Viagra and p. enlargement sellers, a number of individuals who know jobs that pay thousands of dollars that you can do from home, a handful of real estate executives, and more.

If you think the system is working, ask someone who's waiting for a prompt.

Working...