Three days after the Guardian's Optic Nerve story, the operational implication that has been working through the engagement conversations is the same one that surfaces with each new Snowden disclosure: the data-residency advice we have been giving for nine months is, in any technically meaningful sense, only as good as the weakest jurisdiction the data transits. The Optic Nerve programme — GCHQ, with NSA cooperation, intercepting and storing webcam images from approximately 1.8 million Yahoo Messenger users in a six-month period in 2008 — is one of the more targeted-but-bulk programmes the Snowden documents have revealed. Yahoo Messenger video sessions transit US infrastructure (Yahoo is US-headquartered) and apparently pass through tap points where GCHQ intercepts the unencrypted webcam traffic. GCHQ stored the imagery in full quality, ran facial-recognition queries against it, and — per the internal documents — had to write an internal policy about what to do with the nude content the dragnet captured.

The technical specifics matter because they tell us about the threat model the policy infrastructure was operating under. Yahoo Messenger video in the 2008-2010 period was unencrypted in transit between users — the protocol shipped with no encryption beyond the optional TLS tunnel for the chat-session metadata, and the actual video stream was sent in the clear. Anyone with tap-level access to traffic between Yahoo and the user, or between Yahoo data centres, could capture the video stream. GCHQ had that access. The implication for the 2014 engagement-team material on real-time communications is that the post-Snowden privacy-and-encryption methodology needs to extend to voice and video sessions in a way that the original draft had treated as a lower priority. End-to-end encryption of real-time traffic is now a question I need to write about for the spring engagement-team material.

The wider point — which I have been making since the original PRISM post and which Optic Nerve sharpens — is that the Snowden disclosures keep producing operationally novel information rather than just confirming what the previous disclosures had established. The Verizon order was about telephone metadata; PRISM was about platform cooperation; Tempora was about fibre-tap collection of bulk traffic; Optic Nerve is now about video-stream collection and facial-recognition-driven analysis of stored imagery. Each disclosure has expanded the operational picture in a direction that the previous picture would not have entirely predicted. The combined shape is sharper than any of the individual disclosures, and the story of what GCHQ and NSA can do is, on present evidence, still being written. Bruce Schneier on the Optic Nerve material has been the right starting point for the technical analysis; the legal-and-policy commentary from Cindy Cohn at the EFF has been the running source for the activist response.

I am going to write less about Mt. Gox, which has filed for bankruptcy in Tokyo this week with approximately 850,000 bitcoins missing — about $450 million at the exchange rate at the moment of the filing — than the topic deserves, because I have been drafting the wider piece on commercial security infrastructure and state-level surveillance and the Mt. Gox story, while interesting, fits a different category. The short version: Mt. Gox was running for years on infrastructure that was, by the post-mortem accounts now circulating, technically inadequate; the bitcoin-flow analysis that has been done since the suspension of withdrawals in early February shows a sustained operational outflow over the past several years that the company either did not detect or did not disclose. The structural lessons for clients with cryptocurrency exposure are continuous with the post-Silk-Road conversations from October. I will write more when there is more to say; the legal and forensic processes around Mt. Gox are going to take years.

For the Hedgehog SOC, the post-Optic-Nerve detection-content question is bounded — we cannot detect at the SOC level whether GCHQ is collecting Yahoo Messenger traffic, because the collection is happening at infrastructure we do not see — but the engagement-team material on real-time-communications security is being updated. The clients who use video conferencing for sensitive discussions (which is several of the secondments) are being advised to move to platforms with end-to-end encryption guarantees, where such platforms exist. The current candidate list is short. Silent Circle's Silent Phone is one option; the various OpenPGP-and-OTR-based desktop tools are usable for chat but have not solved the video problem; ZRTP-based softphones exist but have substantial operational friction. There is no comfortable answer in 2014.
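As an added illustration that is not part of the original post, the Python below models the point made above about where encryption terminates on a real-time media path. The same constructed video frame is sent three ways: in the clear (the 2008 Yahoo Messenger case), under transport encryption that terminates at the provider and is re-applied towards the receiver, and end-to-end with a key only the two endpoints hold. The parties, tap points and keys are constructed for the example, and the stream cipher is a SHA-256 counter-mode stand-in used only to make key possession concrete; it is not a production cipher.

```python
"""Who on the path can recover a media frame, by encryption mode.

Added example, not code from the original post. All parties, keys and
the sample frame are constructed for illustration.
"""
import hashlib

# Constructed sample payload standing in for one webcam frame.
FRAME = b"constructed webcam frame: 0x00 0x01 0x02 ..."

# Observers along the constructed path, in order of transit. Taps model a
# fibre-level intercept point in whatever jurisdiction the link crosses.
PATH = ["tap-A", "provider", "tap-B", "receiver"]


def _key(label: str) -> bytes:
    # Deterministic constructed key so the example runs the same every time.
    return hashlib.sha256(b"constructed key: " + label.encode()).digest()


# Key ids name the pair that shares the key: s=sender, p=provider, r=receiver.
KEYRINGS = {
    "tap-A": {},
    "provider": {"s-p": _key("s-p"), "p-r": _key("p-r")},
    "tap-B": {},
    "receiver": {"p-r": _key("p-r"), "s-r": _key("s-r")},
}
SENDER_KEYS = {"s-p": _key("s-p"), "s-r": _key("s-r")}


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative stream cipher: SHA-256 over key || nonce || counter.
    # Shows who can decrypt; not a substitute for a real AEAD.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR with the keystream; the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def simulate(mode: str, frame: bytes = FRAME) -> dict:
    """Return {party: True if that party recovers the plaintext frame}."""
    nonce = b"constructed-nonce-01"  # fixed per call; keys differ per link
    if mode == "cleartext":
        msg = (None, frame)                                   # no key needed
    elif mode == "transport":
        msg = ("s-p", xor_stream(SENDER_KEYS["s-p"], nonce, frame))
    elif mode == "e2e":
        msg = ("s-r", xor_stream(SENDER_KEYS["s-r"], nonce, frame))
    else:
        raise ValueError(f"unknown mode {mode!r}")

    visible = {}
    for party in PATH:
        key_id, body = msg
        if key_id is None:
            visible[party] = True                             # read off the wire
        elif key_id in KEYRINGS[party]:
            recovered = xor_stream(KEYRINGS[party][key_id], nonce, body)
            visible[party] = recovered == frame
        else:
            visible[party] = False                            # ciphertext only
        # Transport mode: the provider decrypts and re-encrypts toward the
        # receiver, so plaintext exists at the provider (and its jurisdiction).
        if mode == "transport" and party == "provider":
            plaintext = xor_stream(KEYRINGS["provider"]["s-p"], nonce, body)
            msg = ("p-r", xor_stream(KEYRINGS["provider"]["p-r"], nonce, plaintext))
    return visible


def exposed_parties(mode: str) -> list:
    """Parties other than the intended receiver that can read the frame."""
    return [p for p, ok in simulate(mode).items() if ok and p != "receiver"]


if __name__ == "__main__":
    for m in ("cleartext", "transport", "e2e"):
        print(f"{m:10s} exposed to: {exposed_parties(m)}")
```

The design point the model makes explicit is that "encrypted in transit" is a statement about links, not about the session: transport encryption moves the exposure from the fibre taps to the provider, which is exactly the jurisdiction question the data-residency advice keeps running into, while only the end-to-end case leaves every intermediate party with ciphertext.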

The wider piece I have been writing for six months is being finalised this month. I expect it to land in late March or early April, after the engagement-team review has caught the obvious mistakes. The post-Optic-Nerve material has not changed the argument substantively — the argument is robust to additional disclosures of this kind, and is in some ways what the disclosures support — but it has added one more case study to the body of evidence the piece draws on.

The next post is probably the long-form piece, the continuing Mt. Gox forensics, or whatever surfaces from the new Intercept publication that Greenwald has just launched with Pierre Omidyar — the first Intercept story landed on the tenth and the editorial roadmap suggests substantially more Snowden material in the pipeline.
