New Reports Describe More Mass Surveillance and Schemes to Undermine Encryption

While a US government task force was pondering ways to undermine encryption, British spies have been recording the browsing habits of Internet users.

The news of government mass surveillance keeps coming, as two more stories reveal that spy agencies in the US and the UK plotted to record the browsing habits of every internet user.

First up is a story from The Intercept about Karma Police, a seven-year-old program launched by the British spy agency GCHQ designed to catalog visits to porn sites, social media and news sites, as well as activity on search engines, chat forums, and blogs. As previously reported, GCHQ has tapped more than 200 undersea cables as part of its spying partnership with the NSA, siphoning gigabytes of data each day. Karma Police describes how some of that data is used to build a profile of a user's web browsing and search engine histories, Skype calls, and other communications via email, instant messaging and text. The Intercept notes that the surveillance isn't targeted but instead indiscriminately tracks the activity of many users to uncover patterns and relationships.

In the US, the war over encryption backdoors continues with a new government memo obtained by the Washington Post, which shows that a task force explored four possible ways the government might deal with the encryption standoff between law enforcement and spy agencies on the one hand and technology companies and the public on the other.

Among the most controversial options discussed? Exploiting the automatic software updates vendors push out to customers. Under a court order, a company could be compelled to embed spyware in an update to infect a targeted customer’s phone or tablet. The memo warned, however, that this tactic could backfire by calling into question "the trustworthiness of established software update channels," which could lead customers to opt out of updates, leaving their devices less secure and open to attacks from other sectors. Ironically, that's exactly the criticism that arose in the security community in 2012 when researchers discovered that Flame, a nation-state spy tool believed to have been developed by the US and Israel, subverted the Microsoft Windows Update system to install itself on targeted machines. Sources told the Washington Post that while the software update option and others were considered by the task force, the government has no plans to pursue them.