Interview: Andre Mendes-‘Safety on the Line’ Report with Freedom House


The report Safety on the Line: Exposing the Myth of Mobile Communication Security is a 2012 mobile technology study jointly produced by the BBG and Freedom House.  The study looked at mobile use and mobile security risks in 12 countries: Azerbaijan, Belarus, China, Egypt, Iran, Libya, Oman, Saudi Arabia, Syria, Tunisia, Uzbekistan, and Vietnam.  BBG and Freedom House hope to inform users and developers about the current variety of operating systems, applications and mobile protocols on the market in order to explore each item’s capacity to protect security and privacy and to combat censorship and surveillance.


Andre Mendes

 

The Office of Digital and Design Innovation (ODDI) wanted to gain more insight into the use of this document by speaking with Andre Mendes, Director of the Office of Technology, Services and Innovation at the Broadcasting Board of Governors.


 


1.      Why was the BBG-Freedom House report produced and what is it? 

Mendes: We have been following the migration of content consumption patterns among our audiences and potential audiences.  It became very obvious in these developing markets, the use of mobile is exploding and Internet access and usage via those platforms is substantially increasing.  So we figured it was time to take an in-depth look at what that market entails and also how security concerns are handled along every level of the technology stack.

We cooperated with Freedom House to jointly sponsor a report that would look at 12 of the up-and-coming mobile markets where we would be interested in seeing our mobile utilization (increased) and (where we could) do an in-depth analysis of mobile platform security.  (The risk analysis) encompassed the entire ecosystem and examined everything from the service providers (even at the state level) where we looked at the telecommunications organization providing the basic infrastructure, all the way up to the code writers that build applications for the smart phone platforms that are literally flooding these markets.  We looked at every piece of the puzzle that composes the mobile arena.

 

[Image above: “Big 5 Market Share, May 2012” & “Growth Rate”, p. 70]

 

2.      What were the report’s conclusions?  Was there anything that surprised you?

Mendes: Nothing in the report was a complete surprise.  Obviously, some of our expectations in terms of platform ubiquity were validated–with the mobile platform either being thoroughly ensconced into the ethos of these countries or very quickly becoming so.  In some (countries), the entire infrastructure is under the control of government–with everything that entails.  Also in some countries, there are some handsets with operating systems that are actually being customized in order to add additional data collection mechanisms to disable (data collection).

What we found was a situation where (under the) most authoritative regimes the end user is the most at risk for unauthorized data collection for tracking—allowing for in-depth exploration to identify people, purposes, associations, meetings, and so on.

 

3.      Do any of the new emerging phone technologies help or hurt end users?

Mendes: Well I mean I don’t know if the iPhone 5 brings any security enhancing measures to the table, but it’s not a platform that we expect to find in these countries any time soon.  In fact, previous iPhones were not secure because they had the ability to track locations and movements on Google Earth across national borders.  It was very distressing.  Some of that is inherent on any phone.  But say you have an account in a government-controlled telecommunications environment.  They’ll be looking at your roaming patterns, they’ll be looking if you are crossing borders and getting authenticated elsewhere.  This will happen if you don’t take the precaution of using different SIM cards or different phones.  (Government telecommunications companies) can even go as far as looking at the people you associate with and the proximity to establish patterns.

[Images above: Security ratings of Android vs. Blackberry mobile platforms, p. 84, 87]

Not too long ago I read an essay positing that, given enough data, (corporate) telecommunications companies could predict your future behavior based on your past utilization patterns.  For example, if you go to the same restaurant at the same time every Wednesday, they can do massive data mining to determine what time you’ll get there.  What we got was an assurance that all of the fantastic functionality that enables some of the great abilities that these phones have (such as the convenience of being able to search for the nearest ATM, to get pizza restaurant recommendations, or to buy movie tickets) are quite a double-edged sword, because they allow for massive collection of utilization data.  The original intent was commercial utilization of course, to sell you more stuff or entice you to go to a certain place when you’re doing a search—but, unfortunately, it can be used for nefarious purposes by authoritarian regimes that are less interested in selling you stuff and more interested in making sure that you’re not circumventing any of their thought control, content control, or movement control plans.  Whether we like it or not, this is pervasive and only likely to increase.

 

4.             How should and where should people be enticed to upload content?

Mendes: From a convenience standpoint, a mobile phone is almost a pre-requisite for modern living. Therefore, curtailing its entrance into a particular country, city, location, stadium, or arena is virtually impossible.  Effectively what we’ve done is enable any citizen with a modern mobile phone to be a citizen journalist—by virtue of the ability to capture both audio and video that can be sent anywhere in the world immediately by using the existing telecommunications network.

The truth is, nowadays, if you buy a phone for $300 you have an HD-capturing-machine, which would have cost you about $120,000 10 years ago. Now you can capture content at 1080p and 30 frames per second that is actually a usable source of broadcast quality material.  It is a bit of a Pandora’s box in terms of how it creates an environment where content from anywhere can be captured and distributed as long as there is enough bandwidth to carry the traffic.  The same technology that enables financial progress and economic advantage to these authoritarian regimes is, at the same time, providing people with tools that enable information acquisition and consumption and escape.  This creates a very interesting quandary—which explains why (governments) probably want to control the entire infrastructure to the utmost degree.

[Image above: “Market Penetration”, p. 92]

 

5.      Why did TSI/BBG commission the report?

Mendes: We are very intent on providing people with unfettered access to the Internet.  As (mobile) platforms become more and more relevant, especially in those countries where access to (personal computers) or cyber cafes is somewhat controlled or impossible from an economic standpoint, then it becomes one of the most important strategic platforms going forward.   As such, we want to make sure we are aware of the security frailties of the environment so that we can properly warn and educate our audiences and our content contributors about the inherent risks associated with it.  We’re not going to be able to completely mitigate them, but at least we need to make sure we’re dealing with people who have a minimum understanding of some of the risks that they’re exposing themselves to.

 

6.      How have the results of the report been disseminated?

Mendes: We have published them online and have also talked with several other institutions that are interested in further publicizing the report.  We’re cooperating with the U.S. State Department in terms of that distribution and we’ve made the content available on Capitol Hill to some of our appropriators and to some of the staffers that deal with the BBG on a regular basis.  So we’re hoping that more and more people get to read it and take advantage of the report.  It has proven invaluable to us in terms of determining future strategies and our ability to convince some of our providers to implement the security measures recommended in the report.

 

7.      What is the IAC program at TSI?  What are the goals of IAC?

Mendes: TSI is the Technology, Services and Innovation branch of the BBG and is responsible for broadcast distribution on a global basis—from short wave stations to Internet and mobile distribution.   Within that organization, we operate the Internet Anti-Censorship (IAC) division that is funded separately by Congress.  IAC’s intent and mission is to ensure that people who live in environments that actively promote censorship of the Internet are able to access tools, techniques and capabilities to allow them to access information by whatever means they can in an unfettered manner. It’s a relatively simple mandate that we’re fulfilling by providing access to the tools while helping to increase the security to the end user.

[Image above: “Reasons for Use of Circumvention Tools”, p. 72]

 

8.      How does the work at IAC interact with the rest of the agencies? 

Mendes: We have a substantial amount of interaction with the BBG broadcast networks to coordinate how our tools are distributed via their or the vendor’s websites.  (We do this by) sharing information about the availability of these tools—such as proxy servers—through the broadcasts.  For example, we’ll announce the availability of a proxy server on a radio broadcast or on a TV broadcast.  Our satellite TV and radio with slate distribution into China, Tibet, and Iran has a running list of proxy servers available for people that are watching us on satellite TV.  So we have to coordinate with (the networks) very closely (to distribute) these messages and software tools that their audience can use.

 

9.            How will IAC interact with ODDI in the future?

Mendes: ODDI is putting forth new platforms and new capabilities in the mobile environment.  It is dealing with the Pangea integration, looking at the integration of audio/video platforms, and it’s going to be working with other platforms that will be commissioned and deployed on mobile platforms so there needs to be close integration with IAC. (This is) to ensure that if we provide people with an application to access VOA, RFE/RL or for that matter any other Internet content, they will have the right tools in their platform that enable them to get past the firewall.  If you have an application, but nobody can get to it, there is no point (to owning it).  I think there needs to be a close relationship (between ODDI and IAC) to help make our information available to people in these suppressed countries.

 

10.            Based on the report, do you have any recommendations for our journalists?

Mendes: By and large, I’ve found that different organizations will pick different tools (based on their needs).  As a government agency, it’s very difficult to make broad recommendations without going through a very elaborate and defensible process.  At the end of the day, all of these platforms have flaws, so there’s not a perfect bullet out there.  I think as all of these platforms evolve the struggle will be between the functionality that is so desired within free societies for convenience and the lack of confidentiality and anonymity that is brought on by virtue of data collection and possible mis-utilization.

This will be a case where commercial interests will dictate more access to data and more correlation between geographical locations, utilization patterns and access to databases, versus the dark side of that, which is the usage of that data aggregation by nefarious regimes and 3rd party applications (which you can’t control at all).  A government owned telecommunications company can collect your information at whatever interval they desire to do by virtue of triangulation and storing that data.  It is going to be a constant interplay between those things.  People need to be very aware that, effectively, an overwhelming majority of people that are unwilling or unable to go through anonymization of their platforms, are effectively giving up an enormous amount of privacy for the sake of convenience.

 

[Image above: “Security Desired”, p. 37]

 

The same is true online on a desktop, or at a cyber cafe where someone can be looking over your shoulder, or by participating on an email chain, or by participating in a physical demonstration parading down the streets.  There is always a built-in danger when taking on dissident-like activities.  You can’t be protected against all of the dangers that ensue.  People should just be aware that when you’re in a mobile environment and are an active user, you might be exposing yourself in ways that you don’t understand.  Hopefully this report will shed a little light on that.  It will also bring to the table the opportunity to deal with hardware, software, application and operating system manufacturers to make them aware that they should—at the very least—put in place some tools that enable the opt-in or opt-out type of functionality for some of these identity (masking or) unmasking features.

 

There’s no free lunch… if people want to be bad they will be bad. And if a government really wants to find you and you’re using regular tools, ye shall be found.

[Image above: "The Guardian Datablog14 analyzed over 300 records of people on riot-related charges before English magistrates’ courts to see where people lived and when the riots took place in London. The map shows where riots and looting took place in each part of the city.", p. 34]

[Image above: "CCTV cameras in London, recorded thousands of hours of video footage of looters and rioters. Operation Withern15 at the Metropolitan (London) Police is an operation to collect information about those involved in the London riots. Photographs of the rioters were released to the general public in the hopes that witnesses will come forward to identify suspects.", p. 34]

- – - -

(Thank you to Andre Mendes, Will Sullivan, and Rob Bole for their contributions to this post.  To contact Mendes: amendes@bbg.gov)

(The foregoing commentary does not constitute endorsement by the US Government, the Broadcasting Board of Governors, VOA, MBN, OCB, RFA, or RFE/RL of the information products or services discussed.)

April Deibert

April Deibert is the Multimedia Blogger/Producer for the Office of Digital & Design Innovation. Follow her on Twitter: @BBGinnovate and @AprilDeibert.
