Edward Snowden: How Your Cell Phone Spies on You

Are you aware at all of the current state of surveillance and what, if anything, has changed since your revelations? Yeah, I mean, the big thing that's changed since I was in 2013 is now it's Mobile First, everything. Mobile was still a big deal, right? And the intelligence community was very much grappling to get its hands around it and to deal with it. But now people are much less likely to use a laptop than use a desktop than use, you know, God, any kind of wired phone than they are to use a smartphone. And both Apple and Android devices, unfortunately, are not especially good in protecting your privacy. Think right now. You got a smartphone, right? You might be listening to this on a train somewhere in traffic right now. Or you Joe right now. You got a phone somewhere in the room, right? The phone is turned off, or at least the screen is turned off. It's sitting there. It's powered on. And if somebody sends you a message, the screen blinks to life. How does that happen? How is it that if someone from any corner of the earth dials a number, your phone rings and nobody else's rings? How is it that you can dial anybody else's number and only their phone rings, right? Every smartphone, every phone at all, is constantly connected to the nearest cellular tower. Every phone, even when the screen is off, you think it's doing nothing. You can't see it because radio frequency emissions are invisible. It's screaming in the air, saying, Here I am. Here I am. Here is my IMEI. I think it's Individual Manufacturers' Equipment Identity and IMEI, Individual Manufacturers' Subscriber Identity. I could be wrong on the break out there, but the acronyms are the IMEI and the IMSI. And you can search for these things. They're two globally unique identifiers that only exist anywhere in the world in one place, right? This makes your phone different than all the other phones. The IMEI is burned into the handset of your phone. No matter what SIM card you change to, it's always going to be the same. And it's always going to be telling the phone network it's this physical handset. The IMESI is in your SIM card, right? And this is what holds your phone number, right? It's basically the key, the right to use that phone number. And so your phone is sitting there doing nothing, you think, but it's constantly shouting and saying, I'm here. Who is closest to me? That's the cell phone tower. And every cell phone tower with its big ears is listening for these little cries for help and going, All right. I see Joe Rogan's phone. I see Jamie's phone. I see all these phones that are here right now. And it compares notes with the other network towers and your smartphone compares notes with them to go, Who do I hear the loudest? And who you hear the loudest is a proxy for proximity, for closeness, distance, right? They go, Whoever I hear more loudly than anybody else, that's close to me. So you're going to be bound to this cell phone tower and that cell phone tower is going to make a note, a permanent record, saying this phone, this phone handset with this phone number at this time was connected to me. And based on your phone handset and your phone number, they can get your identity, right? Because you pay for this stuff with your credit card and everything like that. And even if you don't, it's still active at your house overnight. It's still active on your nightstand when you're sleeping. It's still whatever. The movements of your phone are the movements of you as a person. And those are often quite uniquely identifying. It goes to your home. It goes to your workplace. Other people don't have it. Sorry. And anyway, it's constantly shouting this out and then it compares notes with the other parts of the network. And when somebody is trying to get to a phone, it compares notes. The network compares notes to go, where is this phone with this phone number in the world right now? And to that cell phone tower that is closest to that phone, it sends out a signal saying, we have a call for you. Make your phone start ringing so your owner can answer it. And then it connects it across this whole path. But what this means is that whenever you're carrying a phone, whenever the phone is turned on, there is a record of your presence at that place that is being made and created by companies. It does not need to be kept forever. And in fact, there's no good argument for it to be kept forever. But these companies see that as valuable information. This is the whole big data problem that we're running into. And all this information that used to be ephemeral, where were you when you were eight years old? Where'd you go after you had a bad breakup? Who'd you spend the night with? Who'd you call after? All this information used to be ephemeral, meaning it disappeared, right? Like the morning dew. It would be gone. No one would remember it. But now these things are stored. Now these things are saved. It doesn't matter whether you're doing anything wrong. It doesn't matter whether you're the most ordinary person on earth, because that's how bulk collection, which is the government's euphemism for mass surveillance, works. They simply collect it all in advance in hopes that one day it will become useful. And that was just talking about how you connect to the phone network. That's not talking about all those apps on your phone that are contacting the network even more frequently, right? How do you get a text message notification? How do you get an email notification? How is it the Facebook knows where you're at? You know, all of these things, these analytics, they are trying to keep track through location services on your phone, through GPS, through even just what wireless access points you're connected to, because there's a global, constantly updated map. There's actually many of them of wireless access points in the world, because just like we talked about, every phone has a unique identifier that's globally unique. Every wireless access point in the world, right? Your cable modem at home, whether it's in your laptop, every device that has a radio modem has a globally unique identifier in it. And this is standard term. You can look it up. And these things can be mapped when they're broadcasting in the air, because again, like your phone says to the cell phone tower, I have this identifier, the cell phone tower responds and says, I have this identifier. And anybody who's listening, they can write these things down. And all those Google Street View cars that go back and forth, right, they're keeping notes on whose Wi-Fi is active on this block, right? And then they build a new giant map. So even if you have GPS turned off, right, as long as you connect to Wi-Fi, those apps can go, well, I'm connected to Joe's Wi-Fi, but I can also see his neighbor's Wi-Fi here, and the other one in this apartment over here, and the other one in the apartment here. And you should only be able to hear those four globally unique Wi-Fi access points from these points in physical space, right? The intersection in between the spreads, the domes, of all those wireless access points. And it's a proxy for location. And it just goes on and on and on. We could talk about this for four more hours. We don't have that kind of time. Can I ask you this? Is there a way to mitigate any of this personally? I mean, shutting your phone off doesn't even work, right? Well, so it does in a way. It's yes and no. The thing with shutting your phone off that is a risk is, how do you know your phone's actually turned off? It used to be when I was in Geneva, for example, working for the CIA. We would all carry, like, drug dealer phones. You know, the old smartphones, or sorry, old dumb phones, they're not smartphones. And the reason why was just because they had... Removable batteries. ...the removal bags, where you could take the battery out, right? And the one beautiful thing about technology is, if there's no electricity in it, right? If there's no go juice available to it, if there's no battery connected to it, it's not sending anything, because you have to get power from somewhere. You have to have power in order to do work. But now, your phones are all sealed, right? You can't take the batteries out. So, there are potential ways that you can hack a phone where it appears to be off, but it's not actually off. It's just pretending to be off, whereas in fact, it's still listening in and doing all this stuff. But for the average person, that doesn't apply, right? And I gotta tell you guys, they've been chasing me all over the place. I don't worry about that stuff, right? And it's because if they're applying that level of effort to me, they'll probably get the same information through other routes. I am as careful as I can, and I use things like Faraday Cages, I turn devices off. But if they're actually manipulating the way devices display, it's just too great a level of effort, even for someone like me, to keep that up on a constant basis. Also, if they get me, I only trust phones so much. So, there's only so much they can derive from the compromise. And this is how operational security works. You think about what are the realistic threats that you're facing that you're trying to mitigate. And the mitigation that you're trying to do is what would be the loss, what would be the damage done to you if this stuff was exploited. Much more realistic than worrying about these things that I call voodoo hacks, right? Which are like next level stuff. And actually, just a shout out for those of your readers who are interested in this stuff. I wrote a paper on this specific problem, how do you know when a phone is actually off, how do you know when it's actually not spying on you? With a brilliant, brilliant guy named Andrew Bunny Huang. He's an MIT PhD in, I think, electrical engineering. Called the Introspection Engine. It was published in the Journal of Open Engineering. You can find it online. And it'll go as deep down in the weeds, I promise you, as you want. We take an iPhone 6. This was back when it was fairly new. And we modified it so we could actually not trust the device to report its own state, but physically monitor its state to see if it was spying on you. But for average people, right, this academic, that's not your primary threat. Your primary threats are these bulk collection programs. Your primary threat is the fact that your phone is constantly squawking to these cell phone towers as it's doing all of these things. Because we leave our phones in a state that is constantly on. You're constantly connected, right? Airplane mode doesn't even turn off Wi-Fi, really, anymore. It just turns off the cellular modem. But the whole idea is we need to identify the problem. And the central problem with smartphone use today is you have no idea what the hell it's doing at any given time. Like, the phone has the screen off. You don't know what it's connected to. You don't know how frequently it's doing it. Apple and iOS, unfortunately, makes it impossible to see what kind of network connections are constantly made on the device and to intermediate them. Going, I don't want Facebook to be able to talk right now. I don't want Google to be able to talk right now. I just want my secure messenger app to be able to talk. I just want my weather app to be able to talk. But I just checked my weather and now I'm done with it so I don't want that to be able to talk anymore. And we need to be able to make these intelligent decisions on not just an app-by-app basis but a connection-by-connection basis, right? You want, let's say you use Facebook because, you know, for whatever judgment we have, a lot of people might do it. You want it to be able to connect to Facebook's content servers. You want to be able to message a friend. You want to be able to download a photograph or whatever. But you don't want it to be able to talk to an ad server. You don't want it to talk to an analytics server that's monitoring your behavior, right? You don't want to talk to all these third-party things because Facebook crams their garbage into almost every app that you download and you don't even know what's happening because you can't see it, right? And this is the problem with the data collection used today is there is an industry that is built on keeping this invisible. And what we need to do is we need to make the activities of our devices, whether it's a phone, whether it's a computer, whatever, more visible and understandable to the average person and then give them control over it. So, like, if you could see your phone right now, and at the very center of it is a little green icon that's your, you know, handset or it's a picture of your face, whatever, and then you see all these little spokes coming off of it. That's every app that your phone is talking to right now or every app that is active on your phone right now and all the hosts that it's connecting to. And you can see right now, once every three seconds, your phone is checking into Facebook and you could just poke that app and then boom, it's not talking to Facebook anymore. Facebook's not allowed. Facebook's speaking privileges have been revoked, right? You would do that. We would all do that. If there was a button on your phone that said, do what I want but not spy on me, you would press that button, right? That button is not, does not exist right now. And both Google and Apple, unfortunately, Apple's a lot better at this than Google. But neither of them allow that button to exist. In fact, they actively interfere with it because they say it's a security risk. And from a particular perspective, they actually aren't wrong there. But it's not enough to go, you know, we have to lock that capability off from people because we don't trust they would make the right decisions. We think it's too complicated for people to do this. We think there's too many connections being made. Well, that is actually a confession of the problem right there. If you think people can't understand it, if you think there are too many communications happening, if you think there's too much complexity in there, it needs to be simplified. Just like the president can't control everything like that. If you have to be the president of the phone, and the phone is as complex as the United States government, we have a problem, guys, this should be a much more simple process. It should be obvious. And the fact that it's not, and the fact that we read story after story, year after year, saying all your data has been breached here, this company's spying on you here, this company's manipulating your purchases or your search results, or they're hiding these things from your timeline, or they're influencing you or manipulating you in all of these different ways, that happens as a result of a single problem. And that problem is an inequality of available information. They can see everything about you. They can see everything about what your device is doing, and they can do whatever they want with your device. You, on the other hand, owned the device. Well, rather, you paid for the device, but increasingly these corporations own it, increasingly these governments own it, and increasingly we are living in a world where we do all the work, right? We pay all the taxes. We pay all the costs. But we own less and less, and nobody understands this better than the youngest generation. Well, it seems like our data became a commodity before we understood what it was. It became this thing that's insanely valuable to Google and Facebook and all these social media platforms. Before we understood what we were giving up, they were making billions of dollars. And then once that money is being earned, and once everyone's accustomed to the situation, it's very difficult to pull the reins back. It's very difficult to turn that horse around. Precisely, because the money then becomes power. Right. The information then becomes influence. That also seems to be the same sort of situation that would happen with these mass surveillance states. Once they have the access, it's going to be incredibly difficult for them to relinquish that. Right, yeah, no, you're exactly correct. And this is the subject of the book. I mean, this is the permanent record, and this is where it came from. This is how it came to exist. The story of our lifetimes is how intentionally, by design, a number of institutions, both governmental and corporate, realized it was in their mutual interest to conceal their data collection activities, to increase the breadth and depth of their sensor networks that were sort of spread out through society. Remember, back in the day, intelligence collection in the United States, even in Sigan, used to mean sending an FBI agent to put alligator clips on an embassy building, or sending in somebody disguised as a workman, and they put a bug in a building. Or they built a satellite listening site. We call these foreign satellite collection. We're out in the desert somewhere. They built a big parabolic collector, and it's just listening to satellite emissions, right? But these satellite emissions, these satellite links, were owned by militaries. They were exclusive to governments, right? It wasn't affecting everybody broadly. All surveillance was targeted because it had to be. What changed with technology is that surveillance could now become indiscriminate. It could become dragnet. It could become bulk collection, which should become one of the dirtiest phrases in the language, if we have any kind of decency. But we were intentionally...this was intentionally concealed from us, right? The government did it. They used classification. Companies did it. They intentionally didn't talk about it. They denied these things were going. They said, you agreed to this, and you didn't agree to nothing like this. I'm sorry, right? They go, we put that terms of service page up, and you clicked that. You clicked a button that said, I agree, because you were trying to open an account so you could talk to your friends. You were trying to get driving directions. You were trying to get an email account. You weren't trying to agree to some 600-page legal form that even if you read, you wouldn't understand. And it doesn't matter even if you did understand, because one of the very first paragraphs in it said, this agreement can be changed at any time unilaterally without your consent by the company, right? They have built a legal paradigm that presumes records collected about us do not belong to us. This is sort of one of the core principles on which mass surveillance from the government's perspective in the United States is legal. And you have to understand that all the stuff we talked about today, the government says everything they do is legal, right? And they go, so it's fine. Our perspective as a public should be, well, that's actually the problem, because this isn't okay. The scandal isn't how they're breaking the law. The scandal is that they don't have to break the law. And the way they say they're not breaking the law is something called the third-party doctrine. A third-party doctrine is a legal principle derived from a case in, I believe, the 1970s called Smith versus Maryland. And Smith was this knucklehead who was harassing this lady making phone calls to her house. And when she would pick up, he just, I don't know, sit there heavy breathing, whatever, like a classic creeper. And, you know, it was terrifying, this poor lady. So she calls the cops and says, one day I got one of these phone calls and I see this car creeping past my house on the street. And she got a license plate number. So she goes to the cops and she goes, is this the guy? And the cops, again, they're trying to do a good thing here. They look up his license plate number and they find out where this guy is, and then they go, well, what phone number is registered to that house? And they go to the phone company and they say, can you give us this record? And the phone company says, yeah, sure. And it's the guy. The cops got their man, right? So they go arrest this guy and then in court, his lawyer brings all this stuff up and they go, you did this without a warrant. That was, sorry, that was, that was the problem was they went to the phone company and they got the records without a warrant. They just asked for it or they subpoenaed it, right? Some lower standard of legal review. And the company gave it to him and got the guy. They marched him off to jail. And they could have gotten a warrant, right? But it was just expedience. They just didn't want to take the time. The small town cops, you can understand how it happens. They know the guy's a creeper. They just want to get him off to jail. And so they made it by simply the government doesn't want to let it go. They fight on this. And they go, it wasn't actually, they weren't his records. And so because they didn't belong to him, he didn't have a fourth amendment right to demand a warrant be issued for them. They were the company's records and the company provided them voluntarily. And hence no warrant was required because you can give whatever you want without a warrant as long as it's yours. Now here's the problem. The government extrapolated a principle in a single case of a single known suspected criminal who had, they had real good reasons to suspect was their guy and used that to go to a company and get records from them and establish a precedent that these records don't belong to the guy. They belong to the company. And then they said, well, if one person doesn't have a fourth amendment interest in records held by a company, no one does. And so the company then has absolute proprietary ownership of all of these records about all of our lives. And remember, this is back in the 1970s. You know, the internet hardly exists in these kinds of contexts. Smartphones, you know, don't exist. Modern society, modern communications don't exist. This is the very beginning of the technological era. And flash forward now 40 years. And they are still relying on this precedent about this one, you know, pervy creeper to go, nobody has a privacy right for anything that's held by a company. So long as they do that, companies are going to be extraordinarily powerful, and they're going to be extraordinarily abusive. And this is something that people don't get. They go, oh, well, it's data collection, right? They're exploiting data. This is data about human lives. It is data about people. These records are about you. It's not data that's being exploited. It's people that are being exploited. It's not data that's being manipulated. It's you that's being manipulated. And this is something that I think a lot of people are beginning to understand. The problem is the companies and the governments are still pretending they don't understand or disagreeing with this. And this is why my end to me of something that one of my old friends, John Perry Barlow, who served with me at the Freedom of the Press Foundation. I'm the president of the board, used to say to me, which is, you can't awaken someone who's pretending to be asleep.