Why Social Network Analysis Doesn't Catch Terrorists
The recent whistleblower disclosures that the NSA has obtained phone calling databases from major phone companies (and that, under an Executive Order, the president has exempted these same phone companies from SEC disclosure rules regarding these transactions) are being excused in the press as necessary for fighting terrorism. The claim is that the NSA is performing what is called "social network analysis" of calling patterns to establish connections between phone numbers, locations, and the persons at those locations, as a means of ferreting out the social networks that make up al Qaeda sleeper cells. The problem is, it doesn't work.
What is a social network? Most people are familiar with the term from popular websites like Friendster, Multiply, Tribe, Plaxo, etc which work on the principle of Six Degrees of Separation, where participants invite their friends to join and create links to them, as well as upload information about themselves: where they are located, what books or movies or music they like, what schools they went to, their profession, etc. Such sites also allow people with similar interests to get to know each other online, whether or not they've ever met.
Anti-terror and anti-crime agencies are interested in analysing social networks in order to learn how to ferret out criminal and terrorist organizations (so they say), though there is also evidence (including reports from inside the FBI) that the FBI is using the same techniques to spy upon non-mainstream political groups across the spectrum: libertarians, pot-legalizers, anti-abortion, anti-war, and various other pacifist or civil liberties groups.
The idea is that since terror and organized crime groups organize under cellular structures, discerning connections made via phone call records, email, SMS, or social network site links illuminates these cellular structures, at the same time as it illuminates the innocent social networks of law-abiding persons. If any one person's name shows up in other intelligence as a person of interest in terror or criminal acts, it supposedly follows that that person's entire social network is to be suspected of being a sleeper cell, gang, or "crew".
The flaw in this reasoning is the unwarranted assumption that the parties to a true sleeper cell or criminal group will not be aware of possible indirect surveillance (which a pragmatic person engaged in illegal activity should assume as a given) and will not take countermeasures to prevent exposure via such indirect methods as traffic analysis, or more specifically social network analysis.
What possible countermeasures am I talking about? There are a whole range of tactics that can be used. One major tactic is to use intermediaries, particularly anonymizing intermediaries. Anonymizing websites have been common since the dawn of the internet.
Another is to create a lot of fake traffic, to increase the information load on those monitoring and reduce their certainty as to their results. Still another is the use of cut-outs: made-up persons with fully fleshed-out networks of their own, who serve as virtual intermediaries.
Still another is to use non-interceptable traffic. Peer-to-peer techniques avoid central servers whose packet traffic can easily be sniffed, though they create direct network links that can be recorded in the social network database; thus one wants a peer-to-peer-to-peer relay system that embeds intermediaries in the peer network.
The relative importance of nodes and edges in a social network is obtained through what are called centrality measures. For example, eigenvector centrality scores each node (an individual person, phone, website or physical address) by the corresponding component of the principal eigenvector (a vector that a linear transformation only rescales, never redirects) of the adjacency matrix (the matrix recording which nodes are connected to which); the nodes with the largest components are the ones that tend to be visited most frequently. An example is the PageRank algorithm used by Google: the principal eigenvector of a modified adjacency matrix of the web graph gives the page ranks as its components.
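To make the centrality computation concrete, here is an added example (not code from the original post) that computes eigenvector centrality and PageRank by power iteration on a small constructed call graph; the graph, node names and damping factor are assumptions for illustration. It also shows that the two measures need not agree on which node is "most important".

```python
# Added example: eigenvector centrality and PageRank via power iteration.
# The call graph below is constructed for illustration only.
from typing import Dict, List

# Constructed undirected "who called whom" graph: node -> neighbours.
CALL_GRAPH: Dict[str, List[str]] = {
    "A": ["B", "C", "D"],
    "B": ["A", "C"],
    "C": ["A", "B", "D"],
    "D": ["A", "C", "E"],
    "E": ["D"],
}


def eigenvector_centrality(graph: Dict[str, List[str]], iters: int = 500,
                           tol: float = 1e-12) -> Dict[str, float]:
    """Principal eigenvector of the adjacency matrix by power iteration.
    Each node's score is proportional to the sum of its neighbours' scores."""
    nodes = list(graph)
    score = {n: 1.0 for n in nodes}
    for _ in range(iters):
        new = {n: sum(score[m] for m in graph[n]) for n in nodes}
        norm = sum(v * v for v in new.values()) ** 0.5
        new = {n: v / norm for n, v in new.items()}
        converged = max(abs(new[n] - score[n]) for n in nodes) < tol
        score = new
        if converged:
            break
    return score


def pagerank(graph: Dict[str, List[str]], damping: float = 0.85,
             iters: int = 500, tol: float = 1e-12) -> Dict[str, float]:
    """PageRank: principal eigenvector of the damped, column-stochastic
    ("modified") adjacency matrix, again found by power iteration."""
    nodes = list(graph)
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(iters):
        new = {}
        for v in nodes:
            # Each caller u splits its rank evenly over the numbers it calls.
            inbound = sum(rank[u] / len(graph[u]) for u in nodes if v in graph[u])
            new[v] = (1 - damping) / n + damping * inbound
        converged = max(abs(new[v] - rank[v]) for v in nodes) < tol
        rank = new
        if converged:
            break
    return rank


def ranking(scores: Dict[str, float]) -> List[str]:
    """Nodes ordered from most to least central."""
    return sorted(scores, key=scores.get, reverse=True)
```

On this graph eigenvector centrality ties A and C for first place, while PageRank puts D first because the leaf node E hands its entire rank to D.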
An effective terror, insurgency, or criminal organization will engage in counter-surveillance activities that 'fog up' their adjacency matrix with lots of fake nodes or actual incognizant intermediaries (girlfriends, relatives, etc) and create lots of false traffic that screws up estimates of which nodes are the important ones.
A very effective means of practicing this is simply to embed one's illicit network within a larger and more active lawful network, such that the signals of illicit activities are drowned out in the noise of the larger network.
So, in conclusion, it should be obvious to anyone that the excuses given by the government for its breaches of our privacy rights for the sake of "national security" are NOT about detecting terrorist groups, but are instead intended to monitor lawful political activities that are in opposition to, or dissension against, those currently in control of the government apparatus.
1 Comment:
Mike, you make some interesting points, but stretch your argument too far. We have 5 years' worth of empirical data now, and the evidence doesn't support your conclusion. Please see my response to your comment at my post, Understanding the NSA data mining.