The CIA Recognized the Need to Fight Technology

We have reached a milestone of the digital society, a sort of enlightenment: the recognition of the need to fight technology in order to survive.

A few days ago the Deputy Director of the CIA, Dawn Meyerriecks, delivered a keynote address at the GEOINT2018 conference, claiming that advances in the use of technology make it difficult for CIA operatives to move freely – even when they aren’t physically tailed by the local counter-intelligence.

This is because, it’s been said, some 30 countries are now able to track operatives through CCTV systems that are linked with facial recognition systems.

She then concluded that new and creative ways are needed to tackle this problem, because technological advances in the Identity Intelligence field could eventually make it very hard for their agents to operate. Her remarks called for more inventions and more integration between existing and future technologies as one way to go.

But perhaps it is time to understand that surviving the future depends on whether one is on the offensive side or on the defensive side. Being on the offensive means that there are plenty of resources available, and that these are grouped together for the intelligence and/or military preparation of the playground. Being on the defense in a foreign land is something else. It is safe to say that an operative deep behind the lines would do best to keep as low a profile as possible in order to avoid detection. To attain this, an operative must fully fit into the landscape. And let me tell you: it’s not solely about the survival of an undercover operative. If a well-trained and experienced field agent cannot evade AI-powered mass surveillance, it means not a single one of us could.

Surely this is no news to anyone in this business; the new problem is the size of the digital footprint. If it is too small, it is suspicious because one is moving freely in a country without having identifiable database records, social media profiles, an established identity connected to telecommunication subscriptions, etc. This turns an operative into a question mark on the screen of the adversary, and the authorities of the adversary will want to find the answer to that question. If the digital footprint is too large, it is suspicious because repressive countries do not like individuals with too many connections, too many social profiles and generally too verbose people.

This is just a short piece, so I only want to take a look at two fields that are important: the question of the CCTV & facial recognition combo and the question of digital identity.

To estimate the capabilities of contemporary video surveillance systems, one has to break them down into three factors:

  • the sensitivity of the cameras,
  • the ability of facial recognition applications to correctly identify individuals,
  • and the ability to gather, store and use biometric data of individuals.

The sensitivity of the cameras of video surveillance systems can be taken as limitless. The available resolutions for video systems are growing by the day: for example, 50-megapixel cameras can be bought off the shelf, and there is a working 570-megapixel camera used in research into dark energy. Because “the higher the megapixel count on a camera sensor, the greater amount of detail that can be captured in a picture” (a quote from Quora.com), the datasets of any facial recognition system grow accordingly. Color depth measurement, anti-blurring, motion-distortion machine learning algorithms, etc. have all become operational in this field. It can be said that sensitivity is a question of technology, and thus it can be assumed that the specs will improve over time.

The ability of facial recognition applications to correctly identify individuals is something that laymen cannot properly guess. But if we take a look at the open-source advertising of such commercial systems, which are obviously the watered-down versions of their tier 1 peers, we find that these offer almost 100% accuracy. If you take a look at the products of the leaders of this industry segment (for example NEC and Panasonic, two prolific CCTV producers), you’ll find that they sell AI-assisted packages to anyone. The number of existing applications is in the tens of thousands.

These commercial products already offer accurate identification even when the appearance of the surveilled individual differs significantly from the stored biometric data: wearing sunglasses, a surgical mask or a rubber mask, holding a tablet in front of her/his face with a spoofing video playing, having aged several decades since her/his picture was taken, etc. According to the promotional materials, these systems offer accurate identification when the face is angled (up to 45 degrees to the left or right, or 30 degrees up or down). Also, even commercial off-the-shelf CCTV systems have night vision capability, and we know that there is advanced research into night-time infrared heat-sensitive facial recognition, so the operatives of today might not necessarily “own the night”.

So, it is safe to say that there really is a capability to ID anyone who enters the viewing angle of a CCTV camera.

But as I wrote earlier, it is perfectly easy to spoof the whole show by going after the least protected part of the system; read my article here about that vulnerability vector.

The ability to gather, store and use biometric data of individuals is a trickier question. It is obvious that state institutions store biometric data of their own residents and of those who legally enter their respective territories. According to open sources, the United States, the People’s Republic of China, the United Kingdom, Singapore and many more countries have made much headway in this field, storing biometric data of the majority of their residents and permanently using facial recognition in public spaces to locate suspects and/or persons of interest.

But having the biometric data of the operatives of another country? Well, that is a whole other thing. Of course there is an opportunity to clandestinely record those who are entering the embassy of a foreign country, etc., but these people would be only a very small portion of those who might actually be covert operatives. So there must be other ways to collect these data. There is always some kind of co-operation between security agencies of states with common interests, so that is one way to gather such data – if another country has already identified such agents.

Some states might go the extra mile by dispatching their own teams to hot spots around the world to find those foreigners who work with local security apparatuses. These people – if they could be recorded – will definitely be likely contenders to pop up somewhere else in a covert manner sooner or later, so it is a good one. For example, during the invasion of Afghanistan starting in 2001 and the 2003 invasion of Iraq, many states sent their assets to identify western operatives, including Iran, Russia and the People’s Republic of China.

But the most feasible way to collect such biometric data is to resort to reconnaissance in the very heart of the adversary. You don’t have to think about something very special here, just a camera installed somewhere near the roads leading to the HQ of an interesting agency. If it is able to record the faces, then it fulfills its purpose. And it is quite a cost-efficient way too. I really don’t want to elaborate on whether it is happening or not, but I would like to note that not that long ago it came to light that many states intercepted / eavesdropped on cell phone calls and messages in Washington D.C. using commercially available ‘Stingray’ devices. So, let’s assume that if it is doable and feasible, they will record the faces of the employees of all security agencies. Not only because it’s been done by basically all states since the early days of the Cold War, but because there is no use for a massive surveillance system without the ability to tell who’s the enemy to watch out for.

The question of digital identity could be even more important for tracking unknown operatives. The big-data-driven solutions which are designed to mine data from all accessible databases in real time (like contemporary Activity-Based Intelligence frameworks) are not only able to single out all relevant information pertaining to an individual, but usually create visualized graphs of the connections of the individual to other individuals, states, companies, political views, etc. (How these big-data-driven systems helped to ID intelligence operatives in near real time has been discussed in one of my earlier articles here.)

And here comes the interesting part. The basic problem of having a not-so-suspicious asset is giving it an ordinary-looking digital fingerprint. In the augmented reality framework it comes down to roughly the following aspects:

  • the individual can be identified (if not, that could be a signal which automatically makes her/him suspicious in a surveillance state),
  • the individual has a smartphone on her/him,
  • the International Mobile Equipment Identity (IMEI) identifier of the phone, the International Mobile Subscriber Identity (IMSI) identifier of the SIM card and the Mobile Subscriber ISDN (MSISDN) Number of the subscriber all point to the same verified individual,
  • the geolocation signals emitted from the embedded global positioning system of the mobile phone correspond to the geolocation of the sighting of the given individual,
  • the smartphone is running social media applications with the individual logged in to them, and the social media profiles can be interpreted as belonging to an individual with a valid reason to be at that location (e.g. a local fellow),
  • the physical appearance of the individual is akin to the local population,
  • there are no records implying that the individual has any traceable connection to persons of interest to the party who is doing the surveillance (like previous residency, school, workplace, political affiliation, etc.).

So, how is it possible to overcome these obstacles? Well, probably there are two ways to go. The first would be to foster virtual entities, including social media profiles and even personal IDs. This is done nowadays on a surprisingly wide scale in the West, by sending moles among the undocumented refugees for example. These individuals can – over time – gather more and more documents and records that will one day make them legit – and usable for these purposes. While it is possible to foster virtual identities this way, there are also some shortcomings, like the susceptibility to big-data-driven analysis – e.g. failing when filters like ‘born abroad’ are used. If such virtual identities are created without having an actual individual to ‘carry the mask’, then it would be a tremendous amount of work to have a profile that is good enough to pass checks. For example, in order to make it seemingly legit, one has to move the phone from place to place, create connections (perhaps on the basis of mutual interests), communicate, etc. This is a monstrous task, and who knows whether or not it’s going to work. Yet there is a booming industry of fostering fake social media profiles (most notably in Asia), so it is quite likely that there are thousands of purpose-built profiles for future intelligence operations for Facebook, VKontakte, Weibo and other platforms.

A cheaper and more professional approach would be to add an extra layer of operatives. They would be modern-day derivatives of the Cold War spy couriers and purveyors. Their job would be to locate individuals in a target country whose identity could be borrowed complete with their digital fingerprints. By closely examining these individuals it would be possible to assume their identity for a short time frame operation – or to replace them if a long-term operation is to be mounted. How such a replacement could be brought about… well, I leave it to your imagination. If an operative is prepared by reading all messages, posts, etc. of the individual she/he is going to replace, she/he could easily assume that individual’s place. If she/he could be masqueraded to be a lookalike (this goes both ways too: it is possible to re-upload all photos of the targeted individual after doctoring them to fit the future operative’s facial features, so as to have a recorded set of biometric big data at the disposal of the future enemy), then with cautious movement and keeping to the rule of engaging in meetings with sources only outside of CCTV ranges, it could be done – maybe for years or decades on end.

And yes, finally we might also conclude that these developments will eventually lead to recruiting more locals to do the sensitive work, but the general rule is that the more repressive a state is, the more difficult it is to find and recruit a trustworthy agent within its borders.

So, possibly most of the money will be spent on spoofing the system 🙂