Some University College London students and others, have been trying out their Web 2.0 skillz by producing a smartphone App and Location Based Services web map called Sukey, in support of the student / anarchist protests, which are nominally about the Conservative / Liberal Democrat coalition Government financial cutbacks, due to the appalling state of the economy, which was ruined by the incompetence of the previous Labour government.
"Sukey" is meant to be a pun on the nursery rhyme "Polly put the kettle on, Sukey take it off again"
"Kettling" is the police jargon for the controversial tactic of surrounding crowds of peaceful protesters and preventing them from dispersing and going home for several hours, even when they are fed up with the protest. Demonstrators are also photographed and video surveilled and attempts are made to gather names and addresses from those who are ignorant of their legal rights not to do so unless actually arrested.
Despite making bold claims about the "security" of Sukey e.g. "Sukey is safe" and "Your data is safe with Sukey" here is nothing about any mobile phone anonymity techniques which might pose some problems to securocrats and their automated Single Point of Contact systems for grabbing Communications Traffic Data and Subscriber Details from mobile phone network companies
There is not even any basic advice about (not) taking anything but untraceable, disposable mobile phones to a demonstration or protest.
A tool for non-violent demonstrations.
Which, if it actually works, can also be easily misused by others.
To keep peaceful protesters informed with live protest information that will assist them in avoiding injury, in keeping clear of trouble spots and in avoiding unnecessary detention.
The application suite gives maximum information to those participating in a demonstration so that they can make informed decisions, as well as to those following externally who may be concerned about friends and family.
It should make full use of the crowd in gathering information which is then analysed and handed back to the crowd.
The success of the project will be measured by user feedback according to the primary and secondary success criteria listed below.
Keeping people safe on demonstrations.
Anyone can use it.
Ensuring protesters are kept informed of the official demonstration route together with en-route amenities (eg WiFi, Toilets, Tube stations, First Aid, Coffee shops, Payphones etc).
Provide a live viewing platform for interested parties not at the demonstration.
Which will also provide a Communications Data analysis and data mining opportunity for UK police and intelligence agencies, foreign intelligence agencies and corporate spies.
Key Elements of Solution
1. How we can help you to help each other
Inform and educate.
Find out what is going on as it happens.
No matter what happens, sign up to the free SMS system.
SMS text messages are never free of charge.
Who is paying for this ?
What's in it for the user?
What are you getting?
Stay informed and make the right decisions during the demonstration.
Avoid trouble spots and risking injury.
Get live demonstration news as it happens.
Allow political organisers and manipulators to track the progress of the demonstrations they have organised, remotely, at a safe distance.
Allow political organisers and manipulators to feed false information to the police etc. and to manipulate some or all of the demonstrators into creating diversions to allow either peaceful media stunts or violent attacks, unhindered by the police etc.
Allow the forces of law and order / repression, yet another intelligence source to help to track the demonstrations they are policing or repressing, remotely, at a safe distance.
Why contribute information?
Help other peaceful demonstrators.
Provide an accurate view of events as they happen.
Accurate ? Just the facts, with all of the facts, with no political bias at all ?
Even large , well funded media organisations and the police are not capable of doing that.
Show what goes on in protests.
We exist to support decisions - be a part of it.
2. Sources of information
Information crowd sourced from demonstrators out on the street.
The Sukey website urges people to publish digital photos to Twitpic and / or Flickr, but
it does not provide any of the easily available automatic software tools or even any advice, about removing or anonymising some or all of the Exif meta data embedded in such images, which can and will be used to help hunt down protesters and to prove that the photographers were present at a particular location and time.
None of the #sukey tagged photos on Twitpics, for example, appear to have had their Exif metadata removed, there are a couple examples of photos published from HTC Desire HD and HTC Wildfire phones
Up to the minute information from social and traditional media.
3. Information Presentation
Simple to use, uncluttered display
Must have a degraded version for lower spec phones
Must show freedom of movement and support fast decisions
4. Back End Data Processing
Use of Swarming Algorithms
It seems unlikely that existing Swarming Algorithms which simulate animal behaviour in unconstrained free air or water space, can be directly applicable to the behaviour of crowds of humans
Computer simulation modelling of the various permanent and temporary barriers to movement across all of the streets and protest target buildings of central London, is far harder than the existing state of the art studies and simulations of people flows in comparatively simple and well controlled sports stadia or airports or railways stations etc.
Use location data to detect freedom of movement
Presumably the mean Twitter and Google GPS data rather than GSM or 3G mobile phone cell transmitter Location Based Services data and triangulation.
Prioritisation of Messaging and Reports to and from crowd
Coalesce multiple reports of same event
Exactly the classical real time Command and Control problems faced by those who are policing such demonstrations.
There seem to be some reports that Sukey.org might be using the open source crisis mapping tool SwiftRiver to try to achieve this.
Must process footpaths and open spaces - not just roads
No user identifiable data to be stored. Ever.
Regular User Security reviews throughout build
Encrypt locations on data requests
This is all very misleading !
This encryption of cannot do anything to hide the Communications Traffic Data cell phone Location Based Data Services and Subscriber Details ,which are controlled by the mobile phone networks and third party companies like Twitter and Google.
Such Communications Traffic Data is automatically handed over to the police and intelligence agencies, without any Court Order or Judicial Warrant of any sort, under the Regulation of Investigatory Powers Act 2000 Part 1 Chapter II Acquisition and disclosure of communications data
Neither the student protesters nor the Sukey App developers and operators have any control over this at all..
Neither do they have any control over the Google Latitude system, which they are encouraging people to sign up their smartphones to, and then to allow Sukey.org to track via Google Maps. What difference does any Sukey.org encryption make, when Google retains all your data and then sells or gives it law enforcement or intelligence agencies as requested ?
Encryption Keys to be generated either by users or automatically and undiscoverable by team.
Junk all identifiable data from Apache logs
Protected from DDOS and seizure
Multiple routing options
Multiple servers/server locations
Multiple resilient, secure computers and communications infrastructure cost money.
Who is paying for this ?
Who exactly is in charge of the Sukey system ?
The "Security overview" page is partly re-assuring, but also rather worrying.
Sukey is safe
At the very earliest stages of building Sukey we had a meeting where we divided the team into groups. The groups were: Data Input, Data Processing, Presentation, Security. In other words, security has been a key issue right the way through Sukey's design and build and has received as much focus as any of the more visible aspects of the project.
The team members involved on the security side are a mix of commercial information security experts and computer nerd under/post graduates who love nothing better than a complex algorithm. One of our key team members has technical commercial data security patents in his name and has provided information security consultancy to IBM, Lockheed Martin, and to the NHS.
All data received by Sukey is anonymised using secure encryption that is known to be unbreakable in less than 10 years using current computer technology. The process we use ensures that we can't decrypt any personal identifiers in the information sent to us. Even with a court order.
Attention to detail on security has been a hallmark of the project â€" both person identifiable security and the overall security and resilience of the Sukey service against infrastructure attack or failures.
Your data is safe with Sukey.
Is it really ?
The use of encryption does not automatically mean anonymity for users of or contributors to Sukey.org.
Following It would be much more reassuring if the Sukey.org people mentioned exactly which encryption algorithm they were using, instead of making speculative claims about its alleged strength. The fact that they have not done so gives rise to the suspicion that they have attempted to write their own encryption software, an approach which is fraught with danger for the users of Sukey.org.
What is wrong with using standard AES 256 encryption via a TLS session, especially for data which will be out of date in less than an hour after which it should be securely deleted from computer memory and never needs to be stored on a computer hard disk at all ?
it would be more impressive, if the Sukey.org team with their "attention to detail" had actually demonstrated their commitment to the use of strong encryption, by running a https:// session encrypted version of the Sukey.org website . However there is currently no Digital Certificate installed.
Similarly, there is no published PGP Public Encryption and / or Digital Signing Key available either, only Google gmail accounts, which are vulnerable Mutual legal Aid law enforcement requests
It looks as if the Sukey.org team need to be reminded that "Even with a court order." is irrelvant in the United Kingdom, - no court order is needed by the Police for access to Communications Data ( which must be Retained for at least a year) and none is required for Cryptographic Keys either.
The Regulation of Investigatory Powers Act 2000 Part III Investigation of electronic data protected by encryption etc. does not require a Poice constable to get the prior permission of any Court, before serving a Section 49 Notice on someone , forcing them to hand over their cryptographic de-cryption keys , or the de-crypted plaintext. A Court only comes into play if and when you are deemed to have refused to comply with such an order, when you are facing up to 5 years in prison or up to 10 years in prison if the magic words "national security" are mentioned.
It will be interesting to see if the Sukey.org team does actually release its software source code to the public as it has promised, whilst it works on an improved version for the next protest.
Until they do so, you should avoid using the Sukey.org App and website, from anything except an anonymous mobile phone, unless you wish to attract Police , Intelligence Agency and corporate surveillance onto yourself and your family, friends and business associates,
If Sukey is not (yet) suitable for the streets of London, then it would be positively dangerous to deploy it or anything similar, in trouble spots like Tunisia or Egypt etc.
N.B. mobile phones actually require quite a bit of effort to initially obtain and maintain in an untracked, anonymous state.
See our website http://ht4w.co.uk. Hints and Tips for Whistleblowers etc. which covers some basic mobile phone anonymity techniques, removing Exif meta data from digital images, and some other anonymity techniques.