That gaggle of elite geeks who have been arguing against the horrible possibilities an internetworked world offers to fraudsters and state bullies for years have often said that one day, there’ll be a horrible crunch. A disastrous moment of truth. As Chernobyl finished the reputation of nuclear power for 20 years, the Privacy Chernobyl will kibosh all those monster database schemes for the foreseeable future. The subtext is perhaps that whatever the damage may be, it’s the collateral damage we have to accept to stop the bastards overrunning us.
What if, however, the first people to catch it were pompous German executives? Some would fear this wouldn’t draw any moral reaction from the public – who cares what happens to the bastards? Others might think it’s precisely their outrage that would finish the buggers quickest. It seems, though, that the Privacy Chernobyl might already have happened, in Germany. Scandal has been raging around Deutsche Telekom for a while; the monster telco, one-third state-owned, has been caught spying on members of its supervisory board, and much worse, journalists and trade union reps. Der Spiegel burst the story, interviewing the boss of a Berlin information security firm that was given the raw data from DTAG’s systems to analyse. He’s singing like a canary. DTAG promised that it was all over by the time the current CEO took over, but it turned out that the security firm was receiving money years later, money that came from the same cost-centre as the CEO’s office.
But this is far from the worst that might have happened. It wasn’t so much the content of the calls that was being spied upon, but rather their metadata. This is something one learns quickly on joining the telecoms industry – it’s the signalling that matters. The SS7 signalling traffic on a mobile network contains a treasure of information on who telephones, with whom, and from which geographic locations. Matching the dumps of data, they would have been able to trace the movements of the targets, their social networks, and who they met with.
It gets worse. Last week, Der Spiegel revealed that Lufthansa had also trawled its frequent flyer files in order to find out who a particular hack was getting information from. The real killer was, though, the suggestion that the two companies’ security departments might have swapped data – it turns out there is a strong old boys’ network between the security organisations German industry set up during the extreme-left terrorism of the 1970s, and something like a black market in database tables. Lufthansa’s frequent flyer programme offers benefits on all kinds of other stuff, including railway tickets and their own virtual mobile phone operator (MVNO), and a credit card – there’s a lot there already, but the kicker is that most big German companies outsource their expenses management to the same Lufthansa division that runs the loyalty scheme. And the journos were run through the same analysis.
Quite possibly, an entire corporate elite’s movements, communications, and tastes may be compromised. Everyone involved is already in the deep shit, as the rights to privacy and to freedom of the press are guaranteed by the German constitution, to say nothing of the ordinary law. If the radioactive smoke isn’t already billowing over the countryside, the containment vessel is bulging and glowing.
But there’s an odd detail here – T-Mobile USA refused to participate in illegal surveillance operations, like Qwest and no other US telcos. I have always believed that the reason for this was that T-Mobile, alone among telcos, has on-network transatlantic roaming. Due to the fundamental principles of GSM, T-Mobile subscribers from Germany, Holland, the UK, or indeed any other T-Mobile network in Europe, would have been spied on in the US with the involvement of T-Mobile in their home country, because their Home Location Register (HLR) would have been queried for every network transaction that occurred in the US. (It’s the signalling, remember.) This would have obviously had very serious legal consequences back in Europe.