This article is also available in Spanish here.
“If privacy is outlawed, only outlaws will have privacy. At no time in the past century has public distrust of the government been so broadly distributed across the political spectrum, as it is today.” — Philip Zimmermann, creator of Pretty Good Privacy (PGP)
Welcome back to this week’s edition of the z3r0trust Privacy Newsletter. Allow me to set the stage for this week’s edition by putting the current timeframe into context a bit. The world has been grappling with the Coronavirus (SARS- CoV-2) pandemic for the better part of 2020. A couple of different vaccines are nearing the final stages of trial testing but it will still take several months to distribute the vaccines to willing recipients. The COVID19 tracing app co-venture by Apple and Google have played almost no factor in controlling the spread of the disease in the U.S. There was a lot of concern initially about the privacy risks such an app would invite but it appears that privacy advocates were successful in getting the word about opting out of such apps.
It is also important to highlight that the United States 2020 Presidential Election has concluded. The official declaration of who won has yet to be announced by the Electoral College representatives from each state and Donald Trump’s court challenges are still pending. However, Joe Biden and Kamala Harris appear to the winning parties although Trump and his cronies refuse to concede that he lost. Thus far, it appears that there was no legitimate evidence of fraud in the election though despite many false claims otherwise. There were, however, widescale attempts by the Trump administration and the republican party (GOP) to suppress Democrat voters by limiting the number of polling places in republican-controlled states and cutting back on the US Postal Service’s ability to collect, deliver, and process mail-in voter ballots.
You’ll recall in last week’s edition that I covered how much of your voter information is available to the public. Beware of who can legally access your private voting information as there are many republicans desperately searching through voter records to find some evidence of fraud. Trump’s defeat was an important victory for digital privacy for the simple fact that under his reign of tyranny, several government agencies he is responsible for, abused their authority by violating the Fourth Amendment Constitutional privacy rights of countless American citizens. To date, officials in charge of ICE, CBP, and DHS have yet to be held accountable for their crimes. There is still much work to be done in government with respect to privacy legislation at all levels of government. The fight for our privacy is a fight that has to be a continuous fight. Otherwise, there are those that will undermine our privacy to serve their greedy purposes. We must fight for our right to privacy or it will disappear forever.
We are at a critical juncture in the formation of meaningful digital privacy legislation around the world. The U.S. — EU Privacy Shield (also known as “Schrems II”) was struck down by the European Court of Justice (ECJ). California passed a stricter version of the CCPA, the CPRA, and Michigan passed Prop 2 requiring police to get a search warrant before seizing electronic data. There have been motions in the Senate to enact privacy legislation at the national level similar to what the EU’s GDPR provides but thus far those efforts have fallen short. It is an exciting time to be alive and see the battle for basic privacy human rights being played out before our eyes.
This week in digital privacy, the privacy landscape is rough. I discuss police partnerships with Ring surveillance camera live feeds, why Zoom got spanked by the FTC, as well as how the ACLU & EFF are battling Clearview AI on behalf of your privacy.
Police Are Quietly Hijacking Your Ring Camera For Surveillance
Police Are Tapping Into Ring Cameras to Expand Surveillance Network In Mississippi
The police department in Jackson, Mississippi is partnering with two companies to stream surveillance footage from Ring…
In Jackson, Mississippi, the police department there has been given the green light by its city council for a 45-day pilot program that allows police to tap into Ring surveillance cameras in real-time. Think about this for a minute. You, as a Ring customer, paid for the camera and the monthly Cloud video storage fees to use the service, and now Amazon who owns Ring is partnering with law enforcement agencies to allow them to access your private video camera surveillance. Does that sound right to you? Residents and businesses have to sign a waiver for their Ring camera feeds to be accessible by the police department but how does any Ring customer know if their surveillance video feed is private or not? They don’t.
Amazon is making out big despite it being your purchased surveillance equipment and your Cloud storage fees. PILEUM and Fusus are the two tech companies that are partnering with the police department to stream the video feeds to their Real-Time Crime Center. Ring says that this is not their program but as the Electronic Frontier Foundation (EFF) previously reported, Ring has been involved in similar proprietary partnership programs in other cities. This came as a shock considering that Jackson, Mississippi, banned their police department from using facial recognition software technology.
One has to wonder how long before police want access to surveillance cameras inside our homes if you have them? Just for security reasons, of course. Police departments defend these types of technology partnerships by saying that it will help them proactively solve crimes and with real-time community policing but who is going to monitor the program for abuses by law enforcement officers and when does this added surveillance monitoring cross the line by becoming too much monitoring? I can just imagine it now, “Hey, Officer Burke, it’s time to cut to 1245 Westminton St. Miss Jacobs might be sunbathing in her backyard again. This camera can just see over the neighbors’ fence…” Ring and Amazon should be ashamed of themselves.
Data Breaches & Privacy Exposures
Millions of hotel guests worldwide have their private details exposed
Sloppy security settings mean another leaky cloud bucket. A sloppy lack of security by a hotel reservation platform has…
In a surprise to literally no one, another AWS S3 bucket containing hotel guest data belonging to Prestige’s Cloud Hospitality was discovered to be leaking the private customer data of over 10 million guests since 2013. Cloud Hospitality is an online Spanish hotel reservation platform and the data leak was discovered by security researchers working for Website Planet. In the 24.4 GB of exposed data were customer names, email addresses, and even credit card information with corresponding CVVs and expiration dates. So far, there doesn’t appear to be any evidence that this data was improperly accessed by cybercriminals. However, this certainly appears to be the type of incident that would qualify for punitive measures under the EU’s General Data Protection Regulation (GDPR) for this egregious security lapse of the software used to manage the hotel booking site. Prestige partnered with an investigative firm to determine if the customer data was posted on the Dark Web for sale but the search did not reveal any evidence of exposure yet. That doesn’t mean that the data wasn’t copied and that it won’t be posted at a later date, however.
Info of 27.7 million Texas drivers exposed in Vertafore data breach | ZDNet
Vertafore, a provider of insurance software, has disclosed this week a data breach, admitting that a third-party…
The insurance software provider Vertafore was the victim of a data breach that affected 27.7 million Texas drivers during the pandemic between March 11 and August 1, 2020. Apparently, an employee saved just 3 little data files in an unsecured external storage service but later found that someone had accessed the files. This was an obvious lack of privacy and security awareness training on the part of Vertafore for the employee to not know where to securely save files containing Personally Identifiable Information (PII) such as driver’s license numbers, names, dates of birth, home addresses, and vehicle registration histories. Vertafore is now contacting affected victims, all 27.7 million of them, about the data breach and will offer driver’s one year of free credit monitoring and identity restoration services.
Hackers Steal 46 Million Records from Kids' Game Developer
Tens of millions of users have been affected by a data breach at the developer of popular online playground Animal Jam…
Young kids, aged 4-to-8-years-old, playing the online game Animal Jam developed by WildWorks have become the unwitting victims of a data breach affecting 46 million accounts. The account data consists of approximately 12,635 parent accounts which contained full names, billing addresses, and another 16,131 accounts with only names. The 7 million stolen passwords were encrypted but the company did not comment on whether the password hashes were also salted. Additionally, 32 million account usernames were stolen but these represent an extremely low privacy risk as the account names are generic and without PII identifiers. WildWorks will conduct a forced password reset for all users in response to the breach.
FTC Requires Zoom to Enhance its Security Practices as Part of Settlement
Note: The FTC will host a conference call TODAY for media at Noon ET. The Call-in number is 844-291-6360 and the access…
The pandemic has been good for business for Zoom Video Communications, Inc. and other tech companies that offer video teleconferencing services that have proven to be crucial for employees working from home, students, and for people in general. However, Zoom just got spanked by the Federal Trade Commission who settled with the company and as a result, is requiring the company to implement more stringent cybersecurity controls after,
“…allegations that the video conferencing provider engaged in a series of deceptive and unfair practices that undermined the security of its users.”
If you recall, since 2016 Zoom claimed to offer users End-to-End Encryption (E2EE) achieved through using 256-bit AES encryption to secure video conference sessions. However, that was discovered to be a false claim because the entire time Zoom maintained the decryption keys that could enable Zoom employees to access customer video conferences. It also turns out that recorded meetings were not encrypted immediately upon completion of the meeting as Zoom claimed but instead were left unsecured in data servers for up to 60 days before Zoom would transfer it to a secure Cloud container.
Disturbingly, Zoom also secretly installed its ZoomOpener web server app on users’ Mac computers without their permission users, which bypassed the Safari browser malware safeguards and would launch the Zoom app and join users to a meeting making their Macbooks less secure and at increased privacy risk. But even after deleting the Zoom app from their devices (computers and phones), the app would sometimes automatically reinstall itself. This is why I always tell smartphone users to be very careful about which apps they install onto their phones and which browser extensions they add. Those apps are damn near the same as Remote Access Trojan (RAT) tools used by malware developers to ensure persistence on devices.
As a result of these violations, the FTC did not impose any fines for the time being but did order Zoom to develop new safeguards for its app, implement a vulnerability management program, and deploy safeguards such as Multi-Factor Authentication (MFA).
Clearview's Faceprinting is Not Sheltered from Biometric Privacy Litigation by the First Amendment
Clearview AI extracts faceprints from billions of people, without their consent, and uses these faceprints to offer a…
EFF filed an amicus brief in the case of ACLU v. Clearview AI explaining why Clearview AI’s assertion that their “faceprinting” technology is wrong and how it is not protected by the First Amendment of the Constitution. They are a for-profit company, this has zero to do with free speech. As you may recall, Clearview AI is being sued in the state of Illinois for violating the state’s Biometric Information Privacy Act (BIPA) law which requires opt-in by consumers before their likeness can be scraped as Clearview does online. In fact, Clearview is currently the subject of 10 different lawsuits.
Clearview AI is facing a lot of pushback here in the U.S. for the way in which the Chinese-owned company and its cocky CEO thought it could stroll on in and just start scraping facial imagery from multiple sites without anyone’s permission. Just because we post our images online doesn’t give companies carte blanch to do with it whatever they choose to. These ass hats are profiting off of our imagery that we posted online out of our volition, selling it to law enforcement agencies and DHS, ICE, CBP. Maybe you didn’t like the image or whatever and decided to remove it. It could still have been scraped by Clearview AI who will now share your new facial imagery in their database that they sell access to. Seem fair to you?
The ACLU is defending all of our privacy rights with this lawsuit because a favorable judgment against Clearview AI will have ripple effects across all the entire country and will force the company to stop Web-scraping imagery without permission. But, sadly it's already too late. The damage has already been done. Clearview AI has already sold their facial recognition software (FRS) to countless clients who are using it right now. Punitive damages will mean little against a company like Clearview AI who is raking in the profits and other companies are watching how the court battles play out to learn how they should best market similar AI-powered FRS technology services.
Featured Privacy Tactics, Techniques, Tools, & Procedures
As privacy is becoming increasingly important to more and more people, some companies are beginning to innovate new privacy-enabling technologies and services that aim to help people keep their private data safe. You might remember how in part 16 I featured the Paranoid Home that blocks smart speakers from always listening unless you say the magic unlock word. But there are other privacy-focused companies that are emerging in the privacy space such as Inrupt created by Tim Berners-Lee who you may recognize as the inventor of the World Wide Web (www) or the internet as it is known today.
Inrupt would allow customers to essentially containerize their private information which could then be shared temporarily with other companies in a portable, protected manner using technical privacy protocols which as of yet remain unspecified. Perhaps we will see some new internet protocols come of this. It is very impressive that this company has Tim Berners-Lee as their CTO and Bruce Schneier as their chief security architect. I’m excited to learn more about this innovative technology as I am sure you are, too. If widely adopted, it has the potential to fundamentally change how the internet works.
NIST SP 800–53r5 Privacy Control of the Week
The National Institute of Standards and Technology (NIST) is responsible for publishing the standards for many precise units of measure used in all sorts of technologies. They also publish the standards that federal information systems are required to adhere to in terms of cybersecurity controls. Each week I’ll feature a different control.
PM-27 PRIVACY REPORTING
a. Develop [Assignment: organization-defined privacy reports] and disseminate to:
1. [Assignment: organization-defined oversight bodies] to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and
2. [Assignment: organization-defined officials] and other personnel with responsibility for monitoring privacy program compliance; and
b. Review and update privacy reports [Assignment: organization-defined frequency].
Discussion: Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. For federal agencies, privacy reports include annual senior agency official for privacy reports to OMB, reports to Congress required by Implementing Regulations of the 9/11 Commission Act, and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements.
Related Controls: IR-9, PM-19.
Control Enhancements: None.
References: [FISMA], [OMB A-130], [OMB A-108].
In layman’s terms, this privacy control deals with reporting and it requires that organizations utilize some kind of standardized privacy report format to disseminate privacy information to oversight bodies and privacy professionals who are responsible for the privacy monitoring of federal information system data. It also requires that the report be updated at defined intervals. Typically you can find the privacy report formats in the listed references or an organization may have their own approved version.
Low-Tech Privacy Tips
Use DuckDuckGo instead of Google. Put a camera cover on your smartphone camera and webcams at home. Disable the Bluetooth and Near-Field Communication (NFC) options on your smartphone whenever you’re not using them. Smartphones are the new focus of cyber criminals, so go through your smartphone and remove any apps that you don’t use on at least a monthly basis. Every app your install on your phone is a possible attack surface. Install anti-virus software and a Virtual Private Network (VPN) on your smartphone. Update all of your electronic devices to the latest software and/or firmware versions. Instead of writing passwords down, use a password manager to remember them for you and so they can be longer and unique for each website. Remove stickers from your car, they only serve to single you out to those who may recognize or try to follow you. Blend in with the locals, don’t try to stand out wherever you’re at. Wear a hat of some sort, this will make it more difficult for surveillance cameras to identify you. As I mentioned in a previous edition, they sell ball caps now that have LED lights sewn into them to confuse facial recognition software. Decrease your digital footprint as much as possible wherever you can. The less you post online, the better.
That does it for this edition of the Digital Invisibility newsletter. Thank you for reading and I hope you check back in for the next edition. Until next time.
Trust No One. Verify Everything. Leave No Trace.