z3r0trust Privacy Newsletter #6.20

“They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” ― Benjamin Franklin, Memoirs of the life & writings of Benjamin Franklin
How well do you trust Google and Apple with your personal information? Enough to let them, government health officials, and possibly other government agencies or law enforcement organizations (LEOs) track where you go? That is the concern with contact tracing apps. To be precise about the mechanism: the Apple/Google exposure notification framework does not read GPS. It has your phone broadcast rotating Bluetooth identifiers and record the identifiers of nearby phones, so what it captures is who you were near rather than where you were. But apps built outside that framework use GPS outright, apps built on top of it can still ask for location permission, and on Android, Bluetooth scanning has itself required location to be switched on. In practice that can mean a record of your movements from your home address to your place of work, your relatives’ house, church, the grocery store, or anywhere else you go.
There are still unknowns, such as who exactly the data will be shared with, and once COVID-19 has been beaten into submission through mass inoculation or herd immunity, when monitoring stops for all the folks who forget to uninstall the app from their devices. You may be wondering how secure Bluetooth itself is. Unfortunately, I don’t have good news for you there either. Bluetooth, both the protocol and the vendor stacks that implement it, has a long record of publicly disclosed and exploited vulnerabilities. You should turn Bluetooth off whenever you are not actually using it, because a radio that is always listening is an attack surface on your smartphone and on every other Bluetooth-enabled device you own.
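To make the Bluetooth mechanism concrete, here is an added example (my code, not anything from this newsletter or from Apple/Google) that implements the identifier schedule from the published Apple/Google Exposure Notification Cryptography Specification using only Go’s standard library. The 16-byte key and the timestamp are constructed for the demonstration. Two things are worth seeing in working code: the only inputs to a broadcast identifier are a random daily key and a 10-minute counter, so the beacon itself carries no location; and once a diagnosed user’s daily keys are published, anyone holding them can regenerate every identifier that phone broadcast that day, which is the linkability trade-off the scheme accepts.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

const (
	enIntervalSeconds = 600 // an ENIntervalNumber counts 10-minute windows since the Unix epoch
	tekRollingPeriod  = 144 // one Temporary Exposure Key (TEK) covers 144 windows, i.e. one day
)

// hkdfSHA256 is HKDF-SHA256 with an absent (all-zero) salt, which is how the
// spec invokes HKDF(key, salt=None, info, outputLength). Extract and expand
// are written out here on top of the standard-library HMAC.
func hkdfSHA256(ikm, info []byte, outLen int) []byte {
	salt := make([]byte, sha256.Size) // RFC 5869: a missing salt is HashLen zero bytes
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil)

	var out, prev []byte
	for counter := byte(1); len(out) < outLen; counter++ {
		expand := hmac.New(sha256.New, prk)
		expand.Write(prev)
		expand.Write(info)
		expand.Write([]byte{counter})
		prev = expand.Sum(nil)
		out = append(out, prev...)
	}
	return out[:outLen]
}

// ENIntervalNumber maps a Unix timestamp to its 10-minute window.
func ENIntervalNumber(unixTime int64) uint32 {
	return uint32(unixTime / enIntervalSeconds)
}

// TEKStart aligns a window number to the first window of its daily key period.
func TEKStart(enin uint32) uint32 {
	return enin / tekRollingPeriod * tekRollingPeriod
}

// RollingProximityIdentifier derives the 16-byte identifier broadcast during window enin:
//   RPIK  = HKDF(TEK, None, "EN-RPIK", 16)
//   RPI_j = AES-128(RPIK, "EN-RPI" || 0x000000000000 || ENIN_j as little-endian uint32)
// Note the inputs: a random daily key and a counter. No location is involved.
func RollingProximityIdentifier(tek []byte, enin uint32) ([]byte, error) {
	if len(tek) != 16 {
		return nil, fmt.Errorf("TEK must be 16 bytes, got %d", len(tek))
	}
	rpik := hkdfSHA256(tek, []byte("EN-RPIK"), 16)
	block, err := aes.NewCipher(rpik)
	if err != nil {
		return nil, err
	}
	padded := make([]byte, 16)
	copy(padded, "EN-RPI")                           // bytes 0..5; bytes 6..11 stay zero
	binary.LittleEndian.PutUint32(padded[12:], enin) // bytes 12..15
	rpi := make([]byte, 16)
	block.Encrypt(rpi, padded)
	return rpi, nil
}

// DayRPIs regenerates every identifier a phone broadcast under one TEK. Anyone
// holding a published TEK can do this, which is why uploading a diagnosed
// user's keys makes that user's beacons from that day linkable to each other.
func DayRPIs(tek []byte, tekStart uint32) ([][]byte, error) {
	rpis := make([][]byte, 0, tekRollingPeriod)
	for i := uint32(0); i < tekRollingPeriod; i++ {
		rpi, err := RollingProximityIdentifier(tek, tekStart+i)
		if err != nil {
			return nil, err
		}
		rpis = append(rpis, rpi)
	}
	return rpis, nil
}

// MatchObserved is the on-device matching step: after downloading diagnosed
// users' TEKs, the app re-derives their identifiers and compares them with the
// identifiers it overheard. It returns the indices of the matching observations.
func MatchObserved(tek []byte, tekStart uint32, observed [][]byte) ([]int, error) {
	day, err := DayRPIs(tek, tekStart)
	if err != nil {
		return nil, err
	}
	known := make(map[string]bool, len(day))
	for _, rpi := range day {
		known[string(rpi)] = true
	}
	var hits []int
	for i, rpi := range observed {
		if known[string(rpi)] {
			hits = append(hits, i)
		}
	}
	return hits, nil
}

func main() {
	tek := []byte("0123456789abcdef")               // constructed key; a real TEK is 16 random bytes
	start := TEKStart(ENIntervalNumber(1591200000)) // constructed timestamp (June 2020)
	for j := uint32(0); j < 3; j++ {
		rpi, _ := RollingProximityIdentifier(tek, start+j)
		fmt.Printf("window %d: %s\n", start+j, hex.EncodeToString(rpi))
	}
}
```

Run it and the three identifiers printed share a key and differ only in the counter, yet look unrelated; without the TEK an observer cannot tell they came from the same phone. The matching step runs entirely on the handset against a downloaded key list, so the server sees uploaded keys, not encounters. The privacy question the newsletter raises is therefore less about the beacon format than about what else the app around it asks for and what happens to the keys once uploaded.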
“I couldn’t possibly give an informed opinion on the true security of Bluetooth, and I strongly suspect that the protocol designers couldn’t either,” says Matthew Green, a cryptographer at Johns Hopkins University.
As predicted, government and health officials at all levels are calling for contact tracing, alongside more testing, to help stem the rise in COVID-19 infections. I have no issue with the testing. What I take issue with is tech companies like Google and Apple, who have a demonstrated history of abusing app permissions, collaborating on a joint contact tracing framework that governments around the world can use to track their citizens. In the U.S. there are already far too many surveillance mechanisms, and far too much private user data from tech products is being shared with or made available to LEOs and government agencies for intelligence-gathering purposes.

At the risk of appearing unsympathetic to the global pandemic, it is the author’s humble opinion that we should not install contact tracing apps on our smartphones, because we already know that those app permissions will be abused and the technology will be misused by Google, Apple, and any government agencies they share the information with. They have proven this many times before. Why would it be different now, during a pandemic? The pandemic is not an excuse to further erode people’s privacy, whatever efficacy contact tracing apps turn out to have.
I like to refer to smartphones as the “Rectangle of Mistrust.” Each app you download needs some set of permissions to operate on your device, except for those that come preinstalled with the operating system. Each app is developed by an entire team of people who maintain the application or provide some service that you were interested in enough to install the application. Maybe you use Waze for driving directions; Google acquired Waze in June 2013. Maybe it’s the Facebook app, which tracks basically everything you do, as Wired’s David Weld wrote about at the link below. My aim with all of this is not to regurgitate information that has already been published elsewhere, only to highlight certain information from time to time in my research work.
Contact Tracing CounterHack
Look, we all want to see the end of COVID-19 and to be able to resume normal life as soon as possible. At the risk of seeming like Captain Obvious, privacy-minded individuals will simply not install any type of contact tracing app on their smartphones. I know of smartphone owners who have gone to the trouble of deleting every app off their smartphones for privacy reasons. If you’re that concerned about privacy, I would recommend just sticking with a basic flip phone instead of paying for a smartphone. Remember the Ben Franklin quote above. Those who give up their freedom from spying, whether it’s Big Tech or Big Brother, to obtain some measure of temporary safety deserve neither liberty nor safety. Once voluntarily given, your privacy will never be voluntarily returned to you by tech companies or the government. Kiss it goodbye.
Some right-wing Republican extremists have tried to subvert the meaning of this quote as an excuse not to wear facemasks because it infringes upon their Constitutional freedoms but that is the dumbest, most baseless argument I’ve ever heard. Facemasks have been shown to slow the spread of the disease. Facemasks have everything to do with health risks and very little to do with personal privacy, at least in this context. Your current state of online privacy and information security is the result of a series of tiny decisions you made leading up to this moment. Do not all of a sudden play the victim card when you discover that your smartphone has been spying on you via app permissions or vulnerabilities that you should have taken the time to patch.
TikTok

No matter what the social networking website, you will always find negative elements of society that feel emboldened by a false sense of anonymity and strength in numbers, whether they be racists, pedophiles (some pedos now refer to themselves on various social media platforms as “MAPs,” minor-attracted persons), political extremists, or what have you. We know this, yet we still decide to use social media despite all of that because it’s popular and “fun,” right? I seem to remember all of those “Just Say No To Drugs” commercials which explained how drugs were popularized by the cool crowd. Social media is a tool that can be used with good and bad intentions. There are as many malicious users, if not more, as fun-loving, innocent users on these social media sites. However, even innocent use can lead to violations of your personal privacy without your knowledge.
With the Chinese-owned and ByteDance-developed TikTok app, however, not only do you have the usual social media cesspool, but we also see a situation in which the app developers are clearly exploiting the user base, as explained below by Reddit user Bangorlol, who reverse-engineered the application. It’s pretty eye-opening, to say the least, and goes much deeper than what the company admits to collecting on its website, which I outline below. The real question, though, is how much access the authoritarian Chinese government has to that user data, and how much say it has over what gets censored.


Let’s drill down a bit on TikTok shall we? On TikTok’s website, we find that they have offices in the U.S. in Los Angeles and New York.

Let’s take a look at what their Privacy Policy says:

Like most other social media apps, or apps in general, TikTok collects information that your device shares with it, from the device itself and from third-party apps. No surprises there. I don’t like it, but those are the expected tradeoffs for using most apps on a smartphone.

Now we start to peel back the layers and see that TikTok is also collecting payment information and phone contacts, which also isn’t uncommon.

TikTok also collects information from OTHER social media networks like Facebook, Instagram (Facebook owns IG), and Twitter, including your contact lists from those sites. That is a bit of a reach, don’t you think? Why do they need that information? Oh, yes. So they know who your friends are, so they can market their platform to those people as well, and so they can potentially snoop on them via your device. TikTok goes out and searches for publicly available information about you, most likely so that it can share it with the advertisers and analytics companies it partners with, i.e. data brokers. Of course, they’ll get your connection IP address and geolocation-related data. This is pretty standard, so you may want to put a proxy in front of the app, such as a reputable, paid VPN provider or Tor, before connecting. Keep in mind what that does and does not do: it hides your network address, but the device identifiers, contacts, and everything else listed here still go to TikTok regardless.
Here is where it starts to get a little more interesting, though, and not in a good way. TikTok also collects browsing and search history data, including content you have viewed on the platform, and sets browser cookies. So not only do they track what you viewed in their app, but those cookies, together with TikTok’s tracking pixels, let them follow you across any site that embeds their trackers. That goes well beyond what is normal or necessary; it is the opposite of online privacy. That is Big Tech and Big Brother China teaming up to snoop on what you do online.

TikTok scans and analyzes messages you send on the platform, which is a bit creepy. The geolocation data they collect is actually pretty standard, but they obviously want it all: your time zone, screen resolution, OS (iOS, Android, etc.), the filenames and file types, and keystroke patterns or rhythms. What? Why on Earth do they need that information? Keystroke patterns and filenames on my device? Are you kidding me? No, absolutely not. I would never install this app on any device I own.

How much information do you need to see that this is bad tech? This is a terrible app for security and privacy, even judging only by what the company publicly admits to collecting. If you look at what was discovered in the reverse engineering of the app, you see that TikTok is collecting a lot more than other apps like Facebook, Google, or Twitter, and what’s more, TikTok tries to hide some of what it collects. Pixel tags (web beacons) paired with browser cookies show you the lengths they are willing to go to in order to track what you do online. Perhaps the most disturbing part of all of this, though, is the fact that TikTok shares the information it collects with other service providers and business partners; for a fee, presumably, though they don’t mention that part. Hmm? Where have we seen this before? Oh, yes. Facebook and the UK-based Cambridge Analytica. That’s right, data mining. The personality quiz app built by Cambridge University researcher Aleksandr Kogan harvested the personal data not only of the Facebook users who answered its questions but also of those users’ Facebook friends. That data was passed to Cambridge Analytica, which sold voter profiling and analytics to political campaigns, including the Ted Cruz and Donald Trump campaigns.
Could TikTok potentially be used by the Chinese government to influence U.S. political elections? It probably already is, folks. That is the scary nature of the world we live in today. In fact, the TikTok app is enough of a risk that it could possibly be used as an instrument to snoop on U.S. government officials. Senator Josh Hawley [R-MO] introduced S.3455, the No TikTok on Government Devices Act, on 3/12/2020.
While I agree that installing any app on a government computing device carries risk, TikTok is no different from Facebook in the types of data it collects from users. The difference, of course, is that it’s a Chinese-owned company susceptible to CCP influence. This is all just political security theater. The threat of TikTok to average Americans is null.
Cheap Tech Privacy Hacks for Mobile Devices
- Use Signal for encrypted text messaging. Hint: both you and your recipient need to install and use Signal for messages to be end-to-end encrypted; a message to a contact without Signal goes out as plain, unencrypted SMS (on Android) or not at all.
- Use ProtonMail, or the open-source K-9 Mail app together with OpenKeychain, which adds OpenPGP support for encrypted email. The same rule applies: email is only encrypted end to end if your correspondent also uses PGP (or, for ProtonMail, is also on ProtonMail); otherwise it leaves the provider in the clear.
- Use Telegram for private chat and video messages, but only in Secret Chats. Telegram’s default cloud chats and all group chats are encrypted only between your device and Telegram’s servers, which can read them; only Secret Chats are end-to-end encrypted (E2EE), and each one has to be started explicitly and is tied to a single device. Telegram’s MTProto uses 2048-bit RSA for the initial key exchange and 256-bit AES for message encryption. Several governments have banned or tried to ban the app after Telegram refused to hand over keys, but that says more about Telegram’s refusal than about a default-E2EE design it does not have. If you want E2EE without having to remember to switch it on, Signal above is the better default.
- Use the Hushed app to create burner phone numbers for the times you have to give a number to marketers or send texts or multimedia to someone you don’t necessarily trust. Hushed lets you manage several burner numbers in one app. It’s not my favorite price (free), but it’s not expensive either.
- Use the DuckDuckGo privacy browser app to search the internet from your smartphone or other mobile devices. Unlike Google, Yahoo, or Bing, DuckDuckGo doesn’t log your searches or browsing data.
That does it for this installment. For loads of affordable privacy hacks and information surrounding digital privacy, I encourage you to check out the links below.
Trust No One. Verify Everything. Leave No Trace.