z3r0trust Privacy Newsletter #2–21
*Note: This article was originally published by the author on February 27, 2021. A concise monthly privacy digest with experienced security insights. This article is also available in Spanish here.

“Nor has he spent his life badly who has passed it in privacy.” ~Horace
Welcome to the February 2021 edition of the z3r0trust Privacy Newsletter. Please join me as I continue this lifelong journey down the digital privacy rabbit hole and I spread awareness along the way on how to maximize user privacy and security online.
There was an excellent article published in Wired’s Backchannel recently by Arthur Holland Michel that discussed how surveillance capitalism is ubiquitous now and how these CCTV surveillance camera systems are being integrated into Artificial Intelligence (AI)-powered automated fusion software systems like Citigraf and Valcri to investigate crimes by employing the full extent of surveillance monitoring systems (public/private), automated license plate readers, facial recognition systems, and many other information feeder systems.
If you wonder why digital privacy laws haven’t seen major reform nationwide in the U.S., consider just how lucrative of a market this industry has become now. These companies, the law enforcement agencies, and the governments they market their tech services to, could not care less about your individual privacy rights. This technology is marketed as ‘smart city’ tech and relies on the fusion of surveillance monitoring systems and other information-rich databases like phone company records, bank records, DMV, sex offender registries, people finder address databases, etc.
These are companies like Palantir, Babel Street, Clearview AI, Cisco, Microsoft, Amazon, and Motorola to name a few. There is a huge market for these types of spyware investigatory services and their clients have very deep pockets because well, they are mostly government agencies who can afford to contract their services with your taxpayer dollars. From a government agency perspective, it’s not hard to imagine how the desperate need for technological security superiority outweighs the ethics of whether this technology will be used illegally to spy on everyday Americans.
Nevertheless, each year federal intelligence, law enforcement, and research agencies like the CIA, FBI, NSA, NGA, NRO, and DARPA dump millions upon billions of taxpayer dollars into companies that are working to design these types of automated “click-here” GUI information systems that have the capability to track and monitor people in real-time. This isn’t a new development, rather this stuff has been in the works for decades. Only now, with each passing year, this type of technology is growing in sophistication and functionality. The military has many different application needs for technology such as this in its Global War On Terrorism (GWOT) among other purposes.
Mind you, individual states like California can each pass their own privacy laws just as they have done to legalize marijuana. But federal law is not bound by state law, and federal agencies will neither follow state laws when enforcing their own nor refrain from using particular surveillance monitoring tools they have at their disposal. The technology industry is very complicated and nuanced with little federal oversight and regulation, and an abundance of entrepreneurial opportunities for those that seek to exploit the present ambiguous conditions. While undoubtedly there are good practical applications of this technology, it can and will be used inappropriately and illegally against innocent citizens. We already saw how CBP and ICE abused these types of technology services under the former Trump administration. It won’t stop anytime soon.
Apple vs. Facebook: The War Over User Privacy
There has been a lot of back and forth in the press about comments made by Apple’s Tim Cook and Facebook’s Mark Zuckerberg. For those uninitiated, Apple stands for user privacy, and well, to put it bluntly, Facebook’s Zuckerberg doesn’t.
“If a business is built on misleading users on data exploitation, on choices that are no choices at all, then it does not deserve our praise. It deserves reform.” — Tim Cook
This battle of the tech titans has been a long time coming and quite frankly, I am here for it. Let me go pop some popcorn and flop down in my recliner to watch the show. Seriously, this needs to happen because Congress isn’t doing enough to regulate big tech companies like Google, Amazon, Facebook, Apple, and Microsoft (i.e., GAFAM). You see, Facebook’s and Apple’s business models are like polar opposites. If Congress can’t be expected to do its job and protect Americans’ consumer privacy from tech companies who exploit it and view users as their ‘product,’ then I expect tech companies will battle it out with their competing business models and hope that data privacy will win out in some measure. In any event, this will be interesting to watch as it plays out.
Apple’s iOS 14 App Tracking Transparency (ATT) policy tracking prompt is affecting other tech companies also. iOS 14 will require iPhone, iPad, and Apple TV app developers to request permission from users to collect their random advertising identifier (known as “IDFA” or “Identifier for Advertisers”), which is used by advertisers to deliver personalized ads and track how effective their ad campaigns are. Google has reportedly stated that it will stop collecting advertising identifiers in iOS apps as a result of this new policy. My only question with this is why it’s taken this long for Apple or any other tech company to implement similar policies?
Privacy Exposures
So much data hosted online, so much of it insecurely configured…
Security researcher @OverSoftNL (Twitter) revealed that the FootfallCam 3D plus counting camera is an Internet of Things (IoT) device security nightmare. The 3D camera is PoE (Power-over-Ethernet) but it comes factory-shipped with super-sloppy configuration settings that instruct it to establish its own network, separate from yours, with a broadcasted SSID and a default password (i.e., 123456) that is hardcoded and unchangeable! There is no Python file authentication and anyone can connect to the device’s network with the default SSID password with ‘sudo’ ability to run as root and wreak havoc on whatever networks it’s connected to. I hope you realize how scary bad that is.
If you’re serious about information security and privacy, you might want to abstain from purchasing IoT devices until such time as the company decides to implement proper security measures.
In a shocking surprise to literally no one, Facebook’s ad system allows users to target ads at specific US military groups potentially with misinformation and/or ads for military equipment such as ammunition, body armor, or gun magazines despite being told by lawmakers to halt military equipment ads. It’s not hard to see how this feature could potentially be misused by foreign threat actors as security researcher Andrea Downing mentioned in a Wired article.
This is yet another example of just how backward Facebook’s ethics are as a company. Everything with Facebook is profit over ethics. From Zuckerberg on down. Let us remind ourselves that user privacy and ethics are not strong points that Facebook is known for. It is amazing that Facebook even had the nerve to ban Trump after the Capitol insurrection riots from its platform. If Twitter hadn’t done it, I doubt Facebook and others would have done it. This is the same Facebook ad platform that was abused by QAnon among other groups to incite the riots in the first place. Misinformation/disinformation peddling seems to be Facebook’s specialty.
Amazon stated in its bi-annual transparency report that it “processed 27,664 government demands for user data in the last six months of 2020, up from 3,222 data demands in the first months of the year, an increase of close to 800%.” Some of those data requests involved IoT devices sold by Amazon as well. Reportedly, most of the data requests came from government officials in Germany, Spain, Italy, and the U.S. Of course, this information comes on top of the fact that Amazon-owned Ring doorbell cameras have been shared with over 2,000 U.S. law enforcement partners. Ready to ditch Ring yet? Look into Wyze.
The new iPhone-only, audio chat social media app Clubhouse has come under scrutiny for its apparent lack of user privacy. You must be invited to join, encouraged to invite two other contacts from your phone’s contact list, conversations are temporarily recorded for potential legal investigation purposes and so are obviously not end-to-end encrypted. The app does not comply with the EU GDPR because it encourages users to invite a friend and collects and stores information about non-user phone numbers without their permission. Expect to see litigation against Clubhouse in the near future if they don’t change course and correct these privacy deficiencies soon.
On top of the Clubhouse privacy concerns mentioned above, the app debuted briefly in China before censors blocked it on 8 February 2021, probably because Chinese users were openly discussing Uighur concentration camps in Xinjiang, the Tiananmen Square protests, and their own experiences of police interrogation. Clubhouse is an American-based company founded by Bay Area entrepreneurs and Stanford University alumni Paul Davison and Rohan Seth, but the parent company is Alpha Exploration Co.
The concern with Clubhouse is that researchers from the Stanford Internet Observatory discovered some of Clubhouse’s backend IT infrastructure traces back to a Chinese-owned company called Agora, located in Shanghai. On top of that, Clubhouse was transmitting unique user IDs and chatroom IDs in plaintext and the raw audio data would have been accessible to Agora who could be forced to share data with Chinese authorities who have been known to prosecute citizens who have been critical of Chinese policy in the past.
In what I suspect will be a trend among privacy-focused, non-profit tech companies, Quad9 announced that it is moving its offices to Zurich, Switzerland. Quad9 offers privacy-focused domain resolver services. Currently, the EU GDPR Swiss option is a more private solution for American customers, as it is not subject to the prying eyes of U.S. government authorities.
The catch-22, though, is that the U.S. and EU are in the midst of a battle over how data can be transferred across borders between the two entities, and the Privacy Shield 2.0 will determine what privacy information elements must be shared with U.S. authorities. So, just because a tech company moves to Switzerland doesn’t necessarily mean that it won’t be sharing any sensitive data with the U.S. If it offers services in the U.S., then it will be required to adhere to U.S. laws such as California’s Consumer Privacy Rights Act (CPRA).
NurseryCam has suspended service across 40 UK daycare centers after an attacker was able to exploit a loophole in the service’s security that exposed the PII of approximately 12,000 service subscribers. Security researcher Andrew Tierney (@cybergibbons) had previously notified NurseryCam that the service had issues with its HTML code that leaked the IP address, username, and password for the DVR in daycare centers when using ActiveX to view the cameras.
In yet another example of how risky it is to use online dating apps because of the sensitive personal information they store, the ShinyHunters hacking group has claimed responsibility for breaching the MeetMindful dating app and publishing the PII of more than 2.28 million members. The published PII includes, among other things, body details, geographic location details, Facebook user IDs, and authentication tokens. The ShinyHunters hacking group is known to focus on compromising misconfigured cloud environments.
For those involved in this breach, they should take immediate action to change passwords and ensure two-factor authentication (2FA) is implemented on their accounts that offer it. I would also be concerned about the device permissions that attackers could exploit via the Facebook API auth tokens, such as real-time location tracking, the device’s camera, and microphone. The Facebook app is well-known for requiring too much device access.
An attacker going by the name of “pompompurin” has reportedly breached and published the details of 3.2 million DriveSure users on the Raidforums hacking forum to include some backend files and folders from the website. It seems as though we’ve reached the point in data breaches whereby attackers routinely publish the sensitive PII or attempt to auction it off on these shady darknet .onion sites. One would think that if resources were allowed for it, law enforcement would want to target the takedown of these sites. Perhaps they don’t have the necessary resources and the volume of data breaches is just too high.
Privacy-related Legal Developments

The U.S.’s Biden administration and the EU are reportedly collaborating on what the “Privacy Shield 2.0” will look like after the Court of Justice of the European Union invalidated multiple data transfer vehicles, but only because the court decision now forces the U.S. to. There is a lot more to this story than face value but it’s outside the scope of this monthly digest; feel free to check the link above for more details.
One would hope, as a privacy-minded individual, that the U.S. would use this opportunity to craft its own GDPR-like sweeping national privacy reform law. Maybe that’s being naive to hope Congress would do their jobs impartially and protect the privacy interests of over 330 million Americans considering that it’s been over 20 years since any national privacy legislation was passed by Congress as evidenced by the timeline above. However, until such time as a new data transfer agreement can be reached with the EU, data transfers to the U.S. are on hold.
As a U.S. citizen, I will add that I applaud the EU for defending the privacy of their citizens in this manner. Now, why can’t the U.S. do the same? The U.S. Congress has intentionally delayed privacy law reform for decades largely due to corporate lobbyist interests and I think it is about time the U.S. reform privacy law for all of its citizens and show the entire world that we are a leader in data privacy practices.
Privacy Tips
If you need to share files, host a website, or chat anonymously, check out the latest version of OnionShare developed by privacy expert Micah Lee among others. OnionShare is available for macOS, Windows, and Linux. It’s an open-source privacy tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network.

GrapheneOS is an open-source, privacy-focused Android operating system for those who own Android devices but want nothing to do with Google. GrapheneOS uses techniques such as sandboxing, exploit mitigations, and a hardened permission model. GrapheneOS developers have created their own hardened Chromium-based browser called Vanadium. For data backup, an externally developed encrypted backup app called Seedvault is also included with GrapheneOS.
Browser Privacy
Test your web browser privacy with this Electronic Frontier Foundation (EFF) tool called “Cover Your Tracks” to determine how much of a fingerprint your browser has. Notice that my browser has a randomized fingerprint which is what you want to see.

Now, to address the issue where my software isn’t checking for “Do Not Track” policies: I can enable stronger protection within the Brave browser Privacy and Security settings by enabling “Send a ‘Do Not Track’ request with your browsing traffic.”

In closing, I want you to consider the state of the world with regard to surveillance monitoring, internet tracking, and how little personal privacy you have. Consider whether the technology you use right now in your personal life, in your home, is helping or hindering your efforts to improve or maintain your privacy. Consider if the technology you own is worth it or if it represents too great of a risk for the reward you get in return for owning it. Next time you sign up for another random website, consider if you really need another website login. If you do, hopefully, you’re using as little of your true identity as possible so that when the website is breached, you’re not putting yourself at risk of identity theft or credit card fraud. If you feel so inclined, there are volumes more that I’ve written about privacy and security located at the links below. Stay aware and anonymous my friends.
Never Trust. Always Verify. Think Like An Adversary.
Additional Privacy Resources
z3r0trust Privacy Newsletters: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, #4–20, #5–20, #6–20, #32–20, #33–20, #8–20, #9–20, 16, 17, 45–20, 46–20, 47–20, 48–20, #1–21, #2–21, #3–21, #6–21
*Privacy-related articles also published by the author can be found here.
Other helpful privacy info: EFFector | Atlas of Surveillance | Privacy Tools | IAPP | ACLU | PogoWasRight.org | DataBreaches.net