z3r0trust Privacy Newsletter #45–20
*Note: This article was originally published by the author on November 8, 2020. This article is also available in Spanish here.
“People have entrusted us with their most personal information. We owe them nothing less than the best protections that we can possibly provide.” — Tim Cook, White House Cybersecurity Summit, February 2015
Greetings readers. Welcome to this post-election edition of the Digital Invisibility newsletter. Rejoice, a new era is upon us. I have made the decision to make this series a weekly newsletter now. I’m going to reduce the content length of what has been a sporadically published series of privacy-themed articles, some of which have been a bit long in the tooth to read due to the vast number of privacy developments occurring over the span of a month. Weekly newsletters will be shorter, quicker for me to write, and numbered sequentially by the week number followed by a dash and year. Previously published editions can be found at my profile link. This newsletter will be a curated list of privacy-related news and information. This week in digital privacy, I look at privacy as it relates to voter information, internet user privacy expectations, and the passing of the CPRA.
How Private Is Our Voting Information?
Transparency is paramount in America’s democratic voting process. So, it should not come as a major surprise that your voter information is considered public information. Depending on which state you reside in, your voter information may be accessible to anyone or limited to certain groups and researchers.
State voting records include your name, address, and party affiliation but that’s not all. According to Findlaw, states can collect and store other personally identifiable information (PII) such as your date and place of birth, gender, father’s name or mother’s maiden name, Social Security Number, military ID, passport number, drivers’ license, signature, current and past home addresses, voting district, email address, phone number, party affiliation, when you voted previously, who you voted for, absentee ballot, precincts, registering agency, required assistance, prior felony convictions, last date of jury duty, active or inactive status, and even the date when the information was last updated. That is a lot of PII to be publicly accessible.
Does anyone else see a problem here? I sure do. From a national level, each state should be limited to what they’re allowed to provide to the public. The public should not have access to anything except the bare minimum information such as name, address, party affiliation, and voter record. Then, only if there is a valid need to disclose that information for an officially recognized purpose. Otherwise, kindly fuck off. The last thing I want is 20,000 political spam phone calls and text messages every time there is an election. They do not need my phone number. Unfortunately, our spineless lawmakers care more about lobbyist kickbacks from wealthy donors and corporations than they do about passing meaningful privacy legislation for Americans.
For now, we are stuck with state statutes that define who can request a voter list, what information can be publicly shared and with whom, and how that information can be used. In some counties, your voting record may be requested by and shared with political parties and candidates, law enforcement, government officials, businesses, scholars, journalists, and even members of the general public. See the National Conference of State Legislatures for more information.
Findlaw does mention that certain states have programs that allow you to keep confidential at least some part of your voter record. People who qualify for protection include:
- Victims of domestic violence — every state EXCEPT GA, IL, MI, SC, SD, TN, WY
- Crime victims, people with protective orders, and family members — TX, OK, NY, MD, KS, HI, VA, DE, CA
- Law enforcement officers — VA, OK, MT, MO, MD, LA, HI, CA, AZ
- Spouses of law enforcement — TX, OK, HI
- Reproductive healthcare medical providers, employees, volunteers, or patients — CA
- Retired state and federal judges and attorneys — VA, TX, OK
- Foster parents — VA
- Uniformed service members — OK
- Pre-registered voters under the age of 18 — CO
- Victims and witnesses under protection — MO, MD
- Any voter who requests that their record be classified as private — UT, NV, DC, AK, AZ
Lawful access to voter records can reveal a lot about each one of us who participates in the process. Now, there have of course been problems with unlawful access to voting records. As fellow cybersecurity experts have repeatedly warned, America’s voting systems are vulnerable to hacking or malicious manipulation as they currently exist. Some more than others because each state county is allowed to use its own systems. In 2018, millions of voter records from 19 states were illegally offered for sale by an unknown threat actor on the Dark Web.
No Reasonable Expectation of Privacy on the Internet
Internet users need to understand that there is no reasonable expectation of privacy when they visit websites or use any other types of services provided by an Internet Service Provider (ISP). You have to take affirmative action to gain privacy online. You, the user, are the product as a general rule of thumb and we, as users, are required to consent to ISP Terms of Service and Privacy Policies. In fact, even websites that may not offer any type of services often use browser cookies to track your activity on their websites and likely also have figured out how to collect and monetize this data. Users are surfing the Web on infrastructure that was built and that is maintained by companies and other users who owe you, as a visitor, no expectation of privacy. Our online privacy expectations have to be tempered in accordance with this basic understanding. That doesn’t mean we can’t keep pushing for better privacy protections but we shouldn’t expect total privacy on the internet.
However, we, as users, can create our own measure of privacy to a limited extent. There are many steps we can take to improve our privacy. We can do this by limiting what information we choose to put online in the first place or whether we even want to use a particular online service (e.g., Facebook that has a really bad privacy track record). We can use monikers, handles, callsigns, or other false identifiers to obscure our true identities. There is nothing wrong with that. The ISP is still able to collect certain identifying technical information about the device you connect with such as the type of computing device (e.g., a smartphone, a computer, tablet), the type of operating system (OS) the device is operating with, and the IP address you connect from.
Data Breaches & Privacy Exposures
Ransomware is proving to be the “next generation” of data breach threats as it has evolved in recent years to include extorting money from infected victims and leaking segments or total dumping of sensitive data on the Dark Web. If a system is infected with ransomware then there is a very high probability that the attackers were also able to exfiltrate data from the infected systems. Ransomware infections are just a different type of data breach. What is worse is that foolish organizations continue to pay ransomware cyber criminals making it a lucrative business venture.
If nobody paid these criminals, there would naturally be less motivation to continue the ransomware infections. Especially, if as does happen occasionally, the cybercriminals are apprehended by law enforcement authorities. Even after being paid a ransom amount by dumb company executives, however, some ransomware gangs still sell the exfiltrated data on the Dark Web to the highest bidders or piecemeal it out for a profit which only further demonstrates why absolutely no one should pay ransomware gangs. Take your losses, install backups (let’s hope you were smart enough to have them), and restore your systems. Instead, ransomware gangs are making profits off of encrypted data at least twice.
The Sodinokibi/REvil ransomware gang successfully infected the Flagship Group in Norwich, England, via a phishing email recently that resulted in the compromise of some staff and customer data. This gang is known to demand a ransom and later auction the data on the Dark Web.
A hacker is reportedly selling 34 million user records from 17 different companies on a Dark Web hacker forum. Some of the companies affecting users in the U.S. are Katapult, Toddycafe, Invidio, and Fantasycruncher.
Major Privacy-related Lawsuits
The Mayo Clinic is being sued in a class-action lawsuit for a data breach allegedly caused by a clinic insider who was able to improperly access over 1,600 patient medical records because proper privacy controls were not in place. The insider accessed patient names, dates of birth, demographic information, clinic notes, and even images of the patients in some cases.
You might realize that your state Department of Motor Vehicle (DMV) is a massive data broker that is allowed to collect your personal information and sell it for profit to other data brokers and even to private investigators. That’s right, you read that correctly. Now, keep in mind that this is a state-run government agency across all 50 states that every person is required to give their personally identifiable information to so they can get a driver’s license or ID card. The California DMV made $52 million in 2017 doing just that and the Florida DMV made $77 million the same year. The shit is out of control. You definitely cannot trust your own government your personal information.
DMV’s across the country are allowed to collect and sell your PII thanks to a whopper of a law called the Driver’s Privacy Protection Act (DPPA) passed in 1994. This law was specifically created to protect drivers’ PII and limit what information was accessible because actress Rebecca Schaeffer was murdered by a stalker after he was able to obtain her home address from a private investigator. Lawmakers left some gaping holes in the law when it was created that still need to be fixed because DMVs are selling private information to damn near anyone who is willing to pay for it. That’s the opposite of data protection. That is a state-run racketeering operation. That needs to be fixed ASAP.
LexisNexis, an actual data broker, was sued in a class-action lawsuit after the company allegedly sold DMV data to law firms. They settled the lawsuit for $5 million which in my humble opinion is not enough. They abused DMV information. They knew what they did was wrong otherwise they would’ve taken the case to trial and defended themselves. They settled to avoid getting slapped with heftier fines imposed by the court.
Privacy Legislation Developments
Privacy was clearly an important issue for some states and voters during the national elections. Both California and Michigan voters passed privacy legislation. Michigan passed Prop 2, which requires that law enforcement now get search warrants before seizing electronic data from anyone. In a giant middle finger to the world and many so-called privacy “experts” who said that California’s Proposition 24 was a poorly written law, California voters passed the California Privacy Rights Act (CPRA) in this week’s election.
This new law will require businesses around the world that do business in the state of California to comply with the new law. The CPRA which some have dubbed “CCPA 2.0” (California Consumer Privacy Act of 2018) makes some new changes to the CCPA that will take effect a couple of years from now on New Years Day 2023.
In addition to redefining some important terms in the CCPA such as “sale” and “service provider,” the CPRA provides consumers with more rights, requires data minimization, and establishes a new California Privacy Protection Agency (CPPA) that will enforce privacy regulations and thereby relieve some of the burdens currently placed on the state Office of the Attorney General. The law could be stronger in many ways but overall it is an improvement. Californians will gain some GDPR-like privacy rights like:
- The right to correct inaccurate personal information businesses hold about them.
- The right to opt-out of the use of their personal information by automated decision-making software that profiles consumers based on evaluations, economic status, behavior, location, health, personal preferences, etc.
- The right to restrict the use of sensitive personal information such as GPS location data, race, religion, sexual orientation, SSNs, and certain non-HIPAA personal health information (PHI).
- The right to data portability requires businesses to send certain PII to another business entity in a structured, commonly used, machine-readable format when consumers wish to move their data to another business.
The Ongoing Facial Recognition System Saga
The city of Portland, Oregon, passed its Referendum Question B which essentially bans facial surveillance by public officials and police departments. The public is allowed to sue the city if facial surveillance data is illegally obtained or used.
Schools in Rio Rancho, New Mexico, have reportedly purchased 71 thermal cameras to monitor the body temperatures of students and staff for fever indications at roughly $2,268 per device! “GoSafe” tablets made by the company OneScreen will be used by school officials to take attendance and screen temperatures by scanning student foreheads for indications of elevated temperatures.
The problem is that these GoSafe tablets also come pre-installed with facial recognition software that will undoubtedly be stored in some Cloud storage database that isn’t properly secured or where the FRS data is shared with data brokers or government agencies. Apparently, dozens of school districts have purchased these OneScreen devices.
“It’s a Trojan horse.” — Shobita Parthasarathy, Professor of Public Policy, University of Michigan
Hmm? I smell a class-action lawsuit coming to a school district near Rio Rancho, New Mexico. The thermal cameras on the tablets are low-risk as far as data privacy is concerned. It’s not until this OneScreen company slipped in the free facial recognition software when the red privacy alarm sirens start wailing.
Featured Privacy Tactics, Techniques, Tools, & Procedures
DIY Network Content Filter
Build Your Own Raspberry Pi Home Network Content Filter
Close the terminal window; we’re done with the command line. (See, that wasn’t so bad.) Open a web browser and navigate…
If you have some basic tech chops you can fairly easily build your own Raspberry Pi home network content filter which will not only improve your home network security but also the privacy of the most-private data you likely own. Think about all of the important, sensitive data, personal pictures, movies, banking information, and files you have saved to your home computers. Now, consider that every WiFi-connected device represents a possible attack surface on your home WiFi network that attackers can hack and pivot across your network from. Got your attention yet? Yeah. It’s serious, so don’t be so quick to dismiss inventive ways such as this to help protect your personal files. Check the link for more details but this is a fairly easy DIY project for basic tech-savvy folks.
Low-Tech Private Life Evasion & Anonymity Tip
One of the simplest measures you can take to protect your home WiFi network is to segment it properly. Most modern WiFi routers are either dual-band or tri-band routers which means they broadcast signals using two frequency bands for devices to join: 2.4 GHz and 5 GHz. A tri-band router just provides users with an additional 5 GHz band. All of your shitty Internet of Things (IoT) devices were likely manufactured with the least amount of security possible because good security costs manufacturers extra money they would rather not spend. Learn more about shitty IoT device security here if interested.
Instead, they prefer to manufacture their shitty IoT devices in places like China and Malaysia for cheaper rates and with the least amount of security they are required to design in. Then, if there is some major vulnerability discovered down the road, they’ll issue a firmware patch that no one is alerted about because how many consumers actually take the time to check the vendor sites or register their devices with the vendor? Very few. Let’s be honest though, most people are not in the habit of patching their IoT devices. It is typically a plug-connect-forget type of purchase.
That does it for this edition of the Digital Invisibility newsletter. I hope you enjoyed the content and be sure to show your appreciation if so. Thank you, until next time friends.
Trust No One. Verify Everything. Leave No Trace.
Additional Privacy Resources
*Privacy-related articles also published by the author can be found here.