z3r0trust Privacy Newsletter #6–21
*Note: This article was originally published by the author on June 26, 2021. A monthly privacy digest curated with experienced security insights for those who are able to think for themselves. This article is also available in Spanish here.
Welcome back loyal readers to the most recent resurrection of the z3r0trust Privacy Newsletter, the June 2021 edition. They say the third time’s the charm, so here’s to this newsletter remaining a semi-permanent output of my written volumes of work. Look for it, as usual, at the end of each month if you’re into privacy. I shall spare you the explanations of why I took a break from writing this series and just jump right back in where I left off. Bottom line, I believe privacy and security are extremely important topics and I have no intentions to ever stop writing about these topics to help spread awareness and maybe, in some small measure, help effect positive change.
Privacy is never more important to someone as when their privacy has been negatively impacted by some egregious incident that threatens to expose their Personally Identifiable/Health Information (PII/PHI) to the entire connected world. Then suddenly it is a crisis and something must be done by lawmakers this instant! Isn’t it strange how that works? This newsletter is a monthly series that focuses on developments in digital privacy and I provide information and techniques readers can use to improve their digital and physical privacy. In this month’s newsletter, I cover Apple’s refusal to allow app sideloading on iOS, Google’s decision to delay its Privacy Sandbox initiative, the FBI’s Anom secure messaging platform honeypot, and much more.
Private Data & App Exposures
With each passing week, we learn of new data breaches or ransomware infections and I want to be perfectly clear to readers that a successful ransomware attack has the same net effect as a data breach. Both are potential instances in which our personally identifiable/health information (PII)/(PHI) user and possibly also intellectual property (IP) data has been compromised in some manner and could then be sold for profit to the highest bidder on the darknets. Companies cannot tell you whether or not your private information is being sold on the dark web, they haven’t the slightest clue where to even look much less access to those underground data black markets.
Apple is not fooling anyone with their latest public relations push to restrict iPhone users from sideloading apps because it will harm the iOS ecosystems and iPhone users. This is just the latest in a series of controversial moves by Apple to further make their products non-interoperable with other devices, apps, and services. It is exactly the reason that strong federal legislation is needed to prevent tech companies like Apple from taking anti-interoperability actions such as this one and also anti-trust to prevent tech companies from buying up smaller tech startups that could threaten them later.
Apple’s argument found within their whitepaper for disallowing users to sideload apps from third-party app stores or directly from app vendor sites primarily hinges on the potential for users to download “malicious and privacy-invasive apps” and a general “we know what’s best for our customers” attitude (Axon, 2021). The advice is solid as it has been published by the EU Agency for Cybersecurity in 2016 and by the US DHS in 2017 (Axon, 2021). However, Apple fails to mention that they [a tech company] have access to private user data and profit off of data collection.
When users are allowed to sideload apps onto their devices, the data collection is not monopolized by Apple and therefore, Apple stands to lose out. This is less about privacy and security and more about Apple’s greed and desire to monopolize the apps market for itself. That’s why Apple’s products have increasingly become less interoperable with other vendor products and devices. Is Apple’s privacy better than other smartphone manufacturers? Without question it is, but that doesn’t mean that Apple should get exclusive app restriction rights to what apps each iPhone user puts on their phone.
In a testament to the effectiveness of pushing back against tech companies employing privacy-invasive features to their products and encouraging citizens to push lawmakers for stronger privacy legislation, Google delayed plans to phase out support for web activity tracking third-party cookies. Google’s latest Privacy Sandbox blog announces that the company is delaying because “…it’s become clear that more time is needed across the ecosystem to get this right” (Goel, 2021).
Google’s Privacy Sandbox is supposedly an initiative to improve user privacy but at the same time provide app developers/companies “the tools to build thriving digital businesses to keep the web open and accessible to everyone, now, and for the future” (Goel, 2021). Readers like myself, however, are left scratching our heads wondering how Google can make these two diametrically opposed forces happy at the same time. You really can’t have online privacy and still allow app companies to track user web activity in any way whatsoever…
The move to delay is probably a wise move on Google’s part but instead of erring on the side of user privacy, Google has opted to continue supporting third-party web activity tracker cookies until it can better determine what direction new potential privacy legislation is going to look like. After all, tech companies like Google and Facebook make millions off of the advertisement marketing industry and laws like the EU’s GDPR as well as individual state laws are making it clear that people care more about privacy than Google originally thought.
If it seems like every month there is a new discovery of a Google Android app bug that is potentially catastrophic to user privacy and security, that’s because there has been. In the latest cacophony of security blunders, the code that comprises the Google app relied on code libraries that weren’t bundled with the Google app (Whittaker, 2021). This code flaw could’ve allowed for a malicious app to inherit permissions to the Google app itself and in turn, allow for unauthorized “access includes access to a user’s Google accounts, search history, email, text messages, contacts, and call history, as well as being able to trigger the microphone and camera, and access the user’s location” (Whittaker, 2021). Of course, Google said it doesn’t have any evidence that the vulnerability was ever exploited by attackers.
The Australian Federal Police and the FBI have teamed up since 2018 for Operations “Trojan Shield” and “Greenlight” that once again showed the criminal underworld that law enforcement is willing to go to great lengths to take down their syndicated crime networks by whatever legal means necessary, including creating a secure messaging platform (Brodkin, 2021).
They “strategically developed and covertly operated an encrypted device company, called ANOM, which grew to service more than 12,000 encrypted devices to over 300 criminal syndicates operating in more than 100 countries, including Italian organized crime, outlaw motorcycle gangs, and international drug trafficking organizations,” Europol said today.
Unsuspecting criminals purchased the “end-to-end encrypted” Anom smartphones on the dark web which only came with one app, a calculator app that once a code was entered could be used to send encrypted messages and images, and came with remote wipe and duress password features (Brodkin, 2021). Of course, the major plot twist was that the criminals were not aware that the smartphone app was being monitored by law enforcement authorities who had been collecting data on the criminals for 18 months (Brodkin, 2021). We’re talking about entire criminal enterprise networks here.
After 18 months of monitoring, law enforcement agencies including the U.S./FBI, DEA, and Europol from 16 different countries conducted coordinated raids on over 700 houses, netting over 800 arrests, 8 tons of coke, 22 tons of marijuana, 2 tons of synthetic drugs, 6 tons of synthetic drug precursor chemicals, 250 firearms, 55 luxury cars, and over $48 million in different global currencies (Brodkin, 2021). Now, that is what you call a massive honeypot. This also highlights the fact that the FBI and other U.S. law enforcement agencies do not need a backdoor to encryption, however. If they can simply create a fake company and sell backdoored encrypted devices to people, then big tech should not be asked to create encryption backdoors — ever.
This honeypot was partly successful because worldwide LEOs took down the EncroChat and Sky ECC encrypted messaging platforms preceding the advertisement of the FBI’s Anom phone. This goes to show that there is always a black market need for criminals looking to use secure messaging applications to conduct their criminal enterprises. There is no doubt they are using encryption, it’s just which flavor and tools that is the question. When we say ‘Trust no one,’ it’s for a good reason. Any technology we decide to use could be backdoored by the NSA, FBI, or some other entity. How are we to know this unless we are experts in communication technology and hardware/software hacking? And let’s be honest, most people are not.
It was announced Friday, June 25, that Amazon Web Services (AWS) is acquiring the secure messaging app Wickr (Gagliordi, 2021). If you’ve noticed a trend amongst the GAFAM (Google, Apple, Facebook, Amazon, and Microsoft) big tech companies each gobbling up a secure messaging app company, then bonus points to you for paying attention to current events. AWS plans to offer customers the Wickr services immediately after acquisition and will also use the service for internal AWS communications.
Premise is an app that pays ordinary, everyday people like you or I — gig workers, to conduct open-source intelligence (OSINT) collection, a service the company offers to both private and public clients such as U.S. military intelligence. Federal spending records revealed Premise has received at least $5 million since 2017 on military projects — such as on Air Force and the Army contracts and as a subcontractor to other defense entities (Tau, 2021).
“Sometimes those tasks involve collecting data on nearby wireless signals or other cellphones, the company said, comparing the practice to how Google and Apple map Wi-Fi networks with phones using their operating systems” (Tau, 2021)
Imagine how apps like this can be used by Orwellian governments or law enforcement the world over to track and monitor protestors or political dissenters not only here in the U.S. as we saw with the horribly corrupt Trump administration sicking the Department of Justice goons on reporters and political adversaries, but also abroad in countries with autocrats or dictators that have zero qualms about hunting down their own citizens and punishing them or worse.
This fusion of technology and military intelligence is not new though, it’s been steadily developed since 9/11 and its spy technology roots go back much further. Read Shane Harris’ “@War” book for more on the development of OSINT and intelligence agencies' use of technology to spy.
Personally, I think there is a fine line of abuse of power when governments are paying private citizens to spy on citizens in some form or capacity using taxpayer money. However you want to spin it, that’s essentially what is happening here with Premise and there are plenty of other examples which are too numerous to mention here.
Developments in Privacy-related Law
Colorado has become the third state in the nation, behind only California and Virginia, to pass data privacy legislation. Senate Bill 21–190 regulates how companies can collect and use consumer PII (Miller, 2021). This Colorado law, however, is even more far-reaching than the California Consumer Privacy Act (CCPA) in that it affords Coloradans the same privacy protections as the CCPA, but it also gives consumers the right to correct personal information as well as the right to data portability. Amazon, AT&T, Comcast, and Facebook among other tech companies reportedly wanted changes to SB 21–190 but lawmakers passed it without caving to their pressure (Miller, 2021).
Your greatest privacy weapon will always be to maintain a low profile and abstain from using certain types of technology. We simply cannot trust big tech, or any government or corporation to protect our privacy. Therefore, we must try to do what we can to limit the exposure of our private data.
In some respects, you cannot limit the exposure of your private data because it is collected by external agencies and corporations alike in the OPM or Equifax data breaches.
But as I’ve said before, privacy is not entirely about becoming a Luddite and shunning all types of modern technology. It’s about being smart with your private information, how you protect it, how much of it you volunteer within various contexts both online and in person. There are privacy tech tools like apps that we can use to assist us in improving our personal privacy, but none as powerful as your ability to maintain a low profile in every aspect of your life but especially at work and online.
Some privsec tools you can use at home and on your mobile devices are:
- Virtual Private Network (VPN) (e.g., ProtonVPN, Mullvad, IVPN)
- Privacy-Focused Web Browser (e.g., Tor, Firefox, Brave, Safari, Opera)
- Ad blocker browser extensions (e.g., Ghostery, Privacy Badger, DuckDuckGo)
- Encrypted Domain Name System (DNS) (i.e., 220.127.116.11=Cloudflare WARP)
- Data Destroying app (e.g., Hard Disk Scrubber, WipeDrive, DBAN)
- Secure Messaging App (e.g., Threema, Signal, Wire, Wickr, Telegram)
- Password Manager (e.g., BitWarden, KeePass, 1Password, Dashlane)
- 2FA/MFA (i.e., try to use security key or universal 2-factor authentication if the website allows it; otherwise auth apps like Google authenticator, Duo, or similar are the next best option; SMS text-based 2FA is the least favorable option but is still better than no 2FA)
- Full Device Encryption (e.g., Windows- BitLocker, BitLocker To Go, DiskCryptor, VeraCrypt; Mac- enable FileVault protection, Disk Utility; Linux- TecMint, cryptmount, cryFS, VeraCrypt)
Privacy continues to be a very hard sell in today’s world because so many people have given up on it. Those people who have given up assume that surveillance and internet tracking has become so pervasive now that no one can expect any level of privacy anymore. But that is false, we can still eke out a modicum of privacy even if not as much a person reasonably could fifty years ago before the internet was created. Perhaps we can agree that you can’t escape facial recognition software or automated license plate reader technology coupled with the ubiquitous CCTV surveillance cameras because most of us have to go out into the world and leave our homes. We can, however, put forth some effort to minimize our online digital footprints and employ good operational security (OPSEC) habits.
Never Trust. Always Verify. Think Like An Adversary.
Additional Privacy Resources
*Privacy-related articles also published by the author can be found here.
Apple. (2021, June). Building a trusted ecosystem for millions of apps: the important role of app store protections. Retrieved from https://www.apple.com/privacy/docs/Building_a_Trusted_Ecosystem_for_Millions_of_Apps.pdf
Axon, S. (2021, June 23). Apple exec: “Sideloading in this case is actually eliminating choice”. Retrieved from https://arstechnica.com/gadgets/2021/06/apples-anti-sideloading-pr-blitz-includes-white-papers-interviews/
Brodkin, J. (2021, June 8). FBI sold phones to organized crime and read 27 million “encrypted” messages. Retrieved from https://arstechnica.com/tech-policy/2021/06/fbi-sold-phones-to-organized-crime-and-read-27-million-encrypted-messages/
Gagliordi, N. (2021, June 25). AWS acquires encrypted messaging app Wickr. Retrieved from https://zd.net/2T3F4Om
Goel, V. (2021, June 24). An updated timeline for Privacy Sandbox milestones. Retrieved from https://blog.google/products/chrome/updated-timeline-privacy-sandbox-milestones/
Miller, F. (2021, June 18). Colorado third in the nation to pass sweeping data privacy legislation: Another bill aims to safeguard immigrants’ personal information. Retrieved from https://coloradonewsline.com/2021/06/18/colorado-third-in-the-nation-to-pass-sweeping-data-privacy-legislation/
Tau, B. (2021, June 24). App Taps Unwitting Users Abroad to Gather Open-Source Intelligence. Retrieved from https://www.wsj.com/articles/app-taps-unwitting-users-abroad-to-gather-open-source-intelligence-11624544026
Whittaker, Z. (2021, June 17). A security bug in Google’s Android app put users’ data at risk. Retrieved from https://techcrunch.com/2021/06/17/a-security-bug-in-googles-android-app-installed-on-billions-of-devices-put-user-data-at-risk/