z3r0trust Privacy Newsletter #8.20
*Note: This article was originally published by the author in August 2020.
“The only thing privacy laws accomplish is making the bugs smaller.” ~Robert A. Heinlein
Information discovered in the BlueLeaks archive reveals that Government and state law enforcement agencies are having hissy fits over the fact that facial recognition systems aren’t able to positively identify citizens that are rightfully wearing face masks to prevent the spread of COVID-19 as advised by competent medical authorities (Hvistendahl & Biddle, 2020). Let that sink for a moment… The cops are more concerned with facial recognition system effectiveness than your right to protect yourself from the disease which has killed over 150,000 Americans to date. It just speaks volumes about their priorities. Facial recognition systems are not as important as our need to slow the spread of this disease and preserve life as much as we can.
A constant refrain you hear me repeat often is that our privacy is constantly under attack by the surveillance state that is now becoming nearly every town and city in America. It’s not just in the U.S., however. Other countries are as bad, if not much worse. Singapore is one of the most heavily surveilled countries I’ve ever traveled to when I was in the Service. However, even it pales in comparison to the mesh network of China’s CCTV camera monitoring system it employs to identify and track its citizens using facial recognition system technology. China has even gone as far as assigning social credit score ratings for its citizens that can restrict whether citizens can travel on public transport or frequent various establishments (Gonzalez, 2019).
Case in point, there was a situation once back in 2008 where I was on a Western Pacific (WestPac) ship deployment and we stopped in Singapore after sailing all the from San Diego past Hawaii without stopping. It was a most welcome break from being on a ship for all the Marines and Sailors aboard the ship. It was my turn to pull shore patrol duty as a Marine staff non-commissioned officer. So there I was walking around Singapore in uniform with my bright red shoulder patch saying “Shore Patrol” to identify myself and the other Marines with me that we were on duty when suddenly a call came over the radio that two chuckleheaded drunk Marines had done something bad. Full stop.
Everything else was put on hold to handle this potentially disastrous international incident. Marines are required to stay in pairs while on “liberty” while visiting foreign ports of call such as Singapore to hold each other accountable and to prevent being taken advantage of. One of the two Marines had opened the doors to a moving subway train and jumped out of it. His buddy, not wanting to be left behind, followed suit. Imagine the surprise of the Singaporean authorities when they discovered two American GIs running through their subway tunnel system on CCTV camera footage! Of course, Singaporean authorities didn’t want these two dumbass Marines to be struck and killed by a subway train. Nobody wanted that to happen. Therefore, a timely apprehension was of the utmost importance.
All shore patrol Marines, what few of us there were, were on the lookout for these two idiots. This included my shore patrol team that consisted of four of us, one commissioned Officer, a Staff Non-Commissioned Officer, and two NCOs. All we had were physical descriptions and the names of these two Marines but they were dressed in civilian attire so finding them wasn’t as easy you might think. None of us on duty knew these two young Marines. Shortly after the call went out over the radio we met up with a local Naval Criminal Investigative Service (NCIS) agent to discuss strategy and get more Intel on the situation outside a building notoriously known as the “Four Floors of Whores.”
It was a popular tourist attraction for young Marines for some reason… It would all turn out to be much ado about nothing, however, because within 20 minutes of questioning every Marine I came into contact with in civilian liberty attire and looking at their military IDs, I located the two culprits sitting on a planter curb and called it in over the radio. They didn’t try to resist or anything. They knew they messed up. The NCIS agent was overly-joyed that we had located them so quickly and gave me special kudos for doing such a great job. Let me also add that it was better for these Marines that I was the one to have found these two Marines rather than the Singaporean police. Things might have gone a lot differently if that had happened.
Those two Marines had to answer to the Singaporean authorities as well as their military chain of command (read: serious trouble). The point is that Singapore’s CCTV surveillance system is vast and the police respond quickly. “Big Brother” really is watching everything you do. Don’t doubt that for one second. Don’t mess around there or anywhere else for that matter because you never know when you’re on camera. You didn’t see any Singaporean police walking around the city but whenever an incident popped up on camera, they were there in an instant.
That is how some modernized international cities are using CCTV and facial recognition systems in coordination with community policing strategies. I know, it’s not the best story about all of the wonderful things the U.S. military has done but sometimes the truth hurts. Often, all it takes is one dumbass to ruin an organization’s reputation. Servicemen and servicewomen have been doing these types of “international PR black eye” stunts for decades all around the world and it is no wonder that many foreigners maintain an “Ugly American” image.
Moreover, concerning surveillance capitalism, “Chongqing was listed as the city with the world’s heaviest CCTV surveillance, with Comparitech [a VPN provider company] reporting that the Chinese city had over 2.5 million cameras for 15.3 million people, which came out to 168.03 cameras per 1,000 people” (Gonzalez, 2019). Notably evident is the fact many Chinese cities are substantially more populated than any city the U.S. has. Chongqing to put its sheer size into context is roughly the same size municipality as the country of Austria. Naturally, China sees CCTV surveillance coupled with facial recognition systems as the technological tools by which they can best govern a massive (1 billion+) population size. Although understanding why China employs this technology is important to the context of the discussion, population size and governing do not justify what China does with these technological tools.
I find it interesting to study how different countries like Japan, India, China, Brazil, and Mexico, for example, invest in their surveillance infrastructure. Tokyo has a lot of cameras but I’ve not traveled to Delhi, Shanghai, or Sao Paolo to know the extent of surveillance in those cities. I am a very detail-oriented person, so when I travel I take in a lot of detail about my surroundings. I take photographs that I might use later in my research and published work. But I am very careful about what and who I photograph. I try not to capture other people’s faces because knowing how all of this facial recognition software stuff works, I don’t want to inadvertently expose someone in one of my photos that was maybe trying to hide from a stalker or repressive regime or something similar.
We have now learned that as far back as 2013, Chinese hackers created and deployed malware that is still operationally used today. The malware was designed to specifically target Android smartphone users in particular, the type of smartphones widely used by the nation’s Muslim Uighur population and which China used to collect data for its secret police surveillance database. China even used the malware to track and spy on dissidents who fled the country to escape China’s persecution of Muslims (Mozur & Perlroth, 2020). This was the scary kind of malware that could activate the microphone or cameras on a smartphone and spy on people by recording their conversation or capturing video. Chinese authorities would confiscate Uighur smartphones and return them with spyware or even a different phone altogether (Mozur & Perlroth, 2020).
It’s difficult to imagine that level of espionage campaign against U.S. citizens but China is willing to go to great lengths to use malware to target specific population demographics, the U.S. intelligence agencies work in coordination with or purchase data from U.S.-based Internet Service Providers (ISP) and Telecom providers (Volz, 2019). I think all of this surveillance and data collection only means that for the privacy-minded folks out there, we have to inject privacy whenever and wherever we can into the equation because no one is going to look out for our privacy but ourselves. Between the ISPs and Telecom providers that we pay to use their services (some services are free, so we are the product in a sense) and our government, who needs enemies?
It turns out that Rite Aid stores have quietly been installing and using a facial recognition system called “DeepCam” in 200 stores for the last eight years in New York and Los Angeles as Reuters reported (Dastin, 2020). Rite Aid claims that the use of DeepCam, a product developed by a company with links to the Chinese government, is to “deter theft and protect staff from violence” (Dastin, 2020). Amazon, IBM, and Microsoft, in the wake of the Black Lives Matter (#BLM) protests across the U.S., temporarily banned police use of their facial recognition technology for a year (Greene, 2020). Ethically speaking, we should be asking ourselves as a modern society if facial recognition systems coupled with an overwhelming abundance of CCTV camera systems are the direction we want to pursue for the future. George Orwell’s, 1984 classic novel was not meant to be an instruction manual for how governments should monitor their citizens. I shudder to think about what comes next? Could it be “thought police?”
TikTok Ban in the U.S. (at least, for Government devices)
“As far as TikTok is concerned, we’re banning them from the United States,” [President] Trump told reporters late Friday [July 31, 2020]. I previously detailed how TikTok is risky to use on any device, especially a government device.
Hacking Privacy #6.20: Traceless Non-Contact & TikTok-Talkitty Talks to Everyone
“They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” ―…
However, I also agree with other security experts who have said that banning TikTok is being done more as a political distraction by the current Administration as well as other GOP lawmakers and that the app doesn’t collect more data than say Facebook or Twitter apps do. The difference is, of course, that the TikTok U.S. has some measure of control over Facebook, Twitter, Instagram, and Snap, Inc. I see this more as a China fearmongering political stunt for the GOP in the coming November elections than anything else. From an average internet user's perspective, they should be allowed to use TikTok or any other application they want to.
After all, it’s their privacy at stake. It’s their data at risk of being exploited and that it may not happen now but later, or not at all. Is it any worse than what Cambridge Analytica did with Facebook users, though? I would argue that it’s not. Users accept security and privacy risks any time they install any app or any browser extension. Apps run code that enables access to your device for certain things like geographic tracking, photos/videos, and other risky things to share. Most users don’t think about the implications of installing such apps on their devices though, they just want to see the funny videos on TikTok or share media content with friends and family.
On government devices, however, which are often used to discuss unclassified but for official use-only government business, any app other than those that are necessary is a potential attack vector by foreign intelligence agencies. An app often can enable remote code execution on a host device which means that an app while perhaps not dangerous at the moment of inspection with good security and privacy reviews can be updated with malicious components baked into the code. TikTok’s U.S. general manager, Vanessa Pappas, responded to Trump’s statement about the potential ban very confidently by saying, “We’ve heard your outpouring of support, and we want to say thank you. We’re not planning on going anywhere” (Millman, 2020).
Trump and his GOP goons can’t ban the TikTok app for normal American citizens to use. If there is a ban it would only be a ban that applies to government devices to protect against Chinese espionage. It’s not a matter of national security that Billy Joe Smith’s smartphone is being spied on by Chinese intelligence agencies. China wouldn’t care about targeting average citizens. The reward for the spy has to be worth the cost and effort. Otherwise, why bother? I say that if the USG wants to ban risky apps from USG devices then they should ban them all. Facebook, Twitter, Instagram, Snapchat, Google apps, VPN apps, game apps, all of the nonessential apps. Blacklist them for all USG users and ban them all for “national security” reasons.
Government devices are supposed to be used strictly for work purposes only anyway. Expect the same level of retaliation from adversary nations. They will undoubtedly respond in kind. Additionally, don’t think for one minute that such an action will prevent further espionage attempts by other means. In addition to a USG-issued smartphone, they all have personal smartphones as well which are usually either on their person, outside the building in a cubby, or locked in their vehicles while in the office. Their smartphones might have TikTok on them and if the USG employee isn’t careful about separating work from personal life, well there is your Computer Network Espionage (CNE) vector.
Trust No One. Always Verify. Leave No Trace.
Additional Privacy Resources
*Privacy-related articles also published by the author can be found here.
Dastin, J. (2020, July 28). Rite Aid deployed facial recognition systems in hundreds of U.S. stores. Retrieved from https://www.reuters.com/investigates/special-report/usa-riteaid-software/
Gonzalez, M. (2019, August 23). Singapore is number 11 when it comes to surveillance, but it has nothing on China. Retrieved from http://theindependent.sg/singapore-is-number-11-when-it-comes-to-surveillance-but-it-has-nothing-on-china/
Greene, J. (2020, June 11). Microsoft won’t sell police its facial-recognition technology, following similar moves by Amazon and IBM. Retrieved from https://www.washingtonpost.com/technology/2020/06/11/microsoft-facial-recognition/
Hvistendahl, M., Biddle, S. (2020, July 16). Homeland security worries COVID-19 masks are breaking facial recognition, leaked document shows. Retrieved from https://theintercept.com/2020/07/16/face-masks-facial-recognition-dhs-blueleaks/
Millman, E. (2020, August 1). TikTok Responds After Trump Says He Will Ban App In U.S. Retrieved from https://www.rollingstone.com/pro/news/tiktok-responds-trump-ban-1038027/
Mozur, P., Perlroth, N. (2020, July 1). China’s Software Stalked Uighurs Earlier and More Widely, Researchers Learn. Retrieved from https://www.nytimes.com/2020/07/01/technology/china-uighurs-hackers-malware-hackers-smartphones.html
Volz, D. (2019, June 26). NSA Improperly Collected U.S. Phone Records a Second Time. Retrieved from https://www.wsj.com/articles/nsa-improperly-collected-u-s-phone-records-a-second-time-11561541520