z3r0trust Privacy Newsletter #9–20
*Note: This article was originally published by the author in August 2020.
This end-of-the-month digital privacy newsletter installment comes after publishing two other z3roTrust Privacy Newsletter editions, #32–20 & #33–20, so this end-cap will round out the remainder of August 2020 privacy developments.
The Privacy Rights Clearinghouse maintains a downloadable data breach database, though it appears not to have been maintained beyond January 2019. A better source for up-to-date data breach information is DataBreaches.net, which is maintained by @PogoWasRight and @83LeeJ. The transparent, privacy-themed website hosts data breach-related news articles and breach law information. It is worth a look, and maintaining a site like this is something of a full-time job given the number of data breaches that occur every week these days. Additionally, check out https://www.pogowasright.org/, another well-constructed and maintained privacy website for up-to-date privacy news.
The CISO for Uber during their 2017 data breach, which resulted in the public exposure of 57 million driver and passenger email addresses and phone numbers, has been charged with concealing evidence of the breach from federal investigators, a charge that sent shockwaves throughout the information security community (Conger, 2020). Joe Sullivan served as the CISO for Uber when Uber was hacked in 2016 for the second time in two years. However, the second time around Sullivan failed to disclose the most recent breach to the federal investigators who were investigating him regarding the first incident in 2014.
Withholding information from federal investigators is a felony offense. If convicted of the two felony charges he faces, Sullivan could serve up to eight years in prison in addition to potential fines (Conger, 2020). The reason this is shocking to the infosec community is that this case marks the first time a CISO has ever been charged with a crime (two felonies, in fact) for failing to report a data breach. This case will establish a new precedent for CISOs and for a company’s obligation to report data breaches in a timely fashion as required by law. It remains to be seen whether this will actually change corporate behavior across the industry regarding the timely reporting of data breaches. It’s not difficult to do the right thing, as damaging as it may be to the business.
Data Broker Social Data Exposes 235 Million Social Media Profiles in Data Leak
Another “dangerously irresponsible” Artificial Intelligence (AI) social media scraping data broker, Social Data, registered with a Hong Kong URL, has been found by Comparitech security researchers to have had a publicly exposed database containing scraped social media data on approximately 235 million social media profiles (Ikeda, 2020). That could be your data and mine, for all we know.
I could enumerate their site and find the exposed data to confirm, but I choose not to add to this clusterfuck of a situation any more than it already has become. However, it turns out that not only was the data publicly exposed, but Social Data didn’t even have permission to scrape the social media sites in the first place (Ikeda, 2020). They just took the liberty to do so on their own. That’s how easy it is to do. Hey, wow! Imagine that. Why is this so easy to do, GAFAM (Google, Apple, Facebook, Amazon, and Microsoft)?
This latest shitshow of a failure to protect privacy-related information is ridiculous, and it continues to happen with increasing regularity. When are legislators going to put a stop to this practice? What is it going to take to stop it from happening, and is it even possible to prevent given that social media sites like Facebook, Twitter, and Instagram share their Application Programming Interfaces (APIs) with developers who are not associated with these companies in any way?
Clearview AI is another notorious case of a company that does this and has not yet been forbidden from doing so. Litigation against Clearview AI is pending. Cases such as these illustrate that politicians do not care about your privacy as everyday citizens of the United States. There is more for them to gain by ignoring these problems than by doing something to prevent them from occurring at all.
Privacy Legislation Developments
A new Senate bill by Senators Jeff Merkley (D-Ore.) and Bernie Sanders (D-Vt.) called the National Biometric Information Privacy Act (NBIPA) aims to extend facial recognition restrictions nationwide by limiting how biometric data can be collected, requiring written consent for companies to collect a person’s biometric data, and allowing private citizens and state attorneys general to sue companies that violate the provisions of the law (Montalbano, 2020). This is a good sign that we still have some lawmakers trying to pass meaningful digital privacy regulations to protect ordinary Americans from how facial recognition system (FRS) data is being used against them. Police have repeatedly shown that they will pay huge sums of money to incorporate FRS technology into their Closed Circuit TV (CCTV) surveillance camera systems to identify protestors, along with Automated License Plate Reader (ALPR) systems for vehicles.
Law enforcement argues that this technology is necessary to help solve crimes, but as always, with great power comes great responsibility. Who is watching the watchers? The Federal Bureau of Investigation (FBI) is tasked by the Department of Justice (DOJ) with investigating corruption or abuse of authority within police departments in America. However, the FBI is one of the biggest consumers of this type of technology, so explain to me how that is supposed to work. That’s law enforcement investigating itself, and it will not be done impartially. This is how politics often interfere with the administration of justice.
Miami PD used FRS imagery provided by Clearview AI to reportedly identify and arrest a female suspect who threw a rock at a police officer, while police departments in Columbia, S.C., New York, NY, and Philadelphia, PA used Clearview AI’s FRS technology to identify protestors as well (Montalbano, 2020).
Covered biometric data that would fall under NBIPA would include such things as retina or iris scan data, voice data, facial data, fingerprints or palmprints, or any other “uniquely identifying information based on the characteristics of an individual’s gait or other immutable characteristic of an individual” (Montalbano, 2020). This newly proposed national law will surely be challenged by the corrupt establishment in Washington, D.C., but should it somehow pass despite all odds, it will be outstanding for privacy rights advocates. Illinois’ BIPA law was already instrumental in a successful class-action lawsuit that Facebook settled for $550 million. That same Illinois BIPA law is being used to sue Clearview AI in a pending lawsuit, which we can only hope results in a landslide victory for digital privacy rights (Montalbano, 2020).
Senator Merkley was quoted as saying, “We can’t let companies scoop up or profit from people’s faces and fingerprints without their consent. We have to fight against a ‘big-brother’ surveillance state that eradicates our privacy and our control of our own information, be it a threat from the government or from private companies.”
The Facial Recognition System Saga Continues
ICE Signs Facial Recognition System Service Contract With Clearview AI
Although Clearview AI is currently being sued by multiple states and companies, both the US Air Force (USAF) and Immigration and Customs Enforcement (ICE) have signed new contracts with the controversial Chinese-owned company Clearview AI for use of its facial recognition system technology (Lyons, 2020). It kind of makes you wonder if these federal entities know something that we don’t, such as the outcome of future court cases that would nullify these federal contracts.
ICE’s mission support office in Dallas, TX, signed a $224K contract this week, and the USAF signed a $50K contract in December 2019 for Clearview AI’s “mission support” AI-powered FRS technology services (Lyons, 2020). ICE has repeatedly displayed an abuse of authority through its highly criticized practice of accessing state Department of Motor Vehicle (DMV) license databases to obtain the physical address history of drivers as well as license plate information, which is used in connection with Clearview AI’s AI-powered FRS technology and ALPR technology to pinpoint people they are targeting for immigration deportation.
In some cases, I think it is important and fair to note, undocumented criminals (bad people) are located and deported through the use of this technology, but there is no overwatch for ICE beyond the Department of Homeland Security (DHS) or DOJ. The DHS was created after the 9/11 terrorist attacks, and many have called for it to be dissolved because it is both unnecessary and largely a corrupt agency. It is headed by Trump appointee Chad Wolf, who was never confirmed by the Senate and who has illegally used his authority to send hundreds of federal agents to cities like Portland, Oregon to “protect” federal buildings.
Those same federal agents and CBP officers have clashed with protestors and have been filmed violating several laws but have, as of yet, not been held accountable. A day of reckoning is sure to come in the future, but until then, with the November 3, 2020, U.S. Presidential Election scheduled to occur within the next couple of months, it is important to remember that the U.S. is a country that was founded by immigrants trying to escape tyranny, at the expense of countless untold abuses and massacres of Native Americans.
There is no way to know how badly this technology and information is being abused. But we have plenty of evidence that it is being abused by ICE and that ICE does not cooperate when questioned about its illegal tactics and practices. ICE and the Customs and Border Patrol (CBP), and I apologize for the alphabet acronym soup, are, more than almost any other agencies, the most corrupt and blatantly racist agencies within the federal government under the current administration. They have repeatedly been documented abusing their authority and targeting the most vulnerable people while receiving backing from their fanboy President Trump and millions in federal funding to perform their missions. This is state-sponsored terrorism against immigrants, all immigrants, not only those who crossed into America illegally.
Trump’s goons who work in ICE and CBP make a habit of illegally profiling people based on their skin color and will without question use whatever technology they can get a hold of to help target illegal immigrants and even natural-born American citizens who publicly oppose their practices. This is not the America we’ve come to know and love; it has morphed into a police state under the current administration that uses technology against its own citizens in violation of the Fourth Amendment of the Constitution of the United States. It is time, fellow Americans, for a regime change. We do that at the polling centers on November 3, 2020. Not by violence, never with violence. The “eye for an eye” philosophy only adds to the death toll and solves nothing.
Facial Recognition System App The Walls Available in Apple’s App Store
The Walls is a new app that lets iPhone users have their facial features scanned and then use the app to project their faces coming out of any wall. Hmm? Why would I want or need that? Does this not seem like a scam to you? I have so many questions about this, mostly privacy-related. Who else will this data be shared with? Clearview AI? GAFAM? How about the NSA, CIA, DHS, ICE, or CBP? Something should tell you this is not a good idea to use if you’re concerned with privacy. The Walls seems to me like another useless, privacy-invasive, social liability app that I certainly would never need or use.
Secret Service & CBP Use Babel Street’s Locate X
The U.S. Secret Service (USSS) and the U.S. Customs and Border Patrol (CBP) were found to have contracted the services of social media surveillance company Babel Street which offers a tech product called Locate X that geographically pinpoints people based on apps they’ve installed on their phones that collect location service information, often unbeknownst to the user (Jones, 2020). This is yet another instance of federal agencies circumventing the Fourth Amendment by not getting search warrants and instead contracting the services of a tech company to spy on Americans.
Babel Street’s Locate X uses “anonymized” location data from other popular apps that many people don’t know collect their location data and then sell that geofencing data about Americans to agencies such as the USSS, ICE, and CBP (Jones, 2020). Again, surely these federal agencies are using the technology for legitimate purposes but what controls are in place to ensure that our Constitutional privacy rights against unlawful searches and seizures are being protected here? There are none, it is an egregious example of abuse of government power. No one but lawmakers can stop this from happening and they are currently failing every American on these most basic of Constitutional rights.
Sen. Ron Wyden (D-Ore.) told Motherboard in a statement that he has been unable to get Babel Street to tell him “where their data comes from, who they sell it to, and whether they respect mobile device opt-outs.” Wyden added that his previously announced privacy bill would bar federal agencies from purchasing this kind of data on the open market (Jones, 2020).
Clear Channel Billboards Track Consumers in U.S. & Europe
Radar is a consumer billboard tracking program run by the company Clear Channel Outdoor Holdings. The company has been operating its “Radar” tracking technology in the U.S. for the last four years but is now expanding its operations to Europe despite the EU’s GDPR requirements (Lyons, 2020). The company’s CEO, William Eccleshare, was quoted as saying that the data was “very well anonymized,” for whatever that is worth. Often, company executives make spurious claims about the security or anonymity of the data their technology relies on. Then, months or years later, it always ends up that either the data was not secure in some way due to their fault, the data was hacked somehow, or they were selling the data to a third-party data broker that didn’t protect it.
Clear Channel’s Radar technology tracks people’s geographic location movements into a store, what they purchase, as well as viewing habits to tailor advertising to consumers for ad companies (Lyons, 2020). This is extremely creepy and is a massive violation of consumer privacy. This is the kind of stuff that makes my skin crawl and no matter how these fat-cat execs try to rationalize it to the media as being just an extension of already existing technology or practices, they seem to completely disregard the fact that people have no say in whether they get to opt-out of these invasive practices or technology.
It is just done without anyone’s consent whatsoever and we’re just supposed to accept it like there’s nothing wrong with it. It honestly sickens me and makes me not want to own a smartphone anymore. Smartphones have become the key to anti-privacy and I can make a very strong case for not owning one. Clear Channel has faced substantial profit losses during the pandemic but plans to launch Radar in the UK and Spain in September 2020 (Lyons, 2020).
Toyota To Share New Car Driver Data With AWS and Insurance Providers
Having been an owner of Toyota cars for a long, long time, sadly that mutually beneficial relationship may be coming to an end, as Toyota plans to start uploading vehicle performance data to the Amazon Web Services (AWS) Cloud to sell to insurance providers (Sharwood, 2020). That is a major violation of consumer trust in my book, and I will not tolerate it. I will instead vote with my wallet and buy a vehicle from a different manufacturer that does not do this. Toyota is sure to lose customers over this move if they end up going through with it. It would only affect newer model vehicles that are equipped with the Data Communication Module (DCM) (Sharwood, 2020).
In a follow-up tweet, Toyota has informed me that this feature will be on an opt-in basis only which I can live with so long as they live up to their end of the bargain. Should I and other consumers find out that Toyota or any other company has violated consumer privacy rights, they will be boycotted indefinitely and I will advocate wholeheartedly for their bankruptcy.
App Privacy Exposure
Bridgefy Messaging App Falsely Claims App Is Safe For Protestors
Another mobile app, another privacy nightmare. The decentralized messaging app Bridgefy has been a go-to app for protestors because it relies on Bluetooth and mesh networking to allow users to communicate without being connected to the internet (Goodin, 2020). Backed financially and marketing-wise by Twitter, Bridgefy enables users located within a few hundred meters of each other, or further by relaying through other users as intermediate nodes, to text without internet connectivity (Goodin, 2020). This is a great use of technology, in my humble opinion, for emergencies, disasters, and protests against oppressive regimes and so-called democratic governments. However, as with every app, there are some privacy drawbacks for users. The CEO and company representatives of Bridgefy claim that the app uses end-to-end encryption (E2EE) to protect SMS text messages against interception by counter-protestors, LEOs, and government agencies, but when the app was reverse-engineered by UK security researchers from Royal Holloway, University of London, they determined that the company’s claims are false (Goodin, 2020). Currently, Bridgefy’s website claims its app will be end-to-end encrypted starting in September 2020.
In fact, the researchers determined that the app was susceptible to user deanonymization; real-time user interaction social graphing; decryption of direct messages; user impersonation; network shutdown (think about that one for a second); and Man-In-The-Middle (MITM) attacks which allow for message tampering/modification. Bridgefy was notified of these vulnerabilities in April 2020 and still hasn’t fixed a single one of them (Goodin, 2020). Until Bridgefy satisfactorily addresses all of these security vulnerabilities, I recommend uninstalling the app from your devices and not using it. It is another example of false security advertising.
Customs & Border Patrol Paid Nearly Half a Million to Venntel
The U.S. Customs and Border Patrol under the Trump Administration has become like its Department of Homeland Security counterpart ICE: another federal law enforcement agency that is using taxpayer money to perform illegal search and seizure activities, not only at border crossings but everywhere they can get away with it. This must stop, and they must be held accountable for their actions, starting with those who are in charge of this corrupt organization. I recommend placing your phone in a Faraday case before entering any border crossing.
At airports, ensure the biometric unlock features are disabled and that the phone is fully encrypted with an 8-digit PIN or password. You are protected under the Fourth Amendment of the Constitution to not unlock your device unless there is a warrant signed by a judge and even then you had better have the opportunity to consult with a lawyer first. It is complete and utter bullshit what these federal agencies think they can get away with under the Trump Administration. In a perfect world, these officials would be tried and convicted for their crimes against citizens and even non-citizens.
In yet another stunning case of Fourth Amendment violations, evidence has shown that the CBP paid Venntel nearly half a million dollars for their services that involve “…location data harvesting from ordinary apps installed on people’s phones” (Cox, 2020). Just in case you had any doubts about whether your government cares about your Constitutional rights against unlawful search and seizure, here is yet another example that they couldn’t care less. Instead of getting a search warrant for a wiretap, agencies like the CBP are skirting around the law and paying for services such as those that vendors like Venntel provide.
In addition to the Venntel contract and Babel Street which offers Locate X that geographically pinpoints people based on apps they’ve installed on their phones, CBP is also creating a searchable database full of user data seized from confiscated cell phones, laptops, and other mobile devices at border crossing checkpoints (Feathers, 2020). The new database system, developed by PenLink, a Nebraska-based surveillance and analytics company, will create “a risk that irrelevant information extracted from devices will now be accessible to a larger number of (US Border Patrol) agents with no nexus to that particular case,” according to CBP’s privacy assessment.
Albion College Forces Students to Install Contact-Tracing App
Students attending Albion College in Michigan were notified in a July 28, 2020 statement that they must install the contact tracing app Aura when returning to school this Fall. No opt-out option is being presented to students.
“All students will utilize Aura, an app developed by Nucleus Healthcare, that organizes the College’s COVID-19 testing and public health approach. The app will ask for daily health self-monitoring inputs prior to campus arrival in August and will offer daily reminders about common public health measures that everyone should be taking. Once students arrive on campus, the Aura app will provide regular community updates. All protected health information relating to an individual registered on the app will be treated as confidential. This information will be used only to provide the services agreed to and will not be disclosed to any other person or entity without the individual’s written permission.”
Aura is known to have vulnerabilities, and the students are required to install the app or face suspension. The app tracks their geographical location everywhere they go, 24 hours a day (Whittaker, 2020). This is the type of cringe-worthy stuff that is not only against the law but also makes me want to strangle HigherEd administrators. What part of this sounded legal or non-invasive to you? Obviously, this is a school that is more concerned with profit than with its students’ privacy. The Federal Educational Rights and Privacy Act (FERPA) is supposed to protect the privacy of students and their parents, who are required to provide a ton of Personally Identifiable Information (PII) and tax information to colleges and universities for applications and student financial aid.
Colleges and universities are disregarding the spirit of laws like FERPA, which were designed to protect against things like mandatory privacy-invasive apps being installed on student smartphones. Because the text of the law does not specify this type of action, these institutions think that somehow buys them leeway in potential court cases. It doesn’t, and they will lose every time. However, because the federal government is not doing its part in regulating higher education, these types of student privacy violations will continue to occur.
Deepfakes and Porn Sites
A concerning trend is the use of deepfake video technology, which is available for anyone to experiment with, to create deepfake porn videos of celebrities which are then uploaded to porn sites like XVideos, Xnxx, and XHamster (Burgess, 2020). As if the fact that these videos are being created isn’t disturbing enough, the fact that there isn’t current legislation protecting against it is abominable. Porn sites are refusing to comply with takedown notices because, plainly and simply, they are making money off of these deepfake porn videos. Until legislation is passed to hold these adult sites accountable, not only for deepfakes but also for the porn videos made of human trafficking victims, it will continue to be an issue. So, as with any law, if it’s not enforced then it is worthless.
This will have adverse consequences not only for celebrities, politicians, and leaders from every walk of life, but soon enough it will affect even average people like you and me. Imagine going for a job interview and finding out that the company didn’t hire you because someone posted a deepfake video of you engaging in intimate acts, or saying or doing something you never actually did. It is worrisome, to say the least. I don’t see deepfake video or image technology as a good use of technology. These deepfake videos could have irreversible consequences for your career and life. “A report from Sensity released last year found 14,678 deepfake videos online in July 2019; 96 percent of these were porn and almost all are focused on women” (Burgess, 2020).
Practical Privacy Hack of the Week
Privacy.com allows users to create virtual credit cards for the exact amount they need to spend on a specific purchase. Imagine never having to worry about your real credit card information being compromised and used fraudulently after some retail website you purchased from gets hacked and suffers a data breach. It is worth looking at, but it is not a free service.
An advanced project for the computer techies is to build your own Raspberry Pi Virtual Private Network (VPN) server. User “Gus” from the pimylifeup site explains exactly how to do that in detail in the linked guide. I’ll add that Raspberry Pis are relatively inexpensive and a great way to learn about computers, networking, WiFi, and software and hardware hacking. You can do so much with them, and they’re pretty durable and resilient. The great thing about building your own VPN server is that you can rest assured, from a digital privacy standpoint, that no unscrupulous VPN provider is taking your money and logging your Web browsing activity. You’ll no longer have to shell out $5/month to some potentially unscrupulous VPN provider that might just be leaking or selling your browser activity. This is a personal project of mine that I plan to complete in 2021. So, if you decide to do this, then please do message me on Twitter and let me know how it went and how you like it.
That concludes August 2020’s privacy newsletter. Remember to operate in a z3roTrust mentality. Always attempt to verify any information before trusting and relying on it to be accurate. Think about how many times you’ve been burned when you haven’t done this. The less information you share with the world online, the more private your life will be. Not all tech is bad, but much of the current applications of the technology are harmful to user privacy which can then lead to much bigger problems such as identity theft, cyberstalking, fraud, and more.
The solution is not to become a Luddite but to force Tech to be implemented in a privacy-conscious manner. Sometimes, this is where being a hacker becomes beneficial. Smartphones are not a necessity; they are a luxury. However, smartphones are even more of a security and privacy liability than a social media website like LinkedIn. Social media accounts are also not a necessity. Remember that. None of this stuff is a necessity. It’s all just luxuries. You don’t NEED any of it. We choose to use it. At any given point, I know I am perfectly fine to delete it all, deactivate my smartphone, and become virtually untraceable, so long as I can keep out of range of satellites, CCTV cameras, ALPRs, and FRS technology, right? Yeah, good luck with that! The odds are stacked against us ever having true privacy. Until next time, friends.
Additional Privacy Resources
*Privacy-related articles also published by the author can be found here.
Burgess, M. (2020, August 30). Porn Sites Still Won’t Take Down Nonconsensual Deepfakes. Retrieved from https://www.wired.com/story/porn-sites-still-wont-take-down-non-consensual-deepfakes/
Conger, K. (2020, August 20). Former Uber Security Chief Charged With Concealing Hack. Retrieved from https://www.nytimes.com/2020/08/20/technology/joe-sullivan-uber-charged-hack.html
Cox, J. (2020, August 25). Customs and Border Protection Paid $476,000 to a Location Data Firm in New Deal. Retrieved from https://www.vice.com/en_us/article/k7qyv3/customs-border-protection-venntel-location-data-dhs
Feathers, T. (2020, August 24). CBP Now Has a Massive Searchable Database for Devices Seized at the Border. Retrieved from https://www.vice.com/en_us/article/v7gjay/cbp-now-has-a-massive-searchable-database-for-devices-seized-at-the-border
Goodin, D. (2020, August 24). Bridgefy, the messenger promoted for mass protests, is a privacy disaster. Retrieved from https://arstechnica.com/features/2020/08/bridgefy-the-app-promoted-for-mass-protests-is-a-privacy-disaster/
“Gus”. (2020, July 12). Build Your Own Raspberry Pi VPN Server. Retrieved from https://pimylifeup.com/raspberry-pi-vpn-server/
Ikeda, S. (2020, August 28). Major Data Broker Exposes 235 Million Social Media Profiles in Data Leak. Retrieved from https://www.cpomagazine.com/cyber-security/major-data-broker-exposes-235-million-social-media-profiles-in-data-leak/
Jones, R. (2020, August 17). Secret Service Paid to Get Americans’ Location Data Without a Warrant, Documents Show. Retrieved from https://gizmodo.com/secret-service-bought-access-to-americans-location-data-1844752501
Lyons, K. (2020, August 10). Clear Channel’s billboards will start tracking consumers in Europe. Retrieved from https://www.theverge.com/2020/8/10/21361734/clear-channel-billboards-privacy-ad-tracking-europe
Lyons, K. (2020, August 14). ICE just signed a contract with facial recognition company Clearview AI. Retrieved from https://www.theverge.com/2020/8/14/21368930/clearview-ai-ice-contract-privacy-immigration
Montalbano, E. (2020, August 20). Senate Bill Would Expand Facial-Recognition Restrictions Nationwide. Retrieved from https://threatpost.com/senate-bill-expand-facial-recognition-restrictions-nationwide/158509/
O’Donnell, L. (2020, August 20). IBM Settles Lawsuit Over Weather Channel App Data Privacy. Retrieved from https://threatpost.com/ibm-settles-lawsuit-over-weather-channel-app-data-privacy/158529/
Page, C. (2020, August 14). Oracle And Salesforce Hit With $10 Billion GDPR Class-Action Lawsuit. Retrieved from https://www.forbes.com/sites/carlypage/2020/08/14/oracle-and-salesforce-hit-with-10-billion-gdpr-class-action-lawsuit/
Sharwood, S. (2020, August 18). Oh what a feeling: New Toyotas will upload data to AWS to help create custom insurance premiums based on driver behaviour. Retrieved from https://www.theregister.com/2020/08/18/aws_toyota_alliance/
Whittaker, Z. (2020, August 19). Fearing coronavirus, a Michigan college tracks its students with a flawed app. Retrieved from https://techcrunch.com/2020/08/19/coronavirus-albion-security-flaws-app/