Author Topic: Privacy  (Read 14589 times)

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 72256
    • View Profile
Privacy
« on: June 13, 2007, 07:11:28 AM »
All:

The notion of Privacy is under serious attack.   In my opinion, Privacy is a Constitutional right, found in the Ninth Amendment of our Consitution.  This, not the scurrilous attacks upon his person, was the basis of my opposition to the nomination of brilliant legal mind Robert Bork  to the Supreme Court-- he denied the existence of a C'l right to Privacy.

In the name of the inane and insane War on Drugs, the government has intruded into people's lives in ways that once upon a time would have been considered fascistic.

And now the march of technology creates its own demons.

This thread is for the discussion of these matters.   Tis a rare event, but I begin with a NY Times editorial.

Marc
==========================================

Editorial
NY Times
Published: June 13, 2007

Internet users are abuzz over Google’s new Street View feature, which displays ground-level photos of urban blocks that in some cases even look through the windows of homes. If that feels like Big Brother, consider the reams of private information that Google collects on its users every day through the search terms they enter on its site.

Privacy International, a London-based group, has just given Google its lowest grade, below Yahoo and Microsoft, for “comprehensive consumer surveillance and entrenched hostility to privacy.”

There are welcome signs that this Wild West era of online privacy invasion could be coming to an end. Data protection chiefs from the 27 countries of the European Union sent Google a letter recently questioning the company’s policy for retaining consumer information. Here at home, the Federal Trade Commission is looking into the antitrust ramifications of Google’s $3.1 billion acquisition of DoubleClick, an online advertising company.

The F.T.C. should also examine the privacy ramifications of the deal. And Congress needs to act on proposals to prevent the warehousing of such personal data.

Google keeps track of the words users type into its popular site, while DoubleClick tracks surfing behavior across different client Web sites. The combination could give Google an unprecedented ability to profile Web users and their preferences. That knowledge means big bucks from companies trying to target their advertisements. But it also means Google could track more sensitive information — like what diseases users have, or what political causes they support.

Google has announced that rather than keeping information indefinitely, it would only keep it for 18 months before making it anonymous. That is a good step, but not enough since it’s not clear what anonymous means. Last year AOL released records of searches by 657,000 unidentified users. Reporters from The Times were able to trace the queries back to “anonymous” users.

Google is the focus of privacy advocates right now, but it is hardly the only concern. Competitors like Yahoo and Microsoft have the same set of incentives. Privacy is too important to leave up to the companies that benefit financially from collecting and retaining data. The F.T.C. should ask tough questions as it considers the DoubleClick acquisition, and Congress and the European Union need to establish clear rules on the collection and storage of personal information by all Internet companies.


Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 72256
    • View Profile
Re: Privacy
« Reply #1 on: January 09, 2008, 02:55:35 PM »


By MIGUEL HELFT
Published: December 11, 2007
OAKLAND, Calif., Dec. 10 - Will privacy sell?

Skip to next paragraph
Related
Blogrunner: Reactions From Around the Web
Ask.com is betting it will. The fourth-largest search engine company will
begin a service today called AskEraser, which allows users to make their
searches more private.

Ask.com and other major search engines like Google, Yahoo and Microsoft
typically keep track of search terms typed by users and link them to a
computer's Internet address, and sometimes to the user. However, when
AskEraser is turned on, Ask.com discards all that information, the company
said.

Ask, a unit of IAC/InterActiveCorp based in Oakland, hopes that the privacy
protection will differentiate it from more prominent search engines like
Google. The service will be conspicuously displayed on Ask.com's main search
page, as well as on the pages of the company's specialized services for
finding videos, images, news and blogs. Unlike typical online privacy
controls that can be difficult for average users to find or modify, people
will be able to turn AskEraser on or off with a single click.

"It works like a light switch," said Doug Leeds, senior vice president for
product management at Ask.com. Mr. Leeds said the service would be a selling
point with consumers who were particularly alert about protecting their
privacy.

"I think that it is a step forward," said Ari Schwartz, deputy director of
the Center for Democracy and Technology, about AskEraser. "It is the first
time that a large company is giving individuals choices that are so
transparent."

But underscoring how difficult it is to completely erase one's digital
footprints, the information typed by users of AskEraser into Ask.com will
not disappear completely. Ask.com relies on Google to deliver many of the
ads that appear next to its search results. Under an agreement between the
two companies, Ask.com will continue to pass query information on to Google.
Mr. Leeds acknowledged that AskEraser cannot promise complete anonymity, but
said it would greatly increase privacy protections for users who want them,
as Google is contractually constrained in what it can do with that
information. A Google spokesman said the company uses the information to
place relevant ads and to fight certain online scams.

Some privacy experts doubt that concerns about privacy are significant
enough to turn a feature like AskEraser into a major selling point for
Ask.com. The search engine accounted for 4.7 percent of all searches
conducted in the United States in October, according to comScore, which
ranks Internet traffic. By comparison, Google accounted for 58.5 percent,
Yahoo for 22.9 percent and Microsoft for 9.7 percent.

"My gut tells me that basically it is not going to be a competitive
advantage," said Larry Ponemon, chairman and founder of the Ponemon
Institute, an independent research company "I think people will look at it
and see it as a cool thing, and they may use it. But I don't think it will
be a market differentiator."

Mr. Ponemon said many surveys showed that while about three in four
Americans said they were concerned about privacy, their concern was not
sufficient to make them change their behavior toward sharing personal
information. About 8 percent of Americans were concerned enough about
privacy to routinely take steps to protect it, the surveys showed.

"Privacy only becomes important to the average consumer when something blows
up," Mr. Ponemon said.

Of course, something has already blown up. Last year, AOL released the
queries conducted by more than 650,000 Americans over three months to foster
academic research. While the queries where associated only with a number,
rather than a computer's address, reporters for The New York Times and
others were quickly able to identify some of the people who had done the
queries. The queries released by AOL included searches for deeply private
things like "depression and medical leave" and "fear that spouse
contemplating cheating."

The incident heightened concerns about the risks posed by the systematic
collection of growing amounts of data about people's online activities. In
response, search companies have sought to reassure consumers that they are
serious about privacy.

While companies say they need to keep records of search strings to improve
the quality of search results and fight online scams, they have put limits
on the time they retain user data.

Google and Microsoft make search logs largely anonymous or discard them
after 18 months. Yahoo does the same after 13 months.

In recent months, privacy has emerged as an increasingly important issue
affecting major Internet companies. Several consumer advocacy groups,
legislators and competitors, for instance, have expressed concerns about the
privacy implications of the proposed $3.1 billion merger between Google and
the ad serving company DoubleClick, which is being reviewed by regulators in
the United States and Europe.

Last month, the Federal Trade Commission held a forum to discuss concerns
over online ads that appear based on a user's Web visits. And just last
week, the popular social networking site Facebook suffered an embarrassing
setback when it was forced to rein in an advertising plan that would have
informed users of their friends' buying activities on the Web. After more
than 50,000 of its members objected, the company apologized and said it
would allow users to turn off the feature.

In some cases, companies have argued that they are required to keep records
of search queries for some time to comply with laws in various countries.

"Those arguments are seriously undermined when their competitors erase data
immediately," said Chris Hoofnagle, a senior lawyer at the Samuelson Law,
Technology & Public Policy Clinic at the University of California, Berkeley.

Mr. Hoofnagle and other privacy advocates said they hoped AskEraser would
pressure Google and others to offer a similar feature. A Google spokesman
said the company takes privacy seriously but is not currently developing a
service to immediately discard search queries.

ccp

  • Power User
  • ***
  • Posts: 19756
    • View Profile
Our records are easily accessible
« Reply #2 on: February 23, 2008, 05:04:43 PM »
I've posted before how our records are easily accessed by many people.  As I've mentioned I know for certain our phone records, bank records, credit information, pay information, and other information as all readilly available to crooks who can easily birbe employees of various companies to snoop on us and supply them with information.  In my experience companies always deny it occurs, deny their employees don't do this, cover it up, not investigate, etc.

I have to grimace every time I hear the darn ACLU talk about how our government is invading our privacy when it is rampant in the private sector.

This is along the lines of what I have experienced for several years now:

http://news.yahoo.com/s/ap/20080223/ap_on_hi_te/snooping_workers

hague720

  • Newbie
  • *
  • Posts: 6
    • View Profile
Re: Privacy
« Reply #3 on: November 02, 2008, 08:10:28 AM »
Believe me the safest way to get away fro this is buy some old clothes fro a thrift shop, in cash , nonsequential bills , dont go near anything electronic :? , dont look up , dont buy anything with RFIDS  :evil:in them , dont use credit cards , debit cards , do online shopping , use the internet  :roll: use any energy from any of the utility companies :x dont work anywhere for a salary, fet paid cash with a false name,,,,and on and on ,,,,and on....iperpetua

Because its the only way that you will ever be free...

Cheers Thomas 8-) 8-) 8-)

Body-by-Guinness

  • Guest
Oprah's Genome?
« Reply #4 on: December 30, 2008, 12:16:50 PM »
Exposing Obama's Genome

And Oprah Winfrey's, Brad Pitts', and yours

Ronald Bailey | December 30, 2008

Cheap genome screening is becoming ever more widely available. For example, the price of a genome screening test offered by Silicon Valley startup 23andMe has dropped from $999 to $399, and it now reveals even more genetic information to customers. Let's say the price for such tests falls to the price of over-the-counter paternity tests, making it inexpensive and easy for DNA collected from anyone to be screened. Collecting DNA from suspects is a standard plot device in television shows like CSI: Miami and is a facet of real life crime solving. Investigators pick up a cigarette butt, a soft drink can, a toothpick, or a hair follicle, and have the residual DNA sequenced. All of us shed DNA and anyone could pick up our DNA and send it in for screening. But why would someone want to do that?
Imagine how many fans might be voyeuristically intrigued by the genetic details of celebrities like Oprah Winfrey or Brad Pitt. In fact, Winfrey famously had her DNA screened as part of a PBS television series, African American Lives, in an attempt to trace her African ancestry. Apparently, the results located her matrilineal ancestors among the Kpelle people of Liberia. Now, a waiter at the Table 52 restaurant in Chicago could take a water glass used by Winfrey and hand it over to an enterprising tabloid reporter for a couple of hundred bucks. The reporter could swab the lip of the glass and send in a sample of the talk show host's DNA for screening.

Given that everybody has some kind of genetic disease risks, the tabloid might later breathlessly report that Oprah is at higher risk for type 2 diabetes, age-related macular degeneration, or Crohn's disease. Based on the results of three different genetic markers related to macular degeneration, a sensational (and inaccurate) headline might read: "Oprah To Go Blind, Says Genetic Test." In fact, I am surprised that something like this hasn't already happened. Finding out this bit of titillating, but generally irrelevant, genetic information about entertainment or sports celebrities is no big deal. But what happens when the same thing is done to politicians?

University of Boston neurologist Robert Green and bioethicist George Annas recently considered the genetic privacy of politicians in an article in the New England Journal of Medicine. Both the press and voters are interested in the health of presidential candidates. Green and Annas point out that "some presidential candidates, including Franklin Roosevelt, Dwight Eisenhower, and John F. Kennedy, misled the public about their health status and that illness may have affected their ability to perform their duties." Roosevelt concealed the fact that, as a result of polio, he was a paraplegic confined to a wheel chair. Eisenhower hid the seriousness of his heart disease. Kennedy suffered from numerous debilitating ailments, most critically Addison's disease, an endocrine disease that produces fatigue and muscle weakness.

During the 2008 campaign, Sen. John McCain (R-Ariz.) allowed reporters three hours to look over nearly 1200 pages of his medical records. Democratic political activists published a full page advertisement in The New York Times calling on the 72-year-old McCain to release his medical records. The ad also hinted that the candidate might be hiding information about the possibility of a recurrence of melanoma that was surgically removed 8 years earlier. For his part, President-elect Barack Obama made available just a one-page letter attesting to his good health.

Green and Annas point out that McCain's father and grandfather died of heart attacks at 70 and 61 years of age, respectively. And Obama's grandfather died of prostate cancer at age 73. They note that current genetic screening tests can identify markers that have significant associations with heart disease and prostate cancer. Does the public have a legitimate interest in knowing if McCain has genetic markers indicating a higher risk for heart disease and that Obama has markers indicating a higher risk of prostate cancer? More problematically, some genetic markers can indicate a risk of psychiatric conditions such as bipolar disorder.

Again, it's just as easy to obtain a DNA sample from a presidential candidate as it would be to get one from a celebrity like Winfrey. Green and Annas are most worried that competing campaigns might engage in "genetic McCarthyism." That is, campaigns will seek to obtain DNA from their adversaries and then release genetic data that suggests that their opponents are somehow unhealthy. Such a tactic could be used to confuse the public because genetic information is easy to misinterpret and to misrepresent. Consequently, Green and Annas argue that "future presidential candidates should resist calls to disclose their own genetic information. We recommend that they also pledge that their campaigns will not attempt to obtain or release genomic information about their opponents." They reject the idea of making it a federal crime to sequence a candidate's DNA without consent. Oddly, Green and Annas overlook the plausible scenario in which some media organization surreptitiously obtains DNA from candidates, and then sequences it and reports the results.

Consider that the genetic risks suggested above for Oprah Winfrey are actually the results of my genetic screening test with 23andMe. The genetic screening company reports that 24 out of 100 people with my genotype will get type 2 diabetes between the ages 20 and 79. The average risk is 21.9 per 100 people. With regard to macular degeneration, 9.5 out of 100 people with my genotype will get it between the ages of 43 and 79. The average risk for people of European ethnicity is 7 out of 100. And 0.94 out 100 people with my genotype will get Crohn's disease between the ages of 20 and 79. The average risk for people of European ethnicity is 0.43 out of 100. I will save for a future article the good news that I also have a number of genetic markers that indicate lower risks for many other conditions. This is the kind of risk information that genetic screening tests will reveal. While I can think of plenty of reasons why I might not be cut out for politics, these genetic risks would not disqualify me, or anyone else, from political office.

Right now mendacious political activists and sensationalistic journalists could misrepresent and misinterpret genetic risk information. However, it is unlikely that such genetic risk information would be more toxic than claims that Obama is a secret Muslim. More and more Americans will learn about how to interpret genetic risks as genetic screening becomes routine and even more widely available in the next four to five years, making it less likely that such information can be abused. In any case, politicians, celebrities, and the rest of us should get ready for a world in which our DNA can be screened by anybody at anytime.

Ronald Bailey is reason's science correspondent. His book Liberation Biology: The Scientific and Moral Case for the Biotech Revolution is now available from Prometheus Books.

http://www.reason.com/news/show/130795.html

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 72256
    • View Profile
Is the UK still a free country?
« Reply #5 on: January 06, 2009, 10:36:55 AM »
UK - Police set to step up hacking of home PCs

--------------------------------------------------------------------------------

THE Home Office has quietly adopted a new plan to allow police across Britain routinely to hack into people’s personal computers without a warrant.

The move, which follows a decision by the European Union’s council of ministers in Brussels, has angered civil liberties groups and opposition MPs.

They described it as a sinister extension of the surveillance state which drives “a coach and horses” through privacy laws.

The hacking is known as “remote searching”. It allows police or MI5 officers who may be hundreds of miles away to examine covertly the hard drive of someone’s PC at his home, office or hotel room.

Material gathered in this way includes the content of all e-mails, web-browsing habits and instant messaging.

Under the Brussels edict, police across the EU have been given the green light to expand the implementation of a rarely used power involving warrantless intrusive surveillance of private property. The strategy will allow French, German and other EU forces to ask British officers to hack into someone’s UK computer and pass over any material gleaned.

A remote search can be granted if a senior officer says he “believes” that it is “proportionate” and necessary to prevent or detect serious crime — defined as any offence attracting a jail sentence of more than three years.

However, opposition MPs and civil liberties groups say that the broadening of such intrusive surveillance powers should be regulated by a new act of parliament and court warrants.

They point out that in contrast to the legal safeguards for searching a suspect’s home, police undertaking a remote search do not need to apply to a magistrates’ court for a warrant.

Shami Chakrabarti, director of Liberty, the human rights group, said she would challenge the legal basis of the move. “These are very intrusive powers – as intrusive as someone busting down your door and coming into your home,” she said.

“The public will want this to be controlled by new legislation and judicial authorisation. Without those safeguards it’s a devastating blow to any notion of personal privacy.”

She said the move had parallels with the warrantless police search of the House of Commons office of Damian Green, the Tory MP: “It’s like giving police the power to do a Damian Green every day but to do it without anyone even knowing you were doing it.”

Richard Clayton, a researcher at Cambridge University’s computer laboratory, said that remote searches had been possible since 1994, although they were very rare. An amendment to the Computer Misuse Act 1990 made hacking legal if it was authorised and carried out by the state.

He said the authorities could break into a suspect’s home or office and insert a “key-logging” device into an individual’s computer. This would collect and, if necessary, transmit details of all the suspect’s keystrokes.

“It’s just like putting a secret camera in someone’s living room,” he said.
Police might also send an e-mail to a suspect’s computer. The message would include an attachment that contained a virus or “malware”. If the attachment was opened, the remote search facility would be covertly activated. Alternatively, police could park outside a suspect’s home and hack into his or her hard drive using the wireless network.

Police say that such methods are necessary to investigate suspects who use cyberspace to carry out crimes. These include paedophiles, internet fraudsters, identity thieves and terrorists.

The Association of Chief Police Officers (Acpo) said such intrusive surveillance was closely regulated under the Regulation of Investigatory Powers Act. A spokesman said police were already carrying out a small number of these operations which were among 194 clandestine searches last year of people’s homes, offices and hotel bedrooms.

“To be a valid authorisation, the officer giving it must believe that when it is given it is necessary to prevent or detect serious crime and [the] action is proportionate to what it seeks to achieve,” Acpo said.

Dominic Grieve, the shadow home secretary, agreed that the development may benefit law enforcement. But he added: “The exercise of such intrusive powers raises serious privacy issues. The government must explain how they would work in practice and what safeguards will be in place to prevent abuse.”

The Home Office said it was working with other EU states to develop details of the proposals.


http://www.timesonline.co.uk/tol/new...cle5439604.ece

G M

  • Power User
  • ***
  • Posts: 26643
    • View Profile
Re: Privacy
« Reply #6 on: January 07, 2009, 04:26:25 AM »
Free, as compared to what?

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 72256
    • View Profile
Re: Privacy
« Reply #7 on: January 07, 2009, 07:08:37 AM »
Oh, I dunno, a country where the people have the right to defend themselves, including with guns; have the right to speak plainly about religious fascism; and have the right to not have the police hack in their personal correspondence and records without a warrant , , , little stuff like that.

G M

  • Power User
  • ***
  • Posts: 26643
    • View Profile
Re: Privacy
« Reply #8 on: January 07, 2009, 07:58:13 AM »
Everything exists on a continuum. The UK is less free than us, more free than most other places.

David III

  • Newbie
  • *
  • Posts: 20
    • View Profile
    • Threat-Management
Re: Privacy
« Reply #9 on: January 07, 2009, 08:14:15 AM »
Everything exists on a continuum. The UK is less free than us, more free than most other places.

I worry that we will follow the UK.

DougMacG

  • Power User
  • ***
  • Posts: 19442
    • View Profile
Individual Privacy vs. Corporate and Government Intrusion - Google etc.
« Reply #10 on: October 27, 2014, 08:14:30 AM »
Some ramblings with no good conclusion.  People on the forum show concern about privacy but it is amazing to me how most people elsewhere really don't care.  Typical reaction is, what do you have to hide? And what are you going to do about it?  Oddly, I have nothing much to hide, yet I value my privacy immensely.

Given that Google cooperates with law enforcement and NSA, corporate and government intrusions are a bit synonymous.  Who knows what other risks are out there, including hacking and security breaches, and mis-use of personal information.  The database of information being collecting is beyond comprehension.

I recently replaced my 'smartphone' with a pretty cheap but fully featured unit.  By merely signing in with Google/Gmail, it is quite amazing and temptingly helpful how much they already know about me when setting up the phone.  They know every email I've ever sent, every search I've made, every movement and every contact including the last 3 girlfriends plus a woman I only dated once.  That's handy...

Gmail is a Google product where you trade your privacy away for a free and important service with very powerful functionality.  Google search, same thing.  GPS services in your phone have that same trade off.  When you switch it off, it is still on.  But they know where you are anyway.  Android, the operating system, is a Google product, and the hardware manufacturer of my new phone, Motorola, is a Google company now too.  Google Plus replaces Skype, so I can teleconference across the ocean at no cost beyond my data plan.  It is already beyond what George Gilder envisioned decades ago with the Teleputer.  We have access to an amazing integration of services and functionality.  With zero privacy.

Add in the Apps from unknown sources and this gets mind boggling.  I have one App where I paid for the software, but otherwise they are all free.  Almost any capability you have heard of can be downloaded and installed in minutes, for free.  All they ask for in return is complete access to your EVERYTHING. 

There is a joke about free radio.  If you aren't paying for the programming, then you aren't the customer; you are the product they are selling. 

Let's say law enforcement needs a warrant for our data, and with NSA, I reluctantly favor a carefully run, macro data watch for preventing avoidable mass murders.   So what else could go wrong? 

For one thing, companies' data gets breached all the time and we are their data.  Look at Target and more recently Home Depot.  The motive for these criminal breaches is to sell your data.  When that data is only credit card info, then it is discovered when used.  What happens when that data breach is your everything?

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 72256
    • View Profile
WaPo: Apple phones hacked by NSO Spyware
« Reply #11 on: February 07, 2022, 02:59:49 AM »
Despite the hype, iPhone security no match for NSO spyware
International investigation finds 23 Apple devices that were successfully hacked

Claude Mangin, shown at her home in suburban Paris, has been waging an international campaign to win the freedom of her husband, political activist Naama Asfari, who has been jailed in Morocco for more than a decade. Her iPhone 11 was hacked last month with Pegasus spyware. (Guillaume Herbaut/Agence VU for The Washington Post)
By Craig Timberg, Reed Albergotti and Elodie Guéguen
July 19, 2021 at 7:00 a.m. EDT



The text delivered last month to the iPhone 11 of Claude Mangin, the French wife of a political activist jailed in Morocco, made no sound. It produced no image. It offered no warning of any kind as an iMessage from somebody she didn’t know delivered malware directly onto her phone — and past Apple’s security systems.

Once inside, the spyware, produced by Israel’s NSO Group and licensed to one of its government clients, went to work, according to a forensic examination of her device by Amnesty International’s Security Lab. It found that between October and June, her phone was hacked multiple times with Pegasus, NSO’s signature surveillance tool, during a time when she was in France.

Read key takeaways from the Pegasus Project
The examination was unable to reveal what was collected. But the potential was vast: Pegasus can collect emails, call records, social media posts, user passwords, contact lists, pictures, videos, sound recordings and browsing histories, according to security researchers and NSO marketing materials. The spyware can activate cameras or microphones to capture fresh images and recordings. It can listen to calls and voice mails. It can collect location logs of where a user has been and also determine where that user is now, along with data indicating whether the person is stationary or, if moving, in which direction.

And all of this can happen without a user even touching her phone or knowing she has received a mysterious message from an unfamiliar person — in Mangin’s case, a Gmail user going by the name “linakeller2203.”


These kinds of “zero-click” attacks, as they are called within the surveillance industry, can work on even the newest generations of iPhones, after years of effort in which Apple attempted to close the door against unauthorized surveillance — and built marketing campaigns on assertions that it offers better privacy and security than rivals.

Mangin’s number was on a list of more than 50,000 phone numbers from more than 50 countries that The Post and 16 other organizations reviewed. Forbidden Stories, a Paris-based journalism nonprofit, and the human rights group Amnesty International had access to the numbers and shared them with The Post and its partners, in an effort to identify who the numbers belonged to and persuade them to allow the data from their phones to be examined forensically.

For years, Mangin has been waging an international campaign to win freedom for her husband, activist Naama Asfari, a member of the Sahrawi ethnic group and advocate of independence for the Western Sahara who was jailed in 2010 and allegedly tortured by Moroccan police, drawing an international outcry and condemnation from the United Nations.

“When I was in Morocco, I knew policemen were following me everywhere,” Mangin said in a video interview conducted in early July from her home in suburban Paris. “I never imagined this could be possible in France.”

Especially not through the Apple products that she believed would make her safe from spying, she said. The same week she sat for an interview about the hacking of her iPhone 11, a second smartphone she had borrowed — an iPhone 6s — also was infected with Pegasus, a later examination showed.


Researchers have documented iPhone infections with Pegasus dozens of times in recent years, challenging Apple’s reputation for superior security when compared with its leading rivals, which run Android operating systems by Google.

The months-long investigation by The Post and its partners found more evidence to fuel that debate. Amnesty’s Security Lab examined 67 smartphones whose numbers were on the Forbidden Stories list and found forensic evidence of Pegasus infections or attempts at infections in 37. Of those, 34 were iPhones — 23 that showed signs of a successful Pegasus infection and 11 that showed signs of attempted infection.

Only three of the 15 Android phones examined showed evidence of a hacking attempt, but that was probably because Android’s logs are not comprehensive enough to store the information needed for conclusive results, Amnesty’s investigators said.

Still, the number of times Pegasus was successfully implanted on an iPhone underscores the vulnerability of even its latest models. The hacked phones included an iPhone 12 with the latest of Apple’s software updates.

In a separate assessment published Sunday, the University of Toronto’s Citizen Lab endorsed Amnesty’s methodology. Citizen Lab also noted that its previous research had found Pegasus infections on an iPhone 12 Pro Max and two iPhone SE2s, all running 14.0 or more recent versions of the iOS operating system, first released last year.

How Pegasus works
Target: Someone sends what’s known as a trap link to a smartphone that persuades the victim to tap and activate — or activates itself without any input, as in the most sophisticated “zero-click” hacks.

Infect: The spyware captures and copies the phone’s most basic functions, NSO marketing materials show, recording from the cameras and microphone and collecting location data, call logs and contacts.

Track: The implant secretly reports that information to an operative who can use it to map out sensitive details of the victim’s life.

Read more about why it’s hard to protect yourself from hacks.

Ivan Krstić, head of Apple Security Engineering and Architecture, defended his company’s security efforts.

“Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market,” he said in a statement. “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

Apple burnished its reputation for guarding user privacy during its high-profile legal fight with the FBI in 2016 over whether the company could be forced to unlock an iPhone used by one of the attackers in a San Bernardino, Calif., mass shooting the previous year. The FBI ultimately withdrew from the legal clash when it found an Australian cybersecurity firm, Azimuth Security, that could unlock the iPhone 5c without any help from Apple.

Outside researchers praise Apple for its stand — and for continuing to improve its technology with each new generation of iPhones. The company last year quietly introduced BlastDoor, a feature that seeks to prevent malware delivered through iMessages from infecting iPhones, making Pegasus-style attacks more difficult.

The investigation’s conclusions also are likely to fuel a debate about whether tech companies have done enough to shield their customers from unwanted intrusions. The vulnerability of smartphones, and their widespread adoption by journalists, diplomats, human rights activists and businesspeople around the world — as well as criminals and terrorists — has given rise to a robust industry offering commercially available hacking tools to those willing to pay.

Invisible surveillance: How spyware is secretly hacking smartphones
An investigation by a consortium of media organizations found Israeli firm NSO Group's Pegasus spyware was used to hack smartphones of journalists and others. (Jon Gerberg/The Washington Post)
NSO, for example, reported $240 million in revenue last year, and there are many other companies that offer similar spyware.

On Sunday, NSO’s chief executive, Shalev Hulio, told The Post that he was upset by the investigation’s reports that phones belonging to journalists, human rights activists and public officials had been targeted with his company’s software, even though he disputed other allegations reported by The Post and its partner news organizations. He promised an investigation. “Every allegation about misuse of the system is concerning to me,” Hulio said. “It violates the trust we are giving the customer.”

Apple is not alone in dealing with potential intrusions. The other major target of Pegasus is Google’s Android operating system, which powers smartphones by Samsung, LG and other manufacturers.

Google spokeswoman Kaylin Trychon said that Google has a threat analysis team that tracks NSO Group and other threat actors and that the company sent more than 4,000 warnings to users each month of attempted infiltrations by attackers, including government-backed ones.


She said the lack of logs that help researchers determine whether an Android device has been attacked was also a security decision.

“While we understand that persistent logs would be more helpful for forensic uses such as the ones described by Amnesty International’s researchers, they also would be helpful to attackers. We continually balance these different needs,” she said.

Advocates say the inability to prevent the hacking of smartphones threatens democracy in scores of nations by undermining newsgathering, political activity and campaigns against human rights abuses. Most nations have little or no effective regulation of the spyware industry or how its tools are used.

“If we’re not protecting them and not providing them with tools to do this dangerous work, then our societies are not going to get better,” said Adrian Shahbaz, director of technology and democracy for Freedom House, a Washington-based pro-democracy think tank. “If everyone is afraid of taking on the powerful because they fear the consequences of it, then that would be disastrous to the state of democracy.”


Apple touts security as an important feature of its products, but reports of hacks to iPhones have grown in recent years as security researchers have found evidence that attackers discovered vulnerabilities in widely used iPhone apps, particularly iMessage. (Antonio Masiello/Getty Images)
Hatice Cengiz, the fiancee of slain Washington Post contributing columnist Jamal Khashoggi, said she used an iPhone because she thought it would offer robust protection against hackers.

“Why did they say the iPhone is more safe?” Cengiz said in a June interview in Turkey, where she lives. Her iPhone was among the 23 found to have forensic evidence of successful Pegasus intrusion. The infiltration happened in the days after Khashoggi was killed in October 2018, the examination of her phone found.

NSO said in a statement that it had found no evidence that Cengiz’s phone had been targeted by Pegasus. “Our technology was not associated in any way with the heinous murder of Jamal Khashoggi,” the company said.

A head-to-head comparison of the security of Apple’s and Google’s operating systems and the devices that run them is not possible, but reports of hacks to iPhones have grown in recent years as security researchers have discovered evidence that attackers had found vulnerabilities in such widely used iPhone apps as iMessage, Apple Music, Apple Photos, FaceTime and the Safari browser.

The investigation found that iMessage — the built-in messaging app that allows seamless chatting among iPhone users — played a role in 13 of the 23 successful infiltrations of iPhones. IMessage was also the mode of attack in six of the 11 failed attempts Amnesty’s Security Lab identified through its forensic examinations.

One reason that iMessage has become a vector for attack, security researchers say, is that the app has gradually added features, which inevitably creates more potential vulnerabilities.

“They can’t make iMessage safe,” said Matthew Green, a security and cryptology professor at Johns Hopkins University. “I’m not saying it can’t be fixed, but it’s pretty bad.”


One key issue: IMessage lets strangers send iPhone users messages without any warning to or approval from the recipient, a feature that makes it easier for hackers to take the first steps toward infection without detection. Security researchers have warned about this weakness for years.

“Your iPhone, and a billion other Apple devices out-of-the-box, automatically run famously insecure software to preview iMessages, whether you trust the sender or not,” said security researcher Bill Marczak, a fellow at Citizen Lab, a research institute based at the University of Toronto’s Munk School of Global Affairs & Public Policy. “Any Computer Security 101 student could spot the flaw here.”

Google’s Project Zero, which searches for exploitable bugs across a range of technology offerings and publishes its findings publicly, reported in a series of blog posts last year on vulnerabilities to iMessage.

Post Reports: The spyware secretly hacking smartphones

The encrypted chat app Signal adopted new protections last year requiring user approval when an unfamiliar user attempts to initiate a call or text — a protection Apple has not implemented with iMessage. Users of iPhones can choose to filter unfamiliar users by activating a feature in their devices’ settings, though research for many years has shown that ordinary users of devices or apps rarely take advantage of such granular controls.

In a 2,800-word email responding to questions from The Post that Apple said could not be quoted directly, the company said that iPhones severely restrict the code that an iMessage can run on a device and that it has protections against malware arriving in this way. It said BlastDoor examines Web previews and photos for suspicious content before users can view them but did not elaborate on that process. It did not respond to a question about whether it would consider restricting messages from senders not in a person’s address book.

The Amnesty technical analysis also found evidence that NSO’s clients use commercial Internet service companies, including Amazon Web Services, to deliver Pegasus malware to targeted phones. (Amazon’s executive chairman, Jeff Bezos, owns The Post.)

Kristin Brown, a spokeswoman for Amazon Web Services, said, “When we learned of this activity, we acted quickly to shut down the relevant infrastructure and accounts.”

Hard lessons

A poster bearing photos of Mangin and Asfari in support of her appeal for her husband’s release in Morocco is displayed on the side of city hall in Ivry-sur-Seine, France, in 2018. (Elise Hardy/Gamma-Rapho/Getty Images)
The infiltration of Mangin’s iPhones underscores hard lessons about privacy in the age of smartphones: Nothing held on any device is entirely safe. Spending more for a premium smartphone does not change that fact, especially if some nation’s intelligence or law enforcement agencies want to break in. NSO reported last month that it has 60 government customers in 40 countries, meaning some nations have more than one agency with a contract.


New security measures often exact costs to consumers in terms of ease of use, speed of apps and battery life, prompting internal struggles in many technology companies over whether such performance trade-offs are worth the improved resistance to hacking that such measures provide.

One former Apple employee, who spoke on the condition of anonymity because Apple requires its employees to sign agreements prohibiting them from commenting on nearly all aspects of the company, even after they leave, said it was difficult to communicate with security researchers who reported bugs in Apple products because the company’s marketing department got in the way.

“Marketing could veto everything,” the person said. “We had a whole bunch of canned replies we would use over and over again. It was incredibly annoying and slowed everything down.”

Apple also restricts the access outside researchers have to iOS, the mobile operating system used by iPhones and iPads, in a way that makes investigation of the code more difficult and limits the ability of consumers to discover when they’ve been hacked, researchers say.


In its email response to questions from The Post, Apple said its product marketing team has a say only in some interactions between Apple employees and outside security researchers and only to ensure the company’s messaging about new products is consistent. It said it is committed to giving tools to outside security researchers and touted its Security Research Device Program, in which the company sells iPhones with special software that researchers can use to analyze iOS.

Critics — both inside and outside the company — say Apple also should be more focused on tracking the work of its most sophisticated adversaries, including NSO, to better understand the cutting-edge exploits attackers are developing. These critics say the company’s security team tends to focus more on overall security, by deploying features that thwart most attacks but may fail to stop attacks on people subject to government surveillance — a group that often includes journalists, politicians and human rights activists such as Mangin.


“When I was in Morocco, I knew policemen were following me everywhere,” Mangin said in an interview this month regarding the hacking of her iPhone. “I never imagined this could be possible in France.” (Photo by Guillaume Herbaut/Agence VU for The Washington Post)
“It’s a situation where you’re always working with an information deficit. You don’t know a whole lot about what’s out there,” said a former Apple engineer, speaking on the condition of anonymity because Apple does not permit former employees to speak publicly without company permission. “When you have a well-resourced adversary, different things are on the table.”

In its email to The Post, Apple said that in recent years it has significantly expanded its security team focused on tracking sophisticated adversaries. Apple said in the email that it is different from its competitors in that it elects not to discuss these efforts publicly, instead focusing on building new protections for its software. Overall, its security team has grown fourfold over the past five years, Apple said.

Apple’s business model relies on the annual release of new iPhones, its flagship product that generates half of its revenue. Each new device, which typically arrives with an updated operating system available to users of older devices, includes many new features — along with what security researchers call new “attack surfaces.”

Current and former Apple employees and people who work with the company say the product release schedule is harrowing, and, because there is little time to vet new products for security flaws, it leads to a proliferation of new bugs that offensive security researchers at companies like NSO Group can use to break into even the newest devices.

In its email to The Post, Apple said it uses automated tools and in-house researchers to catch the vast majority of bugs before they’re released and that it is the best in the industry.

Apple also was a relative latecomer to “bug bounties,” where companies pay independent researchers for finding and disclosing software flaws that could be used by hackers in attacks.

Krstić, Apple’s top security official, pushed for a bug bounty program that was added in 2016, but some independent researchers say they have stopped submitting bugs through the program because Apple tends to pay small rewards and the process can take months or years.

Last week, Nicolas Brunner, an iOS engineer for Swiss Federal Railways, detailed in a blog post how he submitted a bug to Apple that allowed someone to permanently track an iPhone user’s location without their knowledge. He said Apple was uncommunicative, slow to fix the bug and ultimately did not pay him.

Asked about the blog post, an Apple spokesman referred to Apple’s email in which it said its bug bounty program is the best in the industry and that it pays higher rewards than any other company. In 2021 alone, it has paid out millions of dollars to security researchers, the email said.

People familiar with Apple’s security operations say Krstić has improved the situation, but Apple’s security team remains known for keeping a low public profile, declining to make presentations at conferences such as the heavily attended Black Hat cybersecurity conference in Las Vegas each summer, where other tech companies have become fixtures.


Once a bug is reported to Apple, it’s given a color code, said former employees familiar with the process. Red means the bug is being actively exploited by attackers. Orange, the next level down, means the bug is serious but that there is no evidence it has been exploited yet. Orange bugs can take months to fix, and the engineering team, not security, decides when that happens.

Former Apple employees recounted several instances in which bugs that were not believed to be serious were exploited against customers between the time they were reported to Apple and when they were patched.

Apple said in its email that no system is perfect but that it rapidly fixes serious security vulnerabilities and continues to invest in improving its system for assessing the seriousness of bugs.

But outside security researchers say they cannot be sure how many iOS users are exploited because Apple makes it difficult for researchers to analyze the information that would point to exploits.

“I think we’re seeing the tip of the iceberg at the moment,” said Costin Raiu, director of the global research and analysis team at cybersecurity firm Kaspersky Lab. “If you open it up and give people the tools and ability to inspect phones, you have to be ready for the news cycle which will be mostly negative. It takes courage.”

Dana Priest contributed to this report.

The Pegasus Project is a collaborative investigation that involves more than 80 journalists from 17 news organizations coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab. Read more about this project.

ccp

  • Power User
  • ***
  • Posts: 19756
    • View Profile
GIS
« Reply #12 on: April 01, 2022, 05:13:48 AM »