Author Topic: The Surveillance/Omnipotent State  (Read 16570 times)

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 72319
    • View Profile
« Last Edit: October 25, 2023, 08:09:41 AM by Crafty_Dog »

G M

  • Power User
  • ***
  • Posts: 26643
    • View Profile
« Last Edit: November 12, 2021, 12:29:49 PM by Crafty_Dog »




Crafty_Dog

Search warrant of Google location data
« Reply #6 on: May 12, 2022, 05:34:16 AM »
Man pleads guilty in case testing Google location history use

ASSOCIATED PRESS

RICHMOND | A Richmond man has pleaded guilty to federal bank robbery charges in a closely watched case that tested the constitutionality of broad search warrants that use Google location history to find people who were near crime scenes.

The Richmond Times-Dispatch reports Okello Chatrie pleaded guilty Monday to armed robbery and use of a firearm in the 2019 robbery of the Call Federal Credit Union in Midlothian.

Chatrie’s lawyers argued the use of a “geofence warrant” to identify people who were near the scene of the robbery violated their constitutional protection against unreasonable searches.

Federal prosecutors argued that Chatrie had no reasonable expectation of privacy since he voluntarily opted in to Google’s Location History.

U.S. District Judge M. Hannah Lauck ruled in March that the warrant violated the Constitution by gathering the location history of people near the bank without having any evidence they had anything to do with the robbery.

Geofence warrants seek location data on every person within a specific location over a certain period of time.

“The warrant simply did not include any facts to establish probable cause to collect such broad and intrusive data from each of these individuals,” Judge Lauck wrote in her ruling.

Privacy advocates said the ruling — believed to be the first time a federal district court judge has ruled on the constitutionality of a geofence warrant — could make it more difficult for police to continue using a popular investigative technique that has helped lead them to suspects in a list of crimes around the country. Judge Lauck’s ruling did not help Chatrie because she denied his motion to suppress the evidence produced by the warrant, finding the detective had acted in good faith by consulting with prosecutors before applying for the warrant and relied on his past experience in obtaining three similar warrants.

The judge said she was not ruling on whether geofence warrants can ever satisfy the Fourth Amendment. She urged legislative action on the issue, noting there is currently no law prohibiting Google and other companies from collecting and using vast amounts of data from their customers.

In a legal brief filed in the case, Google said geofence requests jumped 1,500% from 2017 to 2018, and another 500% from 2018 to 2019.

Google now reports that geofence warrants make up more than 25% of all the warrants Google receives in the U.S., the judge wrote in her ruling.

Chatrie’s lawyers did not immediately respond to an emailed request seeking comment on his guilty plea.

Judge Lauck scheduled sentencing for Aug. 2.


DougMacG

  • Power User
  • ***
  • Posts: 19447
    • View Profile
Re: Fog Data selling location data to police
« Reply #15 on: October 15, 2022, 10:32:20 AM »
https://www.eff.org/deeplinks/2022/08/inside-fog-data-science-secretive-company-selling-mass-surveillance-local-police

We need to delete and stop using these people tracking apps.

My awareness began when a flashlight app needed permission to access my contacts and location etc.

Crafty_Dog

ET: Third Party Doctrine
« Reply #16 on: November 05, 2022, 01:40:44 PM »
How Government Makes Your Bank Spy on You
By Kevin Stocklin November 4, 2022 Updated: November 4, 2022


When you open a bank account, do you surrender all rights to your privacy and personal data?

Today, the answer is yes. The Bank Secrecy Act of 1970 (BSA) and subsequent amendments mandated that your bank must inform the federal government about any customer’s transactions that they consider suspicious, however broadly defined that may be, in the form of Suspicious Activity Reports (SARs).

How often do banks think their customers are doing something suspicious? According to the U.S. Treasury Financial Crimes Enforcement Network, there were approximately 20 million bank reports of suspicious activity in 2019.

An August report by the Cato Institute titled “Government Surveillance Doesn’t Stop at Your Bank’s Door” states that this reporting requirement doesn’t just apply to banks but also to currency exchanges, payments companies, broker-dealers, casinos, pawnbrokers, travel agencies, and car dealerships.

All of this would seem to be illegal under the U.S. Constitution; the Fourth Amendment, for example, prohibits “unreasonable search and seizure” by our government and establishes the requirement for the government to obtain a warrant and show “probable cause” of a crime. But according to Jennifer Schulp, co-author of the Cato report, one reason that government surveillance-by-proxy has been allowed by U.S. courts, including the U.S. Supreme Court, is something called the “Third Party Doctrine.”

Schulp told The Epoch Times that the Third Party Doctrine is a legal principle that “essentially removed the expectation of privacy that an individual has from information that they share with a third party, including their banks. So under current Fourth Amendment jurisprudence, the information that you give to your bank is no longer private.”

Given that it is nearly impossible to function without a bank account in America today, this effectively blurs the line between public and private surveillance. When the Third Party Doctrine was adopted in the 1960s and 1970s, the courts began to allow government to conduct warrantless searches in the interest of preventing crime.

The Cato report points out that “while the government’s interest in stopping crime is certainly an important one, the Constitution’s Fourth Amendment already balances that interest with an individual’s interest in privacy by requiring the government to obtain a warrant to access a person’s documents and information.”

Another reason the Supreme Court allowed the Bank Secrecy Act to stand was that the law as originally written was more narrowly tailored, and only required reporting of transactions over $10,000. Taking inflation into account, this would be about $75,000 today. The limits of the BSA were never adjusted up for inflation, casting a much wider net today than when the law was passed.

How Extensive Is Government Surveillance?
Since being signed off on by the Supreme Court, the law has since been expanded to include many more types of transactions and institutions. But the fact that, according to the law, banks do not tell customers that they’re being surveilled, means that there are few challenges for courts to take up in order to reconsider their verdict.

“Banks are not allowed to let individuals know that this type of report is being filed on them,” Schulp said. “So to the extent that individual citizens might have objections to their information being shared with the government in a Suspicious Activity Report, they have no way of knowing that that’s happening to them, and thus can’t really bring the legal challenge themselves.”

Even at the time of the BSA’s original passage, some justices expressed concerns that the constitution was being violated. Justice Thurgood Marshall, for example, stated that “by compelling an otherwise unwilling bank to photocopy the checks of its customers, the government has as much of a hand in seizing those checks as if it had forced a private person to break into the customer’s home or office and photocopy the checks there.”

This issue is now being raised again today not only about bank surveillance but also about tech surveillance and even tech censorship. The question is: If the government is barred from warrantless searches, can it get around this simply by getting private corporations to search Americans’ data on its behalf? Likewise, if the government is barred from censoring Americans’ speech, can it just get private tech companies to do this instead?

The extent of bank surveillance has made headlines this year, in three cases in particular. The first was a New York Post report that Bank of America had data-mined its customers’ accounts to see which customers had made purchases or traveled to Washington, D.C., around the time of the Jan. 6 riots at the Capitol. The names of customers who had done so, or who had recently bought a firearm, were handed over to the FBI for investigation. One customer was reportedly questioned by the FBI as a result, but no charges were filed.


The second case regards a decision by credit card companies—Visa, Mastercard, and American Express, in particular—to begin tracking their customers’ purchases at gun shops. The CEO of Amalgamated Bank, a progressive bank that had lobbied heavily for the tracking of gun sales, stated that “where there may be gun sales that are intended for black markets or we see patterns of gun purchases made in multiple gun shops … we can provide that information to authorities to investigate.”

Gun rights advocates were quick to criticize this action.

“They’ve created this merchant category code that if you go into a gun store and you purchase anything from that gun store, and it looks like it may be something outside the norm, then that information could be turned over to the U.S. Treasury’s Financial Crimes Enforcement Network,” Mark Oliva, public affairs director for the National Shooting Sports Foundation, told The Epoch Times. “What we’re talking about with this is a heavy-handed approach that’s going to put people who are exercising their Second Amendment rights onto a government watchlist, simply for exercising that right.”

The third case occurred in February, when Canadian banks data-mined the private accounts of truckers protesting pandemic regulations, as well as those who had donated in support of protesters via crowdfunding sites like GoFundMe and GiveSendGo. Under orders from the Canadian government, banks froze the accounts of targeted customers, blocking them from accessing their own money or making credit card payments.

“That Third Party Doctrine has come under criticism a lot over the years, by current Supreme Court justices from very different schools of thought,” Schulp said. “Justice Neil Gorsuch and Justice Sonia Sotomayor have indicated that the Third Party Doctrine needs to be revisited. So I think it’s something that the current court might look at differently than the court did in the 1970s.”


ccp

  • Power User
  • ***
  • Posts: 19768
    • View Profile
Re: The Surveillance State
« Reply #18 on: November 20, 2022, 03:17:23 PM »
I don't know if you watched Bong last night (that is what I do on a Saturday evening for excitement - a wild and crazy guy  :|)

he spent the first part of the show on this topic:

you can skim to minute 15:51:

https://www.youtube.com/watch?v=3bssk4kLS7g

Crafty_Dog

https://www.youtube.com/watch?v=kMT1bdGLxfw

Go to https://EstablishedTitles.com/lordwatson and help support the channel. They are now running a massive Black Friday sale, plus 10% off on any purchase with code LORDWATSON. Thanks to Established Titles for sponsoring this video!
« Last Edit: November 21, 2022, 04:36:42 PM by Crafty_Dog »

Crafty_Dog

Good thing they would never use this on us , , ,
« Reply #20 on: December 15, 2022, 04:05:27 PM »
https://www.defenseone.com/technology/2022/12/inside-armys-newest-spy-plane/380964/

PS:  Note that they are contracted , , , from whom?

Any chance here for the same Twitter/Public Square Dance wherein the Feds get the private sector to be their beard?

Crafty_Dog

FA: Mercenary Spyware
« Reply #21 on: December 16, 2022, 10:05:03 AM »
https://www.foreignaffairs.com/world/autocrat-in-your-iphone-mercenary-spyware-ronald-deibert?utm_medium=newsletters&utm_source=twofa&utm_campaign=How%20to%20Stop%20Chinese%20Coercion&utm_content=20221216&utm_term=FA%20This%20Week%20-%20112017

The Autocrat in Your iPhone
How Mercenary Spyware Threatens Democracy
By Ronald J. Deibert
January/February 2023

In the summer of 2020, a Rwandan plot to capture exiled opposition leader Paul Rusesabagina drew international headlines. Rusesabagina is best known as the human rights defender and U.S. Presidential Medal of Freedom recipient who sheltered more than 1,200 Hutus and Tutsis in a hotel during the 1994 Rwandan genocide. But in the decades after the genocide, he also became a prominent U.S.-based critic of Rwandan President Paul Kagame. In August 2020, during a layover in Dubai, Rusesabagina was lured under false pretenses into boarding a plane bound for Kigali, the Rwandan capital, where government authorities immediately arrested him for his affiliation with an opposition group. The following year, a Rwandan court sentenced him to 25 years in prison, drawing the condemnation of international human rights groups, the European Parliament, and the U.S. Congress.

Less noted at the time, however, was that this brazen cross-border operation may also have employed highly sophisticated digital surveillance. After Rusesabagina’s sentencing, Amnesty International and the Citizen Lab at the University of Toronto, a digital security research group I founded and direct, discovered that smartphones belonging to several of Rusesabagina’s family members who also lived abroad had been hacked by an advanced spyware program called Pegasus. Produced by the Israel-based NSO Group, Pegasus gives an operator near-total access to a target’s personal data. Forensic analysis revealed that the phone belonging to Rusesabagina’s daughter Carine Kanimba had been infected by the spyware around the time her father was kidnapped and again when she was trying to secure his release and was meeting with high-level officials in Europe and the U.S. State Department, including the U.S. special envoy for hostage affairs. NSO Group does not publicly identify its government clients and the Rwandan government has denied using Pegasus, but strong circumstantial evidence points to the Kagame regime.

In fact, the incident is only one of dozens of cases in which Pegasus or other similar spyware technology has been found on the digital devices of prominent political opposition figures, journalists, and human rights activists in many countries. Providing the ability to clandestinely infiltrate even the most up-to-date smartphones—the latest “zero click” version of the spyware can penetrate a device without any action by the user—Pegasus has become the digital surveillance tool of choice for repressive regimes around the world. It has been used against government critics in the United Arab Emirates (UAE) and pro-democracy protesters in Thailand. It has been deployed by Mohammed bin Salman’s Saudi Arabia and Viktor Orban’s Hungary.

But the use of spyware is hardly limited to the world’s authoritarians. As researchers have revealed, over the past decade many democracies, including Spain and Mexico, have begun using spyware, as well, in ways that violate well-established norms of human rights and public accountability. U.S. government documents disclosed by The New York Times in November 2022 show that the FBI not only acquired spyware services from NSO, possibly for counterintelligence purposes, but also contemplated deploying them, including on U.S. targets. (An FBI spokesperson told the Times that “there has been no operational use of the NSO product to support any FBI investigation.”)

The advent of advanced spyware has transformed the world of espionage and surveillance. Bringing together a largely unregulated industry with an invasive-by-design digital ecosystem in which smartphones and other personal devices contain the most intimate details of people’s lives, the new technology can track almost anyone, anywhere in the world. Governments have taken notice. For Israel, which approves export licenses for NSO Group’s Pegasus, the sale of spyware to foreign governments has brought new diplomatic clout in countries as disparate as India and Panama; a New York Times investigation found that NSO deals helped Israeli Prime Minister Benjamin Netanyahu seal the Abraham Accords with Bahrain, Morocco, and the UAE. In turn, client states have used Pegasus against not only opposition groups, journalists, and nongovernmental organizations (NGOs) but also geopolitical rivals. In 2020 and 2021, the Citizen Lab discovered that several devices belonging to officials in the United Kingdom’s Foreign Commonwealth and Development Office had been hacked with Pegasus, and that a client of NSO Group in the UAE had used the spyware to infiltrate a device located at 10 Downing Street, the residence of the British prime minister. In November 2021, the tech giant Apple notified 11 staff members of the U.S. embassy in Uganda that their iPhones had been hacked with Pegasus.

In response to these revelations, spyware firms have generally denied responsibility for their clients’ abuses or have declined to comment. In a statement to The New Yorker in April 2022, NSO Group said, “We have repeatedly cooperated with governmental investigations, where credible allegations merit, and have learned from each of these findings and reports and improved the safeguards in our technologies.” The Israeli company has also said that its technology is designed to help governments investigate crime and terrorism. But advanced spyware has now been implicated in human rights violations and interstate espionage in dozens of countries, and spyware companies have few legal obligations or incentives for public transparency or accountability. NSO Group has not provided any specific information to counter the Citizen Lab’s detailed evidence of abuses.

The consequences of the spyware revolution are profound. In countries with few resources, security forces can now pursue high-tech operations using off-the-shelf technology that is almost as easy to acquire as headphones from Amazon. Among democracies, the technology has become an irresistible tool that can be deployed with little oversight; in the last year alone, security agencies in at least four European countries—Greece, Hungary, Poland, and Spain—have been implicated in scandals in which state agencies have been accused of deploying spyware against journalists and political opposition figures. A global market for spyware also means that forms of surveillance and espionage that were once limited to a few major powers are now available to almost any country, and potentially to even more private firms. Left unregulated, the proliferation of this technology threatens to erode many of the institutions, processes, and values on which the liberal international order depends.

WE WILL SPY FOR YOU
The spyware revolution has emerged as a byproduct of a remarkable convergence of technological, social, and political developments over the past decade. Smartphones and other digital devices are vulnerable to surveillance because their applications often contain flaws and because they continually transmit data through insecure cellular and Internet networks. Although manufacturers of these technology platforms employ engineers to find and patch vulnerabilities, they tend to prioritize product development over security. By discovering and weaponizing “zero days”—software flaws that are unknown to their designers—spyware firms exploit the inherent insecurity of the digital consumer world.

But the extraordinary growth of the spyware market has also been driven by several broader trends. First, spyware takes advantage of a global digital culture that is shaped around always-on, always-connected smartphones. By hacking a personal device, spyware can provide its operators with a user’s entire pattern of life in real time. Second, spyware offers security agencies an elegant way to circumvent end-to-end encryption, which has become a growing barrier to government mass surveillance programs that depend on the collection of telecommunications and Internet data. By getting inside a user’s device, spyware allows its operators to read messages or listen to calls before they have been encrypted or after they have been decrypted; if the user can see it on the screen, so can the spyware. A third factor driving the industry’s growth has been the rise of digitally enabled protest movements. Popular upheavals such as the color revolutions in former Soviet states in the first decade of this century and the Arab Spring in 2010–11 took many autocrats by surprise, and the organizers often used phones to mobilize protesters. By offering an almost godlike way to get inside activist networks, spyware has opened up a powerful new method for governments to monitor dissent and take steps to neutralize it before large protests occur.

Finally, the spyware industry has also been fueled by the growing privatization of national security. Just as governments have turned to private contractors for complicated or controversial military operations, they have discovered that they can outsource surveillance and espionage to better-equipped and less visible private actors. Like soldiers of fortune, advanced spyware companies tend to put revenues ahead of ethics, selling their products without regard to the politics of their clients—giving rise to the term “mercenary spyware”—and like military contractors, their dealings with government security agencies are often cloaked in secrecy to avoid public scrutiny. Moreover, just as military contractors have offered lucrative private-sector careers for veterans of military and intelligence agencies, spyware firms and government security services have been building similarly mutually beneficial partnerships, boosting the industry in the process. Many senior members of NSO Group, for example, are veterans of Israeli intelligence, including the elite Military Intelligence Directorate.

Xenia Oliva, an investigative reporter who had her phone hacked seven times, checking her phone in San Salvador, El Salvador, January 2022
Jessica Orellana / Reuters
Although lack of transparency has made the mercenary spyware industry difficult to measure, journalists have estimated it to be worth about $12 billion per year. Before recent financial setbacks brought on by a growing number of lawsuits, NSO Group was valued at $2 billion, and there are other major players in the market. Many companies now produce sophisticated spyware, including Cytrox (founded in North Macedonia and now with operations in Hungary and Israel), Israel-based Cyberbit and Candiru, Italy-based Hacking Team (now defunct), and the Anglo-German Gamma Group. Each of these firms can hypothetically serve numerous clients. Governments that appear to have used Cytrox’s Predator spyware, for example, include Armenia, Egypt, Greece, Indonesia, Madagascar, and Serbia. In 2021, Mexico’s secretary of Security and Public Safety, Rosa Icela Rodríguez, said that previous Mexican administrations had signed multiple contracts with NSO Group, totaling $61 million, to buy Pegasus spyware, and as Mexican and international researchers have shown, the government has kept using Pegasus despite the present leadership’s public assurances that it would not. (In October 2022, Mexican President Andrés Manuel López Obrador denied the findings, stating that his administration was not using the spyware against journalists or political opponents.)

On the basis of such lucrative deals, spyware firms have enjoyed backing from major private equity funds, such as the San Francisco firm Francisco Partners and the London-based Novalpina Capital, thus bolstering their resources. Francisco Partners, which had a controlling stake in NSO Group for five years, told Bloomberg News in 2021, “[We are] deeply committed to ethical business practices, and we evaluate all our investments through that lens.” Novalpina, which together with NSO’s founders acquired Francisco Partners’ stake in 2019, said it would bring the spyware firm “in full alignment with UN guiding principles on business and human rights,” but revelations of abuses of Pegasus have continued, and correspondence published by The Guardian in 2022 indicated that Novalpina sought to discredit NSO Group’s critics, including this author. (Lawyers for Novalpina told The Guardian that these were “tenuous and unsubstantiated allegations.”) After a dispute between Novalpina’s founding partners, the firm lost its controlling stake in NSO Group in 2021.

But the spyware industry also includes far less sophisticated firms in countries such as India, the Philippines, and Cyprus. As the surveillance equivalent of strip-mall phone repair shops, such outfits may lack the ability to identify zero days, but they can still accomplish objectives through simpler means. They may use credential phishing—using false pretenses, often via email or text message, to obtain a user’s digital passwords or other sensitive personal information—or they may simply purchase software vulnerabilities from other hackers on the black market. And these smaller firms may be more willing to undertake illegal operations on behalf of private clients because they are located outside the jurisdiction in which a victim resides or because enforcement is lax.

It is hard to overestimate the reach and power of the latest commercial spyware. In its most advanced forms, it can silently infiltrate any vulnerable device anywhere in the world. Take the zero-day, zero-click exploit that Citizen Lab researchers discovered in 2021 on a Pegasus-infected iPhone. Using the exploit, which researchers called ForcedEntry, a spyware operator can surreptitiously intercept texts and phone calls, including those encrypted by apps such as Signal or WhatsApp; turn on the user’s microphone and camera; track movements through a device’s GPS; and gather photos, notes, contacts, emails, and documents. The operator can do almost anything a user can do and more, including reconfigure the device’s security settings and acquire the digital tokens that are used to securely access cloud accounts so that surveillance on a target can continue even after the exploit has been removed from a device—all without the target’s awareness. After the Citizen Lab shared Pegasus’s ForcedEntry with analysts at Apple and Google, Google’s analysts described it as “one of the most technically sophisticated exploits we’ve ever seen,” noting that it provided capabilities that were “previously thought to be accessible to only a handful of nation states.”

SHOOTING THE MESSENGERS
Over the past decade, the rise of authoritarian regimes in many parts of the world has raised new questions about the durability of the liberal international order. As has been widely noted, many ruling elites have been able to slide toward authoritarianism by limiting or controlling political dissent, the media, the courts, and other institutions of civil society. Yet far less attention has been paid to the pervasive role of the mercenary spyware industry in this process. This neglect is partly the result of how little we know about spyware, including, in many cases, the identity of the specific government agencies that are using it. (Given the secretive nature of spyware transactions, it is far easier to identify victims than operators.) There is little doubt, however, that spyware has been used to systematically degrade liberal democratic practices and institutions.

One of the technology’s most frequent uses has been to infiltrate opposition movements, particularly in the run-up to elections. Researchers have identified cases in which opposition figures have been targeted, not only in authoritarian states such as Saudi Arabia and the UAE but also in democratic countries such as India and Poland. Indeed, one of the most egregious cases arose in Spain, a parliamentary democracy and European Union member. Between 2017 and 2020, the Citizen Lab discovered, Pegasus was used to eavesdrop on a large cross section of Catalan civil society and government. The targets included every Catalan member of the European Parliament who supported independence for Catalonia, every Catalan president since 2010, and many members of Catalan legislative bodies, including multiple presidents of the Catalan parliament. Notably, some of the targeting took place amid sensitive negotiations between the Catalan and Spanish governments over the fate of Catalan independence supporters who were either imprisoned or in exile. After the findings drew international attention, Paz Esteban, the head of Spain’s National Intelligence Center, acknowledged to Spanish lawmakers that spyware had been used against some Catalan politicians, and Esteban was subsequently fired. But it is still unclear which government agency was responsible, and which laws, if any, were used to justify such an extensive domestic spying operation.

In some countries, spyware has proved equally effective against journalists who are investigating those in power, with far-reaching consequences for both the targets and their sources. In 2015, several devices belonging to Mexican journalist Carmen Aristegui and a member of her family were sent Pegasus exploit links while she was investigating corruption involving then Mexican President Enrique Peña Nieto. There is no smoking gun that identifies the responsible party, though strong circumstantial evidence suggests a Mexican government agency. In 2021, a Hungarian journalist investigating corruption in President Viktor Orban’s inner circle was hacked with Pegasus. (The Hungarian government subsequently acknowledged that it had purchased the technology.) And that same year, the cellphone of New York Times Middle East correspondent Ben Hubbard was infected with Pegasus while he was working on a book about Saudi Arabia’s de facto leader, Crown Prince Mohammed bin Salman.

Almost as frequently, spyware has been used to undermine judicial officials and civil society organizations that are trying to hold governments to account. Take the case of Alberto Nisman, a well-known Argentine anticorruption prosecutor who was investigating an alleged criminal conspiracy by high-level Argentine officials. In January 2015, Nisman was found dead in suspicious circumstances—his death was later ruled a homicide—the day before he was to provide testimony to Congress implicating then president of Argentina Cristina Fernández de Kirchner and her foreign minister, Héctor Timerman, in a cover-up of alleged Iranian involvement in the 1994 bombing of a Jewish center in Buenos Aires. Later that year, the Citizen Lab documented how a South American hack-for-hire group had been contracted to target Nisman with spyware before his death, suggesting that someone in power was keen to peer into his investigations. In Mexico in 2017, a still unknown government agency or agencies used Pegasus spyware against human rights groups and international investigators that were tracking down potential government cover-ups of the notorious disappearance and gruesome murder of 43 students in Iguala, Mexico. Subsequent reports showed that the Mexican government had badly botched the investigations and that government personnel were implicated in a cover-up—findings that might never have come to light without the efforts of civil society watchdogs.

Other common Pegasus targets are lawyers involved with prominent or politically sensitive cases. In most liberal democracies, attorney-client privilege is sacrosanct. Yet the Citizen Lab has identified a variety of cases in which spyware has been used to hack or target lawyers’ devices. In 2015, the tactic was used against two lawyers in Mexico who were representing the families of Nadia Vera, a slain government critic and women’s rights advocate. More recently, multiple lawyers representing prominent Catalans were targeted as part of the Spanish surveillance campaign. And in Poland, Pegasus spyware was used several times to hack the device of Roman Giertych, legal counsel to Donald Tusk, a former prime minister and the leader of the country’s main opposition party. (In early 2022, Polish Deputy Prime Minister Jaroslaw Kaczynski publicly acknowledged that the government had bought Pegasus spyware but denied that it had been used against the Polish opposition.)

As the availability of spyware grows, private-sector clients are also getting in on the act. Consider the activities of BellTroX, an Indian hack-for-hire company responsible for extensive espionage on behalf of private clients worldwide. Between 2015 and 2017, someone used BellTroX’s services against American nonprofits that were working to publicize revelations that the oil company ExxonMobil had hidden its research about climate change for decades. BellTroX has also been used to target U.S. organizations working on net neutrality, presumably at the behest of a different client or clients that were opposed to that reform. BellTroX also has a burgeoning business in the legal world; law firms in many countries have used the company’s services to spy on opposing counsel. In April 2022, an Israeli private detective who acted as a broker for BellTroX pleaded guilty in U.S. court to wire fraud, conspiracy to commit hacking, and aggravated identity theft, but BellTroX’s India-based operators have remained out of reach of the law. (Asked by Reuters in 2020 to respond to the findings, the company’s founder, Sumit Gupta, denied any wrongdoing and declined to disclose his clients.)

NOWHERE TO HIDE
The proliferating use of spyware against political and civil society targets in advanced democracies is concerning enough. Even more threatening, however, may be the ways in which the technology has allowed authoritarian regimes to extend their repression far beyond their own borders. In past decades, autocrats faced significant barriers to repressing citizens who had gone into exile. With spyware, however, an operator can get inside a political exile’s entire network without setting foot inside the target’s adopted country, and with very few of the risks and costs associated with conventional international espionage.

Examples of this new form of transnational repression are manifold. Beginning in 2016, Cyberbit was used to target Ethiopian dissidents, lawyers, students, and others in nearly 20 countries. In 2021, the phones of two prominent Egyptians—exiled opposition politician Ayman Nour, who has been living in Turkey, and the host of a popular news program (who has asked to remain anonymous for his own safety)—were hacked with Cytrox’s Predator spyware. In fact, the phone of Nour, who is an outspoken critic of Egyptian President Abdel Fattah el-Sisi, was simultaneously infected with both Predator and NSO Group’s Pegasus spyware, each apparently operated by separate government clients—Egypt in the case of Predator and either Saudi Arabia or the UAE in the case of Pegasus. In a statement to Vice News, Cyberbit said that the Israeli government oversees its technology and that “the intelligence and defense agencies that purchase these products are obligated to use them in accordance with the law.” In the Egyptian hacking case, Cytrox’s CEO, Ivo Malinkovski, declined to comment; according to VICE news, he subsequently deleted references to Cytrox in his LinkedIn profile. (The governments of Egypt, Ethiopia, Saudi Arabia, and the UAE have declined to comment about the findings.)

Especially far-reaching has been the Saudi government’s transnational spyware campaign. In 2018, a phone belonging to Ghanem al-Masarir, a Saudi dissident living in the United Kingdom, was hacked with Pegasus spyware. Coinciding with the infection of his device, al-Masarir was tracked down and physically assaulted by Saudi agents in London. Spyware may have also played a part in the notorious killing of the exiled Saudi journalist Jamal Khashoggi in the Saudi consulate in Turkey. In 2018, a phone owned by Omar Abdulaziz—a Saudi activist, Canadian permanent resident, and close confidant of Khashoggi—was hacked with Pegasus spyware. Abdulaziz and Khashoggi had been discussing their activism against the Saudi regime over what they mistakenly assumed were secure communications platforms. After Khashoggi’s killing, forensic analysis revealed that the devices of several other people closest to Khashoggi, including his Egyptian wife and his Turkish fiancée, had also been infected. To what extent Khashoggi’s own phones were hacked is not known because his fiancée turned them over to Turkish authorities, who have withheld them from independent analysis, but his closest contacts were all under surveillance, providing Saudi agents with windows into Khashoggi’s personal life, political activism, and movements in the months leading up to his murder. (The Saudi government has declined to comment on the revelations. In 2021, NSO Group told The Guardian, “Our technology was not associated in any way with the heinous murder of Jamal Khashoggi.”)

A man reading at a stand for NSO Group Technologies at the European Police Congress in Berlin, February 2020
Hannibal Hanschke / Reuters
In fact, targeting regime critics abroad with spyware is only one of several ways the Saudi government has employed digital technology to neutralize dissent. For example, according to a U.S. federal indictment, a top adviser to Saudi Crown Prince Mohammed bin Salman paid a Twitter employee $300,000 and provided other gifts in 2014 and 2015, apparently in exchange for spying on dissidents on the platform. The employee, who left Twitter in 2015, was convicted in U.S. court in 2022. When such tactics are used in combination with the type of highly intrusive surveillance that spyware represents, dissidents can come under extraordinary psychological pressure. Many victims of hacking have experienced debilitating shock knowing that their compromised devices have also put friends and associates at risk and that their every move is being watched. One female Saudi activist explained that being digitally targeted was a form of “psychological and emotional war” that caused her “endless fear and anxiety.” By using spyware, autocrats and despots are thus able to clamp down on civil society networks well beyond their own borders even as they strengthen autocracy at home.

Despite a large and growing body of documentation about spyware abuses around the world, there are several reasons that the technology seems likely to become even more widespread. First, although much scrutiny of mercenary spyware firms has concerned their contracts with national government agencies, many firms market to more than one client in a given country, including local law enforcement. For example, in a fact-finding trip to Israel in the summer of 2022, officials for the European Parliament learned that NSO Group has at least 22 clients in 12 European countries, suggesting that a significant number of these clients are subnational agencies. Such deals raise further questions about accountability, given that research has shown that local law enforcement agencies are often more susceptible to abuses, such as racial profiling or corruption, and tend to have poor transparency and insufficient oversight.

Second, although some mercenary spyware firms such as NSO Group claim that they deal only with government clients, there is little to prevent them from selling their technology to private firms or corrupt individuals. Evidence suggests that some already do: in July 2022, Microsoft’s Threat Intelligence Center issued a report on an Austria-based spyware and hack-for-hire firm called DSIRF that had targeted individuals in banks, law firms, and consultancies in several countries. Though Microsoft did not specify what type of clients hired DSIRF, the firm advertises “due diligence” services to businesses, implying that these hacking operations were undertaken on behalf of private clients. When Reuters asked DSIRF about the Microsoft report, the company declined to comment. Although it is illegal if done without a warrant, such private-sector hacking is less likely to be deterred when hackers’ firms are located outside the jurisdiction in which the targeting occurs. As protections for privacy rights, freedom of the press, and independent courts come increasingly under threat in many countries, it will likely become even easier for corrupt firms or oligarchs to deploy mercenary spyware without accountability.

Third, spyware has become a central component of a broader menu of surveillance tools, such as location tracking and biometric identification, used by many government security agencies. The more that spyware is incorporated into everyday intelligence gathering and policing, the harder it will be to rein it in. More ominously, spyware may soon acquire even more invasive capabilities by exploiting wearable applications, such as biomedical monitors, emotional detection technology, and Internet-connected neural networks currently in development. Already, many digital applications aim to drill deeper into the subliminal or the unconscious aspects of users’ behavior and gather data on their health and physiology. It is no longer science fiction to envision spyware that might use covert access to these data about our biological or cognitive systems to monitor and even manipulate a victim’s behavior and overall well-being.

RESTRAINING ORDERS
For nearly a decade, the mercenary spyware industry has been able to expand its reach across the globe largely without regulation or accountability. But that is a choice governments have made, not an inevitable outcome that must simply be accepted. As civil society watchdogs and journalists have brought to light flagrant abuses, it has become more difficult for major spyware vendors and government clients to hide their operations. In Europe and the United States, committees have held hearings on spyware, and government agencies have begun to develop new policies to limit its use. Notably, the U.S. Commerce Department has placed NSO Group, Candiru, and other hack-for-hire firms on an export restriction list, limiting their access to U.S. products and technology and sending a strong signal to potential investors that spyware companies are under growing scrutiny. Technology platforms have also taken action. Meta (the parent company of Facebook) and Apple have sued NSO Group in U.S. courts, notified victims of spyware infections, and worked to support civil society watchdogs. Apple has also donated $10 million to cybersurveillance research and has pledged to do likewise with any damages awarded from its lawsuit against NSO Group.

But curbing the global spread of mercenary spyware will require a comprehensive approach. To begin with, companies need to devote far more resources to identifying and rooting out spyware and ensuring that their services are properly secured against exploitation. WhatsApp and Apple have already shown how to alert victims when spyware is detected and hold spyware vendors such as NSO Group legally responsible for violations of their terms of service and other legal offenses. Whether through a shift in business culture, or more likely through stronger government regulations, technology platforms should also put more emphasis on security and scale back the relentless quest to vacuum up user data. In turn, the forensic investigations of the Citizen Lab, Amnesty International, journalists, and others will need to be broadened and supplemented by other organizations doing similar work, whether at NGOs, universities, or investigative news organizations. Digital forensic science and digital accountability should be recognized as a formal research discipline that can monitor spyware activity, assist victims and targets, and keep pressure on governments and corporations to be more transparent and accountable for their actions. For such a field to emerge, many years of public, private, and philanthropic support will be needed.

Oliva at the office of GatoEncerrado, an investigative news outlet, in San Salvador, El Salvador, January 2022
Jessica Orellana / Reuters
Ultimately, governments themselves will need to adopt a robust regulatory framework for spyware use. Regulating the industry will likely require the enactment of a complex set of rules that address various aspects of the spyware market. For example, domestic-based spyware companies could be required to make regular public disclosures about their exports, and, in turn, government agencies could be required to report from whom and where they are importing spyware. Export rules need to be strengthened to prevent the sale of spyware to governments or other clients that are likely to use them in violation of international human rights law. Clear rules and standards of oversight for the use of spyware are also necessary. Specific legislation addressing the zero-day market will likely also be needed, although it will have to be carefully crafted so that legitimate security research is not hindered. Governments could also pass legislation giving victims of spyware the right to sue both foreign governments and spyware vendors for harms caused by espionage.

Such efforts could be reinforced at an international level through the development of a global spyware control regime. Military activities, for example, have long been subject to international oversight through such mechanisms as the UN’s Register of Conventional Arms and the policies that have been put in place relating to standards for private military and security contractors or the banning of land mines. A similar process could lead to the international regulation of spyware, including requirements for transparency and reporting about its use. These existing models, however, suggest that success will require the buy-in of a significant number of countries, and more pressure is needed to persuade governments and world leaders that mercenary spyware poses a serious and growing threat to international security and the liberal international order.

No doubt, authoritarian governments and security agencies that currently benefit from spyware will seek to obstruct such regulation, but the growing risks to national security of an unregulated market may prompt a more sober assessment. In November 2022, Sir Jeremy Fleming, a top British intelligence official, warned that the proliferating use of mercenary spyware and “hackers for hire” by countries and malefactors “will increase the future threat to UK cybersecurity.” Should the use of mercenary spyware continue to grow unchecked, the risks for democracy will become acute. If elites in any country can use this technology to neutralize legitimate political opposition on any point on earth, silence dissent through targeted espionage, undermine independent journalism, and erode public accountability with impunity, then the values on which the liberal international order is built may soon be no more secure than the passwords on our phones.

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 72319
    • View Profile
2015: Some interesting discussion of NSA trying to outsource 4A violations
« Reply #22 on: December 17, 2022, 01:15:37 PM »
https://www.eff.org/deeplinks/2015/08/was-nsa-trying-outsource-responsibilty-its-fourth-amendment-violations?fbclid=IwAR0Kba4Ht7uvDaEsS_r51dDY64bnwVjZaUfPaJKYgKcYLDeBB7jbvGmWS88

Was the NSA Trying to Outsource Responsibility for Its Fourth Amendment Violations?
LEGAL ANALYSIS BY CINDY COHN, AUGUST 16, 2015
We're still sifting through the documents released as part of the recent bombshells in the press discussing AT&T's "extreme willingness to help" the NSA in its mass spying programs. One area where the new documents add detail is the division of labor between AT&T and the NSA—according to the New York Times, at times "telecoms have done the sifting and forwarded messages the government believes it may legally collect." To some, including Lawfare's Timothy Edgar, this new information somewhat contradicts claims that critics have been making for years that the NSA has direct access to all the data transiting the Internet backbone. We disagree that this is what the documents actually show: for instance there's the SSO Unilateral tap shown on page 39 of the slides that has the NSA tapping right into the backbone cables.

Regardless, we do agree with Mr. Edgar that the reason this story is important is because the government continues to try to kill litigation like EFF's Jewel v. NSA on behalf of AT&T's customers by claiming that the involvement of AT&T is a state secret. Edgar notes, "the government bears much blame, as it continues to maintain the pretense such banal facts can or should be kept secret. Perhaps there could be a new marking – “still officially classified but blindingly obvious” – to cover situations like this."

But even if AT&T is doing some of the surveillance itself and handing what it finds over to the government, it doesn't absolve the NSA of legal responsibility for the surveillance acts done by AT&T.

First some law: the Fourth Amendment applies whenever a "private party acts as an ‘instrument or agent’ of the government." This rule is clear. In the Ninth Circuit, where our Jewel v. NSA case against mass spying is pending, it has been held to apply when an employee opens someone's package being shipped in order to obtain a DEA reward (US v. Walther), when a hotel employee conducts a search while the police watch (US v. Reed), and when an airline conducts a search under a program designed by the FAA (United States v. Davis), among others.

The concept behind this rule is straightforward: the government cannot simply outsource its seizures and searches to a private party and thereby avoid protecting our constitutional rights.  It seems that the NSA may have been trying to do just that. But it won't work.

Saturday's stories about AT&T's cozy relationship with the NSA confirm that, for purposes of tapping into the Internet backbone, AT&T was acting as the agent of the government. For its part, AT&T denied that it engaged in any surveillance voluntarily, noting: "We do not voluntarily provide information to any investigating authorities other than if a person's life is in danger and time is of the essence."  So AT&T is certainly not claiming that it acted on its own agenda. This is consistent with the funding numbers -- $188 million in 2011 and $232 million in 2010 (page 26 of the NYT release).

As the legal cases cited above explain, this means that the Fourth Amendment violations caused by the surveillance rest with the NSA regardless of who actually did the technical work of spying. The slides disclosed by the New York Times make this very clear, showing that the NSA viewed these structures as a coherent whole. For instance, while the Fairview (aka AT&T) Dataflow Diagrams on pages 47-53 of the NYT release indicate that some of the spying was "partner controlled" (marked in orange) and some "NSA controlled" (marked in yellow), both pieces are part of the NSA's overall collection and analysis schemes:



The slides even helpfully explain why in a bullet point on page 5:




We're not sure what the "legal authorities" reference means, but to the extent the NSA thought it could escape responsibility by getting AT&T to do its dirty work, that's a dodge that has been tried before. And it won't work.
« Last Edit: December 17, 2022, 01:23:15 PM by Crafty_Dog »

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 72319
    • View Profile
Jordan Peterson
« Reply #23 on: December 18, 2022, 06:56:01 AM »

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 72319
    • View Profile
Deep Fakes
« Reply #24 on: December 21, 2022, 06:38:51 PM »
https://www.youtube.com/watch?v=WQwMFx0rSW8

This man and I move in the same circles.  Army background. He regularly appears on survival TV shows as an expert and has a martial arts school up the road from me. 


Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 72319
    • View Profile
Surveillance via your phone
« Reply #26 on: December 24, 2022, 08:39:10 AM »
Recommended by Frankie McRae

https://www.youtube.com/watch?v=FNesDitYqnY

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 72319
    • View Profile
Fog Data Science selling mass surveillance to police
« Reply #27 on: December 26, 2022, 09:00:18 AM »

https://www.eff.org/deeplinks/2022/08/inside-fog-data-science-secretive-company-selling-mass-surveillance-local-police

Inside Fog Data Science, the Secretive Company Selling Mass Surveillance to Local Police
BY BENNETT CYPHERS, AUGUST 31, 2022
An animated image showing location pins dropping onto a street map from above, tracing several paths
This article is part of EFF’s investigation of location data brokers and Fog Data Science. Be sure to check out our issue page on Location Data Brokers.

A data broker has been selling raw location data about individual people to federal, state, and local law enforcement agencies, EFF has learned. This personal data isn’t gathered from cell phone towers or tech giants like Google — it’s obtained by the broker via thousands of different apps on Android and iOS app stores as part of the larger location data marketplace.

The company, Fog Data Science, has claimed in marketing materials that it has “billions” of data points about “over 250 million” devices and that its data can be used to learn about where its subjects work, live, and associate. Fog sells access to this data via a web application, called Fog Reveal, that lets customers point and click to access detailed histories of regular people’s lives. This panoptic surveillance apparatus is offered to state highway patrols, local police departments, and county sheriffs across the country for less than $10,000 per year.

The records received by EFF indicate that Fog has past or ongoing contractual relationships with at least 18 local, state, and federal law enforcement clients; several other agencies took advantage of free trials of Fog’s service. EFF learned about Fog after filing more than 100 public records requests over several months for documents pertaining to government relationships with location data brokers. EFF also shared these records with The Associated Press.

Troublingly, those records show that Fog and some law enforcement did not believe Fog’s surveillance implicated people’s Fourth Amendment rights and required authorities to get a warrant.

In this post, we use public records to describe how Fog’s service works, where its data comes from, who is behind the company, and why the service threatens people’s privacy and safety. In a subsequent post, we will dive deeper into how it is used by law enforcement around the country and explore the legal issues with its business model.

How does the service work?
In materials provided to law enforcement, Fog states that it has access to a “near real-time” database of billions of geolocation signals derived from smartphones. It sells subscriptions to a service, which the company usually billed as “Fog Reveal,” that lets law enforcement look up location data in its database through a website. The smartphone signals in Fog’s database include latitude, longitude, timestamp, and a device ID. The company can access historical data reaching back to at least June 2017.

Fog’s materials describe how users can run two different queries:

  • “Area searches”: This feature allows law enforcement to draw one or more shapes on a map and specify a time range they would like to search. The service will show a list of all cell-phone location signals (including location, time, and device ID) within the specified area(s) during that time. The records EFF obtained do not say how large an area Fog’s Area searches are capable of covering with a single query.
  • “Device searches”: Law enforcement can specify one or more devices they’ve identified and a time range, and Fog Reveal will return a list of location signals associated with each device. Fog’s materials describe this capability as providing a person’s “pattern of life,” which allows authorities to identify “bed downs,” presumably meaning where people sleep, and “other locations of interest.” In other words, Fog’s service allows police to track people’s movements over long periods of time.

Fog Reveal is typically licensed for a year at a time, and records show that over time the company has charged police agencies between $6,000 - $9,000 a year. That basic service tier typically includes 100 queries per month, though Fog sells additional monthly query allocations for an additional fee. For example, in 2019, the California Highway Patrol paid $7,500 for a year of access to Reveal plus $2,400 for 500 more queries per month.

Fog states that it does not collect personally identifying information (for example, names or email addresses). But Fog allows police to track the location of a device over long stretches of time — several months with a single query — and Fog touts the use of its service for “pattern of life” analyses that reveal where the device owner sleeps, works, studies, worships, and associates. This can tie an “anonymous” device to a specific, named individual.

Together, the “area search” and the “device search” functions allow surveillance that is both broad and specific. An area search can be used to gather device IDs for everyone in an area, and device searches can be used to learn where those people live and work. As a result, using Fog Reveal, police can execute searches that are functionally equivalent to the geofence warrants that are commonly served to Google.

This service could be used to determine who was near the scene of a violent crime around the time it was committed. It also could be used to search for visitors to a Planned Parenthood or an immigration law office on a specific day or everyone who attended a protest against police violence.


Image from Fog’s marketing brochure, sent to North Dakota and Chino, CA, which appears to show a single location signal as viewed with Fog’s service.

The basics of Fog’s services are laid out in a marketing brochure which was sent to several prospective customers. The brochure explains that Fog’s “unique, proprietary and patented data platform” processes data from “hundreds of millions of mobile devices” and can deliver “both forensic and predictive analytics and near real-time insights on the daily movements of the people identified with those mobile devices[.]” The materials state that Fog’s collection of people’s location data is “100% Opt-in. All users opt-in to location data collection,” though as we will discuss later, this claim is hard to take at face value.

At the core of Fog’s pitch is a series of claims about the breadth and depth of its location data. It claims to process over 250 million devices per month within the United States. (There are an estimated 301 million mobile devices nationally). According to Fog, these devices generate 15 billion signals per day, or over 5 trillion per year.

 


Excerpt from Fog’s marketing brochure describing the properties of its dataset

EFF could not verify Fog’s claims. But there is reason to be skeptical: Thanks to the nature of its data sources, it’s likely that Fog can only access location data from users while they have apps open, or from a subset of users who have granted background location access to certain third-party apps. Public records indicate that some devices average several hundred pings per day in the dataset, while others are seen just a few times a day. Users who do not install many third-party apps, or who have opted out of tracking via Apple’s App Tracking Transparency (ATT), may not be present in the dataset at all.

Additionally, the records EFF reviewed show that several of the agencies that worked with Fog have since canceled their subscriptions, and at least one said they were not sure if they ever used Fog to successfully solve a case. Those potential shortcomings are not a reason to underestimate Fog’s invasiveness or its capability for unfettered dragnet monitoring. But it’s important to understand its limits. Fog's data may be patchy and incomplete, with data about some people some of the time. But if we take Fog’s claims at face value, it would mean that the company collects the location data of a majority of people in the United States on a monthly basis. This means Fog may have limits in its ability to locate any given person at a specific moment in time. But Fog’s service may still be capable of identifying a significant portion of the hundreds of attendees at a protest or other sensitive location.



The brochure gives some insight into how Fog intends for its service to be used. It lists a series of “use cases” from the dramatic (“Human Trafficking,” “Terrorism Investigations,” “Counter-Intelligence”) to the more mundane (“Drug Investigations,” “Soft Target Protection”). It seems to be aimed at both local law enforcement and at intelligence/homeland security agencies.

The language used in the document often invokes terms used by intelligence agencies. For example, a core advertised feature is the ability to run a “pattern of life analysis,” which is what intelligence analysts call a profile of an individual’s habits based on long-term behavioral data. Fog Reveal is also “ideal for tipping and cueing,” which means using low-resolution, dragnet surveillance to decide where to perform more targeted, high-resolution monitoring. The brochure also includes a screenshot of Fog Reveal being used to monitor “a location at the US/Mexico border,” and an alternate version of the brochure listed “Border Security/Tracking” as a possible use case. As we will discuss in our next post, records show that Fog has worked with multiple DHS-affiliated fusion centers, where local and federal law enforcement agencies share resources and data.

In other materials, Fog emphasizes the convenience of its service. An email titled “Solve crimes faster: Here’s how” reads:

Find strong leads at your desk in minutes. Just type in a location, date and time, then watch app signals disclose what mobile devices were present at the crime scene. We’d love to help your department save time and money too. Let’s schedule a 10-minute demo next week.

Fog’s Reveal customers are given direct access to raw location data, which can be exported from the web portal into portable formats for processing elsewhere. Fog emphasizes that its license permits “processing, analysis, and sub-licensing of location data,” potentially allowing law enforcement to share the data with private contractors. Fog routinely encouraged law enforcement agencies to share one license among multiple users, and some customers used Fog to run queries on behalf of other law enforcement agencies on request.



Fog claims that it only sells its Reveal service to law enforcement agencies. But Fog’s materials also advertise “out-sourced analytic services” for non law enforcement customers, including “private sector security clients.” An email exchange between Fog and Iowa police appears to corroborate this policy: Fog says it will not grant private companies direct access to its database, but it will perform analysis on behalf of “law firms and investigative firms.” According to a brochure, this analysis may include:

Verifiable presence at a location on a specific date and time
Likely locations for residences, places of business and frequent activities
Links to other individuals, places and devices
Patterns of activity correlating to certain events, times or alibis
In other words, Fog advertises that it can use its data to surveil the private lives of individuals on behalf of private companies. The records EFF has obtained do not provide any details about specific relationships Fog has with any private-sector clients.

Where does the data come from?
The kind of data that Fog sells to law enforcement originates from third-party apps on smartphones. Apps that have permission to collect a user’s location can share that data with third-party advertisers or data brokers in exchange for extra ad revenue or direct payouts. Downstream, data brokers collect data from many different apps, then link the different data streams to individual devices using advertising identifiers. Data brokers often sell to other data brokers, obfuscating the sources of their data and the terms on which it was collected. Eventually, huge quantities of data can end up in the hands of actors with the power of state violence: police, intelligence agencies, and the military.

Over the past few years, journalists have uncovered several links between private brokers of app-derived location data and the US government. Babel Street, best known for its open-source intelligence (OSINT) tools for analyzing social media and the like, sells location data as part of a secret add-on service called “Locate X.” Venntel, a subsidiary of marketing data company Gravy Analytics, has sold raw location data to several different US agencies, including ICE, Customs and Border Protection (CBP), and the FBI. And broker X-Mode paid app developers around 3 cents per user per month for access to location data, then sold it directly to defense contractors.

Enter Fog Data Science. Like the other companies, Fog buys data from the private market and packages it for use by law enforcement. Unlike most others, Fog seems to target smaller agencies. Venntel has sold a year’s worth of data to the Department of Homeland Security for more than $650,000; meanwhile, Fog sold its service to the sheriff of Washington County, OH, for $9,000 a year. While Venntel, Babel Street, and Anomaly 6 have made headlines for dealings with three-letter federal agencies, public records show that Fog appears to have targeted its business at local, regional, and state law enforcement. That is, Fog sells its services to police agencies that most Americans are far more likely to interact with than federal law enforcement. The records received by EFF confirm past or ongoing contractual relationships with at least 18 state and local law enforcement clients; several other agencies took advantage of free trials of Fog’s service. Notes from one agency’s meeting with Fog state that the company works with “50-60” agencies nationwide.

So where, exactly, does Fog’s data come from? The short answer is that we don’t know for sure. Several records explain that Fog’s data is sourced from apps on smart phones and tied to mobile advertising identifiers, and one agency relayed that Fog gathers data from “over 700 apps.” Fog officials have referred to a single “data provider” in emails and messages within Fog Reveal. One such message explained that the data provider “works with multiple sources to ensure adequate worldwide coverage,” and that a “newly added source” was causing technical issues.

But when asked about which apps or companies originate its data, Fog has demurred. Some answers implied that Fog itself might not know. In July 2020, Mark Massop responded to a point-blank question from the Chino police that “Our data provider protects the sources of data that they purchase from.” Massop did say that at least two sources were not included in Fog’s dataset: Twitter and Facebook. Separately, a Santa Clara County attorney wrote that Fog gets information from “lots of smaller apps,” but not Google or Facebook.

Another document, shared in 2019 with the city of Anaheim, CA, says that Fog’s portal uses “unstructured geo-spatial data emanating from open apps (Starbucks, Waze, etc.)” It’s unclear whether this means that Fog actually receives data from the apps listed, or whether Starbucks and Waze are simply examples of “open apps” that could be sharing data. On Android, both Starbucks and Waze (which is owned by Google) have access to location permissions, and both apps use third-party advertising or analytics services. Waze was also mentioned in a presentation about Fog’s capabilities to the Greensboro, NC police, according to Davin Hall, a former data analyst for the department interviewed by EFF. Per Hall, “Waze got brought up a lot” in the context of apps that could share data with Fog. “It got mentioned because it was a common one for people to have up while they were driving around, so it would be pinging regularly so that you could see the movement of the device actively,” he said.

The document further claims that Fog’s competitors all buy their data from a single source, and that Fog has a unique and privileged relationship as an “associate” of that source.

[The use of app-based location data] for Law Enforcement and Intelligence Analysis purposes is limited to only a few carriers. Currently, these carriers purchase their source of data from an associate company of FOG Data Science. As non-associates, they are charged a much higher premium to purchase the data, thereby forcing higher prices for their products. […]

Additionally, [FOG’s] direct access to, and association with, the database vendor allows it to offer low prices both per seat license and per additional query.

This implies that Fog’s data provider was, to its knowledge, the sole upstream source of app-based location data for all law enforcement and intelligence clients.

Links to Venntel
Other documents suggest that the “associate company” referenced in the Anaheim document — and the source of Fog’s data — is Venntel, perhaps the largest seller of location data to the government.

The most direct link comes from an email exchange with the Iowa Department of Public Safety. In response to an Iowa intelligence analyst’s question about Fog’s data, a Fog representative said it would ask “our data partner” for assistance. Fog then forwarded the question (including a device identifier) to a representative of Venntel, who sent back a series of screenshots illustrating how the analyst should interpret the data.

There are other links between Fog and Venntel.

The marketing materials provided by Fog to multiple law enforcement agencies are nearly identical to material that Venntel provided to DHS, according to records obtained by ACLU. The style, much of the language, and several of the graphics appear to be identical. It even appears that both companies use the same screenshot of a location in Santa Teresa, NM to illustrate their capabilities. Furthermore, both companies make identical claims about their data coverage, including that they analyze “location signals from 250 million mobile devices in the U.S.” and “15+ billion daily location signals.” These claims could be evidence that both companies have access to the same dataset.

Other records connect the two companies as well. One of the first records EFF received was a version of Fog’s Software License Agreement (SLA) from the Missouri State Highway Patrol. A piece of text in the header—edited to be hidden in the final document, but not deleted—reads “Venntel Analytics, Inc. Event Data Licensing Agreement.”

Finally, our investigation into the code hosted at fogreveal.com turned up several literal links to Venntel. Many different URLs with the word “Venntel” in their path are referenced in the code. For example, when a Reveal user performs any geofenced device query, that query is submitted by sending a request to the url path “/Venntel/GetLocationData.”

This collection of evidence suggests that Venntel is Fog’s “associate,” that is, the source of its data. This conclusion would be consistent with Fog’s claim that its “associate” was the only source of data for other law-enforcement-facing location data brokers. Previous reporting has revealed that Venntel supplies data to other brokers, including Babel Street, which sells location data to the government through its secret “Locate X” service.



EFF has redacted this screenshot to remove potentially identifiable information.

Records released to EFF also give us new information about how Venntel works. The screenshots appear to be taken from Venntel’s own web-based portal. It has previously been reported that Venntel lets users search for devices in a specific area, then perform deep dives on specific devices. This functionality parallels Fog Reveal’s “area search” and “device search” capabilities. To our knowledge, this is the first time the public has been able to see what Venntel’s user interface looks like. The interface is similar to Fog’s, though the visual style is slightly different. Venntel’s interface also appears to display more information than Fog’s does, including an IP address associated with each signal. You can read more about how Fog Reveal likely operates in our deep dive into its code.

Consent and Identifiability
In marketing materials and emails, Fog has reassured prospective customers that its data is “100% opt-in” and that “no PII [personally-identifiable information] is ever collected.” But records obtained by EFF and the nature of precise, individualized location data show that the data is incredibly personal and can easily identify people.

First, Fog’s assertion that the people in its database have “opted in” rests on a legal fiction of consent that EFF, courts, and members of Congress have repeatedly criticized because it fails to adequately protect people’s privacy. Modern smartphones require user consent before allowing certain kinds of data, including location, to be shared with apps. However, phones do very little to limit how the data is used after that permission is obtained. As a result, every permission is an all-or-nothing proposition: when you let a weather app access your location in order to see a five-day forecast, you may also give it the ability to sell, share, and use that data for whatever other purposes it chooses. In the United States, often the only legal limits on an app’s use of data are those it places on itself in a privacy policy. And these policies can be written so vaguely and permissively that there are, functionally, no limits at all.

In other words, even if a user consents to an app collecting location data, it is highly unlikely that they consent to that data winding up in Fog’s hands and being used for law enforcement surveillance.

Fog’s second claim, that its data contains no personally identifying information, is hard to square with common understandings of the identifiability of location data as well as with records showing Fog’s role in identifying individuals.

Location data is understood to be “personally identifying” under many privacy laws. The Colorado Privacy Act specifically defines “identified individuals” as people who can be identified by reference to “specific geolocation data.” The California Privacy Rights Act considers “precise geolocation data” associated with a device to be “sensitive personal information,” which is given heightened protections over other kinds of personal information. These definitions exist because location data traces can often be tied back to individuals even in the absence of other PII. Academic researchers have shown over and over again that de-identified or “anonymized” location data still poses privacy risks.

Fog’s data can allow police to determine where a person sleeps, works, or worships; where they go to get lunch, or health care, or to unwind on a Friday night. Tying a location trace to a real identity is often more of a mild inconvenience than a serious barrier to police. Fog’s own literature clarifies this: in a PowerPoint presentation shared with Chino, CA, it explains, “While there is no PII data provided, the ability to identify a location based on a device's signal strength can provide potential identifications when combined with other data that agencies have access to.” After attending a meeting with Fog representatives, a St. Louis County officer summarized: “There is no PI linked to the [device ID]. (But, if we are good at what we do, we should be able to figure out the owner).”

Furthermore, Fog’s data is directly tied to “hashed” advertising identifiers, and multiple records show how Fog has helped its customers use “device searches” to track devices with specific ad IDs. A phone’s ad ID is available to anyone with access to the device, and ad IDs are shared widely among app developers, advertising companies, and data brokers of all stripes. Once an agency has access to a target’s ad ID, they can use Fog to search for a detailed history of that person’s movement.

Emails between Fog and the California Highway Patrol indicate that Fog did not believe the Carpenter v. U.S. decision—which held that law enforcement need a warrant to access cell site location information (CSLI)—applied to their service, and therefore no warrant was required to access the app-based location data that Fog sells. But as we have discussed, Fog’s data is acquired and sold without meaningful consent and can frequently be used to track individuals just as effectively as CSLI. We discuss the legal issues with Fog and what we know about how agencies have treated the law in a subsequent post.

A perfect storm
The market for app-derived location data is massive. Dozens of companies actively buy and sell this data with assistance from thousands more. Many of them put raw data up for sale on the open market. And at least a handful of companies sell this kind of data to the federal government. Despite this, Fog Data Science is the only company EFF is aware of that sells individualized location data to state and local law enforcement in the United States.

Fog’s product represents a direct and uniquely modern threat to our privacy. Its business is only possible because of a cascade of decisions by tech platforms, app developers, lawmakers, and judges, all of whom have failed to adequately protect regular users. Apple and Google have designed their mobile operating systems to support third-party tracking, giving brokers like Fog essential tools like the ad identifier. Thousands of app developers have monetized their software by installing invasive tracking code on behalf of data brokers and ad tech. Congress has repeatedly failed to pass even basic privacy protections, allowing a multibillion dollar data broker industry to operate in the open. And courts have failed to clarify that a person’s Fourth Amendment rights aren’t diminished just because they’re carrying a smartphone that can transmit their location to apps and data brokers.

Fog Reveal can be used to harm vulnerable people and suppress civil liberties. Fog’s area searches can let police perform dragnet surveillance on attendees of peaceful protests, religious services, or political rallies. Some of Fog’s customers already have a history of doing so by other means: an investigation by ACLU revealed how California Highway Patrol used helicopters with high-tech surveillance cameras to capture zoomed-in video of attendees at peaceful demonstrations against police violence.

Fog’s service is especially dangerous in the wake of the Supreme Court’s Dobbs decision. Many states have criminalized abortion, giving state and local police license to unleash their surveillance powers against people seeking reproductive healthcare as well as the professionals that provide it. Fog Reveal lets an officer sitting at a desk draw geofences around abortion clinics anywhere in the world, then track all devices seen visiting them.

Finally, Fog’s service is ripe for abuse. The records we received indicated that some agencies required warrants to use Fog in some circumstances but did not show that law enforcement placed any limits on individual officers’ use of the technology, nor that they conducted routine oversight or auditing. It is possible that officers with access to Fog Reveal could misuse it for personal ends, just like some have misused other investigative tools in the past. In June, news broke that a US Marshal is being charged for allegedly using a different geolocation surveillance service in 2018 that was then sold by a prison payphone company — Securus — to track “people he had personal relationships with as well as their spouses.” (The US Marshals have previously contracted with Fog as well.) It’s possible that officers could similarly misuse Fog to surveil people they know.

How to protect yourself
The good news, if any, is that it is relatively straightforward to protect yourself from Fog’s surveillance. Fog relies on data gathered by code embedded in third-party apps. That means you can cut off its supply by revoking location permissions to any apps that you do not completely trust. Furthermore, turning off location services at the operating system level should prevent Fog and other app-based data brokers from accessing your location data at all. (This does not always prevent location data from being gathered by other actors, like your cellular carrier. You can read more about avoiding a range of threats to privacy in one of EFF’s Surveillance Self-Defense guides.)

There is no evidence that Google Maps, Apple, or Facebook provide data to Fog, and emails from Fog representatives and its customers state that Fog does not gather data from Google or Facebook. While there are other reasons to restrict Google’s access to your location, it does not appear as though data shared exclusively with one of these map providers will end up in Fog’s database.

Finally, evidence suggests that Fog’s service relies on using advertising identifiers to link data together, so simply disabling your ad ID may stymie Fog’s attempts to track you. One email suggests that Apple’s App Tracking Transparency initiative — which made ad ID access opt-in and resulted in a drastic decrease in the number of devices sharing that information — made services like Fog less useful to law enforcement. And former police analyst Davin Hall told EFF that the company wanted to keep its existence secret so that more people would leave their ad IDs enabled.

You can reset or disable your ad ID by following the instructions here.

Fog and its customers have spent years trying to remain in the shadows. Its service cannot function properly otherwise. Exposed to the light of day, Fog’s product becomes clear: an all-seeing eye that invades millions of Americans’ privacy without warrant or accountability.

Read more about Fog Data Science:

Press release: Data Broker Helps Police See Everywhere You’ve Been with the Click of a Mouse: EFF Investigation
What is Fog Data Science? Why is the Surveillance Company so Dangerous?
How Law Enforcement Around the Country Buys Cell Phone Location Data Wholesale
Fog Revealed: A Guided Tour of How Cops Can Browse Your Location Data
Fog Data Science Puts our Fourth Amendment Rights up for Sale
How Ad Tech Became Cop Spy Tech
 


ccp

  • Power User
  • ***
  • Posts: 19768
    • View Profile

DougMacG

  • Power User
  • ***
  • Posts: 19447
    • View Profile
Re: Kill Switches mandated on cars by 2026
« Reply #30 on: January 11, 2023, 08:21:24 AM »
Buy the best car you can find made before cars connected to the internet, and keep it!

It started with gallons per flush and incandescent light bulbs, seat belts and helmets. Some good ideas. Some bad. They decide where you can live. They can shut off your air conditioner, your furnace and now your car.

If they have their way and it looks like they will, we will be the last generation to have private automobiles.

When is it that people (mainstream Biden Democrat voters) will say they've had enough?
« Last Edit: January 11, 2023, 08:24:22 AM by DougMacG »

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 72319
    • View Profile
Re: The Surveillance State
« Reply #31 on: January 11, 2023, 02:34:02 PM »
"Buy the best car you can find made before cars connected to the internet, and keep it!"

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 72319
    • View Profile
GPF: What to expect as states begin enforcing data privacy laws
« Reply #32 on: January 20, 2023, 07:24:38 AM »
What to Expect as U.S. States Begin Enforcing Data Privacy Laws
7 MIN READ | Jan 19, 2023 | 18:28 GMT


Five U.S. states will begin enforcing new EU-styled data privacy laws in 2023, which will create more stringent data requirements for companies operating in these states, posing financial and reputational risks for companies that fail to comply. California, Colorado, Connecticut, Utah and Virginia are all slated to enact changes to their data privacy legislation later in the year and two of these states have already made the changes effective as of Jan. 1. These new laws integrate a number of modifications based on the European Union's General Data Protection Regulation (GDPR), a legal framework that pursues a ''rights-based approach'' to data protection and is arguably the most stringent data privacy legal framework in the world. These newly enacted and proposed state laws incorporate broader definitions for personally identifiable information (PII), stricter requirements regarding data collection and processing and certain oversight assessments to ensure improved data security practices.

The European Union's GDPR is a legal framework that upholds data privacy protections for EU member states and citizens. It was first implemented in May 2018 and represents the most stringent data laws in the world, requiring extensive controls around how EU citizens' data is collected, processed and stored. The GDPR upholds seven basic principles surrounding personal data protection, including transparency, minimization, confidentiality and various data rights, including accessibility, erasure, rectification and portability.

The California Privacy Rights Act (CPRA), which was first passed in November 2020 and became effective Jan. 1, amended past California legislation to create a number of individual rights modeled after the GDPR, including expanding employers' requirements for practices including data collection, data storage, data usage and data sharing. The new legislation also expands definitions for different types of PII that employers can collect and requires these employers to ensure that collected data upholds citizens' rights, including that their data is up to date, accurate and can be deleted upon their request.

The Virginia Consumer Data Privacy Act (VCDPA), which was first passed in March 2021 and also became effective Jan. 1, follows closely in line with these other states' expanded data rights modeled on the GDPR. The new legislation was altered to omit the right to data erasure, but allows users to opt out of certain data processing practices if they choose.

The Colorado Privacy Act (CPA), which was first passed in July 2021 and will become effective July 1, will also create expanded rights for individual data protection akin to the GDPR, including requiring certain data security provisions for vendors.

The Connecticut Data Privacy Act (CDPA), which was first passed in May 2022 and will become effective July 1, will bolster a number of GDPR-modeled individual rights with an emphasis on data minimization, security and assessments for high-risk processing (defined as data processing that involves new technologies or AI, genetic or biometric data, large scale processing, or combinations of data from different data sources).

The Utah Consumer Privacy Act (UCPA), which was first passed in March 2022 and will become effective Dec. 31, will similarly require GDPR-styled individual rights and data security and contract provisions, but will not expressly require risk assessments.

The push by these states to enhance data protection is in response to the U.S. federal government's lack of a comprehensive federal data privacy law and continued allegations of data misuse by U.S. corporations. While there are some federal data laws pertaining to specific sectors and critical infrastructure, the U.S. government does not have a comprehensive federal data privacy law, despite various efforts by lawmakers to reach a bipartisan consensus on a legal framework. In the absence of a federal mandate, U.S. states have been responsible for their own data laws and the vast majority of U.S. states similarly do not have a comprehensive data privacy legal framework. It was only in 2018 that California set the precedent with the California Consumer Privacy Act (CCPA), which California's new CPRA has recently amended and on which these other states based their own new legislation. The lack of clear data regulation requirements in the United States has historically given companies excessive leeway in their data collection practices, a trend that also contributed to recent efforts by some U.S. states to enforce better data protections for their citizens. In the last year alone, a number of state governments sued U.S. companies, alleging various examples of misusing data or implementing insufficient data protection measures for their clients and users.

In February 2022, Texas Attorney General Ken Paxton filed a lawsuit against Facebook's parent company, Meta, over allegations that the tech company was collecting Texans' facial recognition information without their informed consent. Later, in October 2022, Paxton's office filed another privacy lawsuit against Google, accusing the company of similarly collecting Texans' facial and voice recognition information without their explicit consent. Both lawsuits remain ongoing.

In November 2022, Google agreed to a record $391.5 million privacy settlement with 40 U.S. states under the charge that the company misled users into thinking they had turned off location tracking in their settings even while Google continued to collect data from them. The settlement was the largest internet privacy settlement by U.S. states and will also require Google to make its location tracking disclosures clearer in 2023.

More U.S. states will likely also pursue revised legislation to bolster data protection practices, expanding compliance requirements for companies operating in these states and potentially exposing companies to heightened legal, regulatory and compliance risks. Legislatures in several U.S. states — including Michigan, New Jersey, Ohio and Pennsylvania — are also considering data privacy bills that were all first proposed in either 2021 or 2022. While such efforts will likely bolster data protection practices in the long term, they will also probably pose significant legal, regulatory and compliance challenges to companies operating in those states. The many domestic and foreign companies that operate across various U.S. states will likely struggle to keep up with the varying timelines and data privacy provisions of each state law. The laws that California, Colorado, Connecticut, Utah and Virginia will begin enforcing in 2023 — along with those being considered in Michigan, New Jersey, Ohio and Pennsylvania — are all relatively consistent in their approach to incorporating GDPR-styled language. Some, however, include certain nuances based on local political will that will further complicate compliance efforts. Many companies, especially smaller companies or those with fewer resources, may inadvertently expose themselves to financial and reputational risks if they are fined or penalized by these states for violating the new legislation. Additionally, many of these states' new data privacy laws pertain to only certain organizations exceeding specific thresholds, making it all the more difficult for companies to discern their legal and regulatory obligations.
Bipartisan support in Congress for either a federal data breach notification law or a framework similar to the GDPR will likely also increase over the next year amid growing concerns about malicious cyber activity targeting databases in both the public and private sectors. Importantly, however, continued divides between Democrats and Republicans in Washington, along with political infighting on both sides of the aisle, will likely impede such efforts to pass or enact national data privacy policies in the short term. As a whole, the shifting regulatory landscape for data protection in the United States will create an additional layer of complexity for companies in their data compliance efforts throughout 2023.

Some of these states' new legal provisions (including those that address data processing), only apply to certain companies that reach preset thresholds, such as processing the data of a certain number of residents. Because of these specificities, smaller companies may not be impacted. But the nuance of each state's requirements will nevertheless require a high level of awareness by all companies operating in these states.

Some states altered language in their bills on the basis of state-level pushback. For example, in 2022, Virginia tweaked its VCDPA bill to replace the ''right-to-delete'' with the right to opt out of certain processing. While this is only a slight variation from other states' provisions, such small differences will still create more legal headaches and compliance challenges for companies.

G M

  • Power User
  • ***
  • Posts: 26643
    • View Profile

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 72319
    • View Profile
Re: The Surveillance State
« Reply #34 on: January 30, 2023, 02:47:36 PM »
That point about the British making themselves useful as a cut out is well worth noting.   

Isn't that pretty much what they did when having Steele provide the infamous dossier?

G M

  • Power User
  • ***
  • Posts: 26643
    • View Profile
Re: The Surveillance State
« Reply #35 on: January 30, 2023, 03:02:03 PM »
That point about the British making themselves useful as a cut out is well worth noting.   

Isn't that pretty much what they did when having Steele provide the infamous dossier?

That’s definitely part of it. You have zero legal protections from being surveilled by the other 5 eyes nations.

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 72319
    • View Profile
WSJ: What is this? Russia?
« Reply #36 on: February 05, 2023, 01:17:01 PM »
Encryption Bans . . . What Is This, Russia?
Many in the U.S., U.K. and Australia would like to force companies like mine to add backdoors giving access to both law enforcement and hackers.
By Andrew Milich
Feb. 3, 2023 1:43 pm ET


My company is on the front lines of the battle for online privacy. On Wednesday the Russian government blocked Skiff, a private email service I built with my co-founder Jason Ginsberg, because our product allowed ordinary people to express themselves freely online. Skiff has since seen an 81% drop in traffic from Russia, and our engineers are scrambling to find ways to restore access to those who rely on us to keep their emails private.

This type of behavior is not surprising from authoritarian regimes. But what we at Skiff worry about most is not despots tightening their grip on the internet in their countries. We worry that the U.S., European Union and Australia—all of which claim to protect privacy and free expression—are trying to do the same thing.

End-to-end encryption makes it impossible for messaging apps such as WhatsApp and Signal to share users’ messages with law enforcement, leading some to argue that encryption hinders criminal investigations.

This argument has landed on sympathetic ears in Congress. The Lawful Access to Encrypted Data Act was introduced in the Senate in 2020 to force tech companies such as Signal, WhatsApp and Skiff to make user information decryptable so it can be shared with law enforcement. The bill failed to gain traction and hasn’t been reintroduced. Similarly, an EU proposal would create a new agency to scan messaging apps for illicit content, undermining end-to-end encryption. The Australian government recently passed a law banning end-to-end encryption, and the U.K. Parliament hopes to pass similar legislation. Banning strong encryption would force companies like mine to hobble their security protocols by adding backdoors that would be exploited.


Advocates for these laws overstate the potential threats that encryption poses and forget its critical security benefits. Law enforcement has found ways to investigate crimes even without backdoor access to encrypted messages. For example, Azimuth Security, a small Australian hacking firm, helped the FBI unlock an iPhone used by a terrorist in the 2015 San Bernardino shooting.

Most important, there is no way to use strong encryption while making data accessible only to some third parties. Any backdoor for law enforcement would also be exploited by bad actors. Banning or undermining encryption protocols would make network traffic, private messages, encrypted emails, and digital voice or video calls vulnerable to surveillance, interception and misuse.

Ironically, the same products targeted by proposed encryption bans have become ubiquitous in the national-security community. The Senate approved Signal for staff use in 2017, and British soldiers have been encouraged to use the app.

If the U.S., EU and others follow Russia’s playbook, Americans and their allies will no longer be able to send encrypted messages without fearing that government officials, companies, advertisers or criminals will take a peek.

The U.S. government can do better than Russia. Encrypted communications undergird freedom and national security. It is time to reject these bans as anti-freedom, anti-American, and better left to Vladimir Putin.

Mr. Milich is CEO of Skiff.


G M

  • Power User
  • ***
  • Posts: 26643
    • View Profile
Re: WSJ: What is this? Russia?
« Reply #37 on: February 05, 2023, 01:20:34 PM »
This is post-coup Amerika. The American Republic is dead.



Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 72319
    • View Profile
Re: The Surveillance State
« Reply #38 on: February 05, 2023, 04:03:29 PM »
Well, we're still talking shit and talking the American Creed here!

G M

  • Power User
  • ***
  • Posts: 26643
    • View Profile
Re: The Surveillance State
« Reply #39 on: February 05, 2023, 04:12:47 PM »
Well, we're still talking shit and talking the American Creed here!

For now. They have plans for us.

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 72319
    • View Profile
Re: The Surveillance State
« Reply #40 on: February 05, 2023, 04:24:38 PM »
Indeed, but until they shut us down the coup has not solidified and we continue to live by and fight for our American Creed.

G M

  • Power User
  • ***
  • Posts: 26643
    • View Profile
Re: The Surveillance State
« Reply #41 on: February 05, 2023, 04:55:29 PM »
Indeed, but until they shut us down the coup has not solidified and we continue to live by and fight for our American Creed.

https://westernrifleshooters.us/wp-content/uploads/2022/12/74qwmg.jpg



ccp

  • Power User
  • ***
  • Posts: 19768
    • View Profile
If Doug's post is not alarming enough,
here is even more outrage:

https://www.theguardian.com/us-news/2019/aug/02/pentagon-balloons-surveillance-midwest



« Last Edit: February 06, 2023, 06:26:13 AM by ccp »

G M

  • Power User
  • ***
  • Posts: 26643
    • View Profile

ccp

  • Power User
  • ***
  • Posts: 19768
    • View Profile
gorgon stare
« Reply #45 on: February 06, 2023, 06:35:44 AM »
https://en.wikipedia.org/wiki/Gorgon_Stare

and Gorgon:
https://en.wikipedia.org/wiki/Gorgon

similar to cameras everywhere in NYC
just on wider scale



Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 72319
    • View Profile
Re: The Surveillance State
« Reply #47 on: March 17, 2023, 01:15:01 PM »
Spreading that around!

ccp

  • Power User
  • ***
  • Posts: 19768
    • View Profile
CDC buys cell phone data
« Reply #48 on: March 17, 2023, 01:18:36 PM »
https://notthebee.com/article/cdc-bought-access-to-at-least-55-million-americans-phone-location-data-to-monitor-lockdown-compliance

I am trying to figure this out.
2000 Mules cell phone pings were called BS,

but yet this cell phone was bought and paid for by - the CDC -

The medical profession is turned into a political propaganda tool.  :cry:

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 72319
    • View Profile
Re: The Surveillance State
« Reply #49 on: March 17, 2023, 01:33:17 PM »
 :-o :-o :-o