Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.

For The Record  

FTR #1080 Surveillance Valley, Part 6: Double Agents, Part 2 (Foxes Guarding the Online Privacy Henhouse, Part 3)

Dave Emory’s entire life­time of work is avail­able on a flash dri­ve that can be obtained HERE. The new dri­ve is a 32-giga­byte dri­ve that is cur­rent as of the pro­grams and arti­cles post­ed by the fall of 2017. The new dri­ve (avail­able for a tax-deductible con­tri­bu­tion of $65.00 or more.)

WFMU-FM is pod­cast­ing For The Record–You can sub­scribe to the pod­cast HERE.

You can sub­scribe to e‑mail alerts from Spitfirelist.com HERE.

You can sub­scribe to RSS feed from Spitfirelist.com HERE.

Please con­sid­er sup­port­ing THE WORK DAVE EMORY DOES.

This broad­cast was record­ed in one, 60-minute seg­ment.

Intro­duc­tion: In this pro­gram, we resume dis­cus­sion and analy­sis of the con­sum­mate­ly impor­tant recent book Sur­veil­lance Val­ley: The Secret Mil­i­tary His­to­ry of the Inter­net by Yasha Levine. In the pre­vi­ous pro­gram, we not­ed, among oth­er points of analy­sis, the deci­sive role of Eddie “The Friend­ly Spook” Snow­den in pro­mot­ing the intel­li­gence-agency craft­ed Tor net­work.

In addi­tion to Tor, the Open Tech­nol­o­gy Fund (read “CIA”) helped finance the Sig­nal app for mobile phones. It, too, is fun­da­men­tal­ly com­pro­mised. ” . . . . . . . . The Tor project remained the best-known pri­va­cy app fund­ed by the Open Tech­nol­o­gy Fund, but it was quick­ly joined by anoth­er: Sig­nal, an encrypt­ed mobile phone mes­sag­ing app for the iPhone and Android. . . .”

Not sur­pris­ing­ly, the CIA’s Eddie “The Friend­ly Spook” Snow­den was a big pro­mot­er of Sig­nal, as well as Tor: ” . . . . Peo­ple at the ACLU claimed that Sig­nal made fed­er­al agents weep. The Elec­tron­ic Fron­tier Foun­da­tion added Sig­nal along­side Tor to its Sur­veil­lance Self-Defense guide. Fight for the Future, a Sil­i­con Val­ley-fund­ed pri­va­cy activist orga­ni­za­tion, described Sig­nal and Tor as ‘NSA-proof’ and urged peo­ple to use them. Edward Snow­den was the com­bo’s biggest and most famous boost­er and repeat­ed­ly took to Twit­ter to tell his three mil­lion fol­low­ers that he used Sig­nal and Tor every day, and that they should do the same to pro­tect them­selves from gov­ern­ment sur­veil­lance. ‘Use Tor, Use Sig­nal,’ he tweet­ed out.

“With endorse­ments like these, Sig­nal quick­ly became the go-to app for polit­i­cal activists around the world. Egypt, Rus­sia, Syr­ia, and even the Unit­ed States—millions down­loaded Sig­nal, and it became the com­mu­ni­ca­tion app of choice for those who hoped to avoid police sur­veil­lance. Fem­i­nist col­lec­tives, anti-Pres­i­dent Don­ald Trump pro­test­ers, com­mu­nists, anar­chists, rad­i­cal ani­mal rights orga­ni­za­tions, Black Lives Mat­ter activists—all flocked to Sig­nal. Many were heed­ing Snow­den’s advice: ‘Orga­nize. Com­part­men­tal­ize to lim­it com­pro­mise. Encrypt every­thing, from calls to texts (use Sig­nal as a first step.)’ . . . .”

Yasha Levine sums up the fun­da­men­tal con­tra­dic­tions inher­ent  in this dynam­ic: ” . . . . If you stepped back to sur­vey the scene, the entire land­scape of this new Inter­net Free­dom pri­va­cy move­ment looked absurd. Cold War-era orga­ni­za­tions spun off from the CIA now fund­ing the glob­al move­ment against gov­ern­ment sur­veil­lance? Google and Face­book, com­pa­nies that ran pri­vate sur­veil­lance net­works and worked hand in hand with the NSA, deploy­ing gov­ern­ment-fund­ed pri­va­cy tech to pro­tect their users from gov­ern­ment sur­veil­lance? Pri­va­cy activists work­ing with Sil­i­con Val­ley and the US gov­ern­ment to fight gov­ern­ment surveillance—and with the sup­port of Edward Snow­den him­self? . . . .”

Fol­low­ing Snow­den’s pro­mo­tion of OTF’s Tor and Sig­nal tech­nolo­gies, OTF was at a zenith: ” . . . . After Edward Snow­den, OTF was tri­umphant. It did­n’t men­tion the leak­er by name in its pro­mo­tion­al mate­ri­als, but it prof­it­ed from the cryp­to cul­ture he pro­mot­ed and ben­e­fit­ed from his direct endorse­ment of the cryp­to tools it financed. It boast­ed that its part­ner­ship with both Sil­i­con Val­ley and respect­ed pri­va­cy activists meant that hun­dreds of mil­lions of peo­ple could use the pri­va­cy tools the US gov­ern­ment had brought to mar­ket. And OTF promised that this was just a start: ‘By lever­ag­ing social net­work effects, we expect to expand to a bil­lion reg­u­lar users tak­ing advan­tage of OTF-sup­port­ed tools and Inter­net Free­dom tech­nolo­gies by 2015. . . .’

As even­tu­al­ly became clear, the Tor net­work was eas­i­ly breached. It is a safe bet that the fas­cists grouped around the Pirate Bay site (on which Wik­iLeaks held forth), had breached Tor’s “secre­cy,” in addi­tion to the obvi­ous fact that intel­li­gence ser­vices could pen­e­trate it at will.

With this in mind, John Young’s rumi­na­tion about Wik­iLeaks sound more and more sub­stan­tive.

In all prob­a­bil­i­ty, Wik­iLeaks was a huge data min­ing oper­a­tion both by the very intel­li­gence agen­cies who were osten­si­bly tar­get­ed by Wik­iLeaks, and the Fas­cist Inter­na­tion­al net­work around Carl Lund­strom, Daniel Friberg, David Duke et al.

In FTR #‘s 756 and 831 we not­ed Snow­den’s fas­cist views and con­nec­tions. Levine mere­ly char­ac­ter­izes him as a “right-wing lib­er­tar­i­an,” but there is MUCH MORE TO IT THAN  THAT!

Snow­den down­played the fun­da­men­tal role of the Big Tech firms in aid­ing and abet­ting gov­ern­ment sur­veil­lance, in addi­tion to their own mas­sive sur­veil­lance and resul­tant data min­ing. ” . . . . There, while liv­ing under state pro­tec­tion at an undis­closed loca­tion in Moscow, he swept Sil­i­con Val­ley’s role in Inter­net sur­veil­lance under the rug. Asked about it by Wash­ing­ton Post reporter Bar­ton Gell­man, who had first report­ed on the NSA’s PRISM pro­gram, Snow­den shrugged off the dan­ger posed by com­pa­nies like Google and Face­book. The rea­son? Because pri­vate com­pa­nies do not have the pow­er to arrest, jail, or kill peo­ple. ‘Twit­ter does­n’t put war­heads on fore­heads,’ he joked. . . .”

Embody­ing his “cor­po­ratist” and Tech­no­crat­ic Fas­cist point of view, Snow­den cham­pi­oned the Big Tech firms as bul­warks against gov­ern­ment Inter­net sur­veil­lance, despite the only-too-obvi­ous fact (rein­forced by the doc­u­ments he leaked) that Big Tech is–and always has been–in bed with, and active­ly col­lab­o­rat­ing with, the very gov­ern­ment intel­li­gence agen­cies con­duct­ing that sur­veil­lance: ” . . . . The only islands of safe­ty were the pri­vate data cen­ters con­trolled by pri­vate companies—Google, Apple, Face­book. These were the cyber-fortress­es and walled cities that offered sanc­tu­ary to the mass­es. In this chaot­ic land­scape, com­put­er engi­neers and cryp­tog­ra­phers played the role of self­less gal­lop­ing knights and wiz­ard-war­riors whose job was to pro­tect the weak folk of the Inter­net: the young, the old and infirm, fam­i­lies. It was their duty to ride out, weapons aloft, and con­vey peo­ple and their pre­cious data safe­ly from fortress to fortress, not let­ting any of the infor­ma­tion fall into the hands of gov­ern­ment spies. He called on them to start a peo­ple’s pri­va­cy war, ral­ly­ing them to go forth and lib­er­ate the Inter­net, to reclaim it from the gov­ern­ments of the world. . . .”

The nau­se­at­ing head of Facebook–Mark Zuckerberg–has decried the intel­li­gence com­mu­ni­ty’s use of the Inter­net for data min­ing. In FTR #1077, we high­light­ed the Cam­bridge Ana­lyt­i­ca affair, and Face­book’s full coop­er­a­tion with that project at every turn.

Oth­er Big Tech firms had sim­i­lar reac­tions. “. . . . . ‘We had­n’t even heard of PRISM before yes­ter­day,’ Mark Zucker­berg wrote in a Face­book post. He blamed the gov­ern­ment and posi­tioned Face­book as a vic­tim. “I’ve called Pres­i­dent Oba­ma to express my frus­tra­tion over the dam­age the gov­ern­ment is cre­at­ing for all of our future. Unfor­tu­nate­ly, it seems like it will take a very long time for true full reform.’ Apple,  Microsoft, Google, and Yahoo! All react­ed in much the same way, deny­ing the alle­ga­tions and paint­ing them­selves as the vic­tims of gov­ern­ment over­reach. ‘It’s tremen­dous­ly dis­ap­point­ing that the gov­ern­ment sort of secret­ly did all this stuff and did­n’t tell us. We can’t have a democ­ra­cy if we’re hav­ing to pro­tect you and our users from the gov­ern­ment,’ Lar­ry Page told Char­lie Rose in an inter­view on CBS. . . . .”

We present the con­clu­sion of the main part of the book, with Levine’s sum­ma­tion of the inex­tri­ca­ble nature and sym­bio­sis between the Inter­net, the tech firms and the so-called “pri­va­cy com­mu­ni­ty.”

The key points of dis­cus­sion and analy­sis of Levine’s book (as a whole) include:

  1. The Inter­net is a weapon, devel­oped for counter-insur­gency pur­pos­es.
  2. Big Tech firms net­work with the very intel­li­gence ser­vices they pub­licly decry.
  3. Big Tech firms that data mine their cus­tomers on a near­ly unimag­in­able scale do so as a direct, oper­a­tional exten­sion of the very sur­veil­lance func­tion upon which  the Inter­net is pred­i­cat­ed.
  4. The tech­nolo­gies tout­ed by the so-called “Pri­va­cy Activists” such as Edward Snow­den and Jacob Apple­baum were devel­oped by the very intel­li­gence ser­vices they are sup­posed to deflect.
  5. The tech­nolo­gies tout­ed by the so-called “Pri­va­cy Activists” such as Edward Snow­den and Jacob Applebaum–such as the Tor Inter­net func­tion and the Sig­nal mobile phone app– are read­i­ly acces­si­ble to the very intel­li­gence ser­vices they are sup­posed to deflect.
  6. The orga­ni­za­tions that pro­mote the alleged virtues of Snow­den, Apple­baum, Tor, Sig­nal et al are linked to the very intel­li­gence ser­vices they would have us believe they oppose.
  7. Big Tech firms embrace “Inter­net Free­dom” as a dis­trac­tion from their own will­ful and all-embrac­ing data min­ing and their ongo­ing con­scious col­lab­o­ra­tion with the very intel­li­gence ser­vices they pub­licly decry.

NB: Mr. Levine does not go into the fascis­tic char­ac­ter of Snow­den, Assange, Green­wald et al. Some of those shows: Green­wald–FTR #888, Snow­den–FTR #‘s 756, 831, Assange and Wik­iLeaks–FTR #‘s 732, 745, 755, 917.

“. . . . Then there was the fact that Sig­nal ran on Ama­zon’s servers, which meant that all its data were avail­able to a part­ner in the NSA’s PRISM sur­veil­lance pro­gram. Equal­ly prob­lem­at­ic, Sig­nal need­ed Apple and Google to install and run the app on peo­ple’s mobile phones. Both com­pa­nies were, and as far as we know still are, part­ners in PRISM as well. ‘Google usu­al­ly has root access to the phone, there’s the issue of integri­ty,’ writes Sander Ven­e­ma, a respect­ed devel­op­er and secure—technology train­er, in a blog post explain­ing why he no longer rec­om­mends peo­ple use Sig­nal for encrypt­ed chat. ‘Google is still coop­er­at­ing with the NSA and oth­er intel­li­gence agen­cies. PRISM is also still a thing. I’m pret­ty sure that Google could serve a spe­cial­ly mod­i­fied update or ver­sion of Sig­nal to spe­cif­ic tar­get for sur­veil­lance, and they would be none the wis­er that they installed mal­ware on their phones.’ . . .

. . . . So, although the app encrypt­ed the con­tent of peo­ple’s mes­sages, it also marked them with a flash­ing red sign: ‘Fol­low Me, I Have Some­thing to Hide.’ (Indeed, activists protest­ing at the Demo­c­ra­t­ic Nation­al Con­ven­tion in Philadel­phia in 2016 told me that they were bewil­dered by the fact that police seemed to know and antic­i­pate their every move despite their hav­ing used Sig­nal to orga­nize. . . .”

” . . . . For many Inter­net com­pa­nies, includ­ing Google and Face­book, sur­veil­lance is the busi­ness mod­el. It is the base on which their cor­po­rate and eco­nom­ic pow­er rests. Dis­en­tan­gle sur­veil­lance and prof­it, and these com­pa­nies would col­lapse. Lim­it data col­lec­tion, an the com­pa­nies would see investors flee and their stock prices plum­met. [Ital­ics are mine–D.E.]

“Sil­i­con Val­ley fears a polit­i­cal solu­tion to pri­va­cy. Inter­net Free­dom and cryp­to offer an accept­able alter­na­tive. Tools like Sig­nal and Tor pro­vide a false solu­tion to the pri­va­cy prob­lem, focus­ing people’s atten­tion on gov­ern­ment sur­veil­lance and dis­tract­ing them from the pri­vate spy­ing car­ried out by the Inter­net com­pa­nies they use every day. All the while, cryp­to tools give peo­ple a [false] sense that they’re doing some­thing to pro­tect them­selves, a feel­ing of per­son­al empow­er­ment and con­trol. And all those cryp­to rad­i­cals? Well, they just enhance the illu­sion, height­en­ing the impres­sion of risk and dan­ger. With Sig­nal or Tor installed, using an iPhone or Android sud­den­ly becomes edgy and rad­i­cal. So instead of push­ing for polit­i­cal and demo­c­ra­t­ic solu­tions to sur­veil­lance, we out­source our pri­va­cy pol­i­tics to cryp­to apps–software made by the very same pow­er­ful enti­ties that these apps are sup­posed to pro­tect us from. . . .”

1. The Arab Spring pro­vid­ed moti­va­tion for enhanced U.S. fund­ing for Inter­net Free­dom. The Open Tech­nol­o­gy Fund, like the BBG a CIA “deriv­a­tive,” was at the cen­ter of this: ” . . . . The moti­va­tion for this expan­sion came out of the Arab Spring. The idea was to make sure the US gov­ern­ment would main­tain its tech­no­log­i­cal advan­tage in the cen­sor­ship arms race that began in the ear­ly 2000s, but the funds were also going into devel­op­ing a new gen­er­a­tion of tools aimed at lever­ag­ing the pow­er of the Inter­net to help for­eign oppo­si­tion activists orga­nize into cohe­sive polit­i­cal move­ments. The BBG’s $25.5 mil­lion cut of the cash more than dou­bled the agen­cy’s anti­cen­sor­ship tech­nol­o­gy bud­get from the pre­vi­ous year, and the BBG fun­neled the mon­ey into the Open Tech­nol­o­gy Fund, a new orga­ni­za­tion it had cre­at­ed with­in Radio Free Asia to fund Inter­net Free­dom tech­nolo­gies in the wake of the Arab Spring. . . .”

The fun­da­men­tal posi­tion of BBG and OTF (read “CIA”) to the so-called online pri­va­cy com­mu­ni­ty was con­cise­ly expressed by Yasha Levine: ” . . . . From behind this hip and con­nect­ed exte­ri­or, BBG and Radio Free Asia built a ver­ti­cal­ly inte­grat­ed incu­ba­tor for Inter­net Free­dom tech­nolo­gies, pour­ing mil­lions into projects big and small, includ­ing every­thing from evad­ing cen­sor­ship to help­ing polit­i­cal orga­niz­ing, protests, and move­ment build­ing. With its deep pock­ets and its recruit­ment of big-name pri­va­cy activists, the Open Tech­nol­o­gy Fund did­n’t just thrust itself into the pri­va­cy move­ment. In many ways, it WAS the pri­va­cy move­ment. . . .”

Sur­veil­lance Val­ley by Yasha Levine; Pub­lic Affairs Books [HC]; Copy­right 2018 by Yasha Levine; ISBN 978–1‑61039–802‑2; pp. 254—256.

. . . . In ear­ly Jan­u­ary 2014, six months after Snow­den’s leaks, Con­gress passed the Con­sol­i­dat­ed Appro­pri­a­tions Act, an omnibus fed­er­al spend­ing bill. Tucked into the bil­l’s rough­ly fif­teen hun­dred pages was a short pro­vi­sion that ded­i­cat­ed $50.5 mil­lion to the expan­sion of the US gov­ern­men­t’s Inter­net Free­dom arse­nal. The funds were to be split even­ly between the State Depart­ment and the Broad­cast­ing Board of Gov­er­nors.

Although Con­gress had been pro­vid­ing funds for var­i­ous anti-cen­sor­ship pro­grams for years, this was the first time that it bud­get­ed mon­ey specif­i­cal­ly for Inter­net Free­dom. The moti­va­tion for this expan­sion came out of the Arab Spring. The idea was to make sure the US gov­ern­ment would main­tain its tech­no­log­i­cal advan­tage in the cen­sor­ship arms race that began in the ear­ly 2000s, but the funds were also going into devel­op­ing a new gen­er­a­tion of tools aimed at lever­ag­ing the pow­er of the Inter­net to help for­eign oppo­si­tion activists orga­nize into cohe­sive polit­i­cal move­ments.

The BBG’s $25.5 mil­lion cut of the cash more than dou­bled the agen­cy’s anti­cen­sor­ship tech­nol­o­gy bud­get from the pre­vi­ous year, and the BBG fun­neled the mon­ey into the Open Tech­nol­o­gy Fund, a new orga­ni­za­tion it had cre­at­ed with­in Radio Free Asia to fund Inter­net Free­dom tech­nolo­gies in the wake of the Arab Spring.

Ini­tial­ly launched by the Cen­tral Intel­li­gence Agency in 1951 to tar­get Chi­na with anti­com­mu­nist radio broad­casts, Radio Free Asia had been shut­tered and relaunched sev­er­al times over the course of its his­to­ry. In 1994, after the fall of the Sovi­et Union, it reap­peared Ter­mi­na­tor-like as a pri­vate non­prof­it cor­po­ra­tion whol­ly con­trolled and fund­ed by the Broad­cast­ing Board of Gov­er­nors. . . .

. . . . Now, with the Open Tech­nol­o­gy Fund (OTF), Radio Free Asia over­saw the fund­ing of Amer­i­ca’s Inter­net Free­dom pro­grams. To run OTF’s day-to-day oper­a­tions, Radio Free Asia hired Dan Mered­ith, a young techie who worked at Al-Jazeera in Qatar and who had been involved in the State Depart­men­t’s anti­cen­sor­ship ini­tia­tives going back to 2011. With a scruffy beard and messy blond surfer hair, Mered­ith was­n’t a typ­i­cal stuffy State Depart­ment suit. He was flu­ent in cypher­punk-hack­tivist lin­go and was very much a part of the grass­roots pri­va­cy com­mu­ni­ty he sought to woo. In short, he was­n’t the kind of per­son you’d expect to run a gov­ern­ment project with major for­eign pol­i­cy impli­ca­tions.

With him at the helm, OTF put a lot of effort on brand­ing. Out­ward­ly, it looked like a grass­roots pri­va­cy activist orga­ni­za­tion, not a gov­ern­ment agency. It pro­duced hip 8‑bit YouTube videos about its mis­sion to use “pub­lic funds to sup­port Inter­net free­dom projects” and pro­mote “human rights and open soci­eties.” Its web lay­out con­stant­ly changed to reflect the trendi­est design stan­dards.

But if OTF appeared scrap­py, it was also extreme­ly well con­nect­ed. The orga­ni­za­tion was sup­port­ed by a star-stud­ded team—from best-sell­ing sci­ence fic­tion authors to Sil­i­con Val­ley exec­u­tives and cel­e­brat­ed cryp­tog­ra­phy experts. Its advi­so­ry board includ­ed big names from the Colum­bia Jour­nal­ism School, the Elec­tron­ic Fron­tier Foun­da­tion, the Ford Foun­da­tion, Open Soci­ety Foun­da­tions, Google, Slack, and Mozil­la. Andrew McLaugh­lin, the for­mer head of Google’s pub­lic rela­tions team who had brought in Al Gore to talk a Cal­i­for­nia state sen­a­tor into can­cel­ing leg­is­la­tion that would reg­u­late Gmail’s email scan­ning pro­gram, was part of the OTF team. So was Cory Doc­torow, a best-sell­ing young adult sci­ence fic­tion author, whose books about a total­i­tar­i­an gov­ern­men­t’s sur­veil­lance were read and admired by Lau­ra Poitras, Jacob Apple­baum, Roger Din­gle­dine, and Edward Snow­den. Doc­torow was a huge per­son­al­i­ty in the cryp­to move­ment who could fill giant con­fer­ence halls at pri­va­cy con­fer­ences. He pub­licly endorsed OTF’s Inter­net Free­dom mis­sion. “I’m proud to be a vol­un­teer OTF advi­sor,” he tweet­ed.

From behind this hip and con­nect­ed exte­ri­or, BBG and Radio Free Asia built a ver­ti­cal­ly inte­grat­ed incu­ba­tor for Inter­net Free­dom tech­nolo­gies, pour­ing mil­lions into projects big and small, includ­ing every­thing from evad­ing cen­sor­ship to help­ing polit­i­cal orga­niz­ing, protests, and move­ment build­ing. With its deep pock­ets and its recruit­ment of big-name pri­va­cy activists, the Open Tech­nol­o­gy Fund did­n’t just thrust itself into the pri­va­cy move­ment. In many ways, it was the pri­va­cy move­ment. . . .

2. In addi­tion to Tor, the Open Tech­nol­o­gy Fund (read “CIA”) helped finance the Sig­nal app for mobile phones. It, too, is fun­da­men­tal­ly com­pro­mised. ” . . . . . . . . The Tor project remained the best-known pri­va­cy app fund­ed by the Open Tech­nol­o­gy Fund, but it was quick­ly joined by anoth­er: Sig­nal, an encrypt­ed mobile phone mes­sag­ing app for the iPhone and Android. . . .”

Not sur­pris­ing­ly, the CIA’s Eddie “The Friend­ly Spook” Snow­den was a big pro­mot­er of Sig­nal: ” . . . . Peo­ple at the ACLU claimed that Sig­nal made fed­er­al agents weep. The Elec­tron­ic Fron­tier Foun­da­tion added Sig­nal along­side Tor to its Sur­veil­lance Self-Defense guide. Fight for the Future, a Sil­i­con Val­ley-fund­ed pri­va­cy activist orga­ni­za­tion, described Sig­nal and Tor as ‘NSA-proof’ and urged peo­ple to use them. Edward Snow­den was the com­bo’s biggest and most famous boost­er and repeat­ed­ly took to Twit­ter to tell his three mil­lion fol­low­ers that he used Sig­nal and Tor every day, and that they should do the same to pro­tect them­selves from gov­ern­ment sur­veil­lance. ‘Use Tor, Use Sig­nal,’ he tweet­ed out.

“With endorse­ments like these, Sig­nal quick­ly became the go-to app for polit­i­cal activists around the world. Egypt, Rus­sia, Syr­ia, and even the Unit­ed States—millions down­loaded Sig­nal, and it became the com­mu­ni­ca­tion app of choice for those who hoped to avoid police sur­veil­lance. Fem­i­nist col­lec­tives, anti-Pres­i­dent Don­ald Trump pro­test­ers, com­mu­nists, anar­chists, rad­i­cal ani­mal rights orga­ni­za­tions, Black Lives Mat­ter activists—all flocked to Sig­nal. Many were heed­ing Snow­den’s advice: ‘Orga­nize. Com­part­men­tal­ize to lim­it com­pro­mise. Encrypt every­thing, from calls to texts (use Sig­nal as a first step.)’ . . . .”

Yasha Levine sums up the fun­da­men­tal con­tra­dic­tions inher­ent  in this dynam­ic: ” . . . . If you stepped back to sur­vey the scene, the entire land­scape of this new Inter­net Free­dom pri­va­cy move­ment looked absurd. Cold War-era orga­ni­za­tions spun off from the CIA now fund­ing the glob­al move­ment against gov­ern­ment sur­veil­lance? Google and Face­book, com­pa­nies that ran pri­vate sur­veil­lance net­works and worked hand in hand with the NSA, deploy­ing gov­ern­ment-fund­ed pri­va­cy tech to pro­tect their users from gov­ern­ment sur­veil­lance? Pri­va­cy activists work­ing with Sil­i­con Val­ley and the US gov­ern­ment to fight gov­ern­ment surveillance—and with the sup­port of Edward Snow­den him­self? . . . .”

Fol­low­ing Snow­den’s pro­mo­tion of OTF’s Tor and Sig­nal tech­nolo­gies, OTF was at a zenith: ” . . . . After Edward Snow­den, OTF was tri­umphant. It did­n’t men­tion the leak­er by name in its pro­mo­tion­al mate­ri­als, but it prof­it­ed from the cryp­to cul­ture he pro­mot­ed and ben­e­fit­ed from his direct endorse­ment of the cryp­to tools it financed. It boast­ed that its part­ner­ship with both Sil­i­con Val­ley and respect­ed pri­va­cy activists meant that hun­dreds of mil­lions of peo­ple could use the pri­va­cy tools the US gov­ern­ment had brought to mar­ket. And OTF promised that this was just a start: ‘By lever­ag­ing social net­work effects, we expect to expand to a bil­lion reg­u­lar users tak­ing advan­tage of OTF-sup­port­ed tools and Inter­net Free­dom tech­nolo­gies by 2015. . . .’

Sur­veil­lance Val­ley by Yasha Levine; Pub­lic Affairs Books [HC]; Copy­right 2018 by Yasha Levine; ISBN 978–1‑61039–802‑2; pp. 257—260.

. . . . The Tor project remained the best-known pri­va­cy app fund­ed by the Open Tech­nol­o­gy Fund, but it was quick­ly joined by anoth­er: Sig­nal, an encrypt­ed mobile phone mes­sag­ing app for the iPhone and Android.

Sig­nal was devel­oped by Open Whis­per Sys­tems, a for-prof­it cor­po­ra­tion run by Mox­ie Mar­lin­spike, a tall lanky cryp­tog­ra­ph­er with a head full of dread­locks. Mar­lin­spike was an old friend of Jacob Appel­baum, and he played a sim­i­lar rad­i­cal game. He remained cryp­tic about his real name and iden­ti­ty, told sto­ries of being tar­get­ed by the FBI, and spent his free time sail­ing and surf­ing in Hawaii. He had made a good chunk of mon­ey sell­ing his encryp­tion start-up and had worked with the State Depart­ment on Inter­net Free­dom projects since 2011, but he posed as a feisty anar­chist fight­ing the sys­tem. His per­son­al web­site was called thoughtcrime.org—a ref­er­ence to George Orwell’s 1984, which seemed a bit tongue-in-cheek giv­en that he was tak­ing big money—nearly $3 million—from Big Broth­er to devel­op his pri­va­cy app.

Sig­nal was a huge suc­cess. Jour­nal­ists, pri­va­cy activists, and cryp­tog­ra­phers hailed Sig­nal as an indis­pens­able Inter­net pri­va­cy tool. It was a com­ple­ment to Tor in the age of mobile phones. While Tor anonymized brows­ing, Sig­nal encrypt­ed voice calls and text, mak­ing it impos­si­ble for gov­ern­ments to mon­i­tor com­mu­ni­ca­tion. Lau­ra Poitras gave it two secure thumbs up as a pow­er­ful peo­ple’s encryp­tion tool and told every­one to use it every day. Peo­ple at the ACLU claimed that Sig­nal made fed­er­al agents weep. The Elec­tron­ic Fron­tier Foun­da­tion added Sig­nal along­side Tor to its Sur­veil­lance Self-Defense guide. Fight for the Future, a Sil­i­con Val­ley-fund­ed pri­va­cy activist orga­ni­za­tion, described Sig­nal and Tor as “NSA-proof” and urged peo­ple to use them.

Edward Snow­den was the com­bo’s biggest and most famous boost­er and repeat­ed­ly took to Twit­ter to tell his three mil­lion fol­low­ers that he used Sig­nal and Tor every day, and that they should do the same to pro­tect them­selves from gov­ern­ment sur­veil­lance. “Use Tor, Use Sig­nal,” he tweet­ed out.

With endorse­ments like these, Sig­nal quick­ly became the go-to app for polit­i­cal activists around the world. Egypt, Rus­sia, Syr­ia, and even the Unit­ed States—millions down­loaded Sig­nal, and it became the com­mu­ni­ca­tion app of choice for those who hoped to avoid police sur­veil­lance. Fem­i­nist col­lec­tives, anti-Pres­i­dent Don­ald Trump pro­test­ers, com­mu­nists, anar­chists, rad­i­cal ani­mal rights orga­ni­za­tions, Black Lives Mat­ter activists—all flocked to Sig­nal. Many were heed­ing Snow­den’s advice: “Orga­nize. Com­part­men­tal­ize to lim­it com­pro­mise. Encrypt every­thing, from calls to texts (use Sig­nal as a first step.)”

Sil­i­con Val­ley cashed in on OTF’s inter­net Free­dom spend­ing as well. Face­book incor­po­rat­ed Sig­nal’s under­ly­ing encryp­tion pro­to­col into What­sApp, the most pop­u­lar mes­sag­ing app in the world. Google fol­lowed suit, build­ing Sig­nal’s Encryp­tion into its Allo and Duo text and video mes­sag­ing apps. It was a smart move because the praise flowed in. “Allo and Duo’s new secu­ri­ty fea­tures, in oth­er words, are Google’s baby steps towards a ful­ly-encrypt­ed future, into the sort of bold moves to ele­vate pri­va­cy above prof­it or pol­i­tics that some of its com­peti­tors have already tak­en,” wrote Wired’s Andy Green­berg. “But for a com­pa­ny to build on a data col­lec­tion mod­el that’s often fun­da­men­tal­ly opposed to pri­va­cy, baby steps are bet­ter than none at all.”

If you stepped back to sur­vey the scene, the entire land­scape of this new Inter­net Free­dom pri­va­cy move­ment looked absurd. Cold War-era orga­ni­za­tions spun off from the CIA now fund­ing the glob­al move­ment against gov­ern­ment sur­veil­lance? Google and Face­book, com­pa­nies that ran pri­vate sur­veil­lance net­works and worked hand in hand with the NSA, deploy­ing gov­ern­ment-fund­ed pri­va­cy tech to pro­tect their users from gov­ern­ment sur­veil­lance? Pri­va­cy activists work­ing with Sil­i­con Val­ley and the US gov­ern­ment to fight gov­ern­ment surveillance—and with the sup­port of Edward Snow­den him­self? . . . .

. . . . In any event, with sup­port from some­one as cel­e­brat­ed as Edward Snow­den, few had any rea­son to ques­tion why apps like Sig­nal and Tor exist­ed, or what larg­er pur­pose they served. It was eas­i­er and sim­pler to put your trust in app, and to believe in the idea that Amer­i­ca still had a healthy civ­il soci­ety, where peo­ple could come togeth­er to fund tools that coun­ter­vailed the sur­veil­lance pow­er of the state. That suit­ed the spon­sors of Inter­net Free­dom just fine.

After Edward Snow­den, OTF was tri­umphant. It did­n’t men­tion the leak­er by name in its pro­mo­tion­al mate­ri­als, but it prof­it­ed from the cryp­to cul­ture he pro­mot­ed and ben­e­fit­ed from his direct endorse­ment of the cryp­to tools it financed. It boast­ed that its part­ner­ship with both Sil­i­con Val­ley and respect­ed pri­va­cy activists meant that hun­dreds of mil­lions of peo­ple could use the pri­va­cy tools the US gov­ern­ment had brought to mar­ket. And OTF promised that this was just a start: “By lever­ag­ing social net­work effects, we expect to expand to a bil­lion reg­u­lar users tak­ing advan­tage of OTF-sup­port­ed tools and Inter­net Free­dom tech­nolo­gies by 2015. . . .”

3. As even­tu­al­ly became clear, the Tor net­work was eas­i­ly breached. It is a safe bet that the fas­cists grouped around the Pirate Bay site (on which Wik­iLeaks held forth), had breached Tor’s “secre­cy,” in addi­tion to the obvi­ous fact that intel­li­gence ser­vices could pen­e­trate it at will.

With this in mind, John Young’s rumi­na­tion about Wik­iLeaks sound more and more sub­stan­tive.

In all prob­a­bil­i­ty, Wik­iLeaks was a huge data min­ing oper­a­tion both by the very intel­li­gence agen­cies who were osten­si­bly tar­get­ed by Wik­iLeaks, and the Fas­cist Inter­na­tion­al net­work around Carl Lund­strom, Daniel Friberg, David Duke et al.

Sur­veil­lance Val­ley by Yasha Levine; Pub­lic Affairs Books [HC]; Copy­right 2018 by Yasha Levine; ISBN 978–1‑61039–802‑2; pp. 263–265.

. . . . Work­ing under a Pen­ta­gon con­tract, researchers [at Carnegie Mel­lon Uni­ver­si­ty in Penn­syl­va­nia] had fig­ured out a cheap and easy way to crack Tor’s super-secure net­work with just $3,000.00 worth of equip­ment. . . .

. . . . He [Din­gle­dine] accused Carnegie Mel­lon researchers of vio­lat­ing  aca­d­e­m­ic stan­dards for eth­i­cal research by work­ing with law enforce­ment. He then announced that the Tor Project would pub­lish guide­lines for peo­ple who might want to hack or crack Tor for “aca­d­e­m­ic” and “inde­pen­dent research” pur­pos­es in the future but do so in an eth­i­cal man­ner by first obtain­ing con­sent of the peo­ple who were being hacked. . . .

. . . . If it was so frail that it need­ed aca­d­e­m­ic researchers to abide by an eth­i­cal hon­or code to avoid deanonymiz­ing users with­out their con­sent, how could it hold up to the FBI or NSA or the scores of for­eign intel­li­gence agen­cies from Rus­sia to Chi­na to Aus­tralia that might want to punch through its anonymi­ty sys­tems?

In 2015, when I first read these state­ments from the Tor Project, I was shocked. This was noth­ing less than a veiled admis­sion that Tor was use­less at guar­an­tee­ing anonymi­ty and that it required attack­ers to behave “eth­i­cal­ly” in order for it to remain secure. . . .

4. In FTR #‘s 756 and 831 we not­ed Snow­den’s fas­cist views and con­nec­tions. Levine mere­ly char­ac­ter­izes him as a “right-wing lib­er­tar­i­an,” but there is MUCH MORE TO IT THAN  THAT!

Sur­veil­lance Val­ley by Yasha Levine; Pub­lic Affairs Books [HC]; Copy­right 2018 by Yasha Levine; ISBN 978–1‑61039–802‑2; pp. 196–197.

. . . . There he came out as a right-wing lib­er­tar­i­an: he hat­ed the New Deal, want­ed to shrink the gov­ern­ment to the size of a peanut, and believed the state had no right to con­trol the mon­ey sup­ply. He pre­ferred the gold stan­dard. He mocked old peo­ple for need­ing old-age pen­sions. “Some­how, our soci­ety man­aged to make it hun­dreds of years with­out social secu­ri­ty just fine,” he wrote on the forum. “Mag­i­cal­ly the world changed after the new deal, and old peo­ple became made of glass.” He called peo­ple who defend­ed Amer­i­ca’s Social Secu­ri­ty sys­tem “fuck­ing retards.” . . . .

5. Snow­den down­played the fun­da­men­tal role of the Big Tech firms in aid­ing and abet­ting gov­ern­ment sur­veil­lance, in addi­tion to their own mas­sive sur­veil­lance and resul­tant data min­ing. ” . . . . There, while liv­ing under state pro­tec­tion at an undis­closed loca­tion in Moscow, he swept Sil­i­con Val­ley’s role in Inter­net sur­veil­lance under the rug. Asked about it by Wash­ing­ton Post reporter Bar­ton Gell­man, who had first report­ed on the NSA’s PRISM pro­gram, Snow­den shrugged off the dan­ger posed by com­pa­nies like Google and Face­book. The rea­son? Because pri­vate com­pa­nies do not have the pow­er to arrest, jail, or kill peo­ple. ‘Twit­ter does­n’t put war­heads on fore­heads,’ he joked. . . .”

Sur­veil­lance Val­ley by Yasha Levine; Pub­lic Affairs Books [HC]; Copy­right 2018 by Yasha Levine; ISBN 978–1‑61039–802‑2; pp. 199–200.

. . . . There, while liv­ing under state pro­tec­tion at an undis­closed loca­tion in Moscow, he swept Sil­i­con Val­ley’s role in Inter­net sur­veil­lance under the rug. Asked about it by Wash­ing­ton Post reporter Bar­ton Gell­man, who had first report­ed on the NSA’s PRISM pro­gram, Snow­den shrugged off the dan­ger posed by com­pa­nies like Google and Face­book. The rea­son? Because pri­vate com­pa­nies do not have the pow­er to arrest, jail, or kill peo­ple. “Twit­ter does­n’t put war­heads on fore­heads,” he joked. . . .

. . . . Snow­den’s views on pri­vate sur­veil­lance were sim­plis­tic, but they seemed to be in line with his pol­i­tics. He was a lib­er­tar­i­an and believed the utopi­an promise of com­put­er net­works. He believed that the Inter­net was an inher­ent­ly lib­er­at­ing tech­nol­o­gy that, if left alone, would evolve into a force of good in the world. The prob­lem was­n’t Sil­i­con Val­ley; it was gov­ern­ment pow­er. To him, cyn­i­cal intel­li­gence agen­cies like the NSA had warped the utopi­an promise of the Inter­net, turn­ing it into a dystopia where spies tracked our every move and record­ed every­thing we said. He believed the gov­ern­ment was the cen­tral prob­lem and dis­trust­ed leg­isla­tive or polit­i­cal solu­tions to curb sur­veil­lance, which would only involve the gov­ern­ment even more. As it so hap­pened, his line of think­ing tracked per­fect­ly with the antigov­ern­ment pri­va­cy ini­tia­tives that Inter­net com­pa­nies like Google and Face­book had start­ed push­ing to deflect atten­tion from their pri­vate sur­veil­lance prac­tices. . . .

6. Embody­ing his “cor­po­ratist” and Tech­no­crat­ic Fas­cist point of view, Snow­den cham­pi­oned the Big Tech firms as bul­warks against gov­ern­ment Inter­net sur­veil­lance, despite the only-too-obvi­ous fact (rein­forced by the doc­u­ments he leaked) that Big Tech is–and always has been–in bed with, and active­ly col­lab­o­rat­ing with, the very gov­ern­ment intel­li­gence agen­cies con­duct­ing that sur­veil­lance: ” . . . . The only islands of safe­ty were the pri­vate data cen­ters con­trolled by pri­vate companies—Google, Apple, Face­book. These were the cyber-fortress­es and walled cities that offered sanc­tu­ary to the mass­es. In this chaot­ic land­scape, com­put­er engi­neers and cryp­tog­ra­phers played the role of self­less gal­lop­ing knights and wiz­ard-war­riors whose job was to pro­tect the weak folk of the Inter­net: the young, the old and infirm, fam­i­lies. It was their duty to ride out, weapons aloft, and con­vey peo­ple and their pre­cious data safe­ly from fortress to fortress, not let­ting any of the infor­ma­tion fall into the hands of gov­ern­ment spies. He called on them to start a peo­ple’s pri­va­cy war, ral­ly­ing them to go forth and lib­er­ate the Inter­net, to reclaim it from the gov­ern­ments of the world. . . .”

  Sur­veil­lance Val­ley by Yasha Levine; Pub­lic Affairs Books [HC]; Copy­right 2018 by Yasha Levine; ISBN 978–1‑61039–802‑2; pp. 207–208.

. . . . Snow­den por­trayed the Inter­net as a scary and vio­lent place, a cyber-medieval land­scape filled with roam­ing gov­ern­ment ban­dits, hos­tile armies, and boo­by traps. It was a place where reg­u­lar peo­ple were always at risk. The only islands of safe­ty were the pri­vate data cen­ters con­trolled by pri­vate companies—Google, Apple, Face­book. These were the cyber-fortress­es and walled cities that offered sanc­tu­ary to the mass­es. In this chaot­ic land­scape, com­put­er engi­neers and cryp­tog­ra­phers played the role of self­less gal­lop­ing knights and wiz­ard-war­riors whose job was to pro­tect the weak folk of the Inter­net: the young, the old and infirm, fam­i­lies. It was their duty to ride out, weapons aloft, and con­vey peo­ple and their pre­cious data safe­ly from fortress to fortress, not let­ting any of the infor­ma­tion fall into the hands of gov­ern­ment spies. He called on them to start a peo­ple’s pri­va­cy war, ral­ly­ing them to go forth and lib­er­ate the Inter­net, to reclaim it from the gov­ern­ments of the world. . . .

. . . . Snow­den’s dis­re­gard for polit­i­cal solu­tions and his total trust in the abil­i­ty of tech­nol­o­gy to solve com­plex social prob­lems was­n’t sur­pris­ing. He was sim­ply reaf­firm­ing what he had told jour­nal­ists back in 2013: “Let us speak no more of faith in man, but bind him down from mis­chief by chains of cryp­tog­ra­phy.” . . .

7. The nau­se­at­ing head of Facebook–Mark Zuckerberg–has decried the intel­li­gence com­mu­ni­ty’s use of the Inter­net for data min­ing. In FTR #1077, we high­light­ed the Cam­bridge Ana­lyt­i­ca affair, and Face­book’s full coop­er­a­tion with that project at every turn.

Oth­er Big Tech firms had sim­i­lar reac­tions. “. . . . . ‘We had­n’t even heard of PRISM before yes­ter­day,’ Mark Zucker­berg wrote in a Face­book post. He blamed the gov­ern­ment and posi­tioned Face­book as a vic­tim. “I’ve called Pres­i­dent Oba­ma to express my frus­tra­tion over the dam­age the gov­ern­ment is cre­at­ing for all of our future. Unfor­tu­nate­ly, it seems like it will take a very long time for true full reform.’ Apple,  Microsoft, Google, and Yahoo! All react­ed in much the same way, deny­ing the alle­ga­tions and paint­ing them­selves as the vic­tims of gov­ern­ment over­reach. ‘It’s tremen­dous­ly dis­ap­point­ing that the gov­ern­ment sort of secret­ly did all this stuff and did­n’t tell us. We can’t have a democ­ra­cy if we’re hav­ing to pro­tect you and our users from the gov­ern­ment,’ Lar­ry Page told Char­lie Rose in an inter­view on CBS. . . . .”

Sur­veil­lance Val­ley by Yasha Levine; Pub­lic Affairs Books [HC]; Copy­right 2018 by Yasha Levine; ISBN 978–1‑61039–802‑2; pp. 194–195.

. . . . You did­n’t have to be a tech expert to see that the gov­ern­ment sur­veil­lance on the Inter­net sim­ply could not exist with­out the pri­vate infra­struc­ture and con­sumer ser­vices pro­vid­ed by Sil­i­con Val­ley. Com­pa­nies like Google, Face­book, Yahoo!, eBay and Apple did all the heavy lift­ing: they built the plat­forms that drew in bil­lions of users and col­lect­ed a bog­gling amount of data about them. All that the NSA had to do to get at the data was con­nect a few wires, which the agency did with full coop­er­a­tion and total dis­cre­tion from the com­pa­nies them­selves. . . . .

. . . . . “We had­n’t even heard of PRISM before yes­ter­day,” Mark Zucker­berg wrote in a Face­book post. He blamed the gov­ern­ment and posi­tioned Face­book as a vic­tim. “I’ve called Pres­i­dent Oba­ma to express my frus­tra­tion over the dam­age the gov­ern­ment is cre­at­ing for all of our future. Unfor­tu­nate­ly, it seems like it will take a very long time for true full reform.” Apple,  Microsoft, Google, and Yahoo! All react­ed in much the same way, deny­ing the alle­ga­tions and paint­ing them­selves as the vic­tims of gov­ern­ment over­reach. “It’s tremen­dous­ly dis­ap­point­ing that the gov­ern­ment sort of secret­ly did all this stuff and did­n’t tell us. We can’t have a democ­ra­cy if we’re hav­ing to pro­tect you and our users from the gov­ern­ment,” Lar­ry Page told Char­lie Rose in an inter­view on CBS. . . . .

8. We present the con­clu­sion of the main part of the book, with Levine’s sum­ma­tion of the inex­tri­ca­ble nature and sym­bio­sis between the Inter­net, the tech firms and the so-called “pri­va­cy com­mu­ni­ty.”

The key points of dis­cus­sion and analy­sis of Levine’s book (as a whole) include:

  1. The Inter­net is a weapon, devel­oped for counter-insur­gency pur­pos­es.
  2. Big Tech firms net­work with the very intel­li­gence ser­vices they pub­licly decry.
  3. Big Tech firms that data mine their cus­tomers on a near­ly unimag­in­able scale do so as a direct, oper­a­tional exten­sion of the very sur­veil­lance func­tion upon which  the Inter­net is pred­i­cat­ed.
  4. The tech­nolo­gies tout­ed by the so-called “Pri­va­cy Activists” such as Edward Snow­den and Jacob Apple­baum were devel­oped by the very intel­li­gence ser­vices they are sup­posed to deflect.
  5. The tech­nolo­gies tout­ed by the so-called “Pri­va­cy Activists” such as Edward Snow­den and Jacob Applebaum–such as the Tor Inter­net func­tion and the Sig­nal mobile phone app– are read­i­ly acces­si­ble to the very intel­li­gence ser­vices they are sup­posed to deflect.
  6. The orga­ni­za­tions that pro­mote the alleged virtues of Snow­den, Apple­baum, Tor, Sig­nal et al are linked to the very intel­li­gence ser­vices they would have us believe they oppose.
  7. Big Tech firms embrace “Inter­net Free­dom” as a dis­trac­tion from their own will­ful and all-embrac­ing data min­ing and their ongo­ing con­scious col­lab­o­ra­tion with the very intel­li­gence ser­vices they pub­licly decry.

NB: Mr. Levine does not go into the fascis­tic char­ac­ter of Snow­den, Assange, Green­wald et al. Some of those shows: Green­wald–FTR #888, Snow­den–FTR #‘s 756, 831, Assange and Wik­iLeaks–FTR #‘s 732, 745, 755, 917.

Sur­veil­lance Val­ley by Yasha Levine; Pub­lic Affairs Books [HC]; Copy­right 2018 by Yasha Levine; ISBN 978–1‑61039–802‑2; pp. 266–269.

. . . . Then there was the fact that Sig­nal ran on Ama­zon’s servers, which meant that all its data were avail­able to a part­ner in the NSA’s PRISM sur­veil­lance pro­gram. Equal­ly prob­lem­at­ic, Sig­nal need­ed Apple and Google to install and run the app on peo­ple’s mobile phones. Both com­pa­nies were, and as far as we know still are, part­ners in PRISM as well. “Google usu­al­ly has root access to the phone, there’s the issue of integri­ty,” writes Sander Ven­e­ma, a respect­ed devel­op­er and secure—technology train­er, in a blog post explain­ing why he no longer rec­om­mends peo­ple use Sig­nal for encrypt­ed chat. “Google is still coop­er­at­ing with the NSA and oth­er intel­li­gence agen­cies. PRISM is also still a thing. I’m pret­ty sure that Google could serve a spe­cial­ly mod­i­fied update or ver­sion of Sig­nal to a spe­cif­ic tar­get for sur­veil­lance, and they would be none the wis­er that they installed mal­ware on their phones.”

Equal­ly weird was the way the app was designed to make it easy for any­one mon­i­tor­ing Inter­net traf­fic to flag peo­ple using Sig­nal to com­mu­ni­cate. All that the FBI or, say, Egypt­ian or Russ­ian secu­ri­ty ser­vices had  to do was watch for the mobile phones that pinged a par­tic­u­lar Ama­zon serv­er used by Sig­nal, and it was triv­ial to iso­late activists from the gen­er­al smart­phone pop­u­la­tion. So, although the app encrypt­ed the con­tent of peo­ple’s mes­sages, it also marked them with a flash­ing red sign: “Fol­low Me, I Have Some­thing to Hide.” (Indeed, activists protest­ing at the Demo­c­ra­t­ic Nation­al Con­ven­tion in Philadel­phia in 2016 told me that they were bewil­dered by the fact that police seemed to know and antic­i­pate their every move despite their hav­ing used Sig­nal to orga­nize.

Debate about Sig­nal’s tech­ni­cal design was moot any­way. Snow­den’s leaks showed that the NSA had devel­oped tools that could grab every­thing peo­ple did on their smart­phones, which pre­sum­ably includ­ed text and received by Sig­nal. In ear­ly March, 2017, Wik­iLeaks pub­lished a cache of CIA hack­ing tools that con­firmed the inevitable. The agency worked with the NSA as well as oth­er “cyber arms con­trac­tors” to devel­op hack­ing tools that tar­get­ed smart­phones, allow­ing it to bypass the encryp­tion of Sig­nal and any oth­er encrypt­ed chat apps, includ­ing Face­book’s What­sApp. “The CIA’s Mobile Devices Branch (MDB) devel­oped numer­ous attacks to remote­ly hack and con­trol pop­u­lar smart phones. Infect­ed phones can be instruct­ed to send the CIA the user’s geolo­ca­tion, audio and text com­mu­ni­ca­tions as well as covert­ly acti­vate the phone’s cam­era and micro­phone,” explained a Wik­iLeaks press release. “These tech­niques per­mit the CIA to bypass the encryp­tion of What­sApp, Sig­nal, Telegram, Wiebo, Con­fide and Cloack­man by hack­ing the ‘smart’ phones that they run on and col­lect­ing audio and mes­sage traf­fic before encryp­tion is applied.”

Dis­clo­sure of these hack­ing tools showed that, in the end, Sig­nal’s encryp­tion did­n’t real­ly mat­ter, not when the CIA and NSA owned the under­ly­ing oper­at­ing sys­tem and could grab what­ev­er they want­ed before encryp­tion or obfus­ca­tion algo­rithms were applied. The flaw went beyond Sig­nal and applied to every type of encryp­tion tech­nol­o­gy on every type of con­sumer com­put­er sys­tem. . . .

. . . . Con­vo­lut­ed as the sto­ry may be, US gov­ern­ment sup­port for Inter­net Free­dom and its under­writ­ing of cryp­to cul­ture makes per­fect sense. The Inter­net came out of a 1960s mil­i­tary project to devel­op an infor­ma­tion weapon. It was born out of a need to quick­ly com­mu­ni­cate, process data, and con­trol a chaot­ic world. Today, the net­work is more than a weapon; it is also a field of bat­tle, a place where vital mil­i­tary and intel­li­gence oper­a­tions take place. Geopo­lit­i­cal strug­gle has moved online, and Inter­net Free­dom is a weapon in that fight.

If you take a big-pic­ture view, Sil­i­con Valley’s sup­port for Inter­net Free­dom makes sense as well. Com­pa­nies like Google and Face­book first sup­port­ed it as a part of a geopo­lit­i­cal busi­ness strat­e­gy, a way of sub­tly pres­sur­ing coun­tries that closed their net­works and mar­kets to West­ern tech­nol­o­gy com­pa­nies. But after Edward Snowden’s rev­e­la­tions exposed the industry’s ram­pant pri­vate sur­veil­lance prac­tices to the pub­lic, Inter­net Free­dom offered anoth­er pow­er­ful ben­e­fit.

For years, pub­lic opin­ion has been stacked firm­ly against Sil­i­con Valley’s under­ly­ing busi­ness mod­el. In poll, after poll, a major­i­ty of Amer­i­cans have voiced their oppo­si­tion to cor­po­rate sur­veil­lance and have sig­naled sup­port for increased reg­u­la­tion of the indus­try. This has always been a deal break­er for Sil­i­con Val­ley. For many Inter­net com­pa­nies, includ­ing Google and Face­book, sur­veil­lance is the busi­ness mod­el. It is the base on which their cor­po­rate and eco­nom­ic pow­er rests. Dis­en­tan­gle sur­veil­lance and prof­it, and these com­pa­nies would col­lapse. Lim­it data col­lec­tion, and the com­pa­nies would see investors flee and their stock prices plum­met. [Ital­ics are mine–D.E.]

Sil­i­con Val­ley fears a polit­i­cal solu­tion to pri­va­cy. Inter­net Free­dom and cryp­to offer an accept­able alter­na­tive. Tools like Sig­nal and Tor pro­vide a false solu­tion to the pri­va­cy prob­lem, focus­ing people’s atten­tion on gov­ern­ment sur­veil­lance and dis­tract­ing them from the pri­vate spy­ing car­ried out by the Inter­net com­pa­nies they use every day. All the while, cryp­to tools give peo­ple a [false] sense that they’re doing some­thing to pro­tect them­selves, a feel­ing of per­son­al empow­er­ment and con­trol. And all those cryp­to rad­i­cals? Well, they just enhance the illu­sion, height­en­ing the impres­sion of risk and dan­ger. With Sig­nal or Tor installed, using an iPhone or Android sud­den­ly becomes edgy and rad­i­cal. So instead of push­ing for polit­i­cal and demo­c­ra­t­ic solu­tions to sur­veil­lance, we out­source our pri­va­cy pol­i­tics to cryp­to apps–software made by the very same pow­er­ful enti­ties that these apps are sup­posed to pro­tect us from.

In that sense, Edward Snow­den is like the brand­ed face of an Inter­net con­sumerism-as-rebel­lion lifestyle cam­paign, like the old Apple ad about shat­ter­ing Big Broth­er or the Nike spot set to the Bea­t­les’ “Rev­o­lu­tion.” While Inter­net bil­lion­aires like Lar­ry Page, Sergey Brin, and Mark Zucker­berg slam gov­ern­ment sur­veil­lance, talk up free­dom, and embrace Snow­den and cryp­to pri­va­cy cul­ture, their com­pa­nies still cut deals with the Pen­ta­gon, work with the NSA and CIA, [and com­pa­nies like Cam­bridge Analytica–D.E.] and con­tin­ue to track and pro­file peo­ple for prof­it. It is the same old split-screen mar­ket­ing trick: the pub­lic brand­ing and the behind-the-scenes real­i­ty.

Inter­net Free­dom is a win-win for every­one involved–everyone except reg­u­lar users, who trust their pri­va­cy to dou­ble-deal­ing mil­i­tary con­trac­tors, while pow­er­ful Sur­veil­lance Val­ley cor­po­ra­tions con­tin­ue to build out the old mil­i­tary cyber­net­ic dream of a world where every­one is watched, pre­dict­ed, and con­trolled. . . .

Discussion

3 comments for “FTR #1080 Surveillance Valley, Part 6: Double Agents, Part 2 (Foxes Guarding the Online Privacy Henhouse, Part 3)”

  1. This next arti­cle based on a for­mer Apple sub­con­trac­tor who exposed the pri­va­cy abus­es that are going on with smart­phones. He announced this in a let­ter sent to Euro­pean data pro­tec­tion reg­u­la­tors. He revealed that peo­ple who use Siri would have it acti­vat­ed with­out their per­mis­sion or knowl­edge. It was used to record con­ver­sa­tions and all back­ground infor­ma­tion with who­ev­er was present. This was done with­out the user hav­ing acti­vat­ed Siri or autho­rized this to be done. The infor­ma­tion was tran­scribed. The laws on the books in the EU are not being enforced. He men­tioned that he lis­tened to hun­dreds of con­ver­sa­tions per day and this was done by his col­leagues.

    He also said that the com­pe­ti­tions activ­i­ties were worse because Apple did not link the infor­ma­tion to a spe­cif­ic account, while their com­pe­ti­tion did.

    Apple whistle­blow­er goes pub­lic over ‘lack of action’
    Thomas le Bon­niec says firm vio­lat­ing rights and con­tin­ues mas­sive col­lec­tion of data
    Alex Hern
    @alexhern
    The Guardian, U.K.
    Wed 20 May 2020 00.00 EDT
    Last mod­i­fied on Wed 20 May 2020 00.03 EDT

    A for­mer Apple con­trac­tor who helped blow the whis­tle on the
    company’s pro­gramme to lis­ten to users’ Siri record­ings has decid­ed to go pub­lic, in protest at the lack of action tak­en as a result of the dis­clo­sures.

    In a let­ter announc­ing his deci­sion, sent to all Euro­pean data pro­tec­tion reg­u­la­tors, Thomas le Bon­niec said: “It is wor­ry­ing that Apple (and undoubt­ed­ly not just Apple) keeps ignor­ing and vio­lat­ing fun­da­men­tal rights and con­tin­ues their mas­sive col­lec­tion of data.

    “I am extreme­ly con­cerned that big tech com­pa­nies are basi­cal­ly wire­tap­ping entire pop­u­la­tions despite Euro­pean cit­i­zens being told the EU has one of the strongest data pro­tec­tion laws in the world. Pass­ing a law is not good enough: it needs to be enforced upon pri­va­cy offend­ers.”

    Le Bon­niec, 25, worked as a sub­con­trac­tor for Apple in its Cork offices, tran­scrib­ing user requests in Eng­lish and French, until he quit in the sum­mer of 2019 due to eth­i­cal con­cerns with the work. “They do oper­ate on a moral and legal grey area,” he told the Guardian at the time, “and they have been doing this for years on a mas­sive scale. They should be called out in every pos­si­ble way.”

    Fol­low­ing the rev­e­la­tions of Le Bon­niec and his col­leagues, Apple promised sweep­ing changes to its “grad­ing” pro­gram, which involved thou­sands of con­trac­tors lis­ten­ing to record­ings made, both acci­den­tal­ly and delib­er­ate­ly, using Siri. The com­pa­ny apol­o­gised, brought the work in-house, and promised that it would only grade record­ings from users who had explic­it­ly opt­ed-in to the prac­tice.

    “We realise we have not been ful­ly liv­ing up to our high ideals,” the com­pa­ny said in a state­ment in August. It even­tu­al­ly released a soft­ware update in late Octo­ber that allowed users to opt-in or out of their voice record­ings being used to “improve Siri dic­ta­tion”, and to choose to delete the record­ings that Apple had stored. The com­pa­ny also empha­sised that, unlike its com­pe­ti­tion, Siri record­ings are nev­er linked to a spe­cif­ic Apple account.

    But, Le Bon­niec argues, the com­pa­ny nev­er real­ly faced the con­se­quences for its years-long pro­gramme in the first place.

    “I lis­tened to hun­dreds of record­ings every day, from var­i­ous Apple devices (eg. iPhones, Apple Watch­es, or iPads). These record­ings were often tak­en out­side of any acti­va­tion of Siri, eg in the con­text of an actu­al inten­tion from the user to acti­vate it for a request. These pro­cess­ings were made with­out users being aware of it, and were gath­ered into datasets to cor­rect the tran­scrip­tion of the record­ing made by the device,” he said.

    “The record­ings were not lim­it­ed to the users of Apple devices, but also involved rel­a­tives, chil­dren, friends, col­leagues, and who­ev­er could be record­ed by the device. The sys­tem record­ed every­thing: names, address­es, mes­sages, search­es, argu­ments, back­ground nois­es, films, and con­ver­sa­tions. I heard peo­ple talk­ing about their can­cer, refer­ring to dead rel­a­tives, reli­gion, sex­u­al­i­ty, pornog­ra­phy, pol­i­tics, school, rela­tion­ships, or drugs with no inten­tion to acti­vate Siri what­so­ev­er.

    “These prac­tices are clear­ly at odds with the company’s ‘pri­va­cy-dri­ven’ poli­cies and should be urgent­ly inves­ti­gat­ed by data pro­tec­tion author­i­ties and Pri­va­cy watch­dogs. With the cur­rent state­ment, I want to bring this issue to your atten­tion, and also offer my coop­er­a­tion to pro­vide any ele­ment sub­stan­ti­at­ing these facts. Although this case has already gone pub­lic, Apple has not been sub­ject to any kind of inves­ti­ga­tion to the best of my knowl­edge.”

    https://www.theguardian.com/technology/2020/may/20/apple-whistleblower-goes-public-over-lack-of-action?CMP=Share_iOSApp_Other

    Posted by Mary Benton | May 23, 2020, 12:36 pm
  2. A Pen­ta­gon-relat­ed inter­net mys­tery was revealed last week. It was the kind of reveal that that answered one mys­tery but cre­at­ed a much larg­er mys­tery in the process. A much larg­er mys­tery that includes the mys­tery of why this whole thing was­n’t more mys­te­ri­ous:

    First, here’s an excerpt from an AP arti­cle last week that revealed some infor­ma­tion about a mys­tery that erupt­ed on Inau­gu­ra­tion Day, Jan­u­ary 20: A Flori­da-based com­pa­ny, Glob­al Resource Sys­tems LLC, announced that it was now man­ag­ing a pre­vi­ous­ly idle chunk of the inter­net ‘address space’ (like IP address­es) owned by the US Depart­ment of Defense. About 175 mil­lion inter­net address­es in total, which is about 1/25th (~4%) of the size of the cur­rent inter­net and more inter­net space than Chi­na Tele­com, AT&T or Com­cast. The announce­ment imme­di­ate­ly cre­at­ed the mys­tery of why exact­ly this seem­ing­ly ran­dom com­pa­ny — with no his­to­ry of gov­ern­ment con­tracts — was cho­sen for this job. And more gen­er­al­ly, the mys­tery of what it was that the Pen­ta­gon wants Glob­al Resource Sys­tems to do with all this address space.

    The mys­tery was solved some­what last week when the Pen­ta­gon pro­vid­ed a brief expla­na­tion for what it has in mind for the com­pa­ny. The Pen­ta­gon hopes to “assess, eval­u­ate and pre­vent unau­tho­rized use of DoD IP address space,” accord­ing to the state­ment. It’s a plau­si­ble agen­da item for the Pen­ta­gon since address-space squat­ting is a real issue.

    But the announced expla­na­tion of the Pen­tagon’s intent for this project still does­n’t explain why Glob­al Resource Sys­tems was cho­sen for this job. It’s not just that Glob­al Resource Sys­tems has no track record for this kind of gov­ern­ment work. It turns out the only per­son pub­licly asso­ci­at­ed with the com­pa­ny in the Flori­da busi­ness reg­istry, Ray­mond Sauli­no, does have a his­to­ry of gov­ern­ment con­tract­ing work and it’s a rather inter­est­ing his­to­ry. The kind of inter­est­ing his­to­ry that gives us some clues about the nature of the actu­al work Glob­al Resource Sys­tems will be involved with while man­ag­ing this chunk of the inter­net address space.

    For starters, Sauli­no’s name showed in in 2018 in Neva­da cor­po­rate records as a man­ag­ing mem­ber of a cybersecurity/internet sur­veil­lance equip­ment com­pa­ny called Pack­et Foren­sics. Pack­et Foren­sics had near­ly $40 mil­lion in pub­licly dis­closed fed­er­al con­tracts over the past decade, includ­ing with the FBI and the Pentagon’s Defense Advanced Research Projects Agency (DARPA). So while Glob­al Resource Sys­tems has no his­to­ry of gov­ern­ment con­tract­ing, Sauli­no appears to have quite a bit of expe­ri­ence.

    In 2011, Pack­et Foren­sics and Sauli­no were fea­tured in a Wired sto­ry because the com­pa­ny was sell­ing an appli­ance to gov­ern­ment agen­cies and law enforce­ment that let them spy on people’s web brows­ing using forged secu­ri­ty cer­tifi­cates. So Sauli­no appears to have expe­ri­ence with gov­ern­ment con­tract­ing involv­ing tech­nol­o­gy that allows for web brows­ing spy­ing. That’s the lone per­son pub­licly list­ed in rela­tion to Glob­al Resource Sys­tems, which is rather odd when you think about it. When a long­time col­league at Pack­et Foren­sics, Rod­ney Joffe, was con­tact­ed about Sauli­no, Joffe said he believed Sauli­no was retired. Joffe is chief tech­ni­cal offi­cer at Neustar Inc., which pro­vides inter­net intel­li­gence and ser­vices for major indus­tries.

    It also turns out that Pack­et Foren­sics con­tin­ues to sell “law­ful inter­cept” equip­ment and cur­rent­ly has a DARPA con­tract. That con­tract is described as “har­ness­ing auton­o­my for coun­ter­ing cyber-adver­sary sys­tems.” Con­tract descrip­tion says the project involves inves­ti­gat­ing “tech­nolo­gies for con­duct­ing safe, nondis­rup­tive, and effec­tive active defense oper­a­tions in cyber­space,” than that pro­gram would “inves­ti­gate the fea­si­bil­i­ty of cre­at­ing safe and reli­able autonomous soft­ware agen­cies that can effec­tive­ly counter mali­cious bot­net implants and sim­i­lar large-scale mal­ware.”

    You read that cor­rect­ly: autonomous soft­ware agen­cies that can counter bot­nets and large-scale mal­ware. That’s what Pack­et Foren­sics was con­tract­ed to devel­op for DARPA. It’s a rather intrigu­ing descrip­tion. After all, what exact­ly is that? It’s kind of vague. But as we’ll see, it sure sounds like the idea is to lit­er­al­ly cre­ate antivirus soft­ware that will prop­a­gate itself.
    Now, on the one hand, if you’re deal­ing with a bot­net of mal­ware-infect­ed com­put­ers scat­tered across the inter­net, antivirus soft­ware that can prop­a­gate itself across that mal­ware net­work does make a cer­tain kind of log­i­cal sense. It’s just...well, now you’re antivirus soft­ware is act­ing like a virus It would have to prop­a­gate itself across com­put­ers with­out ask­ing for per­mis­sion first. That’s a virus. A the­o­ret­i­cal­ly benign virus, in this case although the def­i­n­i­tion of ‘benign’ is obvi­ous­ly a mat­ter of inter­pre­ta­tion.

    So the only thing was know about Glob­al Resource Sys­tems is the name a sin­gle guy, Ray­mond Sauli­no. Sauli­no brings us to Pack­et Foren­sics, which recent­ly got a DARPA con­tract to cre­ate virus-like autonomous antivirus soft­ware. Is this the nature of Glob­al Resource Sys­tem­s’s work for the Pen­ta­gon? Devel­op­ing and/or deploy­ing autonomous antivirus soft­ware? Keep in mind that any unau­tho­rized com­put­ers oper­at­ing in the inter­net address space man­aged by Glob­al Resource Sys­tems are tech­ni­cal­ly break­ing the rules of the inter­net. Might that cre­ate a legal loop­hole to allow for the deploy­ment of ‘autonomous soft­ware agen­cies’ on those com­put­ers?

    But the selec­tion of Glob­al Resource Sys­tems for this project gets odd­er: the name is iden­ti­cal to a com­pa­ny pre­vi­ous­ly sued for unfair busi­ness prac­tices in 2006 over mass email spam­ming and was shut down over a decade ago. And both the old and cur­rent incar­na­tions of Glob­al Resource Sys­tems have the same street address. So if Glob­al Resource Sys­tems was set up to be an innocu­ous ran­dom com­pa­ny that does­n’t draw a lot of atten­tion it was pret­ty weird to give it the same name and address of a com­pa­ny charged with unfair busi­ness prac­tices. But that’s what hap­pened for mys­te­ri­ous rea­sons:

    Asso­ci­at­ed Press

    The big Pen­ta­gon inter­net mys­tery now par­tial­ly solved

    By FRANK BAJAK
    April 25, 2021

    BOSTON (AP) — A very strange thing hap­pened on the inter­net the day Pres­i­dent Joe Biden was sworn in. A shad­owy com­pa­ny resid­ing at a shared work­space above a Flori­da bank announced to the world’s com­put­er net­works that it was now man­ag­ing a colos­sal, pre­vi­ous­ly idle chunk of the inter­net owned by the U.S. Depart­ment of Defense.

    That real estate has since more than quadru­pled to 175 mil­lion address­es — about 1/25th the size of the cur­rent inter­net.

    ”It is mas­sive. That is the biggest thing in the his­to­ry of the inter­net,” said Doug Mado­ry, direc­tor of inter­net analy­sis at Ken­tik, a net­work oper­at­ing com­pa­ny. It’s also more than twice the size of the inter­net space actu­al­ly used by the Pen­ta­gon.

    After weeks of won­der by the net­work­ing com­mu­ni­ty, the Pen­ta­gon has now pro­vid­ed a very terse expla­na­tion for what it’s doing. But it has not answered many basic ques­tions, begin­ning with why it chose to entrust man­age­ment of the address space to a com­pa­ny that seems not to have exist­ed until Sep­tem­ber.

    The mil­i­tary hopes to “assess, eval­u­ate and pre­vent unau­tho­rized use of DoD IP address space,” said a state­ment issued Fri­day by Brett Gold­stein, chief of the Pentagon’s Defense Dig­i­tal Ser­vice, which is run­ning the project. It also hopes to “iden­ti­fy poten­tial vul­ner­a­bil­i­ties” as part of efforts to defend against cyber-intru­sions by glob­al adver­saries, who are con­sis­tent­ly infil­trat­ing U.S. net­works, some­times oper­at­ing from unused inter­net address blocks.

    The state­ment did not spec­i­fy whether the “pilot project” would involve out­side con­trac­tors.

    The Pen­ta­gon peri­od­i­cal­ly con­tends with unau­tho­rized squat­ting on its space, in part because there has been a short­age of first-gen­er­a­tion inter­net address­es since 2011; they now sell at auc­tion for upwards of $25 each.

    Mado­ry said adver­tis­ing the address space will make it eas­i­er to chase off squat­ters and allow the U.S. mil­i­tary to “col­lect a mas­sive amount of back­ground inter­net traf­fic for threat intel­li­gence.”

    Some cyber­se­cu­ri­ty experts have spec­u­lat­ed that the Pen­ta­gon may be using the new­ly adver­tised space to cre­ate “hon­ey­pots,” machines set up with vul­ner­a­bil­i­ties to draw hack­ers. Or it could be look­ing to set up ded­i­cat­ed infra­struc­ture — soft­ware and servers — to scour traf­fic for sus­pect activ­i­ty.

    “This great­ly increas­es the space they could mon­i­tor,” said Mado­ry, who pub­lished a blog post on the mat­ter Sat­ur­day.

    What a Pen­ta­gon spokesman could not explain Sat­ur­day is why the Defense Depart­ment chose Glob­al Resource Sys­tems LLC, a com­pa­ny with no record of gov­ern­ment con­tracts, to man­age the address space.

    “As to why the DoD would have done that I’m a lit­tle mys­ti­fied, same as you,” said Paul Vix­ie, an inter­net pio­neer cred­it­ed with design­ing its nam­ing sys­tem and the CEO of Far­sight Secu­ri­ty.

    The com­pa­ny did not return phone calls or emails from The Asso­ci­at­ed Press. It has no web pres­ence, though it has the domain grscorp.com. Its name doesn’t appear on the direc­to­ry of its Plan­ta­tion, Flori­da, domi­cile, and a recep­tion­ist drew a blank when an AP reporter asked for a com­pa­ny rep­re­sen­ta­tive at the office ear­li­er this month. She found its name on a ten­ant list and sug­gest­ed try­ing email. Records show the com­pa­ny has not obtained a busi­ness license in Plan­ta­tion.

    Incor­po­rat­ed in Delaware and reg­is­tered by a Bev­er­ly Hills lawyer, Glob­al Resource Sys­tems LLC now man­ages more inter­net space than Chi­na Tele­com, AT&T or Com­cast.

    The only name asso­ci­at­ed with it on the Flori­da busi­ness reg­istry coin­cides with that of a man list­ed as recent­ly as 2018 in Neva­da cor­po­rate records as a man­ag­ing mem­ber of a cybersecurity/internet sur­veil­lance equip­ment com­pa­ny called Pack­et Foren­sics. The com­pa­ny had near­ly $40 mil­lion in pub­licly dis­closed fed­er­al con­tracts over the past decade, with the FBI and the Pentagon’s Defense Advanced Research Projects Agency among its cus­tomers.

    That man, Ray­mond Sauli­no, is also list­ed as a prin­ci­pal in a com­pa­ny called Tide­wa­ter Laskin Asso­ciates, which was incor­po­rat­ed in 2018 and obtained an FCC license in April 2020. It shares the same Vir­ginia Beach, Vir­ginia, address — a UPS store — in cor­po­rate records as Pack­et Foren­sics. The two have dif­fer­ent mail­box num­bers. Calls to the num­ber list­ed on the Tide­wa­ter Laskin FCC fil­ing are answered by an auto­mat­ed ser­vice that offers four dif­fer­ent options but doesn’t con­nect callers with a sin­gle one, recy­cling all calls to the ini­tial voice record­ing.

    Sauli­no did not return phone calls seek­ing com­ment, and a long­time col­league at Pack­et Foren­sics, Rod­ney Joffe, said he believed Sauli­no was retired. Joffe, a cyber­se­cu­ri­ty lumi­nary, declined fur­ther com­ment. Joffe is chief tech­ni­cal offi­cer at Neustar Inc., which pro­vides inter­net intel­li­gence and ser­vices for major indus­tries, includ­ing telecom­mu­ni­ca­tions and defense.

    In 2011, Pack­et Foren­sics and Sauli­no, its spokesman, were fea­tured in a Wired sto­ry because the com­pa­ny was sell­ing an appli­ance to gov­ern­ment agen­cies and law enforce­ment that let them spy on people’s web brows­ing using forged secu­ri­ty cer­tifi­cates.

    The com­pa­ny con­tin­ues to sell “law­ful inter­cept” equip­ment, accord­ing to its web­site. One of its cur­rent con­tracts with the Defense Advanced Research Projects Agency is for “har­ness­ing auton­o­my for coun­ter­ing cyber-adver­sary sys­tems.” A con­tract descrip­tion says it is inves­ti­gat­ing “tech­nolo­gies for con­duct­ing safe, nondis­rup­tive, and effec­tive active defense oper­a­tions in cyber­space.” Con­tract lan­guage from 2019 says the pro­gram would “inves­ti­gate the fea­si­bil­i­ty of cre­at­ing safe and reli­able autonomous soft­ware agen­cies that can effec­tive­ly counter mali­cious bot­net implants and sim­i­lar large-scale mal­ware.”

    Deep­en­ing the mys­tery is Glob­al Resource Sys­tems’ name. It is iden­ti­cal to that of a firm that inde­pen­dent inter­net fraud researcher Ron Guil­mette says was send­ing out email spam using the very same inter­net rout­ing iden­ti­fi­er. It shut down more than a decade ago. All that dif­fers is the type of com­pa­ny. This one’s a lim­it­ed lia­bil­i­ty cor­po­ra­tion. The oth­er was a cor­po­ra­tion. Both used the same street address in Plan­ta­tion, a sub­urb of Fort Laud­erdale.

    “It’s deeply sus­pi­cious,” said Guil­mette, who unsuc­cess­ful­ly sued the pre­vi­ous incar­na­tion of Glob­al Resource Sys­tems in 2006 for unfair busi­ness prac­tices. Guil­mette con­sid­ers such mas­querad­ing, known as slip-stream­ing, a ham-hand­ed tac­tic in this sit­u­a­tion. “If they want­ed to be more seri­ous about hid­ing this they could have not used Ray Sauli­no and this sus­pi­cious name.”

    Guil­mette and Mado­ry were alert­ed to the mys­tery when net­work oper­a­tors began inquir­ing about it on an email list in mid-March. But almost every­one involved didn’t want to talk about it. Mike Leber, who owns Hur­ri­cane Elec­tric, the inter­net back­bone com­pa­ny han­dling the address blocks’ traf­fic, didn’t return emails or phone mes­sages.

    ...

    ———-

    “The big Pen­ta­gon inter­net mys­tery now par­tial­ly solved” by FRANK BAJAK; Asso­ci­at­ed Press; 04/25/2021

    “The mil­i­tary hopes to “assess, eval­u­ate and pre­vent unau­tho­rized use of DoD IP address space,” said a state­ment issued Fri­day by Brett Gold­stein, chief of the Pentagon’s Defense Dig­i­tal Ser­vice, which is run­ning the project. It also hopes to “iden­ti­fy poten­tial vul­ner­a­bil­i­ties” as part of efforts to defend against cyber-intru­sions by glob­al adver­saries, who are con­sis­tent­ly infil­trat­ing U.S. net­works, some­times oper­at­ing from unused inter­net address blocks.”

    Is the Pen­ta­gon mere­ly hir­ing Glob­al Resource Sys­tems to “assess, eval­u­ate and pre­vent unau­tho­rized use of DoD IP address space” and “iden­ti­fy poten­tial vul­ner­a­bil­i­ties”? Per­haps, but that’s the kind of descrip­tion that could include a lot of dif­fer­ent activ­i­ty. Activ­i­ty that could prob­a­bly include the DARPA con­tract for Ray­mond Sauli­no’s Pack­et Foren­sics to “inves­ti­gate the fea­si­bil­i­ty of cre­at­ing safe and reli­able autonomous soft­ware agen­cies that can effec­tive­ly counter mali­cious bot­net implants and sim­i­lar large-scale mal­ware”:

    ...
    What a Pen­ta­gon spokesman could not explain Sat­ur­day is why the Defense Depart­ment chose Glob­al Resource Sys­tems LLC, a com­pa­ny with no record of gov­ern­ment con­tracts, to man­age the address space.

    ...

    The only name asso­ci­at­ed with it on the Flori­da busi­ness reg­istry coin­cides with that of a man list­ed as recent­ly as 2018 in Neva­da cor­po­rate records as a man­ag­ing mem­ber of a cybersecurity/internet sur­veil­lance equip­ment com­pa­ny called Pack­et Foren­sics. The com­pa­ny had near­ly $40 mil­lion in pub­licly dis­closed fed­er­al con­tracts over the past decade, with the FBI and the Pentagon’s Defense Advanced Research Projects Agency among its cus­tomers.

    That man, Ray­mond Sauli­no, is also list­ed as a prin­ci­pal in a com­pa­ny called Tide­wa­ter Laskin Asso­ciates, which was incor­po­rat­ed in 2018 and obtained an FCC license in April 2020. It shares the same Vir­ginia Beach, Vir­ginia, address — a UPS store — in cor­po­rate records as Pack­et Foren­sics. The two have dif­fer­ent mail­box num­bers. Calls to the num­ber list­ed on the Tide­wa­ter Laskin FCC fil­ing are answered by an auto­mat­ed ser­vice that offers four dif­fer­ent options but doesn’t con­nect callers with a sin­gle one, recy­cling all calls to the ini­tial voice record­ing.

    Sauli­no did not return phone calls seek­ing com­ment, and a long­time col­league at Pack­et Foren­sics, Rod­ney Joffe, said he believed Sauli­no was retired. Joffe, a cyber­se­cu­ri­ty lumi­nary, declined fur­ther com­ment. Joffe is chief tech­ni­cal offi­cer at Neustar Inc., which pro­vides inter­net intel­li­gence and ser­vices for major indus­tries, includ­ing telecom­mu­ni­ca­tions and defense.

    In 2011, Pack­et Foren­sics and Sauli­no, its spokesman, were fea­tured in a Wired sto­ry because the com­pa­ny was sell­ing an appli­ance to gov­ern­ment agen­cies and law enforce­ment that let them spy on people’s web brows­ing using forged secu­ri­ty cer­tifi­cates.

    The com­pa­ny con­tin­ues to sell “law­ful inter­cept” equip­ment, accord­ing to its web­site. One of its cur­rent con­tracts with the Defense Advanced Research Projects Agency is for “har­ness­ing auton­o­my for coun­ter­ing cyber-adver­sary sys­tems.” A con­tract descrip­tion says it is inves­ti­gat­ing “tech­nolo­gies for con­duct­ing safe, nondis­rup­tive, and effec­tive active defense oper­a­tions in cyber­space.” Con­tract lan­guage from 2019 says the pro­gram would “inves­ti­gate the fea­si­bil­i­ty of cre­at­ing safe and reli­able autonomous soft­ware agen­cies that can effec­tive­ly counter mali­cious bot­net implants and sim­i­lar large-scale mal­ware.”
    ...

    And then there’s the mys­tery of why Glob­al Resource Sys­tems was giv­en the name and address of a com­pa­ny charged with unfair busi­ness prac­tices. It’s like they were try­ing to cre­ate a ker­fuf­fle. Or just got real­ly lazy:

    ...
    Deep­en­ing the mys­tery is Glob­al Resource Sys­tems’ name. It is iden­ti­cal to that of a firm that inde­pen­dent inter­net fraud researcher Ron Guil­mette says was send­ing out email spam using the very same inter­net rout­ing iden­ti­fi­er. It shut down more than a decade ago. All that dif­fers is the type of com­pa­ny. This one’s a lim­it­ed lia­bil­i­ty cor­po­ra­tion. The oth­er was a cor­po­ra­tion. Both used the same street address in Plan­ta­tion, a sub­urb of Fort Laud­erdale.

    “It’s deeply sus­pi­cious,” said Guil­mette, who unsuc­cess­ful­ly sued the pre­vi­ous incar­na­tion of Glob­al Resource Sys­tems in 2006 for unfair busi­ness prac­tices. Guil­mette con­sid­ers such mas­querad­ing, known as slip-stream­ing, a ham-hand­ed tac­tic in this sit­u­a­tion. “If they want­ed to be more seri­ous about hid­ing this they could have not used Ray Sauli­no and this sus­pi­cious name.”

    Guil­mette and Mado­ry were alert­ed to the mys­tery when net­work oper­a­tors began inquir­ing about it on an email list in mid-March. But almost every­one involved didn’t want to talk about it. Mike Leber, who owns Hur­ri­cane Elec­tric, the inter­net back­bone com­pa­ny han­dling the address blocks’ traf­fic, didn’t return emails or phone mes­sages.
    ...

    And that’s why we can only report that this mys­tery has been par­tial­ly solved. We know at least have an offi­cial expla­na­tion from the Pen­ta­gon. An offi­cial expla­na­tion that does­n’t actu­al­ly explain what it is that Glob­al Resource Sys­tems is going to be work­ing on or why it was hired in the first place. But at least we have enough clues now to get a vague idea of what Glob­al Resource Sys­tems might be work­ing on: autonomous (viral) antivi­ral soft­ware. It’s a fas­ci­nat­ing con­cept and obvi­ous­ly a poten­tial pri­va­cy night­mare. After all, once you start going down the path of autonomous antivirus soft­ware that can prop­a­gate itself from com­put­er to com­put­er, you’re just one step removed from autonomous antivirus soft­ware that can pre­emp­tive­ly prop­a­gate itself from com­put­er to com­put­er with­out ask­ing. Might that be what Glob­al Resource Sys­tems is actu­al­ly work­ing on? Well, if so, it’s worth not­ing that the Snow­den doc­u­ments actu­al­ly talked about devel­op­ing exact­ly that kind of tech­nol­o­gy:

    The Verge

    Leaked Snow­den doc­u­ments detail NSA’s plans for ‘mil­lions’ of mal­ware attacks

    By Adi Robert­son
    Mar 12, 2014, 10:36am EDT

    Over the past months, leaked doc­u­ments from the NSA, GCHQ, and oth­er agen­cies have shed light on efforts to dra­mat­i­cal­ly scale the process of putting mal­ware on tar­gets’ com­put­ers. At The Inter­cept, Glenn Green­wald and Ryan Gal­lagher have pub­lished more details about how these pro­grams work, and what tools oper­a­tives use to com­pro­mise secu­ri­ty — whether that’s by hack­ing routers or imper­son­at­ing Face­book. A pro­gram known as TURBINE, first revealed last year, is meant to dra­mat­i­cal­ly speed the process: one doc­u­ment says it will “allow the cur­rent implant net­work to scale to large size (mil­lions of implants) by cre­at­ing a sys­tem that does auto­mat­ed con­trol implants by groups instead of indi­vid­u­al­ly.

    The group behind TURBINE, known as the NSA’s Tai­lored Access Oper­a­tions (TAO) divi­sion, gath­ers infor­ma­tion on spe­cif­ic tar­gets, but Green­wald and secu­ri­ty experts wor­ry that a large, auto­mat­ed sys­tem makes the sur­veil­lance process too pain­less and open to abuse. The scal­ing process, accord­ing to Green­wald, start­ed in 2004, when the NSA oper­at­ed only 100 to 150 soft­ware implants. The num­ber of implants used in the years between 2010 to 2012, by con­trast, is described as num­ber­ing in the tens of thou­sands. The doc­u­ments revealed in this report appear to be most­ly from 2009.

    ...

    ———–

    “Leaked Snow­den doc­u­ments detail NSA’s plans for ‘mil­lions’ of mal­ware attacks” by Adi Robert­son; The Verge; 03/12/2014

    “...A pro­gram known as TURBINE, first revealed last year, is meant to dra­mat­i­cal­ly speed the process: one doc­u­ment says it will “allow the cur­rent implant net­work to scale to large size (mil­lions of implants) by cre­at­ing a sys­tem that does auto­mat­ed con­trol implants by groups instead of indi­vid­u­al­ly.””

    Large scale implants of mal­ware via auto­mat­ed con­trol implants. That sure sounds like the basis for the cre­ation of “safe and reli­able autonomous soft­ware agen­cies that can effec­tive­ly counter mali­cious bot­net implants and sim­i­lar large-scale mal­ware.” Is Glob­al Resource Sys­tems devel­op­ing an off­shoot of project TURBINE? It sure sounds plau­si­ble based on what we’ve been told (and haven’t been told). There’s clear­ly an inter­est in this tech­nol­o­gy. For exam­ple, here’s an announce­ment from 2018 about DARPA con­tracts for the Har­ness­ing Auton­o­my for Coun­ter­ing Cyber-adver­sary Sys­tems (HACCS) pro­gram. What does the HACCS pro­gram devel­op? Accord­ing to the announce­ment, the pro­gram would seek “the abil­i­ty to find and elim­i­nate sophis­ti­cat­ed cyber secu­ri­ty threats in a scal­able, time­ly, safe, and reli­able man­ner, while main­tain­ing pri­va­cy and oth­er legal safe­guards — even if the own­ers of bot­net-con­script­ed net­works are unaware of the infec­tion and are not par­tic­i­pat­ing in neu­tral­iza­tion.In oth­er words, it was a DARPA pro­gram on how to devel­op a legal antivi­ral virus:

    Mil­i­tary & Aero­space Elec­tron­ics

    DARPA hires two trust­ed com­put­ing com­pa­nies to devise cyber secu­ri­ty for net­work bot­net attacks

    ARLINGTON, Va. – U.S. mil­i­tary trust­ed com­put­ing researchers are look­ing to two U.S. cyber secu­ri­ty com­pa­nies to find ways to iden­ti­fy and elim­i­nate bot­net, large-scale mal­ware, and oth­er cyber secu­ri­ty threats from com­pro­mised mil­i­tary devices and net­works.

    John Keller
    Apr 6th, 2018

    ARLINGTON, Va. – U.S. mil­i­tary trust­ed com­put­ing researchers are look­ing to two U.S. cyber secu­ri­ty com­pa­nies to find ways to iden­ti­fy and elim­i­nate bot­net, large-scale mal­ware, and oth­er cyber secu­ri­ty threats from com­pro­mised mil­i­tary devices and net­works.

    Offi­cials of the U.S. Defense Advanced Research Projects Agency (DARPA) this week announced con­tracts to Sotera Defense Solu­tions Inc. in Hern­don, Va., and to Aarno Labs LLC in Cam­bridge, Mass., for the Har­ness­ing Auton­o­my for Coun­ter­ing Cyber-adver­sary Sys­tems (HACCS) pro­gram.

    HACCS seeks the abil­i­ty to find and elim­i­nate sophis­ti­cat­ed cyber secu­ri­ty threats in a scal­able, time­ly, safe, and reli­able man­ner, while main­tain­ing pri­va­cy and oth­er legal safe­guards — even if the own­ers of bot­net-con­script­ed net­works are unaware of the infec­tion and are not par­tic­i­pat­ing in neu­tral­iza­tion.

    Sotera won a $7.3 DARPA HACCS con­tract on Thurs­day, and Aarno Labs won a $6.5 mil­lion HACCS con­tract on Mon­day. In the HACCS pro­gram, Sotera and Aarno Labs will inves­ti­gate cre­at­ing safe and reli­able autonomous agents to counter var­i­ous types of mali­cious bot­net implants and sim­i­lar large-scale mal­ware.

    The com­pa­nies will devel­op the tech­niques and soft­ware nec­es­sary to mea­sure the accu­ra­cy of iden­ti­fy­ing bot­net-infect­ed net­works, the accu­ra­cy of iden­ti­fy­ing the type of devices resid­ing in a net­work, and the sta­bil­i­ty of poten­tial access vec­tors.

    Sotera and Aarno Labs also will mea­sure the effec­tive­ness of deny­ing, degrad­ing, and dis­rupt­ing bot­nets and indi­vid­ual bot­net implants with­out affect­ing the sys­tems and net­works where they reside.

    Mali­cious actors can pen­e­trate and use with impuni­ty large num­bers of devices owned and oper­at­ed by third par­ties, DARPA offi­cials say. Such col­lec­tions of com­pro­mised devices, com­mon­ly referred to as bot­nets, are used for crim­i­nal, espi­onage, and com­put­er net­work attack pur­pos­es — some­times all three.

    Recent exam­ples of bot­nets and self-prop­a­gat­ing mal­code include Mirai, Hid­den Cobra, Wan­naCry, and Petya/NotPetya. The scale of their poten­tial and actu­al­ized effects make such mal­ware a nation­al secu­ri­ty threat. Yet improv­ing the secu­ri­ty pos­ture of U.S. mil­i­tary net­works alone is insuf­fi­cient to counter such threats, DARPA offi­cials say. Cur­rent inci­dent response meth­ods are too resource- and time-con­sum­ing to address the prob­lem at scale.

    Active defense meth­ods are insuf­fi­cient­ly pre­cise and pre­dictable in their behav­ior, pos­ing a risk that the “fix” may cause pro­cess­ing issues or oth­er side effects. This is where the HACCS pro­gram comes in.

    HACCS con­trac­tors Sotera and Aarno Labs will iden­ti­fy and fin­ger­print not only bot­net-con­script­ed net­works to deter­mine the pres­ence of bot­net implants, but also the num­ber and types of devices present on said net­works, and the soft­ware ser­vices run­ning on these devices.

    The com­pa­nies will gen­er­ate non-dis­rup­tive soft­ware exploits for many known vul­ner­a­bil­i­ties that could estab­lish ini­tial pres­ence in each bot­net-con­script­ed net­work with­out affect­ing legit­i­mate sys­tem func­tion­al­i­ty.

    In addi­tion, the com­pa­nies will cre­ate soft­ware agents that autonomous­ly nav­i­gate with­in bot­net-con­script­ed net­works, iden­ti­fy bot­net implants, and neu­tral­ize them or oth­er­wise cur­tail their abil­i­ty to oper­ate, while min­i­miz­ing net­work side effects.

    ...

    ———–

    “DARPA hires two trust­ed com­put­ing com­pa­nies to devise cyber secu­ri­ty for net­work bot­net attacks” by John Keller; Mil­i­tary & Aero­space Elec­tron­ics; 04/06/2018

    “HACCS seeks the abil­i­ty to find and elim­i­nate sophis­ti­cat­ed cyber secu­ri­ty threats in a scal­able, time­ly, safe, and reli­able man­ner, while main­tain­ing pri­va­cy and oth­er legal safe­guards — even if the own­ers of bot­net-con­script­ed net­works are unaware of the infec­tion and are not par­tic­i­pat­ing in neu­tral­iza­tion.

    This sure sounds a lot like the Pack­et Foren­sics DARPA con­tract. But with more details. Details like the fact that this autonomous soft­ware is intend­ed to be run on the com­put­ers of unwit­ting bot­net vic­tims with­out them being aware any of this is hap­pen­ing. And note the lan­guage used to describe how this autonomous antivirus soft­ware will be deployed: non-dis­rup­tive soft­ware exploits for many known vul­ner­a­bil­i­ties will be used to estab­lish the ini­tial pres­ence on the bot­net-infect­ed net­work (where the soft­ware will pro­ceed to cat­a­logue all the devices on the net­work and what soft­ware its run­ning). In oth­er words, they’re going to hack into these already-hacked net­works. All very inno­cent­ly and benign­ly, of course. It’s a remind­ing that the con­cept of the autonomous antivirus virus a includes the idea that this autonomous soft­ware has robust built-in hack­ing capa­bil­i­ties. Oth­er­wise how is it sup­posed to prop­a­gate itself oth­er­wise?

    ...
    Active defense meth­ods are insuf­fi­cient­ly pre­cise and pre­dictable in their behav­ior, pos­ing a risk that the “fix” may cause pro­cess­ing issues or oth­er side effects. This is where the HACCS pro­gram comes in.

    HACCS con­trac­tors Sotera and Aarno Labs will iden­ti­fy and fin­ger­print not only bot­net-con­script­ed net­works to deter­mine the pres­ence of bot­net implants, but also the num­ber and types of devices present on said net­works, and the soft­ware ser­vices run­ning on these devices.

    The com­pa­nies will gen­er­ate non-dis­rup­tive soft­ware exploits for many known vul­ner­a­bil­i­ties that could estab­lish ini­tial pres­ence in each bot­net-con­script­ed net­work with­out affect­ing legit­i­mate sys­tem func­tion­al­i­ty.

    In addi­tion, the com­pa­nies will cre­ate soft­ware agents that autonomous­ly nav­i­gate with­in bot­net-con­script­ed net­works, iden­ti­fy bot­net implants, and neu­tral­ize them or oth­er­wise cur­tail their abil­i­ty to oper­ate, while min­i­miz­ing net­work side effects.
    ...

    Is this the future of the bat­tle against virus­es? Keep in mind that this is all kind of the log­i­cal end of the cur­rent dig­i­tal pri­va­cy conun­drum: hav­ing the NSA pre­emp­tive­ly infect every­one’s com­put­ers with autonomous net­works of antivirus virus­es locked in a per­pet­u­al bat­tle with all the oth­er virus­es. A log­i­cal end that basi­cal­ly includes the end of what­ev­er sem­blance of dig­i­tal pri­va­cy that remains. It’s not a great thought but let’s not pre­tend there are easy answers here.

    So we’ll see how well cre­at­ing autonomous super-hack­er soft­ware enti­ties that can auto-hack their way across the inter­net turns out. Autonomous super-hack­er soft­ware autonomous­ly work­ing for the greater good, so there should prob­a­bly be noth­ing to wor­ry about. That’s how these things work, right?

    Posted by Pterrafractyl | May 1, 2021, 4:24 pm
  3. Data pri­va­cy night­mares are noth­ing new. But that does­n’t mean we can’t put new twists on that now endem­ic real­i­ty. Which brings us to the fol­low­ing recent NY Times report on a part of dai­ly life that is increas­ing­ly filled with seri­ous pri­va­cy risks. Risks that go beyond just the ram­pant col­lec­tion and sell­ing of per­son­al data:

    As we’ve seen, mod­ern cars — con­nect­ed to the inter­net and bristling with cam­eras, micro­phones, and oth­er sen­sors — have because pri­va­cy night­mares for con­sumers over the last decade. The kind of con­sumer pri­va­cy night­mare that has cor­po­ra­tions fight­ing over own ‘owns’ all that data, result­ing in fights between data giants like Google and Apple and car man­u­fac­tur­ers over who ‘owns’ the data gen­er­at­ed by these inter­net con­nect­ed cars. Also recall how there’s there’s extra ambi­gu­i­ty about who ‘owns’ the data when it comes to rental cars. Is it the car man­u­fac­tur­er or rental fleet own­er who can access that data? Audi was even devel­op­ing a sys­tem of “deep learn­ing” that mon­i­tored dri­ver vital signs.

    These kinds of risks have been known about for years now. The prob­lem is that noth­ing has been done about them and now those risks appear to be worse than ever. For starters, cars are eas­i­er than ever to remote­ly oper­ate, includ­ing with smart­phone apps that allow own­ers to do things like turn on the lights, turn the engine off and on, or even turn on the heating/cooling or seat warm­ers. Or track your car’s loca­tion. As the fol­low­ing NY Times report describes, these fea­tures can be a con­ve­nience for most own­ers, they can eas­i­ly turn into a night­mare espe­cial­ly for peo­ple in abu­sive rela­tion­ships who co-own their car with their abuser. There is noth­ing man­dat­ing that car man­u­fac­tur­ers have sys­tems in place to deal with sit­u­a­tions where one of those co-own­ers needs to have access cut off for anoth­er own, even when law enforce­ment gets involved. In fact, in one case, a woman who obtained a restrain­ing order against her hus­band was unsuc­cess­ful in her attempts to get her hus­band’s remote access to car revoked. The woman took Tel­sa to court but a judge ulti­mate­ly dis­missed Tes­la from the case on the basis that it would be “oner­ous” to expect car man­u­fac­tur­ers to deter­mine which claims of abuse were legit­i­mate.

    So what option to vic­tims in this sit­u­a­tion have? Sell­ing the vehi­cle. But even then, as we’re going to see, there’s a new pri­va­cy night­mare. It turns out inves­ti­ga­tions of shown the pre­vi­ous own­ers of vehi­cles can often still remote­ly access their vehi­cles long after they’ve sold them, and there does­n’t appear to be an reg­u­la­tions in place to deal with it.

    And then there’s the flip side to this risk to sell­ing a used vehi­cle: that when you sell you car there’s no law man­dat­ing that the per­son­al infor­ma­tion stored in that car is delet­ed. That’s all the respon­si­bil­i­ty of the own­er to take care of before the sale...assuming they have any idea this is a poten­tial issue. Beyond that, only one state, Maine, has laws allow­ing con­sumers to request per­son­al infor­ma­tion be delet­ed from vehi­cles pos­sess by insur­ance com­pa­nies while deal­ing with a claims report.

    Final­ly, as we’re also going to see, mod­ern cars were giv­en the award of worst pri­va­cy vio­la­tors among more than a dozen dif­fer­ent cat­e­gories of prod­ucts test­ed by the Mozil­la Foun­da­tion last year. 19 out of 25 man­u­fac­tur­ers admit to open­ly sell­ing the infor­ma­tion to data bro­kers that they col­lect on rid­ers. Some even sell infor­ma­tion they “infer” about you. Nis­san, for exam­ple, cre­ates pro­files “reflect­ing the consumer’s pref­er­ences, char­ac­ter­is­tics, psy­cho­log­i­cal trends, pre­dis­po­si­tions, behav­ior, atti­tudes, intel­li­gence, abil­i­ties, and apti­tudes.” And sell that pro­file data. Nis­san even admit­ted to col­lec­tion infor­ma­tion that includ­ed license num­bers, immi­gra­tion sta­tus, race, sex­u­al ori­en­ta­tion, sex­u­al activ­i­ty, and even health diag­noses. Intrigu­ing­ly, Nis­san was one of six man­u­fac­tur­ers who said they could col­lect “genet­ic infor­ma­tion” or “genet­ic char­ac­ter­is­tics.” It’s not clear how this infor­ma­tion is gath­ered, but it’s a sign of how exten­sive the col­lect­ing has become by 2024, with almost no con­sumer aware­ness of this hap­pen­ing at all.

    So whether you are buy­ing or sell­ing a car, watch out. Because that car is watch­ing you. Along with all the peo­ple and com­pa­nies watch­ing that car and every­thing that hap­pens inside it:

    The New York Times

    Your Car Is Track­ing You. Abu­sive Part­ners May Be, Too.

    Apps that remote­ly track and con­trol cars are being weaponized by abu­sive part­ners. Car man­u­fac­tur­ers have been slow to respond, accord­ing to vic­tims and experts.

    By Kash­mir Hill
    Dec. 31, 2023

    After almost 10 years of mar­riage, Chris­tine Dow­dall want­ed out. Her hus­band was no longer the charm­ing man she had fall­en in love with. He had become nar­cis­sis­tic, abu­sive and unfaith­ful, she said. After one of their fights turned vio­lent in Sep­tem­ber 2022, Ms. Dow­dall, a real estate agent, fled their home in Cov­ing­ton, La., dri­ving her Mer­cedes-Benz C300 sedan to her daughter’s house near Shreve­port, five hours away. She filed a domes­tic abuse report with the police two days lat­er.

    Her hus­band, a Drug Enforce­ment Admin­is­tra­tion agent, didn’t want to let her go. He called her repeat­ed­ly, she said, first plead­ing with her to return, and then threat­en­ing her. She stopped respond­ing to him, she said, even though he texted and called her hun­dreds of times.

    Ms. Dow­dall, 59, start­ed occa­sion­al­ly see­ing a strange new mes­sage on the dis­play in her Mer­cedes, about a loca­tion-based ser­vice called “mbrace.” The sec­ond time it hap­pened, she took a pho­to­graph and searched for the name online.

    ...

    “Mbrace” was part of “Mer­cedes me” — a suite of con­nect­ed ser­vices for the car, acces­si­ble via a smart­phone app. Ms. Dow­dall had only ever used the Mer­cedes Me app to make auto loan pay­ments. She hadn’t real­ized that the ser­vice could also be used to track the car’s loca­tion. One night, when she vis­it­ed a male friend’s home, her hus­band sent the man a mes­sage with a thumbs-up emo­ji. A near­by cam­era cap­tured his car dri­ving in the area, accord­ing to the detec­tive who worked on her case.

    Ms. Dow­dall called Mer­cedes cus­tomer ser­vice repeat­ed­ly to try to remove her husband’s dig­i­tal access to the car, but the loan and title were in his name, a deci­sion the cou­ple had made because he had a bet­ter cred­it score than hers. Even though she was mak­ing the pay­ments, had a restrain­ing order against her hus­band and had been grant­ed sole use of the car dur­ing divorce pro­ceed­ings, Mer­cedes rep­re­sen­ta­tives told her that her hus­band was the cus­tomer so he would be able to keep his access. There was no but­ton she could press to take away the app’s con­nec­tion to the vehi­cle.

    “This is not the first time that I’ve heard some­thing like this,” one of the rep­re­sen­ta­tives told Ms. Dow­dall.

    ...

    A car, to its dri­ver, can feel like a sanc­tu­ary. A place to sing favorite songs off key, to cry, to vent or to dri­ve some­where no one knows you’re going.

    But in truth, there are few places in our lives less pri­vate.

    Mod­ern cars have been called “smart­phones with wheels” because they are inter­net-con­nect­ed and have myr­i­ad meth­ods of data col­lec­tion, from cam­eras and seat weight sen­sors to records of how hard you brake and cor­ner. Most dri­vers don’t real­ize how much infor­ma­tion their cars are col­lect­ing and who has access to it, said Jen Cal­trid­er, a pri­va­cy researcher at Mozil­la who reviewed the pri­va­cy poli­cies of more than 25 car brands and found sur­pris­ing dis­clo­sures, such as Nis­san say­ing it might col­lect infor­ma­tion about “sex­u­al activ­i­ty.”

    “Peo­ple think their car is pri­vate,” Ms. Cal­trid­er said. “With a com­put­er, you know where the cam­era is and you can put tape over it. Once you’ve bought a car and you find it is bad at pri­va­cy, what are you sup­posed to do?”

    Pri­va­cy advo­cates are con­cerned by how car com­pa­nies are using and shar­ing con­sumers’ data — with insur­ance com­pa­nies, for exam­ple — and dri­vers’ inabil­i­ty to turn the data col­lec­tion off. California’s pri­va­cy reg­u­la­tor is inves­ti­gat­ing the auto indus­try.

    For car own­ers, the upside of this data-palooza has come in the form of smart­phone apps that allow them to check a car’s loca­tion when, say, they for­get where it is parked; to lock and unlock the vehi­cle remote­ly; and to turn it on or off. Some apps can even remote­ly set the car’s cli­mate con­trols, make the horn honk or turn on its lights. After set­ting up the app, the car’s own­er can grant access to a lim­it­ed num­ber of oth­er dri­vers.

    Domes­tic vio­lence experts say that these con­ve­nience fea­tures are being weaponized in abu­sive rela­tion­ships, and that car mak­ers have not been will­ing to assist vic­tims. This is par­tic­u­lar­ly com­pli­cat­ed when the vic­tim is a co-own­er of the car, or not named on the title.

    Detec­tive Kel­ly Downey of the Bossier Parish Sheriff’s Office, who inves­ti­gat­ed Ms. Dowdall’s hus­band for stalk­ing, also reached out to Mer­cedes more than a dozen times to no avail, she said. She had pre­vi­ous­ly dealt with anoth­er case of harass­ment via a con­nect­ed car app — a woman whose hus­band would turn on her Lexus while it sat in the garage in the mid­dle of the night. In that case, too, Detec­tive Downey was unable to get the car com­pa­ny to turn off the husband’s access; the vic­tim sold her car.

    “Auto­mo­bile man­u­fac­tur­ers have to cre­ate a way for us to stop it,” Detec­tive Downey said. “Tech­nol­o­gy may be our god­send, but it’s also very scary because it could hurt you.”

    Mer­cedes also failed to respond to a search war­rant, Detec­tive Downey said. She instead found evi­dence that the hus­band was using the Mer­cedes Me app by obtain­ing records of his inter­net activ­i­ty.

    Unable to get help from Mer­cedes, Ms. Dow­dall took her car to an inde­pen­dent mechan­ic this year and paid $400 to dis­able the remote track­ing. This also dis­abled the car’s nav­i­ga­tion sys­tem and its S.O.S. but­ton, a tool to get help in an emer­gency.

    ...

    Eva Galperin, an expert on tech-enabled domes­tic abuse at the dig­i­tal rights group Elec­tron­ic Fron­tier Foun­da­tion, said that she has seen anoth­er case of an abuser using a car app to track a victim’s move­ments, and that the vic­tim didn’t real­ize it because she “isn’t the one who has set it up.”

    “As far as I know, there are not any guides for how to lock your part­ner out of your car after you break up,” Ms. Galperin said.

    Con­trol­ling part­ners have tracked their vic­tims’ cars in the past using GPS devices and Apple AirTags, Ms. Galperin said, but con­nect­ed car apps offer new oppor­tu­ni­ties for harass­ment.

    A San Fran­cis­co man used his remote access to the Tes­la Mod­el X sport util­i­ty vehi­cle he co-owned with his wife to harass her after they sep­a­rat­ed, accord­ing to a law­suit she filed anony­mous­ly in San Fran­cis­co Supe­ri­or Court in 2020. (Reuters pre­vi­ous­ly report­ed on the case.)

    Accord­ing to a legal com­plaint against her hus­band and Tes­la, the car’s lights and horns were acti­vat­ed in a park­ing garage. On hot days, she would arrive at her car and dis­cov­er the heat was run­ning so that it was uncom­fort­ably hot, while on cold days, she would find that the air-con­di­tion­er had been acti­vat­ed from afar. Her hus­band, she said in court doc­u­ments, used the loca­tion-find­ing fea­ture on the Tes­la to iden­ti­fy her new res­i­dence, which she had hoped to keep secret from him.

    The woman, who obtained a restrain­ing order against her hus­band, con­tact­ed Tes­la numer­ous times to get her husband’s access to the car revoked — she includ­ed some of the emails in legal fil­ings — but was not suc­cess­ful.

    Tes­la did not respond to a request for com­ment. In legal fil­ings, Tes­la denied respon­si­bil­i­ty for the harass­ment; ques­tioned whether it had occurred, based on the husband’s denials; and raised ques­tions about the woman’s reli­a­bil­i­ty. (Some of what she claimed her hus­band had done, such as turn­ing on songs with dis­turb­ing lyrics while she was dri­ving, could not be done via the Tes­la app.)

    “Vir­tu­al­ly every major auto­mo­bile man­u­fac­tur­er offers a mobile app with sim­i­lar func­tions for their cus­tomers,” Tesla’s lawyers wrote in a legal fil­ing. “It is illog­i­cal and imprac­ti­cal to expect Tes­la to mon­i­tor every vehi­cle owner’s mobile app for mis­use.”

    A judge dis­missed Tes­la from the case, stat­ing that it would be “oner­ous” to expect car man­u­fac­tur­ers to deter­mine which claims of app abuse were legit­i­mate.

    Katie Ray-Jones, the chief exec­u­tive of the Nation­al Domes­tic Vio­lence Hot­line, said abu­sive part­ners used a wide vari­ety of inter­net-con­nect­ed devices — from lap­tops to smart home prod­ucts — to track and harass their vic­tims. Tech­nol­o­gy that keep tabs on a person’s move­ments is of par­tic­u­lar con­cern to domes­tic vio­lence shel­ters, she said, because they “try to keep the shel­ter loca­tion con­fi­den­tial.”

    As a pre­ven­ta­tive mea­sure, Ms. Ray-Jones encour­ages peo­ple in rela­tion­ships to have equal access to tech­nolo­gies used to con­trol their homes and belong­ings.

    ...

    Adam Dodge, a for­mer fam­i­ly law attor­ney turned dig­i­tal safe­ty train­er, called car app stalk­ing “a blind spot for vic­tims and automak­ers.”

    “Most vic­tims I’ve talked to are whol­ly unaware that the car they rely on is app-con­nect­ed in the first place,” he said. “They can’t address threats they don’t know are there.”

    As a pos­si­ble solu­tion to the prob­lem, he and oth­er domes­tic vio­lence experts point­ed to the Safe Con­nec­tions Act, a recent fed­er­al law that allows vic­tims of domes­tic abuse to eas­i­ly sev­er their phone from accounts shared with their abusers. A sim­i­lar law should extend to cars, Mr. Dodge said, allow­ing peo­ple with pro­tec­tive orders from a court to eas­i­ly cut off an abuser’s dig­i­tal access to their car.

    “Hav­ing access to a car for a vic­tim is a life­line,” he said. “No vic­tim should have to make the choice between being stalked by the car or hav­ing no car. But that’s the cross­roads many of them find them­selves at.”

    ———-

    “Your Car Is Track­ing You. Abu­sive Part­ners May Be, Too.” By Kash­mir Hill; The New York Times; 12/31/2023

    “Mod­ern cars have been called “smart­phones with wheels” because they are inter­net-con­nect­ed and have myr­i­ad meth­ods of data col­lec­tion, from cam­eras and seat weight sen­sors to records of how hard you brake and cor­ner. Most dri­vers don’t real­ize how much infor­ma­tion their cars are col­lect­ing and who has access to it, said Jen Cal­trid­er, a pri­va­cy researcher at Mozil­la who reviewed the pri­va­cy poli­cies of more than 25 car brands and found sur­pris­ing dis­clo­sures, such as Nis­san say­ing it might col­lect infor­ma­tion about “sex­u­al activ­i­ty.”

    Smart­phones on wheels. That’s one way of describ­ing mod­ern inter­net-con­nect­ed cars. Smart­phones on wheels that poten­tial­ly detect sex­u­al activ­i­ty, col­lect that info, and make it avail­able to who­ev­er has access. Includ­ing venge­ful exes. And as US law enforce­ment has found, these car man­u­fac­tur­ers aren’t exact­ly respon­sive when abus­es involv­ing these remote access fea­tures are report­ed. In fact, a judge even ruled that it would be too oner­ous for car man­u­fac­tur­ers to respond to cas­es like this. Car own­ers are on their own:

    ...
    Detec­tive Kel­ly Downey of the Bossier Parish Sheriff’s Office, who inves­ti­gat­ed Ms. Dowdall’s hus­band for stalk­ing, also reached out to Mer­cedes more than a dozen times to no avail, she said. She had pre­vi­ous­ly dealt with anoth­er case of harass­ment via a con­nect­ed car app — a woman whose hus­band would turn on her Lexus while it sat in the garage in the mid­dle of the night. In that case, too, Detec­tive Downey was unable to get the car com­pa­ny to turn off the husband’s access; the vic­tim sold her car.

    “Auto­mo­bile man­u­fac­tur­ers have to cre­ate a way for us to stop it,” Detec­tive Downey said. “Tech­nol­o­gy may be our god­send, but it’s also very scary because it could hurt you.”

    Mer­cedes also failed to respond to a search war­rant, Detec­tive Downey said. She instead found evi­dence that the hus­band was using the Mer­cedes Me app by obtain­ing records of his inter­net activ­i­ty.

    Unable to get help from Mer­cedes, Ms. Dow­dall took her car to an inde­pen­dent mechan­ic this year and paid $400 to dis­able the remote track­ing. This also dis­abled the car’s nav­i­ga­tion sys­tem and its S.O.S. but­ton, a tool to get help in an emer­gency.

    ...

    A San Fran­cis­co man used his remote access to the Tes­la Mod­el X sport util­i­ty vehi­cle he co-owned with his wife to harass her after they sep­a­rat­ed, accord­ing to a law­suit she filed anony­mous­ly in San Fran­cis­co Supe­ri­or Court in 2020. (Reuters pre­vi­ous­ly report­ed on the case.)

    Accord­ing to a legal com­plaint against her hus­band and Tes­la, the car’s lights and horns were acti­vat­ed in a park­ing garage. On hot days, she would arrive at her car and dis­cov­er the heat was run­ning so that it was uncom­fort­ably hot, while on cold days, she would find that the air-con­di­tion­er had been acti­vat­ed from afar. Her hus­band, she said in court doc­u­ments, used the loca­tion-find­ing fea­ture on the Tes­la to iden­ti­fy her new res­i­dence, which she had hoped to keep secret from him.

    The woman, who obtained a restrain­ing order against her hus­band, con­tact­ed Tes­la numer­ous times to get her husband’s access to the car revoked — she includ­ed some of the emails in legal fil­ings — but was not suc­cess­ful.

    Tes­la did not respond to a request for com­ment. In legal fil­ings, Tes­la denied respon­si­bil­i­ty for the harass­ment; ques­tioned whether it had occurred, based on the husband’s denials; and raised ques­tions about the woman’s reli­a­bil­i­ty. (Some of what she claimed her hus­band had done, such as turn­ing on songs with dis­turb­ing lyrics while she was dri­ving, could not be done via the Tes­la app.)

    “Vir­tu­al­ly every major auto­mo­bile man­u­fac­tur­er offers a mobile app with sim­i­lar func­tions for their cus­tomers,” Tesla’s lawyers wrote in a legal fil­ing. “It is illog­i­cal and imprac­ti­cal to expect Tes­la to mon­i­tor every vehi­cle owner’s mobile app for mis­use.”

    A judge dis­missed Tes­la from the case, stat­ing that it would be “oner­ous” to expect car man­u­fac­tur­ers to deter­mine which claims of app abuse were legit­i­mate.
    ...

    But, of course, it’s not just angry exes who pose a risk of mali­cious remote access. Any­one with remote access to your vehi­cle might use that pow­er for nefar­i­ous rea­sons, whether that involves harassing/stalking like behav­ior or just secret­ly col­lect­ing about where you are and any oth­er info col­lect­ed by the car. And that brings us to the fol­low­ing report from back in 2021 about a dis­cov­ery by a local inves­tiga­tive news team. A dis­cov­ery that was actu­al­ly brought to the CBS13 news team by some­one who dis­cov­ered he could still remote­ly access via a phone app his recent­ly sold 2020 Ford Escape months after the sale and trade in of the car. When the jour­nal­ists reached out to the car’s new own­er, they report­ed not even real­iz­ing such an app had been set up. As the report found, this isn’t a Ford prob­lem. It’s an indus­try-wide prob­lem, with no stan­dards in place for how to han­dle the process of keep­ing data safe when trans­fer­ring own­er­ship. Instead, it’s basi­cal­ly up to the con­sumers to be sure to wipe their cars before sell­ing them. And this isn’t just an issue when sell­ing vehi­cles. Insur­ance com­pa­nies in pos­ses­sion of a car while a report is being filed can poten­tial­ly access all of the info stored on a car too, and there’s no law man­dat­ing how this data is treat­ed:

    WGME

    Buy­ing a used car? The pre­vi­ous own­er may still be able to access app, con­trol it remote­ly

    by Maris­sa Bod­nar
    Wed, Novem­ber 10th 2021

    PORTLAND (WGME) — A lack of safe­guards in con­nect­ed cars may put con­sumers at risk, by allow­ing the pre­vi­ous own­er of a used vehi­cle to con­tin­ue access­ing the app and con­trol­ling the vehi­cle after it’s been sold or trad­ed in.

    Mike Hall of Wind­ham says he trad­ed in his 2020 Ford Escape in August, but as of late Octo­ber, he could still access the Ford­Pass app and con­trol the vehi­cle remote­ly.

    “I’m going to shut it off,” Hall said, after acci­den­tal­ly start­ing the car dur­ing our inter­view. “I hope I didn’t freak some­body out.”

    Hall con­tact­ed the CBS13 I‑Team, con­cerned the lack of secu­ri­ty might present a safe­ty risk to oth­ers.

    “I can see where the vehicle’s locat­ed. I can see tire pres­sure. I can see gas, how many miles it’s dri­ven,” Hall said. “I can also start and stop it and unlock it.”

    Using the app, Hall led the I‑Team to the SUV parked in Water­ville Val­ley, New Hamp­shire, and its new own­er, Shan­non Geher.

    Geher watched as Hall start­ed and unlocked her car all the way from Maine.

    “For­get about the gov­ern­ment watch­ing you,” Geher said.

    Geher says she didn’t even know the car had an app until the I‑Team showed up.

    ...

    A Ford spokesper­son says:

    “Ford uses sev­er­al meth­ods to inform vehi­cle occu­pants that the vehi­cle is con­nect­ed and data is being shared, while mak­ing it easy for them to update data shar­ing set­tings in the vehi­cle.”

    The com­pa­ny’s state­ment says cus­tomers are alert­ed with a data shar­ing icon on the SYNC screen and data shar­ing pop­ups that appear when some­one gets into the vehi­cle with a mobile device that has­n’t been paired with the vehi­cle. They also point to the own­er’s man­u­al and Con­nect­ed Vehi­cle Pri­va­cy Pol­i­cy, rec­om­mend­ing a Mas­ter Reset before sell­ing or trans­fer­ring own­er­ship.

    CBS13 I‑Team Reporter Maris­sa Bod­nar: “Is that enough of a safe­guard?”

    Privacy4Cars Founder Andrea Ami­co: “I don’t think so.”

    Andrea Ami­co is the founder of Privacy4Cars. He says his com­pa­ny became aware of the issue in 2019 and brought it to the auto indus­try.

    “At the peak of my research, I could con­trol almost 30 cars out of my phone across the coun­try,” Ami­co said.

    It’s not just Ford. Ami­co says he looked into a num­ber of man­u­fac­tur­ers and found vul­ner­a­bil­i­ties across the board.

    In most cas­es, he says, the respon­si­bil­i­ty falls to the con­sumer to delete the app or per­form a reset.

    “Unfor­tu­nate­ly, there’s many ill-inten­tioned peo­ple out there and we just don’t think that’s the right lev­el of pro­tec­tion that con­sumers deserve,” Ami­co said.

    Ami­co says it also affects rental cars, plus those repos­sessed or in the hands of insur­ance com­pa­nies after an acci­dent.

    Some states offer pro­tec­tion through “right to delete” laws, giv­ing con­sumers the abil­i­ty to request busi­ness­es delete any per­son­al infor­ma­tion. Ami­co says Maine only requires that of insur­ance com­pa­nies.

    “My hope is the indus­try will col­lab­o­rate and get it done, but if not, maybe reg­u­la­tors will step in and say, ‘You know what? The right thing to do is actu­al­ly cre­ate a man­date,’ ” Ami­co said.

    In the mean­time, he rec­om­mends con­sumers read their vehicle’s man­u­al, call the man­u­fac­tur­er or deal­er if they’re con­cerned, and always dis­con­nect their data.

    ...

    Nucar Ford of Tilton, where Hall trad­ed in his Escape, tells the I‑Team:

    “Just as one would clear their phone and com­put­er when turn­ing it in for a new mod­el, the same should be done when turn­ing in or trad­ing in an auto­mo­bile.”

    The deal­er­ship also says that mov­ing for­ward, they will proac­tive­ly work to ensure that all Ford trade-ins deac­ti­vate their apps, and do the same with oth­er man­u­fac­tur­ers.

    The I‑Team reached out to sev­er­al major automak­ers besides just Ford, to ask what poli­cies they have in place to pre­vent a pri­or own­er from access­ing the app.

    Only two respond­ed.

    A spokesper­son for Nis­san says:

    “The reg­is­tered own­er of a Nis­san vehi­cle can always deter­mine who has remote access to their car.”

    A spokesper­son for Hon­da says in part:

    “Hon­da does not auto­mat­i­cal­ly receive notice when a Hon­da vehi­cle changes own­er­ship, espe­cial­ly through pri­vate or third-par­ty deal­er sales. We are cur­rent­ly explor­ing process­es to bet­ter detect changes in own­er­ship in order to offer the ben­e­fits of Hon­daLink con­nect­ed vehi­cle ser­vices to new vehi­cle own­ers.”

    Hon­da adds that a paid sub­scrip­tion is required for more advanced func­tions, such as unlock­ing the vehi­cle, giv­ing the pri­or own­er finan­cial moti­va­tion to get rid of the app, and the app will alert new own­ers if a pri­or account is still active.

    The Alliance for Auto­mo­tive Inno­va­tion, the trade group rep­re­sent­ing near­ly all of the nation’s automak­ers, did not respond to ques­tions from CBS13 about whether there are enough safe­guards in place. Instead, a spokesper­son referred us to this FTC blog from 2018 warn­ing con­sumers to clear per­son­al data before sell­ing their vehi­cle.

    ———–

    “Buy­ing a used car? The pre­vi­ous own­er may still be able to access app, con­trol it remote­ly” by Maris­sa Bod­nar; WGME; 11/10/2021

    “Mike Hall of Wind­ham says he trad­ed in his 2020 Ford Escape in August, but as of late Octo­ber, he could still access the Ford­Pass app and con­trol the vehi­cle remote­ly.”

    With great pow­er comes great respon­si­bil­i­ty. And as this inves­ti­ga­tion dis­cov­ered, not only did the for­mer own­er of this car still have remote access to the car months lat­er, but the new own­er had no idea this remote access was set up in the first place. How many used cars are being mon­i­tored like this today? And this isn’t a Ford issue. It’s an indus­try issue:

    ...
    Using the app, Hall led the I‑Team to the SUV parked in Water­ville Val­ley, New Hamp­shire, and its new own­er, Shan­non Geher.

    Geher watched as Hall start­ed and unlocked her car all the way from Maine.

    “For­get about the gov­ern­ment watch­ing you,” Geher said.

    Geher says she didn’t even know the car had an app until the I‑Team showed up.

    ...

    The com­pa­ny’s state­ment says cus­tomers are alert­ed with a data shar­ing icon on the SYNC screen and data shar­ing pop­ups that appear when some­one gets into the vehi­cle with a mobile device that has­n’t been paired with the vehi­cle. They also point to the own­er’s man­u­al and Con­nect­ed Vehi­cle Pri­va­cy Pol­i­cy, rec­om­mend­ing a Mas­ter Reset before sell­ing or trans­fer­ring own­er­ship.

    ...

    Andrea Ami­co is the founder of Privacy4Cars. He says his com­pa­ny became aware of the issue in 2019 and brought it to the auto indus­try.

    “At the peak of my research, I could con­trol almost 30 cars out of my phone across the coun­try,” Ami­co said.

    It’s not just Ford. Ami­co says he looked into a num­ber of man­u­fac­tur­ers and found vul­ner­a­bil­i­ties across the board.

    In most cas­es, he says, the respon­si­bil­i­ty falls to the con­sumer to delete the app or per­form a reset.
    ...

    And then there’s the insur­ance com­pa­nies, which might also get their hands on a vehi­cle, tem­porar­i­ly or per­ma­nent­ly. Only a sin­gle state, Maine, man­dates that insur­ance com­pa­nies delete per­son­al infor­ma­tion gath­ered from these vehi­cles if con­sumers request it. In oth­er words, in every state but Maine insur­ance com­pa­nies can kind of do what they want with the data extract­ed from vehi­cles in their pos­ses­sion:

    ...
    Ami­co says it also affects rental cars, plus those repos­sessed or in the hands of insur­ance com­pa­nies after an acci­dent.

    Some states offer pro­tec­tion through “right to delete” laws, giv­ing con­sumers the abil­i­ty to request busi­ness­es delete any per­son­al infor­ma­tion. Ami­co says Maine only requires that of insur­ance com­pa­nies.

    “My hope is the indus­try will col­lab­o­rate and get it done, but if not, maybe reg­u­la­tors will step in and say, ‘You know what? The right thing to do is actu­al­ly cre­ate a man­date,’ ” Ami­co said.
    ...

    And as we’ve seen, these ‘smart­phones on wheels’ are also cre­at­ing all sorts of new rev­enue streams for car man­u­fac­tur­ers and any­one else with access to that data thanks to the fact that it can all be sold to mar­keters. Which is exact­ly what is hap­pen­ing, accord­ing to a recent Mozil­la inves­ti­ga­tion that found mod­ern cars to be the worst pri­va­cy vio­la­tors among more than a dozen prod­uct cat­e­gories test­ed. Nine­teen car man­u­fac­tur­ers admit to sell­ing your data and they appear to have no intent on allow­ing own­ers to opt out of this new real­i­ty. The only real option is own­ing an old­er pre-dig­i­tal car:

    Asso­ci­at­ed Press

    Car­mak­ers are fail­ing the pri­va­cy test. Own­ers have lit­tle or no con­trol over data col­lect­ed

    By FRANK BAJAK
    Updat­ed 5:45 PM CST, Sep­tem­ber 6, 2023

    BOSTON (AP) — Most major car man­u­fac­tur­ers admit they may be sell­ing your per­son­al infor­ma­tion — though they are vague on the buy­ers, a new study finds, and half say they would share it with the gov­ern­ment or law enforce­ment with­out a court order.

    The pro­lif­er­a­tion of sen­sors in auto­mo­biles — from telem­at­ics to ful­ly dig­i­tized con­trol con­soles — has made them prodi­gious data-col­lec­tion hubs.

    But dri­vers are giv­en lit­tle or no con­trol over the per­son­al data their vehi­cles col­lect, researchers for the non­prof­it Mozil­la Foun­da­tion said Wednes­day in their lat­est “Pri­va­cy Not Includ­ed” sur­vey. Secu­ri­ty stan­dards are also vague, a big con­cern giv­en automak­ers’ track record of sus­cep­ti­bil­i­ty to hack­ing.

    “Cars seem to have real­ly flown under the pri­va­cy radar and I’m real­ly hop­ing that we can help rem­e­dy that because they are tru­ly awful,” said Jen Cal­trid­er, the study’s research lead. “Cars have micro­phones and peo­ple have all kinds of sen­si­tive con­ver­sa­tions in them. Cars have cam­eras that face inward and out­ward.”

    Unless they opt for a used, pre-dig­i­tal mod­el, car buy­ers “just don’t have a lot of options,” Cal­trid­er said.

    Cars scored worst for pri­va­cy among more than a dozen prod­uct cat­e­gories — includ­ing fit­ness track­ers, repro­duc­tive-health apps, smart speak­ers and oth­er con­nect­ed home appli­ances — that Mozil­la has stud­ied since 2017.

    Not one of the 25 car brands whose pri­va­cy notices were reviewed — cho­sen for their pop­u­lar­i­ty in Europe and North Amer­i­ca — met the min­i­mum pri­va­cy stan­dards of Mozil­la, which pro­motes open-source, pub­lic inter­est tech­nolo­gies and main­tains the Fire­fox brows­er. By con­trast, 37% of the men­tal health apps the non-prof­it reviewed this year did.

    Nine­teen automak­ers say they can sell your per­son­al data, their notices reveal. Half will share your infor­ma­tion with gov­ern­ment or law enforce­ment in response to a “request” — as opposed to requir­ing a court order. Only two — Renault and Dacia, which are not sold in North Amer­i­ca — offer dri­vers the option to have their data delet­ed.

    The automak­ers are vague on dis­clos­ing to whom they are sell­ing what they col­lect, though the researchers have lit­tle doubt it includes data bro­kers, mar­keters and deal­ers. Part­ners with installed prod­ucts and ser­vices, includ­ing Sir­iusXM, Google Maps and Onstar, are also amass­ing data.

    “Increas­ing­ly, most cars are wire­taps on wheels,” said Albert Fox Cahn, a tech­nol­o­gy and human rights fel­low at Harvard’s Carr Cen­ter for Human Rights Pol­i­cy. “The elec­tron­ics that dri­vers pay more and more mon­ey to install are col­lect­ing more and more data on them and their pas­sen­gers.”

    “There is some­thing unique­ly inva­sive about trans­form­ing the pri­va­cy of one’s car into a cor­po­rate sur­veil­lance space,” he added.

    A trade group rep­re­sent­ing the mak­ers of most cars and light trucks sold in the U.S., the Alliance for Auto­mo­tive Inno­va­tion, took issue with that char­ac­ter­i­za­tion. In a let­ter sent Tues­day to U.S. House and Sen­ate lead­er­ship, it said it shares “the goal of pro­tect­ing the pri­va­cy of con­sumers.”

    It called for a fed­er­al pri­va­cy law, say­ing a “patch­work of state pri­va­cy laws cre­ates con­fu­sion among con­sumers about their pri­va­cy rights and makes com­pli­ance unnec­es­sar­i­ly dif­fi­cult.” The absence of such a law lets con­nect­ed devices and smart­phones amass data for tai­lored ad tar­get­ing and oth­er mar­ket­ing — while also rais­ing the odds of mas­sive infor­ma­tion theft through cyber­se­cu­ri­ty breach­es.

    The Asso­ci­at­ed Press asked the Alliance, which has resist­ed efforts to pro­vide car own­ers and inde­pen­dent repair shops with access to onboard data, if it sup­ports allow­ing car buy­ers to auto­mat­i­cal­ly opt out of data col­lec­tion — and grant­i­ng them the option of hav­ing col­lect­ed data delet­ed. Spokesman Bri­an Weiss said that for safe­ty rea­sons the group “has con­cerns” about let­ting cus­tomers com­plete­ly opt out — but does endorse giv­ing them greater con­trol over how the data is used in mar­ket­ing and by third par­ties.

    In a 2020 Pew Research sur­vey, 52% of Amer­i­cans said they had opt­ed against using a prod­uct or ser­vice because they were wor­ried about the amount of per­son­al infor­ma­tion it would col­lect about them.

    On secu­ri­ty, Mozilla’s min­i­mum stan­dards include encrypt­ing all per­son­al infor­ma­tion on a car. The researchers said most car brands ignored their emailed ques­tions on the mat­ter, those that did offer­ing par­tial, unsat­is­fac­to­ry respons­es.

    Japan-based Nis­san astound­ed researchers with the lev­el of hon­esty and detailed break­downs of data col­lec­tion its pri­va­cy notice pro­vides, a stark con­trast with Big Tech com­pa­nies such as Face­book or Google. “Sen­si­tive per­son­al infor­ma­tion” col­lect­ed includes driver’s license num­bers, immi­gra­tion sta­tus, race, sex­u­al ori­en­ta­tion and health diag­noses.

    Fur­ther, Nis­san says it can share “infer­ences” drawn from the data to cre­ate pro­files “reflect­ing the consumer’s pref­er­ences, char­ac­ter­is­tics, psy­cho­log­i­cal trends, pre­dis­po­si­tions, behav­ior, atti­tudes, intel­li­gence, abil­i­ties, and apti­tudes.”

    It was among six car com­pa­nies that said they could col­lect “genet­ic infor­ma­tion” or “genet­ic char­ac­ter­is­tics,” the researchers found.

    Nis­san also said it col­lect­ed infor­ma­tion on “sex­u­al activ­i­ty.” It didn’t explain how.

    The all-elec­tric Tes­la brand scored high on Mozilla’s “creepi­ness” index. If an own­er opts out of data col­lec­tion, Tesla’s pri­va­cy notice says the com­pa­ny may not be able to noti­fy dri­vers “in real time” of issues that could result in “reduced func­tion­al­i­ty, seri­ous dam­age, or inop­er­abil­i­ty.”

    ...

    Mozilla’s Cal­trid­er cred­it­ed laws like the 27-nation Euro­pean Union’s Gen­er­al Data Pro­tec­tion Reg­u­la­tion and California’s Con­sumer Pri­va­cy Act for com­pelling car­mak­ers to pro­vide exist­ing data col­lec­tion infor­ma­tion.

    It’s a start, she said, by rais­ing aware­ness among con­sumers just as occurred in the 2010s when a con­sumer back­lash prompt­ed TV mak­ers to offer more alter­na­tives to sur­veil­lance-heavy con­nect­ed dis­plays.

    ———–

    “Car­mak­ers are fail­ing the pri­va­cy test. Own­ers have lit­tle or no con­trol over data col­lect­ed” By FRANK BAJAK; Asso­ci­at­ed Press; 09/06/2023

    “Cars scored worst for pri­va­cy among more than a dozen prod­uct cat­e­gories — includ­ing fit­ness track­ers, repro­duc­tive-health apps, smart speak­ers and oth­er con­nect­ed home appli­ances — that Mozil­la has stud­ied since 2017.”

    How bad does a prod­uct cat­e­go­ry’s pri­va­cy have to be to be the worst in 2023? Pre­sum­ably even more awful than peo­ple ever sus­pect­ed. And that’s what Mozil­la found: abhor­rent pri­va­cy stan­dards that basi­cal­ly don’t exist. Instead, it’s a data free-for-all, with 19 out of 25 car man­u­fac­tur­ers open­ly sell­ing your per­son­al data to mar­keters. Than there’s the ser­vice providers like Sir­iusXM or Google Maps and Onstar who also get to par­take in the data col­lec­tion. It’s ram­pant col­lec­tion and sell­ing of per­son­al data and the indus­try has zero intent on mak­ing it less ram­pant:

    ...
    Not one of the 25 car brands whose pri­va­cy notices were reviewed — cho­sen for their pop­u­lar­i­ty in Europe and North Amer­i­ca — met the min­i­mum pri­va­cy stan­dards of Mozil­la, which pro­motes open-source, pub­lic inter­est tech­nolo­gies and main­tains the Fire­fox brows­er. By con­trast, 37% of the men­tal health apps the non-prof­it reviewed this year did.

    Nine­teen automak­ers say they can sell your per­son­al data, their notices reveal. Half will share your infor­ma­tion with gov­ern­ment or law enforce­ment in response to a “request” — as opposed to requir­ing a court order. Only two — Renault and Dacia, which are not sold in North Amer­i­ca — offer dri­vers the option to have their data delet­ed.

    The automak­ers are vague on dis­clos­ing to whom they are sell­ing what they col­lect, though the researchers have lit­tle doubt it includes data bro­kers, mar­keters and deal­ers. Part­ners with installed prod­ucts and ser­vices, includ­ing Sir­iusXM, Google Maps and Onstar, are also amass­ing data.

    ...

    The Asso­ci­at­ed Press asked the Alliance, which has resist­ed efforts to pro­vide car own­ers and inde­pen­dent repair shops with access to onboard data, if it sup­ports allow­ing car buy­ers to auto­mat­i­cal­ly opt out of data col­lec­tion — and grant­i­ng them the option of hav­ing col­lect­ed data delet­ed. Spokesman Bri­an Weiss said that for safe­ty rea­sons the group “has con­cerns” about let­ting cus­tomers com­plete­ly opt out — but does endorse giv­ing them greater con­trol over how the data is used in mar­ket­ing and by third par­ties.
    ...

    And then we get to this incred­i­ble dis­clo­sure by Nis­san, which appears to some­how col­lect immi­gra­tion sta­tus, race, sex­u­al ori­en­ta­tion, sex­u­al activ­i­ty, and health diag­noses. Nis­san can even “infer” char­ac­ter­is­tics about you about like “psy­cho­log­i­cal trends, pre­dis­po­si­tions, behav­ior, atti­tudes, intel­li­gence, abil­i­ties, and apti­tudes” and sell that info. And Nis­san was only one of six dif­fer­ent car com­pa­nies col­lect­ing some sort of “genet­ic infor­ma­tion” on rid­ers. Who knows how exact­ly they were col­lect­ing genet­ic infor­ma­tion but six car man­u­fac­tur­ers appear to be doing it some­how:

    ...
    Japan-based Nis­san astound­ed researchers with the lev­el of hon­esty and detailed break­downs of data col­lec­tion its pri­va­cy notice pro­vides, a stark con­trast with Big Tech com­pa­nies such as Face­book or Google. “Sen­si­tive per­son­al infor­ma­tion” col­lect­ed includes driver’s license num­bers, immi­gra­tion sta­tus, race, sex­u­al ori­en­ta­tion and health diag­noses.

    Fur­ther, Nis­san says it can share “infer­ences” drawn from the data to cre­ate pro­files “reflect­ing the consumer’s pref­er­ences, char­ac­ter­is­tics, psy­cho­log­i­cal trends, pre­dis­po­si­tions, behav­ior, atti­tudes, intel­li­gence, abil­i­ties, and apti­tudes.”

    It was among six car com­pa­nies that said they could col­lect “genet­ic infor­ma­tion” or “genet­ic char­ac­ter­is­tics,” the researchers found.

    Nis­san also said it col­lect­ed infor­ma­tion on “sex­u­al activ­i­ty.” It didn’t explain how.
    ...

    So for any­one con­sid­er­ing the pur­chase of new car, have you con­sid­ered a used one instead? Per­haps a old­er mod­el that isn’t per­ma­nent­ly con­nect­ed to the inter­net, cam­eras, and micro­phones? Because there’s a cer­tain nos­tal­gia to not hav­ing your car spy on you for the finan­cial ben­e­fit of ran­dom strangers or your stalk­ers. Good times. Sim­pler times.

    Posted by Pterrafractyl | January 4, 2024, 6:29 pm

Post a comment