
    Google and Amazon Face Shareholder Revolt Over Israeli Defense Work / TheIntercept · 2 days ago - 16:27 · 7 minutes

Google and Amazon are both set to help build “Project Nimbus,” a mammoth new cloud computing project for the Israeli government and military that is spurring intense dissent among employees and the public alike. Shareholders of both firms will soon vote on resolutions that would mandate reconsideration of a project they fear has grave human rights consequences.

Little is known of the plan, reportedly worth over $1 billion, beyond the fact that it would consolidate the Israeli government’s public sector cloud computing needs onto servers housed within the country’s borders and subject solely to Israeli law, rather than remote data centers distributed around the world. Part of the plan’s promise is that it would insulate Israel’s computing needs from threats of international boycotts, sanctions, or other political pressures stemming from the ongoing military occupation of Palestine; according to a Times of Israel report, the terms of the Project Nimbus contract prohibit both companies from shutting off service to the government, or from selectively excluding certain government offices from using the new domestic cloud.

It remains unclear what technologies exactly will be provided through Nimbus or to what end, an ambiguity critics say is unnerving. Google in particular is known for the sophistication of its cloud-based offerings that are perfectly suited for population-scale surveillance, including powerful image recognition technology that made the company initially so alluring to the Pentagon’s drone program. In 2020, The Intercept reported that Customs and Border Protection would use Google Cloud software to analyze video data from its controversial surveillance initiative along the U.S.-Mexico border.

While a wide variety of government ministries will make use of the new computing power and data storage, the fact that Google and Amazon may be directly bolstering the capabilities of the Israeli military and internal security services has generated alarm from both human rights observers and company engineers. In October 2021, The Guardian published a letter from a group of anonymous Google and Amazon employees objecting to their company’s participation. “This technology allows for further surveillance of and unlawful data collection on Palestinians, and facilitates expansion of Israel’s illegal settlements on Palestinian land,” the letter read. “We cannot look the other way, as the products we build are used to deny Palestinians their basic rights, force Palestinians out of their homes and attack Palestinians in the Gaza Strip — actions that have prompted war crime investigations by the international criminal court.” In March, an American Google employee who had helped organize the employee opposition to Nimbus said the company abruptly told her she could either move to Brazil or lose her job, a move she said was retaliation for her stance.

Nimbus will now face a referendum of sorts among Google and Amazon shareholders, who next month will vote on a pair of resolutions that call for company-funded reviews of their participation in that project and others that might harm human rights. The filers of the Google resolution collectively own roughly $1.8 million in shares, according to Parker Breza of the Institute for Middle East Understanding, which is helping coordinate the filings. While these investors object to Nimbus on largely the same moral grounds as the authors of the Guardian letter, they’re also tapping into the specific anxieties of the Wall Street investor: What if bad press from Project Nimbus loses us money? Citing the very public controversies surrounding Project Nimbus and other prior contracts with various governmental security agencies, the Google shareholder resolution warns that “employee and public opposition to such contracts will increase and pose a risk to Google’s reputation and its strategic positioning on social responsibility,” and asks that “the company issue a report, at reasonable expense and excluding proprietary information, reassessing the Company’s policies on support for military and militarized policing agency activities and their impacts on stakeholders, user communities, and the Company’s reputation and finances.”

The Amazon resolution, filed by Investor Advocates for Social Justice, also calls for an independent inquiry into Nimbus and other surveillance contracts, stating: “Amazon’s government and government-affiliated customers and suppliers with a history of rights-violating behavior pose risks to the company” and “Inadequate due diligence presents material privacy and data security risks, as well as legal, regulatory, and reputational risks.”

Ed Feigen, a Google shareholder since 2014 and lead filer of that resolution, told The Intercept he and several fellow investors felt compelled to oppose Nimbus as soon as they learned of it. “I’m also a member of the organization Jewish Voice for Peace,” Feigen said, “which works to ensure US foreign policy advances peace, human rights, and follows international law so we can ensure freedom and justice for Palestinians.” Feigen added that the resolution was drafted in collaboration with Google employees who similarly oppose the contract on human rights grounds. “We also felt the need to support Google employees who’d spoken out against contracts Google was pursuing with militaries and police agencies like CBP and ICE,” Feigen said, “both because we believe that profiting from violence is plainly immoral, and because we see pursuing such contracts as a liability for investors––especially given the history of Google employees protesting such contracts.”

A Google software engineer who provided feedback for the resolution and spoke on the condition of anonymity told The Intercept that they’re concerned employees are just as much in the dark about Nimbus as the general public, and fear how the company’s technology would be used to repress Palestinians. “It became a point of shame,” they said in an interview. “We know that the IDF, one of its projects is mass constant surveillance of various areas of the Occupied Territories, and I don’t believe there are any restrictions on which cloud services the Israeli government wants to procure from [Google] Cloud. Google offers big data analysis, machine learning, and AI tool suites through Cloud; I don’t think there’s any reason to assume they aren’t consuming all of these products to help them work on this.”


This engineer added that while they have found like-minded colleagues who are similarly disturbed by the prospect of their cloud technologies being used to fortify the Israeli occupation, employee activism against Nimbus is much diminished since the waves of worker-led protests against prior Google contracts like Project Maven and Dragonfly, the company’s planned custom-built Chinese search engine. “Right now we’re kind of in a slump,” they said. While past employee movements spurred heated discussions on internal chat forums, they said, “We haven’t had anything like that from Nimbus, which is really unfortunate.” In addition to fearing retaliation from Google itself, this source said Google employees who might otherwise vocally oppose the Nimbus contract have remained quiet in order to avoid accusations of antisemitism. “The harm is documented, putting Palestinians under constant surveillance is very well documented, and yet [this contract] is the one where even if workers care about it, not only do they face retaliation from management, some coworkers might retaliate in their own ways.” Googlers could stand to think more about how their creations could be misused, they added: “If workers are working on cloud AI products or large scale data management, they should think of themselves as working on technology that is oppressing people.” But the engineer pointed to the fact that Google engineers likely trust the company’s vague public commitments to human rights values and “AI principles,” even if naively. “Leadership has failed to take these commitments seriously, so they’ve passed responsibility to ensure our technology is used responsibly on to us.”

As with most activist shareholder resolutions, these will likely be a difficult sell. Government contracts like Nimbus are enormously lucrative, and both Amazon and Google have made it clear they are continuing to seek them even in the face of protest from within and without. Global internet giants have seen their profits soar in recent years, a trend they hope to continue by taking on military and law enforcement work that in previous eras may have been handed to traditional defense contractors. It will be difficult to convince investors chiefly concerned with maximizing share prices that these firms should walk away from the giant payouts defense or national security-related projects would bring. Even if successful, neither resolution would end Project Nimbus or thwart either company’s involvement. The Google software engineer added that most of their fellow anti-Nimbus colleagues don’t believe the resolution goes far enough: “It calls for a report on potential impacts to be prepared, but otherwise does not propose any binding action.” Still, they hope that the resolution, doomed or not, will help draw scrutiny and public pressure to the project, a sentiment Feigen shares: “This is the first time a resolution like this has ever been introduced, so we know it’s a big challenge,” he said. “It’s still too early to know whether the resolution will pass, but whether it does or not, this is just the first step in calling attention to these important concerns.”

Correction: May 18, 2022

A previous version of this article stated that the shareholders behind both the Google and Amazon resolutions owned $1.8 million in shares collectively, however that figure represents only the shares held by the supporters of the Google resolution.



    How a Supreme Court Investigation of the Roe v. Wade Leak Might Unfold / TheIntercept · Sunday, 8 May - 10:00 · 7 minutes

Following the publication by Politico of Supreme Court Justice Samuel Alito’s draft majority opinion to overturn Roe v. Wade, Chief Justice Roberts authenticated the leaked document and stated that he had “directed the Marshal of the Court to launch an investigation into the source of the leak.” Whether or not the leak itself was illegal, however, the question of how a technical investigation of this document would proceed raises some interesting issues for journalists as well as potential sources.

Leak investigators have three key areas to analyze for clues: the document itself, the environment the document circulated in, and the potential identity of the leaker. Each area in turn presents lessons and opportunities for would-be leakers to adopt various counter-forensic strategies to subvert future leak investigations.

The Document

Since the leaked opinion appears to be a scan or photocopy of a paper document instead of a transcription or recreation, the image can be analyzed for any unique markings that might allow investigators to pinpoint which particular physical copy of the document was leaked.

The first page includes several such potentially unique identifying markers, including a highlighted title, a page bend, and what appear to be staple perforations.



Other pages also reveal subtle markings that could identify the specific paper copy of the leaked document. For instance, the bottom-left region of page 90 has a singular speck; the fact that it is not present on other page images indicates that it is a stray mark present only on that physical page of the document, as opposed to being a dust flake on the scanner bed.


If investigators managed to locate a physical copy of the document matching the characteristics found in the leaked file, that would allow them to conclude that it was the physical copy that was leaked. This is significant, because it could establish the provenance of the document, which could in turn identify potential leakers.

For instance, if it were known that this particular physical copy of the document was handled by certain specific persons, those individuals would naturally fall under suspicion — though of course a scenario exists in which someone outside the intended chain of custody could have obtained the physical copy, for instance, simply by picking it up from someone else’s desk or by finding it on a photocopier. Then again, there is also the possibility that the original source of the document is digital and that the source printed out a copy prior to leaking it, or that Politico itself printed out the digital copy prior to publishing it.

Investigators could also analyze the metadata of the digital version of the document using software such as ExifTool for any clues about when, where, how, or by whom the digital copy was created. They could also exploit potential information-leaking vulnerabilities in the PDF creation and redaction process, which could inadvertently leave unintended and potentially identifying information in the digital document.
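As an added illustration (not part of the original article), the Python below reads the fields such a metadata review looks at, namely author, creating application, producer and creation time, from a PDF's Info dictionary. The sample bytes and every name in them are constructed; the parser covers only an uncompressed Info dictionary, not XMP packets or object streams.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a stripped-down PDF with an uncompressed Info dictionary.
# The author, device and producer names are invented for this example.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog >>
endobj
15 0 obj
<< /Title (decoy object, not the Info dictionary) >>
endobj
5 0 obj
<< /Title (Internal memo) /Author (jdoe)
   /Creator (ScanStation 4 \\(front desk\\))
   /Producer <FEFF004500780061006D0070006C0065>
   /CreationDate (D:20220210093015-05'00') >>
endobj
trailer
<< /Root 1 0 R /Info 5 0 R >>
%%EOF
"""

_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}


def _read_literal(buf: bytes, i: int):
    """Read a PDF literal string whose '(' is at buf[i]; return (raw, next_pos).
    Handles balanced parentheses and backslash escapes (octal escapes are
    not decoded)."""
    out, depth, i = bytearray(), 1, i + 1
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\":
            nxt = buf[i + 1:i + 2]
            out += _ESCAPES.get(nxt, nxt)
            i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), i + 1
        out += c
        i += 1
    raise ValueError("unterminated literal string")


def _decode(raw: bytes) -> str:
    # Text strings are UTF-16BE when they start with a byte-order mark;
    # otherwise PDFDocEncoding, approximated here as Latin-1.
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", errors="replace")
    return raw.decode("latin-1")


def info_dictionary(pdf: bytes) -> dict:
    """Return the string entries of the object the trailer names as /Info."""
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", pdf)
    if not ref:
        return {}
    obj = re.search(rb"(?<!\d)%d\s+%d\s+obj(.*?)endobj" % (int(ref[1]), int(ref[2])),
                    pdf, re.S)
    if not obj:
        return {}
    body, pos, fields = obj[1], 0, {}
    key = re.compile(rb"/([A-Za-z]+)\s*")
    while (m := key.search(body, pos)):
        name, pos = m[1].decode(), m.end()
        if body[pos:pos + 1] == b"(":
            raw, pos = _read_literal(body, pos)
        elif body[pos:pos + 1] == b"<" and body[pos:pos + 2] != b"<<":
            end = body.index(b">", pos)
            raw, pos = bytes.fromhex(body[pos + 1:end].decode()), end + 1
        else:
            continue  # numbers, names, references: not needed here
        fields[name] = _decode(raw)
    return fields


def pdf_date(value: str):
    """Parse a full-precision PDF date (D:YYYYMMDDHHmmSS+HH'mm').
    A missing offset is treated as UTC, which is an assumption."""
    m = re.match(r"D:(\d{4})(\d\d)(\d\d)(\d\d)(\d\d)(\d\d)"
                 r"(?:([+\-Z])(\d\d)?'?(\d\d)?)?", value)
    if not m:
        return None
    y, mo, d, h, mi, s = (int(g) for g in m.groups()[:6])
    offset = timedelta(hours=int(m.group(8) or 0), minutes=int(m.group(9) or 0))
    tz = timezone(-offset if m.group(7) == "-" else offset)
    return datetime(y, mo, d, h, mi, s, tzinfo=tz)


def attribution_clues(pdf: bytes) -> dict:
    """Fields a metadata review would look at: who, with what, and when."""
    info = info_dictionary(pdf)
    clues = {k: info[k] for k in ("Author", "Creator", "Producer") if k in info}
    created = pdf_date(info.get("CreationDate", ""))
    if created:
        clues["CreationDate"] = created.isoformat()
    return clues


if __name__ == "__main__":
    for field, value in attribution_clues(SAMPLE_PDF).items():
        print(f"{field}: {value}")
```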

The Environment

In addition to the document itself, leak investigators will likely pay attention to the environment in which the leak originated. Modern commercial office printers generally come with a variety of ancillary functions like photocopying and scanning, while also typically keeping a running log of jobs the printer performs, which may include such information as the file name and page count of the document, the date and time the job was performed, as well as the username or IP address that initiated the job. If the printer also offers the capability to email a photocopy or scan of a document, a log may keep track of which jobs were sent to which email addresses and could even store a copy of the digital document in its memory.

Investigators will likely perform an audit of printer and network logs to see which staff members opened or otherwise interacted with the document in question. Investigators could also explore who had occasion to access the document as part of their day-to-day duties, as well as where the particular copy of the leaked document was physically stored, and who had occasion to access that space.

The Leaker

The practice of anomaly-based insider threat detection involves investigating staff who display any kind of irregular behavior or activity. For instance, if a staff member usually swipes into the office on work days at 8 a.m. and swipes out at 5 p.m., but access logs show them coming into the office at 10 p.m. on a Saturday in the days leading up to the leak, this finding would likely subject that staff member to scrutiny, which could include analyzing available surveillance footage.
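The badge-swipe scenario above, as an added Python example that is not part of the original article: each user gets a baseline of usual entry weekdays and hours, and new entries are checked against that user's own baseline. The log format, user names and one-hour tolerance are assumptions, and all events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_history():
    """Two weeks of made-up badge events: '<ISO time> <user> <IN|OUT>'.
    alice works weekday days; bob works Tuesday-Saturday nights."""
    lines, monday = [], datetime(2022, 4, 4)
    for d in range(14):
        day = monday + timedelta(days=d)
        if day.weekday() < 5:
            lines.append(f"{(day + timedelta(hours=8, minutes=d)).isoformat()} alice IN")
            lines.append(f"{(day + timedelta(hours=17, minutes=d)).isoformat()} alice OUT")
        if 1 <= day.weekday() <= 5:
            lines.append(f"{(day + timedelta(hours=21, minutes=3 * d)).isoformat()} bob IN")
    return lines


# Constructed events to review against the baseline.
REVIEW_LINES = [
    "2022-04-23T22:05:00 alice IN",  # Saturday night
    "2022-04-23T22:05:00 bob IN",    # same time, but routine for bob
    "2022-04-25T08:03:00 alice IN",  # ordinary Monday morning
]


def parse(line):
    ts, user, direction = line.split()
    return datetime.fromisoformat(ts), user, direction


def build_baseline(lines):
    """Per-user profile of the weekdays and clock hours of past entries."""
    profile = defaultdict(lambda: {"days": set(), "hours": set()})
    for ts, user, direction in map(parse, lines):
        if direction == "IN":
            profile[user]["days"].add(ts.weekday())
            profile[user]["hours"].add(ts.hour)
    return dict(profile)


def hour_gap(hour, usual_hours):
    """Smallest distance on a 24-hour clock between hour and any usual hour."""
    return min(min(abs(hour - u), 24 - abs(hour - u)) for u in usual_hours)


def reasons_for(event, profile, tolerance_hours=1):
    """Return the reasons an entry deviates from the user's own baseline."""
    ts, user, direction = event
    if direction != "IN":
        return []
    usual = profile.get(user)
    if usual is None:
        return ["no baseline for user"]
    reasons = []
    if ts.weekday() not in usual["days"]:
        reasons.append("unusual weekday")
    gap = hour_gap(ts.hour, usual["hours"])
    if gap > tolerance_hours:
        reasons.append(f"entry {gap}h from usual hours")
    return reasons


def review(history_lines, new_lines):
    """Flag new entries as (user, timestamp, reasons) tuples."""
    profile = build_baseline(history_lines)
    flagged = []
    for line in new_lines:
        event = parse(line)
        reasons = reasons_for(event, profile)
        if reasons:
            flagged.append((event[1], event[0].isoformat(), reasons))
    return flagged


if __name__ == "__main__":
    for user, when, why in review(constructed_history(), REVIEW_LINES):
        print(user, when, "; ".join(why))
```

The same Saturday 10 p.m. entry is flagged for alice and not for bob, which is why the baseline is kept per user rather than per office.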

Staff computer and phone usage, particularly web browsing, could also be analyzed to see if anyone previously visited the news site that published the leak, in this case Politico, or visited other webpages of potential interest, such as any that describe whistleblowers or leaking. Rudimentary analysis could include looking through desktop browsing history, while a more thorough and sophisticated investigation would involve analyzing network traffic logs to determine whether Politico was accessed from a mobile device connected to the office Wi-Fi. Though of course in the case of Politico, a news website that covers politics and policy, it is likely to show up in quite a lot of staff logs and thus would likely not be a particularly fruitful finding for investigators.

“Sentiment analysis” may also be performed as part of an insider threat investigation by analyzing the various thoughts and opinions expressed by staff members in office communications. This kind of analysis could also utilize what’s often called “open source intelligence,” in the form of looking at staff social media postings to see if anyone had expressed interest in Politico, or any thoughts about the Alito opinion, or generally any signs of disgruntlement with their employer. Additionally, sentiment analysis may also include a review of staff postings on internal forums, as well as emails and private messages sent via channels controlled by the employer, such as direct messages sent over Slack.

Takeaways for Would-Be Leakers

These potential methods of leak investigation may also be interpreted as lessons for future leakers to evade identification by adopting a number of counter-forensic measures.

To reduce the potential amount of information investigators may glean from a leaked document, leakers could send journalists a transcription or reproduction of the document instead of the original source document itself. While a transcription of the document will not successfully pass a barium meal test — in which each individual is given a uniquely phrased copy of the document, sophisticated forms of which may deploy natural language watermarking, subtly altering the syntactic structure of every version of a document — it would nonetheless neutralize all other attempts at source document identification. Transcription would bypass efforts at identifying either errant or intentional markings on a page, as well as attempts at identifying positional watermarks such as subtle shifts in character or line spacing unique to each version of a document. Of course, this also would make it harder for journalists to verify a document’s authenticity, and care would have to be taken to ensure that the source left no identifying metadata in the transcription file.

Office equipment would best be avoided when making copies of a document, but using personal equipment can also be fraught with risk. Source camera identification is the forensic process of identifying the camera that took a particular photo. At times, this sort of identification may hinge on obvious features such as visible scratches on a lens or dead pixels on a screen. In other situations, the unique characteristics of an image might not be visible to the naked eye, but instead might be based on the unique image sensor noise each camera produces, otherwise known as photo response non-uniformity.

In other words, if leaked photographs of a document were to emerge, and leak investigators had particular suspects in mind, they could analyze photos posted to social media by the suspects to see if they provide an algorithmic match to the noise pattern in the leaked photos. When making audio recordings or photographs, therefore, it would be best practice to adopt the principle of one-time use: Use a temporary device like a cheap camera or smartphone that will be used only for the purposes of the leak, and then discard the device.

To avoid falling afoul of anomaly-detection triggers, would-be leakers might consider incorporating document acquisition as part of their normal routine instead of engaging in uncharacteristic behavior like clocking in at the office at odd hours or downloading files en masse. Likewise, leakers should avoid browsing news outlets while at work, both on their personal and of course work devices. Expressing any kind of disagreement or dissatisfaction with employer policies or decisions on either a company, public, or personal forum (such as during happy hour drinks) is also best avoided, as rigorous insider threat monitoring may keep tabs of any such behavior.

Leaking and subsequent leak investigations are back-and-forth games of forensics and counter-forensics, of operational security and its failures. While the risk of source identification can never be entirely eliminated, there are nonetheless various practical technical countermeasures which can be adopted to reduce the additional risk to sources who are already risking a great deal.



    VPN Users’ Anonymity Under Threat Following Indian Security Order / TorrentFreak · Wednesday, 4 May - 20:32 · 4 minutes

People being free to share and access ideas, knowledge and opinions with their peers is a universally accepted standard for the entire human race. The big problem is that the definition of ‘free’ differs widely and is often defined by the few, not the many.

In online terms, true freedom is already under threat. As governments take more control over ‘their’ parts of the internet, citizens are informed that this is for the greater good, to keep their families safe and economies strong. Giving up small freedoms here… and a few others over there… are presented as insignificant sacrifices hardly worth our attention.

However, once these systems are in place, governments can use them to ‘protect’ citizens from dissenting opinions, unpalatable news, whistleblowing, and our ability to absorb all information, thereby reaching educated conclusions of our own. Early adopters of VPNs recognized this years ago, and as more people retain choice by using them, some governments are calling for VPNs to be restricted or even banned.

Calls for VPN Ban in India

In common with many countries worldwide, India has introduced laws to render illegal certain types of content online. It blocks thousands of websites due to copyright infringement and pornography, for example, but is now engaged in censorship to suppress political opposition in the name of national security. It even threatened to put Twitter executives in prison for refusing to censor opponents.

Due to the increased security and anonymity they provide, good VPN services with high standards enable people to absorb and impart information more freely. They are not a silver bullet but can be considered as part of a toolkit to unfilter internet access and restore freedoms. As a result, India’s government (and more besides) view them as a threat.

Last year a Parliamentary Standing Committee called for a total ban on VPNs, advising that they allow criminals to be anonymous online. The Ministry of Electronics and Information Technology was urged to force ISPs to block these encryption tools and increase online surveillance to clear any remnants.

While the government didn’t respond with a full ban, new directions to India’s IT sector reveal that if VPNs are to stay, the authorities will have the power to identify their users.

Security Measures for a “Safe & Trusted Internet”

The Indian Computer Emergency Response Team (CERT-In) serves as the national agency for online security. It analyzes cyber threats and can obtain logging information from service providers, intermediaries, data centers and corporate bodies. After identifying gaps in its ability to analyze ‘incidents’, CERT-In recently issued directions to companies providing internet services designed to ensure a “safe & trusted Internet” in the country.

While the directions focus on improved responses to security incidents, Indian authorities have also ordered all service providers, intermediaries, and data centers to enable and maintain logs. These must contain 180 days of event logging and be maintained within Indian jurisdiction for straightforward access. For other service providers the requirements are even tougher.

VPN Providers Cannot Be Anonymous, Must Carry Logs

Although caveats apply (and vary between providers), a good VPN service should be able to offer enhanced or even complete anonymity to users. Many do this, at least in part, by not carrying logs that can link a specific user to any IP address at any given time. India’s directions are designed to thwart this business model.

All VPN services, data centers, VPS (virtual private server) providers, and cloud services must store a laundry list of information and logs for at least five years, longer if the government chooses to change the law. The rules apply to all of the above services, but given the nature of VPN services as censorship-busting anonymity tools, they appear to be the hardest hit.

An email address is often sufficient when a customer signs up for a foreign VPN service like . In future, VPN providers in India will be required to obtain a customer’s real name, address, and phone number. All information provided must be validated as accurate.

Providers will also be required to record the user’s email address, IP address and timestamp used at the time of registration and obtain a statement of intent from the subscriber, i.e., a description of what the VPN will be used for.

The ‘period of hire’ (times and dates) must also be logged to include every IP address allocated to and used by customers. All service providers must synchronize their clocks with specified NTP servers for uniform accuracy across the industry.

Implications for VPN Providers and Users

The full implications will become clearer over time, but the directions seem to impact VPN providers in India and, to a lesser extent, those based overseas operating servers in India.

Pervasive logging throughout the entire system translates to a generally hostile environment for anonymity, so after consideration some providers may be less keen to do business locally, especially given that prison sentences are available for non-compliance.

The directions can be found here (pdf)



    Staten Island DA Bought Clearview Face Recognition Software With Civil Forfeiture Cash / TheIntercept · Wednesday, 4 May - 11:00 · 7 minutes

The Staten Island district attorney’s use of the highly controversial Clearview face recognition system included attempts to dig up the social media accounts of homicide victims and was paid for with equally controversial asset forfeiture cash, according to city records provided to The Intercept.

Clearview has garnered international attention and intense criticism for its simple premise: What if you could instantly identify anyone in the world with only their picture? Using billions of images scraped from social media sites, Clearview sells police and other governmental agencies the ability to match a photo to a name using face recognition, no search warrant required — a power civil libertarians and privacy advocates say simply places too much unsupervised power in the hands of police.

The use of Clearview by the Staten Island district attorney’s office was first reported by Gothamist, citing city records obtained by the Legal Aid Society. Subsequent records procured via New York State Freedom of Information Law request and provided to The Intercept now confirm the initial concerns about the tool’s largely unsupervised use by prosecutors. According to spokesperson Ryan Lavis, the DA’s office “completely stopped utilizing Clearview as an investigative tool last year.”

Yet the documents provide new information about how Staten Island prosecutors used the notorious face recognition tool and show that the software was paid for with funds furnished by the Justice Department’s Equitable Sharing Program. The program lets state and local police hand seized cash and property over to a federal law enforcement agency, whereupon up to 80 percent of the proceeds are then sent back to the original state or local department to pocket.

A May 2 letter to Attorney General Merrick Garland by Reps. Jamie Raskin, D-Md., and Nancy Mace, R-S.C., alleged that the federal program is routinely abused by police. “We are concerned that the Equitable Sharing Program creates a loophole allowing state and local law enforcement to seize assets from individuals without bringing criminal charges or a conviction, even in states that prohibit civil asset forfeiture,” reads the letter, first reported by The Hill.

Public records turned over to the Legal Aid Society in response to its request for information about how the Staten Island DA’s office paid for Clearview included a document titled “Guide to Equitable Sharing for State, Local, and Tribal Law Enforcement Agencies,” which outlines the program and how state entities can make use of it. In a letter sent to the Legal Aid Society and shared with The Intercept, the DA’s office confirmed that federal forfeiture proceeds had paid for its Clearview license. Asset forfeiture has become a contentious and frequently abused means of padding department budgets around the country, and critics say the Equitable Sharing program provides police in states with laws constraining asset seizures with a convenient federal workaround. While civil asset forfeiture is permitted in New York, the state places some limits on how and when seizures can be conducted, rules that the federal program could let a local district attorney skirt.

“The revelation that the funds used to access the Clearview AI service was derived from property obtained without due process, from the same individuals who are most at risk to the devastating consequences of its flaws, is nearly dystopian,” said Diane Akerman, an attorney with the Legal Aid Society’s Digital Forensics Unit. “Perversely, the most overpoliced and targeted communities would be footing the bill for such surveillance through police seizures of their assets,” Akerman added.


Albert Fox Cahn, executive director of the New York-based Surveillance Technology Oversight Project, told The Intercept that there’s a troubling aptness to the funding. “You have New Yorkers whose assets are being stolen by the police to pay for facial recognition software that works by stealing our faces from social media,” Cahn noted in an interview. To face recognition critics like Cahn, Clearview is emblematic of the technology’s ability to simultaneously eradicate privacy expectations and enhance the surveillance powers of the state. “There’s this pattern here of the public’s money and data being taken without consent in these ways that are deemed lawful but seem criminal. … These sorts of search tools not only destroy our privacy, but erode the bedrock of democracy.”

Among the disclosed records is a long list, albeit almost entirely redacted, of Clearview searches conducted by the DA’s office from 2019 to 2021, including the general purpose of the queries and names of the targets, which The Intercept has redacted to protect the privacy of those scrutinized by the DA. These search logs indicate that on many occasions, Clearview was tapped not to identify suspects in criminal investigations but to find and search through the social media histories of people whose identities were already known, including homicide victims and unspecified “personnel.” A handwritten note appended to a search conducted in January 2020 also indicates that the DA’s office used Clearview to assist in a “deportation case” — a law enforcement investigation not typically within the DA’s remit, particularly given New York’s status as a so-called sanctuary city. “Despite what we claim as being a sanctuary city, there’s no law in New York whatsoever that stops a conservative DA’s office like Staten Island from partnering with ICE,” said Cahn, referring to U.S. Immigration and Customs Enforcement.

The search records are indicative of how face recognition technology isn’t just proliferating among government agencies but also becoming used in applications broader than the public may expect. “Typically, the NYPD’s use of facial recognition technology has been to attempt to identify unknown witnesses or suspects,” Akerman explained. “The Richmond County District Attorney’s Office” — Richmond County is coextensive with the Staten Island borough, and the DA operates as a county official — “is engaging in a new use of the technology — as a form of surveillance of a known person’s social media.” Akerman pointed to the fact that the New York Police Department, the country’s largest police force, already makes use of face recognition technologies and questioned why the smallest DA’s office in the city needed such a powerful tool. Akerman also questioned the need for such a powerful tool given that prosecutors already routinely obtain intimately personal data about individuals during criminal investigations. “DA’s offices already obtain warrants, which are largely rubber-stamped, to search individuals’ cellphones, social media, phone location records, etc., regardless of whether there is a connection to the incident.”

Right-wing billionaire Peter Thiel holds $100 bills as he speaks during the Bitcoin 2022 conference on April 7, 2022, in Miami.

Photo: Marco Bello/Getty Images

Although face recognition is a potentially invasive and dangerous technology no matter how or where it’s deployed, the Peter Thiel-backed Clearview and its right-wing founder have become emblematic of the threat that the powerful and typically unsupervised software poses, particularly given its rapid adoption by police forces across the country. While the company is already eagerly selling its software to surveillance-hungry police departments, its ambitions are far greater. In February, the Washington Post reported that Clearview recently boasted to investors that it was working toward growing its database of faces to 100 billion images by next year, a number it says would mean “almost everyone in the world will be identifiable” with a simple snapshot. In a sign that the company is expanding its clientele in addition to its capabilities, the Ukrainian military has reportedly begun using Clearview to identify Russian corpses.

Critics of Clearview say the technology represents an untenable threat to personal privacy and, by virtue of the fact that it requires no judicial oversight, an assault on Fourth Amendment protections against undue searches. Clearview’s degree of accuracy is unclear, providing another klaxon for civil liberties advocates regardless of efficacy: If the technology works as advertised, its surveillance powers are an existential threat to privacy rights, but if it’s inaccurate, it risks implicating innocent people — particularly people of color — in crimes.

The Staten Island DA’s office declined to answer questions about the expansive use of Clearview documented in the search logs.

Cahn, of the Surveillance Technology Oversight Project, agreed that the disclosed records are a worrying sign that Clearview is being used far more broadly than initially advertised. “It’s increasingly clear that Clearview is not just a facial recognition tool, it’s a social media monitoring tool,” he said. “When so many people have social media accounts that they try to keep anonymous, where they try to keep their names off of the account, this becomes yet another tool to map out what people say, what they post, when they’re trying to keep their identities secret.”

The post Staten Island DA Bought Clearview Face Recognition Software With Civil Forfeiture Cash appeared first on The Intercept.

    Zapper turns smartphones into card machines - virtually all digital payments accepted without the need for point of sale hardware, customers no longer need the app either

    Danie van der Merwe · / gadgeteerza-tech-blog · Tuesday, 3 May - 10:18

Zapper has announced that their merchants will now be able to accept tap-on-phone payments. This includes Samsung Pay, Apple Pay, and Garmin Pay. Customers no longer have to download the Zapper app for merchants to accept payments through the Zapper platform.

“The software responsible for capturing, submitting and processing payments has been lab-tested and approved by both MasterCard and Visa,” the company said.


#southafrica #zapper #banking #technology

    Can semiconductor makers meet surging demands sustainably? / ArsTechnica · Friday, 29 April - 16:19 · 1 minute

Earth Day was April 22, and its usual message—take care of our planet—has been given added urgency by the challenges highlighted in the latest IPCC report. This year, Ars is taking a look at the technologies we normally cover, from cars to chipmaking, and finding out how we can boost their sustainability and minimize their climate impact.

While chips have been in short supply lately, there has also been growing concern about their environmental impact. Droughts and COVID caused factory (or fab) shutdowns just as the pandemic fueled a surge in demand for medical devices, tele-everything, and all the other gadgets to help people remain productive and less isolated. But the demand for chips has been growing for some time, making it important to ask whether meeting these demands is compatible with climate and sustainability goals.

The answer is that it’s a work in progress. Semiconductor manufacturers are building new facilities in Taiwan, the US, Europe, and elsewhere, providing an opportunity for the industry to incorporate sustainability from the very start. Doing so will help leading chip manufacturers meet voluntary pledges, such as reaching net-zero emissions by 2040 and 2050. These promises are encouraging, but they're still shy of the urgent action needed, according to the latest Intergovernmental Panel on Climate Change report. And pledging doesn’t guarantee delivery—but contributions from researchers, external regulators, and consumers can help with that.

    Russia Is Losing a War Against Hackers Stealing Huge Amounts of Data / TheIntercept · Friday, 22 April - 20:40 · 10 minutes

Russia is known for its army of hackers, but since the start of its invasion of Ukraine, dozens of Russian organizations — including government agencies, oil and gas companies, and financial institutions — have been hacked, with terabytes of stolen data leaked onto the internet.

Distributed Denial of Secrets, the transparency collective that’s best known for its 2020 release of 270 gigabytes of U.S. law enforcement data (in the midst of racial justice protests following the murder of George Floyd), has become the de facto home of the hacked datasets from Russia. The datasets are submitted to DDoSecrets mostly by anonymous hackers, and those datasets are then made available to the public on the collective’s website and distributed using BitTorrent. (I am an adviser to DDoSecrets.)

“The flood of Russian data has meant a lot of sleepless nights, and it’s truly overwhelming,” Emma Best, co-founder of DDoSecrets, told The Intercept via an encrypted messaging app. “In its first 10 years, WikiLeaks claimed to publish 10 million documents. In the less than two months since the invasion began, we’ve published over 6 million Russian documents — and it absolutely feels like it.”

After receiving a dataset, DDoSecrets organizes and compresses the data; it then starts distributing the data using BitTorrent for public consumption, publicizes it, and helps journalists at a wide range of newsrooms access and report on it. DDoSecrets has published about 30 hacked datasets from Russia since its invasion of Ukraine began in late February.

The vast majority of sources who provided the hacked Russian data appear to be anonymous individuals, many self-identifying as part of the Anonymous hacktivist movement. Some sources provide email addresses or other contact information as part of the dumped data, and some, like Network Battalion 65, have their own social media presence.

Still, with so many datasets submitted by anonymous hackers, it’s impossible to be certain about their motives or if they’re even truly hacktivists. For instance, in 2016 hackers compromised the network of the Democratic National Committee and leaked stolen emails to WikiLeaks in an attempt to hurt Hillary Clinton’s presidential campaign. Guccifer 2.0, the hacker persona responsible, claimed to be a lone actor but was later revealed to be an invention of the GRU, Russia’s military intelligence agency.

For this reason, the recent Russian datasets published by DDoSecrets include a disclaimer: “This dataset was released in the buildup to, in the midst of, or in the aftermath of a cyberwar or hybrid war. Therefore, there is an increased chance of malware, ulterior motives and altered or implanted data, or false flags/fake personas. As a result, we encourage readers, researchers and journalists to take additional care with the data.”

Hacks Begin in February

On February 26, two days after Russia’s invasion started, DDoSecrets published 200 gigabytes of emails from the Belarus weapons manufacturer Tetraedr, submitted by the hacktivist persona Anonymous Liberland and the Pwn-Bär Hack Team. Belarus is a close ally to Russia in its war against Ukraine. A message published with the dataset announced “#OpCyberBullyPutin.”

On February 25, the notorious Russian ransomware gang known as Conti publicly expressed its support for Russia’s war, and two days later, on February 27, an anonymous Ukrainian security researcher who had hacked Conti’s internal infrastructure leaked two years of Conti chat logs, along with training documentation, hacking tools, and source code from the criminal hackers. “I cannot shoot anything, but I can fight with a keyboard and mouse,” the anonymous researcher told CNN on March 30 before he safely slipped out of Ukraine.

In early March, DDoSecrets published 817 gigabytes of hacked data from Roskomnadzor, the Russian federal agency responsible for monitoring, controlling, and censoring Russian mass media. This data specifically came from the regional branch of the agency in the Republic of Bashkortostan. The Intercept made this dataset searchable and shared access with independent Russian journalists from Meduza who reported that Roskomnadzor had been monitoring the internet for “antimilitarism” since at least 2020. In early March, Roskomnadzor began censoring access to Meduza from inside Russia “due to systematic spread of fakes about the special operation in Ukraine,” a spokesperson for the agency told the Russian news site RIA Novosti.

The hacks continued. In mid-March, DDoSecrets published 79 gigabytes of emails from the Omega Co., the research and development wing of the world’s largest oil pipeline company, Transneft, which is state-controlled in Russia. In the second half of March, hacktivism against Russia began to heat up. DDoSecrets published an additional five datasets:

  • 5.9 gigabytes of emails from Thozis Corp., a Russian investment firm owned by billionaire oligarch Zakhar Smushkin.
  • 110 gigabytes of emails from MashOil, a Russian firm that designs and manufactures equipment for the drilling, mining, and fracking industries.
  • 22.5 gigabytes of data allegedly from the central bank of Russia. The source for this data is the persona The Black Rabbit World on Twitter.
  • 2.5 gigabytes of emails from RostProekt, a Russian construction firm. The source for this data is the persona @DepaixPorteur on Twitter.
  • 15.3 gigabytes of data from Rosatom State Nuclear Energy Corp., Russia’s state-run company that specializes in nuclear energy and makes up 20 percent of the country’s domestic electricity production. It’s also one of the world’s largest exporters of nuclear technology products. The source for this data included an email address hosted at the free encrypted email provider ProtonMail.

On the last day of March, the transparency collective also published 51.9 gigabytes of emails from the Marathon Group, an investment firm owned by sanctioned Russian oligarch Alexander Vinokurov.

April Is Cruel to Orthodox Church

On the first day of April, DDoSecrets published 15 gigabytes of emails from the charity wing of the Russian Orthodox Church. Because the emails might include sensitive and private information from individuals, DDoSecrets isn’t distributing this data to the public. Instead, journalists and researchers can contact DDoSecrets to request a copy of it.

On April 3, DDoSecrets published 483 gigabytes of emails and documents from Mosekspertiza, a state-owned corporation that provides expert services to the business community in Russia. On April 4, DDoSecrets published 786 gigabytes of documents and emails from the All-Russia State Television and Radio Broadcasting Co., referred to with the English acronym VGTRK. VGTRK is Russia’s state-owned broadcaster; it operates dozens of television and radio stations across Russia, including regional, national, and international stations in several languages. Former employees of VGTRK told the digital publication that the Kremlin frequently dictated how the news should be covered. Network Battalion 65 is the source for both the VGTRK and Mosekspertiza hacks.

Russia’s legal sector also got hacked. On April 8, DDoSecrets published 65 gigabytes of emails from the law firm Capital Legal Services. The persona wh1t3sh4d0w submitted the data to the transparency collective.

In the following days, DDoSecrets published three more datasets:

By April 11, DDoSecrets had published another three datasets:

  • 446 gigabytes of emails from the Ministry of Culture of the Russian Federation. This government agency is responsible for state policy regarding art, film, copyright, cultural heritage, and in some cases censorship.
  • 150 gigabytes of emails from the city administration of Blagoveshchensk. This is in the same region of Russia that the Roskomnadzor dataset was hacked from.
  • 116 gigabytes of emails from the governor’s office of Tver Oblast, a region of Russia northwest of Moscow.

In mid-April, DDoSecrets published several datasets from the oil and gas industries:

  • 440 gigabytes of emails from Technotec, a group of companies that develops chemical reagents for and provides services to oil and gas companies.
  • 728 gigabytes of emails from Gazprom Linde Engineering, a firm that designs gas and petrochemical processing facilities and oil refineries. This company was a joint venture between the state-owned Russian gas company Gazprom — the largest corporation in Russia — and the German company Linde. In late March, in response to economic sanctions against Russia, Linde announced that it was suspending its Russian business ventures.
  • 222 gigabytes of data from Gazregion, a construction company that specializes in building gas pipelines and facilities. Three different sources — Network Battalion 65, @DepaixPorteur, and another anonymous hacker — hacked this company at roughly the same time and submitted data to DDoSecrets, which published all three overlapping datasets to “provide as complete a picture as possible, and to provide an opportunity for comparison and cross-checking.”

On April 16, DDoSecrets published two more datasets:

Just during the last week, DDoSecrets published these datasets:

Earlier today, DDoSecrets published 342 gigabytes of emails from Enerpred, the largest producer of hydraulic tools in Russia that works in the energy, petrochemical, coal, gas and construction industries.

Researching the Hacked Data

Despite the massive scale of these Russian data leaks, very few journalists have reported on them so far. Since the war began, Russia has severely clamped down on its domestic media, introducing penalties of years in prison for journalists who use the wrong words when describing the war in Ukraine — like calling it a “war” instead of a “special military operation.” Russia has also ramped up its censorship efforts, blocking Twitter and Facebook and censoring access to international news sites, leaving the Russian public largely in the dark when it comes to views that aren’t sanctioned by the state.

One of the barriers for non-Russian news organizations is language: The hacked data is principally in Russian. Additionally, hacked datasets always come with considerable technical challenges. The Intercept, which was founded in part to report on the archive of National Security Agency documents leaked by Edward Snowden, has been using our technical resources to build out tools to make these Russian datasets searchable and then sharing access to these tools with other journalists. Russian-speaking journalists from Meduza — which is forced to operate in Latvia to avoid the Kremlin’s reach — have already published a story based on one of the datasets indexed by The Intercept.

    American Phone-Tracking Firm Demo'd Surveillance Powers by Spying on CIA and NSA / TheIntercept · Friday, 22 April - 11:00 · 17 minutes

In the months leading up to Russia’s invasion of Ukraine, two obscure American startups met to discuss a potential surveillance partnership that would merge the ability to track the movements of billions of people via their phones with a constant stream of data purchased directly from Twitter. According to Brendon Clark of Anomaly Six — or “A6” — the combination of its cellphone location-tracking technology with the social media surveillance provided by Zignal Labs would permit the U.S. government to effortlessly spy on Russian forces as they amassed along the Ukrainian border, or similarly track Chinese nuclear submarines. To prove that the technology worked, Clark pointed A6’s powers inward, spying on the National Security Agency and CIA, using their own cellphones against them.

Virginia-based Anomaly Six was founded in 2018 by two ex-military intelligence officers and maintains a public presence that is scant to the point of mysterious, its website disclosing nothing about what the firm actually does. But there’s a good chance that A6 knows an immense amount about you. The company is one of many that purchases vast reams of location data, tracking hundreds of millions of people around the world by exploiting a poorly understood fact: Countless common smartphone apps are constantly harvesting your location and relaying it to advertisers, typically without your knowledge or informed consent, relying on disclosures buried in the legalese of the sprawling terms of service that the companies involved count on you never reading. Once your location is beamed to an advertiser, there is currently no law in the United States prohibiting the further sale and resale of that information to firms like Anomaly Six, which are free to sell it to their private sector and governmental clientele. For anyone interested in tracking the daily lives of others, the digital advertising industry is taking care of the grunt work day in and day out — all a third party need do is buy access.

Company materials obtained by The Intercept and Tech Inquiry provide new details of just how powerful Anomaly Six’s globe-spanning surveillance powers are, capable of providing any paying customer with abilities previously reserved for spy bureaus and militaries.

According to audiovisual recordings of an A6 presentation reviewed by The Intercept and Tech Inquiry, the firm claims that it can track roughly 3 billion devices in real time, equivalent to a fifth of the world’s population. The staggering surveillance capacity was cited during a pitch to provide A6’s phone-tracking capabilities to Zignal Labs, a social media monitoring firm that leverages its access to Twitter’s rarely granted “firehose” data stream to sift through hundreds of millions of tweets per day without restriction. With their powers combined, A6 proposed, Zignal’s corporate and governmental clients could not only surveil global social media activity, but also determine who exactly sent certain tweets, where they sent them from, who they were with, where they’d been previously, and where they went next. This enormously augmented capability would be an obvious boon to both regimes keeping tabs on their global adversaries and companies keeping tabs on their employees.

The source of the materials, who spoke on the condition of anonymity to protect their livelihood, expressed grave concern about the legality of government contractors such as Anomaly Six and Zignal Labs “revealing social posts, usernames, and locations of Americans” to “Defense Department” users. The source also asserted that Zignal Labs had willfully deceived Twitter by withholding the broader military and corporate surveillance use cases of its firehose access. Twitter’s terms of service technically prohibit a third party from “conducting or providing surveillance or gathering intelligence” using its access to the platform, though the practice is common and enforcement of this ban is rare. Asked about these concerns, spokesperson Tom Korolsyshun told The Intercept “Zignal abides by privacy laws and guidelines set forth by our data partners.”

A6 claims that its GPS dragnet yields between 30 and 60 location pings per device per day and 2.5 trillion locational data points annually worldwide, adding up to 280 terabytes of location data per year and many petabytes in total, suggesting that the company surveils roughly 230 million devices on an average day. A6’s salesperson added that while many rival firms gather personal location data via a phone’s Bluetooth and Wi-Fi connections that provide general whereabouts, Anomaly 6 harvests only GPS pinpoints, potentially accurate to within several feet. In addition to location, A6 claimed that it has built a library of over 2 billion email addresses and other personal details that people share when signing up for smartphone apps that can be used to identify who the GPS ping belongs to. All of this is powered, A6’s Clark noted during the pitch, by general ignorance of the ubiquity and invasiveness of smartphone software development kits, known as SDKs: “Everything is agreed to and sent by the user even though they probably don’t read the 60 pages in the [end user license agreement].”

The Intercept was not able to corroborate Anomaly Six’s claims about its data or capabilities, which were made in the context of a sales pitch. Privacy researcher Zach Edwards told The Intercept that he believed the claims were plausible but cautioned that firms can be prone to exaggerating the quality of their data. Mobile security researcher Will Strafach agreed, noting that A6’s data sourcing boasts “sound alarming but aren’t terribly far off from ambitious claims by others.” According to Wolfie Christl, a researcher specializing in the surveillance and privacy implications of the app data industry, even if Anomaly Six’s capabilities are exaggerated or based partly on inaccurate data, a company possessing even a fraction of these spy powers would be deeply concerning from a personal privacy standpoint.

Reached for comment, Zignal’s spokesperson provided the following statement: “While Anomaly 6 has in the past demonstrated its capabilities to Zignal Labs, Zignal Labs does not have a relationship with Anomaly 6. We have never integrated Anomaly 6’s capabilities into our platform, nor have we ever delivered Anomaly 6 to any of our customers.”

When asked about the company’s presentation and its surveillance capabilities, Anomaly Six co-founder Brendan Huff responded in an email that “Anomaly Six is a veteran-owned small business that cares about American interests, natural security, and understands the law.”

Companies like A6 are fueled by the ubiquity of SDKs, which are turnkey packages of code that software-makers can slip in their apps to easily add functionality and quickly monetize their offerings with ads. According to Clark, A6 can siphon exact GPS measurements gathered through covert partnerships with “thousands” of smartphone apps, an approach he described in his presentation as a “farm-to-table approach to data acquisition.” This data isn’t just useful for people hoping to sell you things: The largely unregulated global trade in personal data is increasingly finding customers not only at marketing agencies, but also federal agencies tracking immigrants and drone targets as well as sanctions and tax evasion. According to public records first reported by Motherboard, U.S. Special Operations Command paid Anomaly Six $590,000 in September 2020 for a year of access to the firm’s “commercial telemetry feed.”

Anomaly Six software lets its customers browse all of this data in a convenient and intuitive Google Maps-style satellite view of Earth. Users need only find a location of interest and draw a box around it, and A6 fills that boundary with dots denoting smartphones that passed through that area. Clicking a dot will provide you with lines representing the device’s — and its owner’s — movements around a neighborhood, city, or indeed the entire world.

As the Russian military continued its buildup along the country’s border with Ukraine, the A6 sales rep detailed how GPS surveillance could help turn Zignal into a sort of private spy agency capable of assisting state clientele in monitoring troop movements. Imagine, Clark explained, if the crisis zone tweets Zignal rapidly surfaces through the firehose were only a starting point. Using satellite imagery tweeted by accounts conducting increasingly popular “open-source intelligence,” or OSINT, investigations, Clark showed how A6’s GPS tracking would let Zignal clients determine not simply that the military buildup was taking place, but track the phones of Russian soldiers as they mobilized to determine exactly where they’d trained, where they were stationed, and which units they belonged to. In one case, Clark showed A6 software tracing Russian troop phones backward through time, away from the border and back to a military installation outside Yurga, and suggested that they could be traced further, all the way back to their individual homes. Previous reporting by the Wall Street Journal indicates that this phone-tracking method is already used to monitor Russian military maneuvers and that American troops are just as vulnerable.

In another A6 map demonstration, Clark zoomed in closely on the town of Molkino, in southern Russia, where the Wagner Group, an infamous Russian mercenary outfit, is reportedly headquartered. The map showed dozens of dots indicating devices at the Wagner base, along with scattered lines showing their recent movements. “So you can just start watching these devices,” Clark explained. “Any time they start leaving the area, I’m looking at potential Russian predeployment activity for their nonstandard actors, their nonuniform people. So if you see them go into Libya or Democratic Republic of the Congo or things like that, that can help you better understand potential soft power actions the Russians are doing.”

The pitch noted that this kind of mass phone surveillance could be used by Zignal to aid unspecified clients with “counter-messaging,” debunking Russian claims that such military buildups were mere training exercises and not the runup to an invasion. “When you’re looking at counter-messaging, where you guys have a huge part of the value you provide your client in the counter-messaging piece is — [Russia is] saying, ‘Oh, it’s just local, regional, um, exercises.’ Like, no. We can see from the data that they’re coming from all over Russia.”

To fully impress upon its audience the immense power of this software, Anomaly Six did what few in the world can claim to do: spied on American spies. “I like making fun of our own people,” Clark began. Pulling up a Google Maps-like satellite view, the sales rep showed the NSA’s headquarters in Fort Meade, Maryland, and the CIA’s headquarters in Langley, Virginia. With virtual boundary boxes drawn around both, a technique known as geofencing, A6’s software revealed an incredible intelligence bounty: 183 dots representing phones that had visited both agencies potentially belonging to American intelligence personnel, with hundreds of lines streaking outward revealing their movements, ready to track throughout the world. “So, if I’m a foreign intel officer, that’s 183 start points for me now,” Clark noted.

The NSA and CIA both declined to comment.


Anomaly Six tracked a device that had visited the NSA and CIA headquarters to an air base outside of Zarqa, Jordan.

Screenshot: The Intercept / Google Maps

Clicking on one of the dots from the NSA allowed Clark to follow that individual’s exact movements, virtually every moment of their life, from that previous year until the present. “I mean, just think of fun things like sourcing,” Clark said. “If I’m a foreign intel officer, I don’t have access to things like the agency or the fort, I can find where those people live, I can find where they travel, I can see when they leave the country.” The demonstration then tracked the individual around the United States and abroad to a training center and airfield roughly an hour’s drive northwest of Muwaffaq Salti Air Base in Zarqa, Jordan, where the U.S. reportedly maintains a fleet of drones.

“There is sure as hell a serious national security threat if a data broker can track a couple hundred intelligence officials to their homes and around the world,” Sen. Ron Wyden, D-Ore., a vocal critic of the personal data industry, told The Intercept in an interview. “It doesn’t take a lot of creativity to see how foreign spies can use this information for espionage, blackmail, all kinds of, as they used to say, dastardly deeds.”

Back stateside, the person was tracked to their own home. A6’s software includes a function called “Regularity,” a button clients can press that automatically analyzes frequently visited locations to deduce where a target lives and works, even though the GPS pinpoints sourced by A6 omit the phone owner’s name. Privacy researchers have long shown that even “anonymized” location data is trivially easy to attach to an individual based on where they frequent most, a fact borne out by A6’s own demonstration. After hitting the “Regularity” button, Clark zoomed in on a Google Street View image of their home.

“Industry has repeatedly claimed that collecting and selling this cellphone location data won’t violate privacy because it is tied to device ID numbers instead of people’s names. This feature proves just how facile those claims are,” said Nate Wessler, deputy director of the American Civil Liberties Union’s Speech, Privacy, and Technology Project. “Of course, following a person’s movements 24 hours a day, day after day, will tell you where they live, where they work, who they spend time with, and who they are. The privacy violation is immense.”

The demo continued with a surveillance exercise tagging U.S. naval movements, using a tweeted satellite photo of the USS Dwight D. Eisenhower in the Mediterranean Sea snapped by the commercial firm Maxar Technologies. Clark broke down how a single satellite snapshot could be turned into surveillance that he claimed was even more powerful than that executed from space. Using the latitude and longitude coordinates appended to the Maxar photo along with its time stamp, A6 was able to pick up a single phone signal from the ship’s position at that moment, south of Crete. “But it only takes one,” Clark noted. “So when I look back where that one device goes: Oh, it goes back to Norfolk. And actually, on the carrier in the satellite picture — what else is on the carrier? When you look, here are all the other devices.” His screen revealed a view of the carrier docked in Virginia, teeming with thousands of colorful dots representing phone location pings gathered by A6. “Well, now I can see every time that that ship is deploying. I don’t need satellites right now. I can use this.”

Though Clark conceded that the company has far less data available on Chinese phone owners, the demo concluded with a GPS ping picked up aboard an alleged Chinese nuclear submarine. Using only unclassified satellite imagery and commercial advertising data, Anomaly Six was able to track the precise movements of the world’s most sophisticated military and intelligence forces. With tools like those sold by A6 and Zignal, even an OSINT hobbyist would have global surveillance powers previously held only by nations. “People put way too much on social media,” Clark added with a laugh.

As location data has proliferated largely unchecked by government oversight in the United States, one hand washes another, creating a private sector capable of state-level surveillance powers that can also fuel the state’s own growing appetite for surveillance without the usual judicial scrutiny. Critics say the loose trade in advertising data constitutes a loophole in the Fourth Amendment, which requires the government to make its case to a judge before obtaining location coordinates from a cellular provider. But the total commodification of phone data has made it possible for the government to skip the court order and simply buy data that’s often even more accurate than what could be provided by the likes of Verizon. Civil libertarians say this leaves a dangerous gap between the protections intended by the Constitution and the law’s grasp on the modern data trade.

“The Supreme Court has made clear that cellphone location information is protected under the Fourth Amendment because of the detailed picture of a person’s life it can reveal,” explained Wessler. “Government agencies’ purchases of access to Americans’ sensitive location data raise serious questions about whether they are engaged in an illegal end run around the Fourth Amendment’s warrant requirement. It is time for Congress to end the legal uncertainty enabling this surveillance once and for all by moving toward passage of the Fourth Amendment Is Not For Sale Act.”

Though such legislation could restrict the government’s ability to piggyback off commercial surveillance, app-makers and data brokers would remain free to surveil phone owners. Still, Wyden, a co-sponsor of that bill, told The Intercept that he believes “this legislation sends a very strong message” to the “Wild West” of ad-based surveillance but that clamping down on the location data supply chain would be “certainly a question for the future.” Wyden suggested that protecting a device’s location trail from snooping apps and advertisers might be best handled by the Federal Trade Commission. Separate legislation previously introduced by Wyden would empower the FTC to crack down on promiscuous data sharing and broaden consumers’ ability to opt out of ad tracking.

A6 is far from the only firm engaged in privatized device-tracking surveillance. Three of Anomaly Six’s key employees previously worked at competing firm Babel Street, which named all three of them in a 2018 lawsuit first reported by the Wall Street Journal. According to the legal filing, Brendan Huff and Jeffrey Heinz co-founded Anomaly Six (and lesser-known Datalus 5) months after ending their employment at Babel Street in April 2018, with the intent of replicating Babel’s cellphone location surveillance product, “Locate X,” in a partnership with major Babel competitor Semantic AI. In July 2018, Clark followed Huff and Heinz by resigning from his position as Babel’s “primary interface to … intelligence community clients” and becoming an employee of both Anomaly Six and Semantic.

Like its rival Dataminr, Zignal touts its mundane partnerships with the likes of Levi’s and the Sacramento Kings, marketing itself publicly in vague terms that carry little indication that it uses Twitter for intelligence-gathering purposes, ostensibly in clear violation of Twitter’s anti-surveillance policy. Zignal’s ties to government run deep: Zignal’s advisory board includes a former head of the U.S. Army Special Operations Command, Charles Cleveland, as well as the CEO of the Rendon Group, John Rendon, whose bio notes that he “pioneered the use of strategic communications and real-time information management as an element of national power, serving as a consultant to the White House, U.S. National Security community, including the U.S. Department of Defense.” Further, public records state that Zignal was paid roughly $4 million to subcontract under defense staffing firm ECS Federal on Project Maven for “Publicly Available Information … Data Aggregation” and a related “Publicly Available Information enclave” in the U.S. Army’s Secure Unclassified Network.

The remarkable world-spanning capabilities of Anomaly Six are representative of the quantum leap occurring in the field of OSINT. While the term is often used to describe the internet-enabled detective work that draws on public records to, say, pinpoint the location of a war crime from a grainy video clip, “automated OSINT” systems now use software to combine enormous datasets that far outpace what a human could do on their own. Automated OSINT has also become something of a misnomer, using information that is by no means “open source” or in the public domain, like commercial GPS data that must be bought from a private broker.

While OSINT techniques are powerful, they are generally shielded from accusations of privacy violation because the “open source” nature of the underlying information means that it was already to some extent public. This is a defense that Anomaly Six, with its trove of billions of purchased data points, can’t muster. In February, the Dutch Review Committee on the Intelligence and Security Services issued a report on automated OSINT techniques and the threat to personal privacy they may represent: “The volume, nature and range of personal data in these automated OSINT tools may lead to a more serious violation of fundamental rights, in particular the right to privacy, than consulting data from publicly accessible online information sources, such as publicly accessible social media data or data retrieved using a generic search engine.” This fusion of publicly available data, privately procured personal records, and computerized analysis isn’t the future of governmental surveillance, but the present. Last year, the New York Times reported that the Defense Intelligence Agency “buys commercially available databases containing location data from smartphone apps and searches it for Americans’ past movements without a warrant,” a surveillance method now regularly practiced throughout the Pentagon, the Department of Homeland Security, the IRS, and beyond.

The post American Phone-Tracking Firm Demo’d Surveillance Powers by Spying on CIA and NSA appeared first on The Intercept.