Tag Archives: surveillance

Google: An Escape Plan – Part I – Bones Beneath the Chromatic Garden


It preaches “don’t be evil” and updates its search engine page with a cute holiday-relevant animation on occasion. Google practically oozes its quirkiness with a range of promises including tons of different “free” services, but let’s be honest, we all know nothing is really free (not digitally, at least). I sometimes catch flak for my distaste for Google and its services, but it’s only because I’m honestly tired of feeling trapped in their almost omnipotent snare. Everywhere you turn, with every digital service you use, they seem to be so closely affiliated.. that is, if they don’t already own whatever you might be using. It’s almost as if you don’t even have a choice as to whether you want to use Google’s services or not anymore; outside of unplugging from the internet completely. When you begin to do some research on the company, this all starts to sink in.

For example, if you look through the Wikipedia entry for ‘List of Mergers and acquisitions by Google‘, you will see a listed table that runs 181 rows long. If you’re reading this post even a few weeks or so after the date it was published, it is sure to be longer. Among these acquisitions is the popular aggregate-focused antivirus tool VirusTotal, multiple facial recognition programs, home monitoring and home automation companies, and even the popular robotics company Boston Dynamics. Now, of course I’m not worried about Google sending out sentient robots to my house, but I am worried that one company (that collects a whole lot of my information, which I consider pretty personal) has so many outlets at their disposal. Having a Google account, so many of the different internet services I use every day are all connected into one company. Gmail, YouTube, Google Music, and the list goes on. Vacuuming up as much user data as they can. Remember, Google is the self-proclaimed world’s largest advertising and search monetization program.

~

Beyond the fact of how much Google owns, there are several factors of what exactly they are doing with their products which stand as irksome to me.

There is, for example, the matter of Google striving to give off a posture of openness – in terms of software and APIs. This is often less true than false. Take for instance Google’s Android OS. As Ron Amadeo of Ars Technica put it, things on Android have become “look but don’t touch”:

When Android had no market share, Google was comfortable keeping just these apps and building the rest of Android as an open source project. Since Android has become a mobile powerhouse though, Google has decided it needs more control over the public source code. For some of these apps, there might still be an AOSP [Android Open Source Project] equivalent, but as soon as the proprietary version was launched, all work on the AOSP version was stopped. Less open source code means more work for Google’s competitors. While you can’t kill an open source app, you can turn it into abandonware by moving all continuing development to a closed source model. Just about any time Google rebrands an app or releases a new piece of Android onto the Play Store, it’s a sign that the source has been closed and the AOSP version is dead.

It’s true: as Android has soaked in a relevant share of the mobile OS market, the demise of once-open-source applications on Android – the Music, Calendar, Photo gallery, and several other applications – has occurred as well.

There are also the broken promises or lapses in expectations from the company in terms of privacy/security-conscious OS implementations. Take for instance, the recent backpedaling on encryption-by-default settings being prepared for the next Android version update:

..despite all those promises, Google hadn’t updated its Android Compatibility Definition document for Lollipop, which lists rules for its hardware partners, to include a stipulation for encryption. It stated the following: “If the device implementation has a lock screen, the device MUST support full-disk encryption of the application private data… as well as the SD card partition if it is a permanent, non-removable part of the device… For devices supporting full-disk encryption, the full-disk encryption SHOULD be enabled all the time after the user has completed the out-of-box experience. While this requirement is stated as SHOULD for this version of the Android platform, it is very strongly RECOMMENDED as we expect this to change to MUST in the future versions of Android.”

And there you have it. Though it looks to be laying down the law at first, Google simply recommends partners add encryption by default, though they must support it (this is no different from previous Android iterations, though). It seems Google pushed the button too early, at least for some manufacturers worried about the performance impact on phones that can’t handle the extra data load.

Here is the update on the change in plans from Google‘s official Android Blog:

Update: In September, we announced that all new Android Lollipop devices would be encrypted by default. Due to performance issues on some Android partner devices, we are not yet at encryption by default on every new Lollipop device. That said, our new Nexus devices are encrypted by default and Android users (Jelly Bean and above) have the option to encrypt the data on their device in Settings —> Security —> Encryption. We remain firmly committed to encryption because it helps keep users safe and secure on the web.

Encryption is a crucial piece of security for what’s basically a handheld computer you carry around with you each and every day, and while in the height of legal strain on the idea of “crypto for everyone” this may have been a “too idealistic” pitch for Google HQ, this doesn’t seem to resonate in the official statement from the company. The fact that the ability for encryption remains an option for users makes this a sort of small quibble, but is it really too much to ask for a company that stores and transfers so much user data to have such security implemented out-of-the-box? Even Apple uses fairly robust system encryption in iOS8 all by default, which even includes a type of public-key cryptography scheme with their popular iMessage service.

~

In a more human aspect, Google pulls some serious bureaucratic strings. According to the Center for Responsive Politics, Google was the ninth highest spender in political lobbying through 2014. It’s remained in the Top 20 of this list for the last three years.

Top Spenders in Political Lobbying - 2014 (Center for Responsive Politics)


But just in case you’re not as firm a believer as I am in the “money talks” principle that suits our political system, we can take a look at the particulars of the company’s stake in the situation:

A Revolving Door, Indeed.


Yes, that chart clearly spells it out: ~82% of the time a Google lobbyist has previously held a government job. You can further investigate each of the individual Google lobbyists yourself, if you’re still not convinced of its presence.

This leads me to the largest issue I personally have with Google – the realm of user privacy. Regardless of several higher-ups claiming that Google will stand against mass surveillance, there are several very blatant actions Google has taken to do just the opposite. Yes, Google had filed a First Amendment lawsuit against the NSA shortly after the Snowden leaks began to reveal the extent of the agency’s capabilities under their PRISM program, and sure, they fight against the secrecy behind National Security Letters as well, but it would be wise not to start cheering here. Again, Google’s priority is expanding their assets and mining as much user data/metrics as possible for businesses and agencies they have relationships with (basically every business and marketing agency with an internet connection). If they build it, who will come?

When most people think of mass digital surveillance, several three-letter agencies come to mind. But the fact is major corporations – especially ones that process well over 20 petabytes of user data per day – are generally overlooked in this aspect. These are the companies that we are supposed to trust day in and day out to keep us safe as we use their services through our various personal devices. Scraping the bounds of user information they do, they are leaving critical pieces of our devices open as ripe targets for people striving to scrape the same information for their own benefit and other malicious means.

Google both uses personally and lets their advertising/marketing clients use their browser cookie technology to monitor the way users interact with their websites. It does this by injecting a cookie into the user’s browser as they travel along the way, which communicates back to Google’s servers, and to an advertising account/dashboard the client has control of as well. This is what the information from a DoubleClick (Google-owned) cookie looks like:

time: 01/Aug/2015 9:01:45
ad_placement_id: 105
ad_id: 1003
userid: 0000000000000001
client_ip: 209.85.128.1
referral_url: http://www.facebook.com/Google

This includes the site you visited, when you visited this site, the IP address you visited this site from, and the unique cookie generated and “fed” to your browser during this visit. Most of the time, these DoubleClick cookies are deployed over HTTP – an unencrypted protocol, thus making them susceptible to hijacking. The way DoubleClick’s advertising scheme functions has also left a door open for several attacks attempting to spread malware through webpages running the advertising service as a redirect. Even besides these instances, the idea of harnessing that amount of data on users should at least make you think about the repercussions involved. We are talking about a cookie that usually lasts a minimum of 30 days and keeps track of any other sites you’ve visited besides the original one, as long as they are running DoubleClick from their page as well (and as long as they are not deleted locally from the browser *cough*). According to a digital advertising buying guide printed in 2011, the use of tracking by means of DoubleClick is extremely widespread. Here are some details from the “Who We Are” section, presumably written up by an employee working at Google:

Buyers have access to a vast, global pool of inventory to reach their audiences with the frequency they want across more than 2 million sites. Google reaches 80 percent of Internet users worldwide, serving hundreds of billions of impressions to more than 500 million users each month, in 100 different countries and 20 languages. This massive inventory pool is uniform across DoubleClick Ad Exchange and the Google Display Network, and is readily accessible to Invite Media clients.

Our clients can reach hundreds of millions of users classified into demographics and interests..

While this does benefit businesses to understand user behavior involved with their products, it seems more and more like the user is becoming the product. Having been in a digital marketing environment before, it has become clear to me that Google and its clients want, more than anything else, a particular wealth of information – a full layout of each individual user and their browsing behavior. The company has been recently striving to find ways to tie an individual’s devices together, so that actions such as web searches and page views can be all rounded up under a unique user profile – regardless of which device you’ve used, which network you were connected to, and regardless of if you were even logged into your Google account while you made them.
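An added example (not from the original post, and not Google's or DoubleClick's code): a defender-side audit of `Set-Cookie` headers that flags the properties described above for the tracking cookie, namely third-party scope, delivery over plain HTTP, a missing `Secure` attribute, and a lifetime of 30 days or more. The hostnames, cookie values and responses are constructed, and the two-label "site" comparison is a simplifying assumption.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

THIRTY_DAYS = 30 * 24 * 3600
# Fixed "now" so the audit is reproducible (matches the sample log time above).
NOW = datetime(2015, 8, 1, 9, 1, 45, tzinfo=timezone.utc)

# Constructed sample responses (not captured traffic): the page the user was
# on, the URL that answered, and the Set-Cookie header value it returned.
SAMPLES = [
    ("http://news.example/story",
     "http://ads.adnetwork.example/pixel?placement=105",
     "id=0000000000000001; Domain=.adnetwork.example; Path=/; Max-Age=2592000"),
    ("https://shop.example/cart",
     "https://shop.example/cart",
     "session=abc123; Path=/; Secure; HttpOnly"),
    ("https://blog.example/",
     "https://cdn.adnetwork.example/ad.js",
     "uid=42; Domain=adnetwork.example; "
     "Expires=Mon, 31 Aug 2015 09:01:45 GMT; Secure"),
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def site_of(host):
    """Naive 'site': the last two DNS labels.

    Assumption for this example; production tooling should consult the
    Public Suffix List instead.
    """
    return ".".join(host.lower().strip(".").split(".")[-2:])


def lifetime_seconds(attrs, now):
    """Lifetime in seconds, or None for a session cookie or unparsable value.

    Max-Age takes precedence over Expires, as browsers do.
    """
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"])
        except ValueError:
            return None
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None


def audit(page_url, request_url, header, now=NOW):
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    name, _value, attrs = parse_set_cookie(header)
    request = urlsplit(request_url)
    cookie_host = attrs.get("domain", "").lstrip(".") or request.hostname
    findings = []
    if site_of(cookie_host) != site_of(urlsplit(page_url).hostname):
        findings.append("third-party")          # follows the user across sites
    if request.scheme == "http":
        findings.append("set-over-http")        # readable by anyone on the path
    if "secure" not in attrs:
        findings.append("no-secure-attribute")  # will also be sent over HTTP
    life = lifetime_seconds(attrs, now)
    if life is not None and life >= THIRTY_DAYS:
        findings.append("lifetime>=30d")
    return name, findings


def run_audit():
    """Audit every constructed sample and return the results in order."""
    return [audit(page, req, header) for page, req, header in SAMPLES]


if __name__ == "__main__":
    for cookie_name, cookie_findings in run_audit():
        print(cookie_name, cookie_findings or ["ok"])
```
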

While Google does probably have some keen internal checks and balances involved to try and protect user information, their Privacy Policy is vague at best. This strikes up yet another concern involved, one regarding the Privacy Policies and End User Licenses agreements (see details on the complexity/criticism surrounding Google’s EULA’s in this post) you’ll be (probably blindly) agreeing to before using Google’s services. Well, that is most of the time you’ll be agreeing to them before you use the product, unless you are using something like their commuting route optimization tool Waze, which won’t let you view its Privacy Policy until after you’ve agreed to let it utilize your location on your phone.

~

While I think that at this point it’s pretty plain to see that my thoughts towards Google as a company and all-around entity on the internet are not fond ones, that’s not to say that I don’t appreciate certain things they’ve been involved with. For one, I think their coveted team known as Project Zero has done a fantastic job at digging into vulnerabilities, bugs, and things that are way over my head. I also think that Google has brought an idea of convenience in their product that has changed the way developers of tech tools approach making things “user-friendly”. But with this convenience, Google has managed to convince users opening an account with them to tie seemingly every asset they use to the company. Your email, your internet searches, your wallet, your locations, your frequent routes, the music you listen to, your spreadsheets, your photographs, your home thermometer, your.. well, you get the point. And what happens when your Google account gets hacked? What about when Google decides to change their mind and start selling your data to the highest bidder? Believe me, data gets retained, and it’s not like the entrails of your Google account will just vanish into thin air upon closing it.

Compartmentalization is a big deal in terms of privacy and personal data security in this day and age. It’s a very scary idea to me that all of these are tied together per a single user account in the name of “convenience”, all created by one of the world’s largest corporations. Take it from Moxie Marlinspike, an expert in the field of privacy and digital security: Google is something regime intelligence agencies could only dream of having within their grasps:

A transcription of the embedded video, starting from 12:10:

Slide reads: “Develop the technology to easily mine the massive amount of data you collect – that’s Google’s jam!”

..

“Now, clearly, their [Google’s] intent is different; they’re not John Poindexter, they’re trying to sell advertising. But make no mistake about it, they are in the surveillance business. That’s how they make money: they surveil people and use that to profit, and so the effect is the same.

So there’s this quote, ‘who knows more about the citizens in their own country: Kim Jong Il, or Google?’

Now I think it’s Google,.. it’s pretty clearly Google.

So once again, there’s this question, why are people so concerned about the surveillance practices of the John Poindexters of the world, and not as concerned about things like Google?

Again, I think it comes back to this question of choice; you choose to use Google, and you don’t choose to be surveilled by John Poindexter or Kim Jong-Il, but once again I think the scope of this choice is expanding, and it’s going to become harder and harder to make that choice, until it’s a choice of participating in society or not.

I mean, already, if you were to say “I don’t want to participate in Google’s data collection, so I’m not going to email anybody who has a Gmail address.” …that’s probably pretty hard to do. I mean, you would in some sense be removed from the social narrative – you would be cut out from part of the conversation that’s happening that’s essential to the way society works today.”

Looking back on this talk, it seems things have only become more polarized towards a Google-glazed internet. So what’s a user to do about it? In this series of posts, I intend to find out if Moxie Marlinspike’s predictions from that Defcon18 talk ring as true as they seem they might. I’m going to attempt to ditch Google. I mean this in the purest way possible – an attempt to completely sever myself from anything Google related. In this trilogy of posts, I will explore the scenario as follows:

Part One: What are the reasons I want to get rid of Google? What makes them worth straying away from? (This is the post you’ve just read/skimmed through)

Part Two: Just how much of Google’s services do I use? What is “ditching Google” going to look like? (an escape plan, if you will)

Part Three: This is where I will make my “escape” and share what happens along the way. I will be documenting alternative services used, practices, and any instances of failure.

How hard is it to use the internet without Google? Will doing so disqualify me from fully “participating with society?” These are questions that have my mind stirring, questions I intend to answer, and ones that will surely require some stiff drinks along the way.


Surveillance in Sochi – A Summary of Events

Welcome to the 2014 Sochi Olympics.

Sochi – all eyes on me.

The road to the 2014 Winter Olympics in Sochi has been one paved in bathroom jokes and quips about drinking water. Those traveling abroad in the Russian city have posted pictures on their twitter accounts and other social media platforms, joking about how they are missing a door knob and willing to trade some light bulbs for one, or how stray dogs have become their companions, following them through their commute.

Accompanying the laughing, however, has been a serious feeling of paranoia – and not without merits. Before the opening ceremony had even kicked off, and as soon as some journalists and spectators had landed and connected to a nearby wireless router, they had possibly become victims of snoopers and malicious attacks.

But let’s be careful here not to take the half-baked reporting route that a certain NBC special broadcast had, where a reporter and his hired techie side-hand demonstrated how their brand new laptop and cell phone were both “instantly hacked” as they entered a bar near Sochi’s airport. While I’m sure Russian hackers are taking advantage of the tourism in Sochi around now, this type of event could happen at just about any coffee shop across the globe (including your favorite Starbucks here in the states) where people with little or no understanding of security practices are connecting to public WiFi that probably isn’t properly secured itself. This stuff needs to be properly analyzed, after all.

Outside of this hyperbolic report, there has been an actual flurry of activity in Sochi in terms of eavesdropping, and not all of it should be downplayed. The fact is, while a pub in New York might have some local bad actors snooping on internet traffic, steps have been taken in Russia to ensure that literally all of the local traffic can be vacuumed up regardless of the connection. This quickly assembled FSB surveillance campaign has been exposed in a recent Salon article:

On Wednesday, I spoke to Andrei Soldatov, a Russian investigative journalist who broke the biggest security story of the Sochi Olympics: SORM, the Russians’ virtual surveillance system. The Russian FSB (successor to the KGB) will monitor all communications between spectators, journalists, athletes and anyone else who visits (or lives in) Sochi. The U.S. State Department has warned business travelers to be careful with sensitive information, which “may be taken and shared with competitors, counterparts, and/or Russian regulatory and legal entities.” One security expert said SORM was like “PRISM on steroids.”

“There’s not public outcry about these measures,” Soldatov said. “After every big terrorist attack, like Volgograd,” — where suicide bombings killed 34 people last month — “Russian society approves half-measures. And metadata seems quite innocent in comparison to what was proposed.” In October, for example, the lower house of the Russian Parliament approved a law to hold the relatives of terrorists financially responsible for crimes. Muslim women in nearby Dagestan say they have been asked to provide saliva samples to the FSB so that their body parts may be identified in the event of a suicide bombing.

Very bleak measures that need not even think of civil liberties are being taken for the event. Earlier on in the same article, we see the HUMINT capabilities of the Russian Government – 60,000 security personnel, one for every six residents of the Russian city.

And even more robust is SORM (System for Operative Investigative Activities), allowing deep packet inspection of just about anyone in the region. There’s no way out through a smaller or safer ISP either, with reports of providers refusing to install FSB software used with SORM.

Another hint of surveillance practices occurred early on before the opening ceremony. It was almost whispered in reporting from a Wall Street Journal article highlighting their tour taken of the revamped Russian city that would hold the season’s largest international athletic event:

Dmitry Kozak, the deputy prime minister responsible for the Olympic preparations, seemed to reflect the view held among many Russian officials that some Western visitors are deliberately trying to sabotage Sochi’s big debut out of bias against Russia. “We have surveillance video from the hotels that shows people turn on the shower, direct the nozzle at the wall and then leave the room for the whole day,” he said. An aide then pulled a reporter away before Mr. Kozak could be questioned further on surveillance in hotel rooms. “We’re doing a tour of the media center,” the aide said.

Careful there, Mr. Kozak! It’s okay, he quickly sent one of his cohorts to dispel the worry later that day:

A spokesman for Mr. Kozak later on Thursday said there is absolutely no surveillance in hotel rooms or bathrooms occupied by guests. He said there was surveillance on premises during construction and cleaning of Sochi’s venues and hotels and that is likely what Mr. Kozak was referencing. A senior official at a company that built a number of the hotels also said there is no such surveillance in rooms occupied by guests.

The fact is, there is definitely a lot of surveillance going on in Russia, which one would expect with the elevated threats to their security against terrorists and other threats, but for a high ranking figure like Kozak to confidently blurt out “the westerners are wasting our water, and we know this because we watch them shower” brings the question of journalists, athletes, and other foreigners being targeted by that same surveillance apparatus to an even more physical level.

The State Department (DoS) even publicly announced that visitors in Sochi should have ‘no expectations of privacy’:

“Russian Federal law permits the monitoring, retention and analysis of all data that traverses Russian communication networks, including Internet browsing, email messages, telephone calls, and fax transmissions.”

So, really, this is spelled out in Russia’s law. I guess they don’t need it stamped by a judge in a secret court, even. The question comes to mind: how much of this is actively being intercepted and monitored by Russian intel agencies? Are journalists being targeted by the FSB, not just script kiddies and packet sniffers that want as many Facebook credentials as possible? This could be a bigger problem on the threat level for those spending time reporting on the Winter Games. Imagine a LGBT activist in Russia has a new scoop on violent actions taken against the homosexual community in Russia – something that, if brought to the public, would surely cause an outcry against those responsible. With active targeting of plaintext communications, it could spell more than trouble for any reporter willing to talk to an activist over Sochi WiFi. Last year, the Reporters Without Borders ranked Russia 148 out of 179 countries on the Press Freedom Index, very close to the worst.

There is a possibility snooping through digital means has even had an impact on a key member of our very own DoS, in a conference call that included Assistant Secretary of State for European Affairs Victoria Nuland. A video recently surfaced on YouTube containing audio from Secretary Nuland in which she is heard saying “..fuck the EU.” while talking about developments and strategies concerning Ukraine. Quickly after the audio was spread across the web, U.S. officials furiously claimed the conversations were intercepted by Russian hackers, which was quickly denied by an aide to the Deputy Prime Minister of the country, Dmitry Rogozin. While we don’t have verification of who the actual culprit is (yet), the possibility of Russian involvement does seem to touch the realm of possibility. Or should we be more surprised that the conference was intercepted in the first place and not properly secured?

There are those who have come somewhat prepared, however, understanding the widening landscape of eavesdropping threats. Two of the Philadelphia Flyers physicians are one example. Peter DeLuca and Gary Dorsheimer are working as medical representatives for the Olympic Men’s U.S. Hockey team, and have been taking appropriate precautions. Their phones – probably full of both personal and patient/athlete’s data – have been left at home, and they were issued “clean” new phones to be used in Sochi. The physicians are worried that someone could intercept their communications regarding the health (or lack thereof) of certain U.S. players, and they could be provided to another team to use as an advantage in the games.

Hopefully others in delicate positions are taking steps similar to these. But hey, we can’t all afford brand new “clean” phones to use for a couple of months. But did you notice how I mentioned encryption earlier? We could all do ourselves a favor if we would “Trust the math”, as Bruce Schneier would say. Encrypting every bit of data and communications possible on mobile phones and laptops with the appropriate tools is the second best bet. Second to leaving them off with their batteries out, or at home.

But what’s there to be done when you’re being watched in your hotel shower? And who knows where else? So while twitter giggles itself through the day over jamming hotel doors and other #SochiProblems, there are darker deeds being done that deserve more than a hashtag’s notice. Though many of these instances of unjustifiable surveillance have gone unverified, questions must be asked regarding possible serious privacy violations.


We Need to Talk About Commercial Drones.

On Sunday, December 1st, 60 Minutes featured a story on Jeff Bezos, Amazon founder and CEO, and his plan to introduce drone-based delivery of packages by 2015. Through the interview, Charlie Rose and Bezos talked gleefully about how the new technology will ‘change the game’ of the delivery enterprise. While Bezos explained that the drones planned as delivery makers were created to be ‘autonomous’ – not controlled by human hands – and will find their delivery points by logging GPS coordinates, he admitted that perhaps the most worrisome aspect of the system is the idea of drones suffering failures and landing on unsuspecting people, causing serious damage. He briefly touched on this in the interview:

“This thing can’t land on somebody’s head as they’re walking around the neighborhood, that’s not good.”

He reassured Rose and the viewers that ‘years of additional work’ is needed in order to ensure that the delivery drones are safe and reliable.

The fact is, general domestic drone (UAV) use is nothing very new. It’s a very quickly growing hobby, and looks to become quite the delivery gimmick, with corporations already making plans to follow suit with Amazon’s utilization. There is the ‘Burrito Bomber‘ for one, a UAV created to target the location of your phone as you make an order from it, and drop your freshly-made burrito off without having to wait through traffic. Or InventWorks and Boulder Labs, who plan on producing drones for farmers to use in order to control invasive plants and watch over their livestock. There will surely be more to come, but the issues that might affect people beyond these businesses don’t seem to be stated often enough.

——-

CRASHING:

These ideas and implementations may sound fun and quirky to most, however (as even Bezos acknowledges) these small drones do crash. And they crash quite often. Perhaps this is due to the fact that the person (or program) piloting the machine isn’t as cautious in terms of flying, since they are not at any risk of hurting themselves in the process. There is also the factor of sight. UAVs are operated from screens; your computer, your tablet, or even your cell phone. Visuals from flight are limited, and can even go black at times, increasing the chances for error and an eventual crash.

It will be interesting to see just what kind of programming lies beneath the ‘autonomous’ guidance system Amazon plans to implement within its delivery drones… that is if they ever release any of it to the public. We should all hope that there are rigorous measures taken by the engineers and developers behind the delivery drones, both for our parcels and – more importantly – our houses.

HACKING:

Crashing isn’t the sole worry that will have you listening for humming from the skies. Just like every newly emerging technology used in its early years, drones are going to have their bugs and/or exploits.

Meet SkyJack, a DIY RaspberryPi-based drone with a program hellbent on taking control of your popular Parrot drone. Creator Samy Kamkar elaborates on his website:

SkyJack is a drone engineered to autonomously seek out, hack, and wirelessly take full control over any other drones within wireless or flying distance, creating an army of zombie drones under your control.

SkyJack can be easily downloaded from both Kamkar’s webpage for the project and his Github page. The type of drone that this hack is unleashed upon is one of the more popular ones, making this zombie attack a serious problem. There will also surely be more of these exploits unleashed into the wild, especially for drones that rely upon WiFi and Bluetooth connectivity.

SPY GAMES:

Most drones come complete with functional cameras that can be monitored from remote locations, and the ones that don’t can easily be altered to carry such devices. This obviously creates a privacy issue.

There are already several corporate surveillance institutions determined to use drones to their advantage. There is also the issue of leaps in the development of smaller drones, some disguised as birds to hide themselves from any suspect.

As the Electronic Frontier Foundation points out in a recent article on drone policy, transparency should be paramount:

While we appreciate the steps the FAA has taken so far, the agency could and should go further to require similar transparency from all drone operators. The FAA has already authorized almost 1,500 permits for domestic drones since 2007, but, despite our two Freedom of Information Act lawsuits for drone data, we still don’t know much about where these drones are flying and what data they are collecting.

There have already been a few companies offering drone-based surveillance services across the globe, and if these companies show a success, it is presumed that U.S. corporations that monetize in snooping will surely look to the skies in optimizing their abilities.

——-

In September of 2015, Congress has required that the FAA create a set of rules to regulate drones in order for them to safely fly through U.S. skies. Here is the FAA’s ‘Modernization and Reform Act of 2012‘.

Sure, drones aren’t whizzing by us too often at this point in time, but instead of holding our breath for a couple of years – before the guidelines for commercial drones are clearly laid out – we should be asking ourselves these questions and drilling companies who plan on using drone technology, whether it’s for surveillance, advertising, or even delivering a burrito. The regulations on these machines and the entities controlling them must keep public safety and the right to privacy as the priority, and public education along with an airing of any grievances regarding the subject is the best way we can attempt to achieve this.
