
NLPWESSEX, natural law publishing

nlpwessex.org

"I don't think in the last two or three hundred years we've faced such a concatenation of problems all at the same time.... If we are to solve the issues that are ahead of us, we are going to need to think in completely different ways."

 Paddy Ashdown, High Representative for Bosnia and Herzegovina 2002 - 2006

BBC Radio 4, 'Start The Week', 30 April 2007

SURVEILLANCE SOCIETY NEWS ARCHIVE 2017



Some Highlights From 2017

"BBC reporter John Sudworth recently got a peek behind the curtain at the world’s largest surveillance system. Tasked with remaining undetected by more than 170 million Chinese closed circuit television (CCTV) cameras, the exercise ended predictably with Sudworth being spotted and detained in about seven minutes. China’s 170 million CCTV cameras is imposing. Plans to add an additional 400 million cameras in the coming years invoke visions of Orwell’s 1984. But it’s not just the number of CCTV cameras that makes the network so troubling. Chinese officials say the cameras (and their corresponding software) can link faces to ID cards, cars, friends, family, and colleagues. They can estimate age, ethnicity, and gender. And perhaps even more startling, they can provide all this information for up to a week prior. For the Chinese, this nightmarish scenario is already a reality. For the rest of us, it’s just a glimpse of what’s to come."
Watch this BBC reporter try to evade China’s massive CCTV network
The Next Web, 14 December 2017

"Germany’s Interior Minister wants to force tech and car companies to provide the German security services with hidden digital access to cars, computers, phones and more, according to a media report from Friday. The RedaktionsNetzwerk Deutschland (RND) reported that Thomas de Maizière had written up a draft proposal for the interior minister conference, taking place next week in Leipzig, which he has called “the legal duty for third parties to allow for secret surveillance.” According to the RND, the proposal would “dramatically extend” the state’s powers to spy on its citizens."
German government wants ‘backdoor’ access to every digital device: report
The Local, 1 December 2017

"Statisticians at the Office for National Statistics (ONS) have been tracking the movements of thousands of people, albeit anonymised, in what was described as a 'successful experiment' with Vodafone that could eventually replace census questions in England and Wales. The information would replace questions about where people live and work, and their daily commute, but the ONS on its website recognises that prior to taking such a move it would need to conduct "extensive evaluation" of "privacy impacts." The move is part of government plans for the 2021 census to be the last conducted using the traditional paper-based questionnaire, with alternative sources of information currently being sought.... The experiment took place in the London boroughs of Lambeth, Southwark and Croydon over a four week period in Spring last year, and did not include under-18s or pay-as-you-go phones, and the results showed a decline in people leaving their home borough to work compared to the 2011 census."
ONS watching thousands via their mobiles in 3 London boroughs for census
SC Media, 7 November 2017

"On June 14, 2014, the State Council of China published an ominous-sounding document called "Planning Outline for the Construction of a Social Credit System". In the way of Chinese policy documents, it was a lengthy and rather dry affair, but it contained a radical idea. What if there was a national trust score that rated the kind of citizen you were? Imagine a world where many of your daily activities were constantly monitored and evaluated: what you buy at the shops and online; where you are at any given time; who your friends are and how you interact with them; how many hours you spend watching content or playing video games; and what bills and taxes you pay (or not). It's not hard to picture, because most of that already happens, thanks to all those data-collecting behemoths like Google, Facebook and Instagram or health-tracking apps such as Fitbit. But now imagine a system where all these behaviours are rated as either positive or negative and distilled into a single number, according to rules set by the government. That would create your Citizen Score and it would tell everyone whether or not you were trustworthy. Plus, your rating would be publicly ranked against that of the entire population and used to determine your eligibility for a mortgage or a job, where your children can go to school - or even just your chances of getting a date. A futuristic vision of Big Brother out of control? No, it's already getting underway in China, where the government is developing the Social Credit System (SCS) to rate the trustworthiness of its 1.3 billion citizens. The Chinese government is pitching the system as a desirable way to measure and enhance "trust" nationwide and to build a culture of "sincerity". As the policy states, "It will forge a public opinion environment where keeping trust is glorious. It will strengthen sincerity in government affairs, commercial sincerity, social sincerity and the construction of judicial credibility."... For now, technically, participating in China's Citizen Scores is voluntary. But by 2020 it will be mandatory. The behaviour of every single citizen and legal person (which includes every company or other entity) in China will be rated and ranked, whether they like it or not."
Big data meets Big Brother as China moves to rate its citizens
Wired, 21 October 2017

"Australia is to build a national database of as many citizens' images as it can, with state premiers rubber-stamping prime minister Malcolm Turnbull's plan to add drivers' licenses to a national facial recognition database. The plan, called overreach by rights activists like Digital Rights Watch's chair Tim Singleton Norton, has been considered since at least 2015."
Australia approves national database of everyone's mugshots
The Register, 5 October 2017

"Techdirt has written a number of stories about facial recognition software being paired with CCTV cameras in public and private places. As the hardware gets cheaper and more powerful, and the algorithms underlying recognition become more reliable, it's likely that the technology will be deployed even more routinely. But if you think loss of public anonymity is the end of your troubles, you might like to think again: 'Lip-reading CCTV software could soon be used to capture unsuspecting customers' private conversations about products and services as they browse in high street stores. Security experts say the technology will offer companies the chance to collect more "honest" market research but privacy campaigners have described the proposals as "creepy" and "completely irresponsible".' That story from the Sunday Herald in Scotland focuses on the commercial "opportunities" this technology offers. It's easy to imagine the future scenarios as shop assistants are primed to descend upon people who speak favorably about goods on sale, or who express a wish for something that is not immediately visible to them. But even more troubling are the non-commercial uses, for example when applied to CCTV feeds supposedly for "security" purposes. How companies and law enforcement use CCTV+lip-reading software will presumably be subject to legislation, either existing or introduced specially. But given the lax standards for digital surveillance, and the apparent presumption by many state agencies that they can listen to anything they are able to grab, it would be naive to think they won't deploy this technology as much as they can. In fact, they probably already have."
CCTV + Lip-Reading Software = Even Less Privacy, Even More Surveillance
Techdirt, 28 August 2017

"Before she was elevated to the role of Prime Minister by the fallout from Brexit, Theresa May was the author of the UK's Investigatory Powers bill, which spelled out the UK's plans for mass surveillance in a post-Snowden world. At the unveiling of the bill in 2015, May's officials performed the traditional dance: they stated that they would be looking at controls on encryption, and then stating definitively that their new proposals included "no backdoors". Sure enough, the word "encryption" does not appear in the Investigatory Powers Act (IPA). That's because it is written so broadly it doesn't need to. We've covered the IPA before at EFF, but it's worth re-emphasizing some of the powers it grants the British government.

  • Any "communications service provider" can be served with a secret warrant, signed by the Home Secretary. Communications service provider is interpreted extremely broadly to include ISPs, social media platforms, mail services and other messaging services.
  • That warrant can describe a set of people or organizations that the government wants to spy upon.
  • It can require tech companies to insert malware onto their users' computers, re-engineer their own technology, or use their networks to interfere with any other system.
  • The warrant explicitly allows those companies to violate any other laws in complying with the warrant.
  • Beyond particular warrants, private tech companies operating in the United Kingdom also have to respond to "technical capability notices" which will require them to "To provide and maintain the capability to disclose, where practicable, the content of communications or secondary data in an intelligible form," as well as permit targeted and mass surveillance and government hacking.
  • Tech companies also have to provide the UK government with new product designs in advance, so that the government can have time to require new "technical capabilities" before they are available to customers.

These capabilities alone already go far beyond the Nineties' dreams of a blanket ban on crypto. Under the IPA [Investigatory Powers Act], the UK claims the theoretical ability to order a company like Apple or Facebook to remove secure communication features from their products—while being simultaneously prohibited from telling the public about it. Companies could be prohibited from fixing existing vulnerabilities, or required to introduce new ones in forthcoming products. Even incidental users of communication tech could be commandeered to become spies in her Majesty's Secret Service: those same powers also allow the UK to, say, instruct a chain of coffee shops to use its free WiFi service to deploy British malware on its customers. (And, yes, coffee shops are given by officials as a valid example of a "communications service provider.").... The IPA includes language that makes it clear that the UK expects foreign companies to comply with its secret warrants. Realistically, it's far harder for UK law enforcement to get non-UK technology companies to act as their personal hacking teams. That's one reason why May's government has talked up the IPA as a "global gold standard" for surveillance, and one that they hope other countries will adopt.... hacking and the subversion of tech companies isn't just for spies anymore. The British Act explicitly granted these abilities to conduct "equipment interference" to more than just GCHQ and Britain's other intelligence agencies. Hacking and secret warrants can now be used by, among others, the civilian police force, inland revenue and border controls. The secrecy and dirty tricks that used to be reserved for fighting agents of foreign powers are now available for use against a wide range of potential suspects. With the Investigatory Powers Bill, the United Kingdom is now a country empowered with blunt tools of surveillance that have no comparison in U.S. or any other countries' law."
Five Eyes Unlimited: What A Global Anti-Encryption Regime Could Look Like
Electronic Frontier Foundation, 29 June 2017

"A new analysis of documents leaked by whistleblower Edward Snowden details a highly classified technique that allows the National Security Agency to "deliberately divert" US internet traffic, normally safeguarded by constitutional protections, overseas in order to conduct unrestrained data collection on Americans. According to the new analysis, the NSA has clandestine means of "diverting portions of the river of internet traffic that travels on global communications cables," which allows it to bypass protections put into place by Congress to prevent domestic surveillance on Americans.... The government only has to divert their internet data outside of the US to use the powers of the executive order to legally collect the data as though it was an overseas communication. Two Americans can send an email through Gmail, for example, but because their email is sent through or backed up in a foreign data center, the contents of that message can become "incidentally collected" under the executive order's surveillance powers. The research cites several ways the NSA is actively exploiting methods to shape and reroute internet traffic -- many of which are well-known in security and networking circles -- such as hacking into routers or using the simpler, less legally demanding option of forcing major network providers or telecoms firms into cooperating and diverting traffic to a convenient location. Goldberg noted that sans any conclusive legal or public definitions from the FISA surveillance court on whether the practice is legal, the loophole remains, and "eliminating it calls for a realignment of current US surveillance laws and policies," she added."
NSA's use of 'traffic shaping' allows unrestrained spying on Americans
ZDNet, 22 June 2017

"Julian Assange's WikiLeaks website has released the source code for what it says is a malware obfuscation tool used by the CIA, as part of its Vault 7 information leaks. According to the documentation for the Marble Framework published by WikiLeaks, it is "designed to allow for flexible and easy-to-use obfuscation when developing tools". The obfuscation is done to avoid anyone attributing the malware to the CIA. "When signaturing tools, string obfuscation algorithms (especially those that are unique) are often used to link malware to a specific developer or development shop," the documentation states. Announcing the release of the Marble data, WikiLeaks claimed "thousands of CIA viruses and hacking attacks can now be attributed". Obfuscation of strings and data in malware can be done using the Marble algorithms, which can be randomly selected by the tool. The CIA suite also includes a de-obfuscator that restores scrambled files to their original, clean states. Marble tools such as Warble can add languages such as Arabic, Russian, Chinese, Korean and Farsi to the malware, as part of the agency's anti-forensic effort... The documentation for the Marble Framework is marked as SECRET/NOFORN, the second highest security classification used by the CIA, which prohibits access by foreign nationals."
WikiLeaks dumps CIA malware obfuscation code
ITnews, 3 April 2017

"The latest revelations about the U.S. government’s powerful hacking tools potentially takes surveillance right into the homes and hip pockets of billions of users worldwide, showing how a remarkable variety of everyday devices can be turned to spy on their owners. Televisions, smartphones and even anti-virus software are all vulnerable to CIA hacking, according to the WikiLeaks documents released Tuesday. The capabilities described include recording the sounds, images and the private text messages of users, even when they resort to encrypted apps to communicate. While many of the attack technologies had been previously discussed at cybersecurity conferences, experts were startled to see evidence that the CIA had turned so many theoretical vulnerabilities into functioning attack tools against staples of modern life. These include widely used Internet routers, smartphones, and Mac and Windows computers. In the case of a tool called “Weeping Angel” for attacking Samsung SmartTVs, WikiLeaks wrote, “After infestation, Weeping Angel places the target TV in a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on. In ‘Fake-Off’ mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.” The CIA reportedly also has studied whether it could infect vehicle control systems for cars and trucks, which WikiLeaks alleged could be used to conduct “nearly undetectable assassinations.” And a specialized CIA unit called the Mobile Devices Branch produced malware to control and steal information from iPhones, which according to WikiLeaks were a particular focus because of the smartphone’s popularity “among social, political, diplomatic and business elites.” The agency also targeted popular phones running Google’s Android, the world’s leading mobile operating system.... By targeting devices, the CIA reportedly gains access to even well-encrypted communications, on such popular apps as Signal and WhatsApp, without having to crack the encryption itself. The WikiLeaks reports acknowledged that difference by saying the CIA had found ways to “bypass,” as opposed to defeat, encryption technologies.... The WikiLeaks revelations also will serve as a reminder that, for whatever the political backlash to revelations about digital spying, it is not going away and probably will continue to grow. Aside from the United States, many other advanced nations such as China, Russia, Britain and Israel have extremely sophisticated tools for digital spying.... Less advanced nations have gained access to powerful online spying technology through a robust and lightly regulated industry of surveillance contractors based throughout the world. On Tuesday, resignation and frustration rippled through Silicon Valley as technologists grappled with revelations of yet another U.S. government attempt to exploit their systems. And cybersecurity experts reacted with alarm. “This is explosive,” said Jake Williams, founder of Rendition Infosec, a cybersecurity firm. The material highlights specific anti-virus products that can be defeated, going further than a release of NSA hacking tools last year, he said. The WikiLeaks release revealed that the CIA has sophisticated “stealth” capabilities that enable hackers not only to infiltrate systems, but evade detection, as well as abilities to move inside a system freely as if they owned it."
WikiLeaks: The CIA is using popular TVs, smartphones and cars to spy on their owners
Washington Post, 7 March 2017

"The National Security Agency has implanted software in nearly 100,000 computers around the world that allows the United States to conduct surveillance on those machines and can also create a digital highway for launching cyberattacks. While most of the software is inserted by gaining access to computer networks, the N.S.A. has increasingly made use of a secret technology that enables it to enter and alter data in computers even if they are not connected to the Internet, according to N.S.A. documents, computer experts and American officials. The technology, which the agency has used since at least 2008, relies on a covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into the computers. In some cases, they are sent to a briefcase-size relay station that intelligence agencies can set up miles away from the target. The radio frequency technology has helped solve one of the biggest problems facing American intelligence agencies for years: getting into computers that adversaries, and some American partners, have tried to make impervious to spying or cyberattack. In most cases, the radio frequency hardware must be physically inserted by a spy, a manufacturer or an unwitting user. The N.S.A. calls its efforts more an act of “active defense” against foreign cyberattacks than a tool to go on the offensive. But when Chinese attackers place similar software on the computer systems of American companies or government agencies, American officials have protested, often at the presidential level. Among the most frequent targets of the N.S.A. and its Pentagon partner, United States Cyber Command, have been units of the Chinese Army, which the United States has accused of launching regular digital probes and attacks on American industrial and military targets, usually to steal secrets or intellectual property. But the program, code-named Quantum, has also been successful in inserting software into Russian military networks and systems used by the Mexican police and drug cartels, trade institutions inside the European Union, and sometime partners against terrorism like Saudi Arabia, India and Pakistan, according to officials and an N.S.A. map that indicates sites of what the agency calls “computer network exploitation.” “What’s new here is the scale and the sophistication of the intelligence agency’s ability to get into computers and networks to which no one has ever had access before,” said James Andrew Lewis, the cybersecurity expert at the Center for Strategic and International Studies in Washington. “Some of these capabilities have been around for a while, but the combination of learning how to penetrate systems to insert software and learning how to do that using radio frequencies has given the U.S. a window it’s never had before.”"
N.S.A. Devises Radio Pathway Into Computers
New York Times, 14 January 2017

Latest Developments In 'Turnkey Totalitarianism'

2017

"Nobody knows what happened to the Uighur student after he returned to China from Egypt and was taken away by police. Not his village neighbors in China’s far west, who haven’t seen him in months. Not his former classmates, who fear Chinese authorities beat him to death. The student’s friends think he joined the thousands — possibly tens of thousands — of people, rights groups and academics estimate, who have been spirited without trial into secretive detention camps for alleged political crimes that range from having extremist thoughts to merely traveling or studying abroad. The mass disappearances, beginning the past year, are part of a sweeping effort by Chinese authorities to use detentions and data-driven surveillance to impose a digital police state in the region of Xinjiang and over its Uighurs, a 10-million strong, Turkic-speaking Muslim minority that China says has been influenced by Islamic extremism. Along with the detention camps, unprecedented levels of police blanket Xinjiang’s streets. Cutting-edge digital surveillance systems track where Uighurs go, what they read, who they talk to and what they say.... “Xinjiang has very likely exceeded the level of police density seen in East Germany just before its collapse,” Zenz said. “What we’ve seen in the last 12 to 14 months is unprecedented.” But much of the policing goes unseen. To enter the Hotan bazaar, shoppers first pass through metal detectors and then place their national identification cards on a reader while having their face scanned. The facial scanner is made by China Electronics Technology Group (CETC), a state-owned defense contractor that has spearheaded China’s fast-growing field of predictive policing with Xinjiang as its test bed. The AP found 27 CETC bids for Xinjiang government contracts, including one soliciting a facial recognition system for facilities and centers in Hotan Prefecture. Hours after visiting the Hotan bazaar, AP reporters were stopped outside a hotel by a police officer who said the public security bureau had been remotely tracking the reporters’ movements. “There are tens of thousands of cameras here,” said the officer, who gave his name as Tushan. “The moment you took your first step in this city, we knew.” The government’s tracking efforts have extended to vehicles, genes, and even voices. In February, authorities in Xinjiang’s Bayingol prefecture, which includes Korla, required every car to install GPS trackers for real-time monitoring. And since late last year, Xinjiang authorities have required health checks to collect the population’s DNA samples. In May, a regional police official told the AP that Xinjiang had purchased $8.7 million in DNA scanners — enough to analyze several million samples a year."
Surveillance cams, face scans help China make thousands vanish
Associated Press, 17 December 2017

"BBC reporter John Sudworth recently got a peek behind the curtain at the world’s largest surveillance system. Tasked with remaining undetected by more than 170 million Chinese closed circuit television (CCTV) cameras, the exercise ended predictably with Sudworth being spotted and detained in about seven minutes. China’s 170 million CCTV cameras is imposing. Plans to add an additional 400 million cameras in the coming years invoke visions of Orwell’s 1984. But it’s not just the number of CCTV cameras that makes the network so troubling. Chinese officials say the cameras (and their corresponding software) can link faces to ID cards, cars, friends, family, and colleagues. They can estimate age, ethnicity, and gender. And perhaps even more startling, they can provide all this information for up to a week prior. For the Chinese, this nightmarish scenario is already a reality. For the rest of us, it’s just a glimpse of what’s to come."
Watch this BBC reporter try to evade China’s massive CCTV network
The Next Web, 14 December 2017

"The senior lawyer charged with oversight of our spies has issued a damning report into "unlawful" access of data about a "large proportion of New Zealanders" by the NZ Security Intelligence Service. Inspector General of Intelligence and Security (IGIS) Cheryl Gwyn has also detailed a difficult relationship with the NZ Security Intelligence Service, accusing it of a "lack of precision and forthrightness". In a report released today, Gwyn has spelled out her belief that the NZSIS unlawfully accessed Customs' data for 17 years. She details how the service had access to a Customs' computer terminal, which allowed agents to do a massive trawl of information that "detailed the movement of 11 million passengers each year"."
Spies slammed by watchdog for 'unlawful' access of database which includes most Kiwis
New Zealand Herald, 14 December 2017

"Chinese authorities are collecting DNA samples, fingerprints and other biometric data from every resident in a far western region, Human Rights Watch has said. Officials are also building a database of iris scans and blood types of everyone aged between 12 and 65 in Xinjiang, adding to controls in a place some experts have called an “open-air prison”.... Xinjiang is one of the most tightly controlled parts of China, with the Uighur minority facing increased scrutiny in recent years. Heavily armed troops on city streets are a common sight and the authorities frequently hold mass rallies to bolster their support in the fight against the Islamic extremists Beijing blames for a series of attacks on government officials and civilians."
Chinese authorities collecting DNA from all residents of Xinjiang
Guardian, 13 December 2017

"In 2016 LinkNYC began deploying free public Wi-Fi kiosks throughout the city. The kiosks made news when people began using the public web browsers to watch pornography, and CityBridge, the private consortium administering LinkNYC, limited the browsers, and made other changes to limit how LinkNYC would store personal browser history and time spent on a particular website, and lacked clarity about how LinkNYC would handle government demands for user data, among other issues. But now there’s a new battle brewing. It seems that each of the LinkNYC kiosks has front-facing cameras. Starting on a number of blocks on the Upper West Side, an unknown number of digital protesters has begun to adhere yellow Post-it notes onto the kiosks, effectively blocking the camera’s view. Then, late at night, a van marked LinkNYC drives up Broadway where a worker with a long stick with a scraper clears the Post-its. But within days, the Post-its return. The skirmish over the cameras may have been going on for some time, and it’s unclear how widespread the action is, or if there is an organization behind disabling the cameras. The Electronic Frontier Foundation is reporting that LinkNYC “Improves Privacy Policy, Yet Problems Remain” in a post on their website. They say, in part: “In the wake of its 2017 policy changes, LinkNYC still collects what it describes as “Technical Information,” including information such as IP addresses, anonymized MAC addresses, device type, device identifiers, and more, for up to 60 days. Additionally, the LinkNYC kiosks have cameras that store footage for up to 7 days.”"
Privacy Battle Brewing: Are LinkNYC Kiosks Surveillance Devices?
Huffington Post, 6 December 2017

"The US government does not need the approval of its secret surveillance court to ask a tech company to build an encryption backdoor. The government made its remarks in July in response to questions posed by Sen. Ron Wyden (D-OR), but they were only made public this weekend. The implication is that the government can use its legal authority to secretly ask a US-based company for technical assistance, such as building an encryption backdoor into a product, but can petition the Foreign Intelligence Surveillance Court (FISC) to compel the company if it refuses. In its answers, the government said it has "not to date" needed to ask the FISC to issue an order to compel a company to backdoor or weaken its encryption. The government would not say, however, if it's ever asked a company to add an encryption backdoor. A spokesperson for the Director of National Intelligence declined to comment."
US says it doesn't need secret court's approval to ask for encryption backdoors
ZDNet, 4 December 2017

"Germany’s Interior Minister wants to force tech and car companies to provide the German security services with hidden digital access to cars, computers, phones and more, according to a media report from Friday. The RedaktionsNetzwerk Deutschland (RND) reported that Thomas de Maizière had written up a draft proposal for the interior minister conference, taking place next week in Leipzig, which he has called “the legal duty for third parties to allow for secret surveillance.” According to the RND, the proposal would “dramatically extend” the state’s powers to spy on its citizens."
German government wants ‘backdoor’ access to every digital device: report
The Local, 1 December 2017

"A federal court judge has ruled that Canada's domestic spy agency can continue to use contentious cellphone surveillance devices without a warrant, in some cases. For several years, the Canadian Security Intelligence Service (CSIS) has used a device it calls a Cell Site Simulator (CSS) to collect information about cellphones and other cellular-capable devices — such as some laptops or tablets — during its national security investigations. The devices are perhaps better known as IMSI Catchers or Stingrays, and pretend to be legitimate cellphone towers in order to collect information. Privacy advocates have long criticized the technology for how it indiscriminately gathers data, not merely on the subject of an investigation, but on all of the cellular devices in its operating radius. According to CSIS, the technology is used for two reasons: to link a cellular device with the subject of an investigation whose identity is often — but not always — already known; and to pinpoint a subject's location. It is not used to capture communications. But after mounting questions from federal court judges, who only learned the devices were being used by CSIS last year, a recent top-secret warrant application was used to weigh in on the lawfulness of the technique's use. CSIS said previously it sometimes applies for warrants to use such devices and sometimes, for reasons that remain unclear, it has not. ... Under Section 12 of the CSIS Act, the agency is allowed to collect, analyze and retain information without a warrant, as long as it is "strictly necessary" to defend against suspected threats to Canada. However, Tamir Israel, a staff lawyer at the Canadian Internet Policy and Public Interest Clinic (CIPPIC) believes that, given the type of information CSIS is collecting and how the devices operate, a warrant should be required. "The impact on non-direct targets can actually be, I think, much more serious than is presented here," said Israel, who co-authored a report on the use of IMSI catchers in Canada. He called the devices "inherently intrusive."
Spies more free to use cellphone surveillance tech without warrant, under court ruling
CBC News, 28 November 2017

"Many people realize that smartphones track their locations. But what if you actively turn off location services, haven’t used any apps, and haven’t even inserted a carrier SIM card? Even if you take all of those precautions, phones running Android software gather data about your location and send it back to Google when they’re connected to the internet, a Quartz investigation has revealed. Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals’ locations and their movements that go far beyond a reasonable consumer expectation of privacy.... The location-sharing practice does not appear to be limited to any particular type of Android phone or tablet; Google was apparently collecting cell tower data from all modern Android devices before being contacted by Quartz. A source familiar with the matter said the cell tower addresses were being sent to Google after a change in early 2017 to the Firebase Cloud Messaging service, which is owned by Google and runs on Android phones by default. Even devices that had been reset to factory default settings and apps, with location services disabled, were observed by Quartz sending nearby cell-tower addresses to Google. Devices with a cellular data or WiFi connection appear to send the data to Google each time they come within range of a new cell tower. When Android devices are connected to a WiFi network, they will send the tower addresses to Google even if they don’t have SIM cards installed."
Google collects Android users’ locations even when location services are disabled
Quartz, 21 November 2017

"If you have a driver’s license in Arizona, your face now lives in a government database that uses facial recognition technology to see if you’re really who you say you are, or if you’re stealing someone else’s identity. But that’s not the only use of the system – law enforcement at all levels can also run photos using the facial recognition technology to see if you’re wanted for a crime. That’s what one researcher refers to as a “perpetual lineup.” Most people living in Arizona, at any given time, are part of a constant police lineup, simply by virtue of having a driver’s license. Here’s how it works: After someone at the Motor Vehicle Division takes your photo, your face is scanned by a system based on a proprietary algorithm that analyzes facial features. The system compares your face against the 19 million photos in the state’s driver’s license database to look for similarities. If an image is similar enough, the system will flag it for further review....the department does not inform people who have applied for a license that their photos will be scanned perpetually for law enforcement purposes. No such disclosure appears on the license application.... Jay Stanley, a senior policy analyst at the American Civil Liberties Union, said the government should be transparent about its use of such technology and how effective it is. States should also be reluctant to share their databases with other entities for other purposes, he said.... The Electronic Frontier Foundation, a civil liberties nonprofit focused on privacy, says there should at the very least be a court involved before law enforcement can access millions of unwitting people’s identities, its staff attorney, Adam Schwartz, said. It’s really hard to function in a car-based society without a driver’s license, and people shouldn’t be subjected to an invasive technology when they decide to follow the law and get a legal document that allows them to drive, Schwartz said. 
It’s a misuse of data to collect data, in this case images, for one thing and use them for other purposes, he said. Plus, he pointed out, in many states, including Arizona, agencies have started using facial recognition technology outside of any formal approval from the public and its representatives, state lawmakers, Schwartz said. “Before government starts using powerful technology to surveil the public, there ought to be a more open and transparent process where the public controls whether or not this is picked up,” he said."
Getting driver’s license puts Arizonans into ‘perpetual criminal lineup’
Arizona Capitol Times, 17 November 2017

"Statisticians at the Office for National Statistics (ONS) have been tracking the movements of thousands of people, albeit anonymised, in what was described as a ‘successful experiment’ with Vodafone that could eventually replace census questions in England and Wales. The information would replace questions about where people live and work, and their daily commute, but the ONS on its website recognises that prior to taking such a move it would need to conduct "extensive evaluation" of "privacy impacts." The move is part of government plans for the 2021 census to be the last conducted using the traditional paper-based questionnaire, with alternative sources of information currently being sought.... The experiment took place in the London boroughs of Lambeth, Southwark and Croydon over a four-week period in Spring last year, and did not include under-18s for pay-as-you-go phones, and the results showed a decline in people leaving their home borough to work compared to the 2011 census."
ONS watching thousands via their mobiles in 3 London boroughs for census
SC Media, 7 November 2017

"Mobile phone data could be used in place of census questions in the future, a report from the Office for National Statistics (ONS) suggests. The information would allow the ONS to track where people live and work. The ONS tested the idea as part of a government-backed project looking at other data sources for the census. The report said it used commuter flow data from Vodafone users, collected over four weeks in March and April 2016, in three London boroughs.... Commuter flows starting or ending in the south London boroughs of Southwark, Croydon and Lambeth were analysed and compared to data from the last census in 2011. An individual's home location was based on where the phone was located during the night or when switched on in the morning, while a work location was set to where a phone was found between standard working hours, Monday to Friday."
Census 'could use mobile phone data instead of questions'
BBC, 7 November 2017
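The two reports above describe the inference rule but not its mechanics. The following is an added example, not code from the ONS, Vodafone or the BBC: it applies the stated rule (home is where the phone sits at night or when first switched on in the morning; work is where it is found during standard working hours on weekdays) to constructed, anonymised pings, aggregates the result into borough-to-borough commuter flows, and then shows the disclosure-control check a practitioner would want, since a (home, work) pair held by very few phones identifies a person even when the phone id is anonymised. The pings, the hour bands and the suppression threshold are all assumptions.

```python
"""
Added example, not from the ONS or the BBC report: infer home and work areas
from anonymised mobile pings and aggregate them into commuter flows.
All pings, hour bands and thresholds below are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample pings: (anonymised phone id, local time, borough of the
# serving cell). A real feed would carry cell ids mapped to areas.
PINGS = [
    ("p1", "2016-03-07 02:10", "Croydon"),
    ("p1", "2016-03-07 07:05", "Croydon"),
    ("p1", "2016-03-07 10:30", "Southwark"),
    ("p1", "2016-03-07 14:00", "Southwark"),
    ("p1", "2016-03-08 11:00", "Southwark"),
    ("p1", "2016-03-12 11:00", "Lambeth"),     # Saturday, so not a work ping
    ("p2", "2016-03-07 01:00", "Lambeth"),
    ("p2", "2016-03-07 09:30", "Lambeth"),
    ("p2", "2016-03-07 15:00", "Lambeth"),
    ("p3", "2016-03-07 23:40", "Southwark"),
    ("p3", "2016-03-08 12:00", "Croydon"),
    ("p3", "2016-03-09 12:00", "Croydon"),
    ("p3", "2016-03-09 13:00", "Lambeth"),
    ("p4", "2016-03-07 12:00", "Croydon"),     # daytime only: no home inferred
]

# Assumed hour bands.
NIGHT_START = 22        # 22:00 onwards counts as "at night"
MORNING_END = 8         # ... through 07:59, covering first switch-on in the morning
WORK_START, WORK_END = 9, 18   # 09:00-17:59, Monday to Friday


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def is_home_time(dt):
    """Night, or the early-morning window in which a phone is first switched on."""
    return dt.hour >= NIGHT_START or dt.hour < MORNING_END


def is_work_time(dt):
    """Standard working hours on a weekday (Monday=0 ... Friday=4)."""
    return dt.weekday() < 5 and WORK_START <= dt.hour < WORK_END


def infer_locations(pings):
    """Majority vote per phone: returns {phone: (home_area, work_area)},
    with None where no ping fell in the relevant window."""
    home_votes = defaultdict(Counter)
    work_votes = defaultdict(Counter)
    phones = []
    for phone, ts, area in pings:
        if phone not in phones:
            phones.append(phone)
        dt = _parse(ts)
        if is_home_time(dt):
            home_votes[phone][area] += 1
        if is_work_time(dt):
            work_votes[phone][area] += 1

    def top(counter):
        return counter.most_common(1)[0][0] if counter else None

    return {p: (top(home_votes[p]), top(work_votes[p])) for p in phones}


def commuter_flows(locations):
    """Count (home, work) pairs; phones without both an inferred home and
    an inferred work area are dropped."""
    flows = Counter()
    for home, work in locations.values():
        if home and work:
            flows[(home, work)] += 1
    return flows


def small_cells(flows, threshold=10):
    """Flows below the (assumed) disclosure-control threshold. A (home, work)
    pair shared by only a handful of phones is a quasi-identifier even though
    the ids are anonymised, so a statistical release would suppress them."""
    return {pair: n for pair, n in flows.items() if n < threshold}


if __name__ == "__main__":
    locs = infer_locations(PINGS)
    flows = commuter_flows(locs)
    for (home, work), n in sorted(flows.items()):
        print(f"{home} -> {work}: {n}")
    print("would be suppressed:", small_cells(flows))
```

With only four constructed phones every flow is a small cell, which is the point: the aggregate table looks harmless, but at borough granularity with a real four-week feed the rare (home, work) pairs are exactly the rows that re-identify people, and the "extensive evaluation of privacy impacts" the ONS mentions has to start with that suppression step rather than with the anonymisation of the phone ids.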

"The first major challenge to the legality of UK intelligence agencies intercepting private communications in bulk, following Edward Snowden’s whistleblowing revelations, is due to be heard by the European court of human rights (ECHR). Three separate British cases brought by civil rights groups will be considered together by seven judges in Strasbourg on Tuesday, raising questions about the way GCHQ, MI5 and MI6 share surveillance material with the United States and other foreign governments. One of the claims, brought by an alliance of 10 human rights organisations, has been considered by the investigatory powers tribunal (IPT) in London, which takes some of its evidence in secret. The tribunal has already ruled that in the past the UK surveillance regime was unlawful because it breached the right to privacy under article 8 of the European convention on human rights – but that it was now compliant. The tribunal also found that GCHQ, the government’s eavesdropping agency, spied on Amnesty International and the South African non-profit Legal Resources Centre by retaining and illegally examining their data. The other two claims at Strasbourg, brought by Big Brother Watch and the Bureau of Investigative Journalism, have gone directly to the ECHR. They involve allegations that government interception breaches freedom of expression and the right to a fair trial, on the grounds that the IPT’s hearings are held partially in secret and do not provide an effective domestic remedy. The coalition of NGOs includes Liberty, Amnesty International, Privacy International, the American Civil Liberties Union and groups from Pakistan, South Africa and Egypt. The Big Brother Watch case is supported by the Open Rights Group and English Pen. They all argue that cross-border programmes deployed by government agencies to intercept and access communications content and data on an international scale are unlawful. 
Their communications are likely to have been spied on, they maintain, violating their rights to privacy and freedom of expression while jeopardising confidentiality and the protection of the vulnerable sources and informants with whom they regularly deal. The Strasbourg hearings will focus on the bulk interception programmes revealed by Edward Snowden in 2013, including Tempora, Upstream and Prism. Tempora enables GCHQ to intercept and store a back-up of internet activity entering and leaving the UK through fibre optic cables for subsequent inspection; Upstream allows the United States’ National Security Agency (NSA) to carry out similar operations in the US; and Prism lets the NSA access communications passing through US companies such as Microsoft, Apple, Yahoo!, Google, Facebook, Skype and YouTube.... Martha Spurrier, director of Liberty, said: “Our organisations exist to stand up for people and challenge abuse of power. We work with whistleblowers, victims, lawyers, journalists and campaigners around the world, so confidentiality and protection of our sources is vital.  “The UK government’s vast, cross-border mass surveillance regime – which lets it access millions of people’s communications every day – has made those protections meaningless.”"
UK intelligence agencies face surveillance claims in European court
Guardian, 7 November 2017

"The Texas National Guard last year spent more than $373,000 to install controversial cellphone eavesdropping devices in secretive surveillance aircraft. Maryland-based Digital Receiver Technology Inc., or DRT, installed two of its DRT 1301C “portable receiver systems” in National Guard aircraft in partnership with the Drug Enforcement Administration, according to a contract between the Texas National Guard and the company. Dirt boxes mimic cellphone towers by tricking every smartphone within a geographic area of up to one-third of a mile to connect with the technology, usually without cellphone users or telecom companies ever knowing about it. Also known as cell-site simulators, the devices can be used from land or air and are capable of intercepting the user’s location, phone numbers dialed, text messages and photos as well as recording or listening to phone calls. Privacy and civil liberties advocates have called the use of dirt boxes a “digital dragnet,” because it’s nearly impossible for the government to avoid intercepting personal information from innocent cellphone users when pursuing investigative targets."
Documents: Texas National Guard Installed Cellphone Spying Devices on Surveillance Planes
Observer (US), 6 November 2017
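Both the CSIS ruling above and this Texas National Guard report describe the same mechanism: a cell-site simulator advertises itself as a legitimate base station so that every handset in range attaches to it. Neither article says how a target might notice. The following is an added example, not code from either article or from any vendor: a heuristic detector run over constructed radio observations, as seen from the handset, looking for the side effects of that impersonation (a cell never logged before at this spot, a forced drop to 2G, an implausibly strong signal, one cell id advertised under two location area codes). The observations, the baseline list of known cells and the thresholds are assumptions; MCC 001 / MNC 01 is the reserved test-network code, so no operator is implied.

```python
"""
Added example, not from either article: heuristic detection of a cell-site
simulator (IMSI catcher / Stingray / "dirt box") from a phone's own view of
the radio network. Observations, baseline and thresholds are constructed.
"""
from collections import defaultdict

# Constructed observations: (time, radio access technology, MCC, MNC,
# location area code, cell id, received signal strength in dBm).
OBSERVATIONS = [
    ("10:00", "LTE", 1, 1, 1001, 50123, -85),   # normal serving cell
    ("10:05", "LTE", 1, 1, 1001, 50124, -88),   # normal neighbour
    ("10:10", "GSM", 1, 1, 9999, 777, -45),     # new cell, 2G, very strong
    ("10:15", "GSM", 1, 1, 1001, 777, -47),     # same cell id, different LAC
    ("10:20", "LTE", 1, 1, 1001, 50123, -86),   # back on the real network
]

# Assumed baseline: cells this handset has logged at this location before.
KNOWN_CELLS = {
    (1, 1, 1001, 50123),
    (1, 1, 1001, 50124),
    (1, 1, 1002, 50201),
}

STRONG_SIGNAL_DBM = -50                      # assumed: a fake cell is close and loud
RAT_RANK = {"GSM": 2, "UMTS": 3, "LTE": 4}   # higher is a newer generation


def detect(observations, known_cells):
    """Return a list of (time, reason) alerts, one per heuristic that fires."""
    alerts = []
    prev_rat = None
    lacs_per_cid = defaultdict(set)
    for t, rat, mcc, mnc, lac, cid, dbm in observations:
        # 1. A cell never seen in the baseline for this spot.
        if (mcc, mnc, lac, cid) not in known_cells:
            alerts.append((t, "unknown_cell"))
        # 2. A forced drop to an older generation: GSM has no network
        #    authentication, so a simulator prefers to hold phones there.
        if prev_rat is not None and RAT_RANK[rat] < RAT_RANK[prev_rat]:
            alerts.append((t, "rat_downgrade"))
        # 3. Implausibly strong signal for a macro cell.
        if dbm > STRONG_SIGNAL_DBM:
            alerts.append((t, "strong_signal"))
        # 4. The same cell id advertised under different location area codes.
        lacs_per_cid[(mcc, mnc, cid)].add(lac)
        if len(lacs_per_cid[(mcc, mnc, cid)]) > 1:
            alerts.append((t, "cid_lac_mismatch"))
        prev_rat = rat
    return alerts


def suspicious_times(alerts, min_reasons=2):
    """Times at which at least min_reasons distinct heuristics fired; one
    heuristic alone (a new cell after an operator reconfiguration, say) is
    weak evidence and would page people needlessly."""
    per_time = defaultdict(set)
    for t, reason in alerts:
        per_time[t].add(reason)
    return sorted(t for t, r in per_time.items() if len(r) >= min_reasons)


if __name__ == "__main__":
    found = detect(OBSERVATIONS, KNOWN_CELLS)
    for t, reason in found:
        print(t, reason)
    print("suspicious:", suspicious_times(found))
```

The caveat a practitioner should keep in mind: the detector can only say that something is impersonating a base station, not what it does with the attachment. CSIS states its device links a handset to a subject and locates it without capturing communications, while the Texas contract describes equipment capable of intercepting calls and messages; from the handset's side those two cases look the same. Genuine network changes (a new site, a maintenance reconfiguration) also trip the unknown-cell heuristic on their own, which is why the block only escalates when two independent checks agree.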

"On Friday Apple fans were queuing to get their hands on the newly released iPhone X: The flagship smartphone that Apple deemed a big enough update to skip a numeral. RIP iPhone 9.... So the iPhone X knows it’s your face looking at it and can act accordingly... Face ID has already generated a lot of excitement but the switch to a facial biometric does raise privacy concerns — given that the human face is naturally an expression-rich medium which, inevitably, communicates a lot of information about its owner without them necessarily realizing it. Now here we get to the fine line around what Apple is doing. Yes it’s protecting the mathematical models of your face it uses the iPhone X’s depth-sensing hardware to generate and which — via Face ID — become the key to unlocking your smartphone and authenticating your identity. But it is also normalizing and encouraging the use of face mapping and facial tracking for all sorts of other purposes."
A closer look at the capabilities and risks of iPhone X face mapping
TechCrunch, 4 November 2017

"The US Department of Homeland Security (DHS) wants to develop technology that scans the faces of travelers as they enter and leave the US. The difficult part? The agency wants to do it without anyone needing to get out of their cars. First spotted by Nextgov, DHS has posted a public notice calling on technology companies to submit proposals for the system by January 2018. The agency is hosting an “industry day” in Silicon Valley on November 14th to give businesses more information about what it is they’re looking for exactly. The proposed program would allow Homeland Security to maintain a database of everyone who leaves and enters the US that would now include photos taken by spying robot-cameras at every border crossing. Not only does DHS want this new facial recognition program to work without anyone having to exit their vehicle, the agency wants it to work even if the travelers are wearing things like sunglasses and hats. DHS also wants it to work without cars having to stop.... Between high-tech license plate readers and facial recognition programs, the world is looking a lot more like Minority Report with each passing day. But unfortunately it seems like we’re not getting all of the cool, helpful technologies from that movie. We’re just getting the dystopian police state ones."
US Homeland Security Wants Facial Recognition to Identify People in Moving Cars
Gizmodo, 2 November 2017

"... despite Apple’s safeguards, privacy activists fear the widespread use of facial recognition would “normalise” the technology and open the door to broader use by law enforcement, marketers or others of a largely unregulated tool. 'Apple has done a number of things well for privacy but it’s not always going to be about the iPhone X,' said Jay Stanley, a policy analyst with the American Civil Liberties Union. 'There are real reasons to worry that facial recognition will work its way into our culture and become a surveillance technology that is abused.' A study last year by Georgetown University researchers found nearly half of all Americans in a law enforcement database that includes facial recognition, without their consent. Civil liberties groups have sued over the FBI’s use of its “next generation” biometric database, which includes facial profiles, claiming it has a high error rate and the potential for tracking innocent people.“We don’t want police officers having a watch list embedded in their body cameras scanning faces on the sidewalk,” said Stanley. Clare Garvie — the Georgetown University Law School associate who led the 2016 study on facial recognition databases — agreed that Apple is taking a responsible approach but others might not. “My concern is that the public is going to become inured or complacent about this,” Garvie said. Widespread use of facial recognition “could make our lives more trackable by advertisers, by law enforcement and maybe someday by private individuals,” she said.... Another worry, she said, is that police could track individuals who have committed no crime simply for participating in demonstrations. Shanghai and other Chinese cities have recently started deploying facial recognition to catch those who flout the rules of the road, including jaywalkers....Regardless of these concerns, Apple’s introduction is likely to bring about widespread use of facial recognition technology. 
“What Apple is doing here will popularise and get people more comfortable with the technology,” said Patrick Moorhead, principal analyst at Moor Insights & Strategy, who follows the sector."
New iPhone brings facial recognition (and surveillance fears) to the masses
AFP, 29 October 2017

"A top iOS security researcher has uncovered yet another privacy loophole in Apple's mobile firmware. Felix Krause, founder of Fastlane.Tools, said the way Apple's software handles camera access and recording is leaving many fans vulnerable to being spied on by apps on their gadgets without any notification or warning. Krause explained today that because Apple only requires the user to enable camera access one time and then gives free rein without requiring a camera light or notification, a malicious application could go far beyond its intended level of access.... For now, Krause said, the only real way to prevent an iOS app from being able to record you without permission is to use a physical camera cover (such as a piece of tape or sticky note) to obscure the sensor hardware. Revoking camera access for apps and then using copy-paste or manually taking photos with the camera app and then importing them to other apps is also recommended. On Apple's end, Krause said, the issue could be alleviated by introducing one-time access permissions for the camera and adding activity LEDs that indicate whenever the camera is in use and can't be turned off from within the sandbox that all third-party apps use on iOS."
FYI: iOS apps can turn on your camera any time without warning
Register, 25 October 2017

"On June 14, 2014, the State Council of China published an ominous-sounding document called "Planning Outline for the Construction of a Social Credit System". In the way of Chinese policy documents, it was a lengthy and rather dry affair, but it contained a radical idea. What if there was a national trust score that rated the kind of citizen you were? Imagine a world where many of your daily activities were constantly monitored and evaluated: what you buy at the shops and online; where you are at any given time; who your friends are and how you interact with them; how many hours you spend watching content or playing video games; and what bills and taxes you pay (or not). It's not hard to picture, because most of that already happens, thanks to all those data-collecting behemoths like Google, Facebook and Instagram or health-tracking apps such as Fitbit. But now imagine a system where all these behaviours are rated as either positive or negative and distilled into a single number, according to rules set by the government. That would create your Citizen Score and it would tell everyone whether or not you were trustworthy. Plus, your rating would be publicly ranked against that of the entire population and used to determine your eligibility for a mortgage or a job, where your children can go to school - or even just your chances of getting a date. A futuristic vision of Big Brother out of control? No, it's already getting underway in China, where the government is developing the Social Credit System (SCS) to rate the trustworthiness of its 1.3 billion citizens. The Chinese government is pitching the system as a desirable way to measure and enhance "trust" nationwide and to build a culture of "sincerity". As the policy states, "It will forge a public opinion environment where keeping trust is glorious. 
It will strengthen sincerity in government affairs, commercial sincerity, social sincerity and the construction of judicial credibility."...For now, technically, participating in China's Citizen Scores is voluntary. But by 2020 it will be mandatory. The behaviour of every single citizen and legal person (which includes every company or other entity) in China will be rated and ranked, whether they like it or not."
Big data meets Big Brother as China moves to rate its citizens
Wired, 21 October 2017

"Privacy rights group Privacy International says it has obtained evidence for the first time that UK spy agencies are collecting social media information on potentially millions of people. It has also obtained letters it says show the intelligence agencies’ oversight body had not been informed that UK intelligence agencies had shared bulk databases of personal data with foreign governments, law enforcement and industry — raising concerns about effective oversight of the mass surveillance programs. The documents have come out as a result of an ongoing legal challenge Privacy International has brought against UK intelligence agencies’ use of bulk personal data collection as an investigatory power. (The group also has various other active legal challenges, including to state hacking). It says now that the Investigatory Powers Commissioner’s Office (IPCO) oversight body “sought immediate inspection when secret practices came to light” as a result of its litigation. The use by UK spooks of so-called bulk personal datasets (BPDs) — aka massive databases of personal information — was only publicly revealed in March 2015, via an Intelligence and Security Committee report, which also raised various concerns about their use. Although the report revealed the existence of BPDs it was heavily redacted — for example scrubbing info on exactly how many BPDs are held by the different agencies. Nor was it clear where exactly agencies were sourcing the bulk data from. It did specify that the stored and searchable data can include details such as an individual’s religion, racial or ethnic origin, political views, medical condition, sexual orientation, and legally privileged, journalistic or “otherwise confidential” information. It also specified that BPDs “vary in size from hundreds to millions of records”, and can be acquired by “overt and covert channels”.... access to BPD data had been authorized internally without ministerial approval. 
And there were no legal penalties for misuse — and perhaps unsurprisingly the report also revealed all intelligence agencies had dealt with cases of inappropriate access of BPDs. The documents obtained by Privacy International now put a little more meat on the bones of BPDs. “New disclosure reveals that the UK intelligence agencies hold databases of our social media data,” the group writes today. “This is the first confirmed concrete example of the type of information collected by the UK intelligence agencies and held in large databases. “The social media database potentially includes information about millions of people,” it further writes, adding: “It remains unclear exactly what aspects of our communications they hold and what other types of information the government agencies are collecting, beyond the broad unspecific categories previously identified such as ‘biographical details’, ‘commercial and financial activities’, ‘communications’, ‘travel data’, and ‘legally privileged communications’.” In one of the new documents — a draft report from last month summarizing the findings of a 2017 audit of the operation of BPDs — the IPCO, which only took over oversight duties for UK investigatory powers last month, makes a stated reference (below) to “social media data” when discussing how agencies handle different BPD databases; indicating that content from consumer social networks such as Facebook and Twitter is indeed ending up within spy agencies’ bulk databases. (Though no services are mentioned by name.)... Additional documents in the new bundle obtained by Privacy International show the IPCO flagging the role of private contractors that are given ‘administrator’ access to the information UK intelligence agencies’ collect — and raising concerns that there are currently no safeguards in place to prevent misuse of the systems by third party contractors. 
Part of the UK government’s defense to the group legal challenge over intelligence agencies’ use of BPDs is that there are effective safeguards in place to prevent misuse. But Privacy International’s contention is that the new documents show otherwise — with the IPCO stating the Commissioner was never made aware of any practice of GCHQ sharing bulk data with industry.... Commenting in a statement, Privacy International solicitor Millie Graham Wood said: “The intelligence agencies’ practices in relation to bulk data were previously found to be unlawful. After three years of litigation, just before the court hearing we learn not only are safeguards for sharing our sensitive data non-existent, but the government has databases with our social media information and is potentially sharing access to this information with foreign governments. “The risks associated with these activities are painfully obvious. We are pleased the IPCO is keen to look at these activities as a matter of urgency and the report is publicly available in the near future.”"
UK spies using social media data for mass surveillance
TechCrunch, 17 October 2017

"MI5 and MI6 may be circumventing legal safeguards when they share bulk datasets with foreign intelligence services and commercial partners, a court has been told. Most of the bulk personal datasets relate to UK citizens who are not of “legitimate intelligence interest”, the investigatory powers tribunal (IPT) heard. The system of independent commissioners, usually retired judges, who were supposed to maintain independent oversight over these procedures had been inadequate and was a “blatant failure”, Ben Jaffey QC, for Privacy International, told the IPT. While GCHQ has said it insists its partners adopt equivalent standards and safeguards when processing bulk data, Jaffey said, neither MI5 nor MI6 have a similar approach. “The effect will be the circumvention of the UK legal regimes,” he added. “Protections will be avoided.” The challenge brought by Privacy International alleges that data-sharing regimes and the legal oversight system are illegal. The case has been running for three years but continues to unearth fresh details about the way in which the intelligence services handle data. Bulk personal datasets contain highly sensitive personal information such as social media sites or online dating sites, the tribunal heard. “Such datasets are very intrusive,” Jaffey said. “They contain information that goes right to the core of an individual’s private life.” The IPT, which is sitting at Southwark crown court this week, hears claims about the legality of surveillance and complaints against the intelligence services. One important industry partner of GCHQ, the tribunal has been told, is the University of Bristol. 
Documents revealed by Edward Snowden, the US whistleblower, indicate that researchers are given access to GCHQ’s entire raw unselected datasets, including internet usage, telephone call logs, websites visited, online file transfers and others. Researchers are also given access to GCHQ’s targeting database, supposedly delivered at least once a day, the tribunal has been told. That, it was said, is an exceptionally sensitive dataset. Another partner with which GCHQ shares its data is HMRC. The tax collection agency has access to a datastream called Milkwhite Enrichment Service, submissions reveal. Jaffey said analysts at GCHQ were supposed to record their reasons for searching bulk datasets, yet those statements were not seen by the oversight commissioners. Bulk communications data and bulk personal datasets are shared in two ways – either by sending out information on disks or by allowing outside organisations to access the agency’s databases remotely. One of the documents disclosed to the hearing was a letter from the new Investigatory Powers Commissioner’s Office which is critical of a former intelligence services commissioner, Sir Mark Waller. It said: “Sir Mark Waller (ISCom) remained wholly resistant to acquiring any inspector resources (or indeed technical/legal resources) to assist him in his duties despite being advised by the then head of [the Interception of Communications Commissioner’s Office], Jo Cavan, and the interim head that succeeded her of the benefits of such resourcing.” Outside the court, Millie Graham Wood, a solicitor at Privacy International, said: “The intelligence agencies’ practices in relation to bulk data were previously found to be unlawful.”... James Eadie QC, who represents the Foreign Office, Home Office and intelligence agencies, denied in written submissions that any data-sharing was illegal. 
“It is neither confirmed nor denied whether the [agencies] share or have agreed to share bulk personal data and bulk communications data with foreign partners and [other agencies] or (in the case of [MI6] and MI5) with industry partners,” Eadie maintained. “However, were they to do so such sharing would be lawful.”"
UK spy agencies may be circumventing data-sharing law, tribunal told
Guardian, 17 October 2017

"You cannot quit Facebook or Google. It’s not possible, unless you’re willing to avoid most of the internet entirely. The Silicon Valley giants, which are facing increasing criticism over their vast power over markets, culture, the press and politics, are building a profile of you whether you use their services or not. If you use the internet, they will track you, collect your information and try to target ads at you. They’ve acquired some of their biggest competitors, making it even harder to escape their reach. And they’re designed to manipulate human behavior to make it psychologically and emotionally difficult to opt out. Google tracks you across the web through Google Analytics, which most websites use to track user traffic, and DoubleClick, the dominant online advertising network. Both services collect and collate data from web users without them even knowing, and then send it back to Google. Facebook, meanwhile, places “Like” buttons all across the web. Every time you see a “Like” button on a page that isn’t Facebook, it is collecting your data and sending it back to the Facebook mothership. “You can choose not to use their app or their site,” explained Jason Kint, CEO of Digital Content Next, a trade association for digital content companies. “But they do also collect data across the web.”... Facebook’s privacy rule changes resulted in a 2011 finding by the Federal Trade Commission that the company deceived its users. The company entered into a settlement that still grants the FTC oversight of the site’s privacy rules. At the time of the settlement, Facebook had 500 million users. It now has more than 2 billion users. Google has seven different products with one billion or more users. How can you quit that?"
You Can't Quit Facebook And Google Even If You Wanted To
Huffington Post, 5 October 2017

"Australia is to build a national database of as many citizens' images as it can, with state premiers rubber-stamping prime minister Malcolm Turnbull's plan to add drivers' licenses to a national facial recognition database. The plan, called overreach by rights activists like Digital Rights Watch's chair Tim Singleton Norton, has been considered since at least 2015."
Australia approves national database of everyone's mugshots
The Register, 5 October 2017

"Uber's iPhone app has a secret back door to powerful Apple features, allowing the ride-hailing service to potentially record a user's screen and access other personal information without their knowledge. This access to special iPhone functions — which are so powerful that Apple almost always keeps them off-limits to outside companies — is not disclosed in any consumer-facing information included with Uber's app."
Apple gave Uber's app 'unprecedented' access to sensitive Apple features that can record iPhone screens
Business Insider, 5 October 2017

"'Sustained monitoring' is now a part of our digital lives. And that’s why what happened on May 23, 2017, is so important. On that day, Google announced that it would begin to tie billions of credit card transactions to the online behavior of its users, which it already tracks with data from Google-owned applications like YouTube, Gmail, Google Maps and more. Doing so allows it to show evidence to advertisers that its online ads lead users to make purchases in brick-and-mortar stores. Google’s new program is now the subject of a Federal Trade Commission complaint filed by the Electronic Privacy Information Center in late July. Google may be the first to formally make this link, but it is hardly alone. Among technology companies, the rush to create comprehensive offline profiles of online users is on, driven by the need to monetize online services offered free. In practice, this means that we can no longer expect a meaningful difference between observability and identifiability — if we can be observed, we can be identified. In one recent study, for example, a group of researchers showed that aggregate cellular location data — the records generated by our cellphones as they anonymously interact with nearby cell towers — can identify individuals with 73 percent to 91 percent accuracy.... Thanks to the trails created by our continuous online activities, it has become nearly impossible to remain anonymous in the digital age. So what to do? The answer is that we must regulate what organizations and governments can actually do with our data. Simply put, the future of our privacy lies in how our data is used, rather than how or when our data may be gathered. Excepting those who opt out of the digital world altogether, controls on data gathering are a lost cause. This is part of the approach now being taken by European regulators.
One of the cornerstones of the European Union’s new regulatory framework for data, known as the General Data Protection Regulation, or G.D.P.R., is the idea of purpose-based restrictions on data. In order for an organization or public authority to use personal data gathered in the European Union, it must first specify what that data is going to be used for. The G.D.P.R. sets forth six broad categories of acceptable purposes, including when an individual has directly consented to a specific use for the data to when data processing is necessary for the public interest. If data is issued for an unauthorized purpose, legal liability ensues. The G.D.P.R. is far from perfect, but it is on to something big. This method stands in stark contrast to the way data is protected in the United States, which might best be characterized as a “collect data first, ask questions later” approach."
The End of Privacy
New York Times, 5 October 2017

"Intel agencies and top-tier hackers are actively hacking other hackers in order to steal victim data, borrow tools and techniques, and reuse each other's infrastructure, attendees at Virus Bulletin Con, Madrid, were told yesterday. The increasing amount of spy-vs-spy type activity is making accurate threat intel increasingly difficult for security researchers, according to Kaspersky Lab. Threat intelligence depends on spotting patterns and tools that point towards a particular threat actor. Related work allows researchers to infer a hacking group's targets and objectives before advising clients about the risk they face. This process falls down now that threat actors are hacking each other and taking over tools, infrastructure and even victims. Juan Andres Guerrero-Saade and Costin Raiu, both from Kaspersky Lab, explained the attribution problems that can arise when one hacking group exploits another's seemingly closed-source toolkit or infrastructure. Quizzed on this point by El Reg, the pair said to date there was no example of an intel agency backdating another foreign hacking group's malware. Cyber-espionage groups are busy instead stealing each other's tools, repurposing exploits, and compromising the same infrastructure, they said. Reuse of fragments of others' tools is more common than wholesale theft and repurposing of third-party APTs. There are two main attack vectors. First, passive attacks that involve intercepting other groups' data in transit, for example as it moves between victims and command and control servers. The second (active) approach involves hacking into another threat actor's malicious infrastructure, an approach much more likely to risk detection but which also brings potential rewards. Kaspersky researchers have come across two examples of backdoors installed in another hacking group's command-and-control infrastructure.
One of these was found in 2013, while analysing a server used by NetTraveler, a Chinese-language campaign targeting activists and organisations in Asia. The second one was found in 2014, while probing a hacked website used by Crouching Yeti, a Russian-language hacking crew. Last year a website put together by the Korean-language DarkHotel also hosted exploit scripts for another targeted attacker, which the team called ScarCruft, a group targeting mainly Russian, Chinese and South Korean organisations, it said. In November 2014, Kaspersky Lab reported that a server belonging to a research institution in the Middle East, known as the Magnet of Threats, simultaneously hosted implants for Regin and Equation Group (English-language), Turla and ItaDuke (Russian-language), as well as Animal Farm (French-language) and Careto (Spanish). This server was the starting point for the discovery of the Equation Group, linked by the leaks of former NSA sysadmin Edward Snowden to an elite NSA hacking crew."
Spy vs spy vs hacker vs... who is THAT? Everyone's hacking each other
The Register, 5 October 2017

"Google received more government requests for user data in the first half of this year than ever before. It also admits it's significantly underreported the number of non-US accounts targeted by US intelligence. Google's latest Transparency Report covering January to June 2017 shows once again it's the go-to firm when governments need data on people. Due to the breadth of Google's services, this data could include your Gmail messages, documents and photos you've saved on Google services, and videos on YouTube. During the period, Google received 48,941 requests for data from 83,345 accounts and produced user information for 65 percent of requests. This time last year it received 44,943 requests from 76,713 accounts. About half the requests come from the US government. Other major sources of requests include Germany, France, and the UK. Many countries in the report have made fewer than 10 requests. The report doesn't show US national security requests made under the Foreign Intelligence Surveillance Act (FISA) for the current period. Using Section 702 of the FISA Amendment Act of 2008, agencies like the NSA can force Google to hand over content from non-US citizens for foreign intelligence purposes. Current figures are subject to a six-month delay. However, Google has revised upwards the number of accounts affected by these requests, which have been significantly underreported for the past three years. In January 2016 to June 2016, for example, Google originally said there were 500-999 requests for 18,500 to 18,900 accounts. In fact the 500-999 requests were for 25,000 to 25,499 accounts."
Google warns that govt is demanding more of your private data than ever
ZD Net, 29 September 2017

"Face ID doesn’t actually store pictures of you on the iPhone in the Secure Enclave. Instead, the data is turned into a mathematical representation and the images are deleted immediately. For each login, a math representation is compared to the one that’s stored in the Secure Enclave.... The paper does say that the probability of a random person in the world being able to unlock your phone with their face is 1 in 1,000,000, which makes Face ID significantly more secure than Touch ID (1 in 50,000). The likelihood of a false match grows for twins and children under 13, Apple says. That probably means a twin will be able to unlock the other twin’s iPhone. On the other hand, if someone takes the phone away from you and points it to your face, there’s a chance it’ll unlock unless a second failsafe is enabled: attention. The attention feature requires you to look at your phone in order to unlock it, which means your significant other can’t point the phone at your face while you’re asleep to read all your chats. That’s why it’s advisable to have Face ID check your eyes for attention, though you can choose to disable the feature to speed up unlocks. Also of note, you can disable Face ID at anytime by holding the power button and volume button simultaneously. It’ll require some quick thinking on the user’s part, but it’ll prevent authorities or anyone else from forcibly unlocking an iPhone with Face ID."
All the iPhone X’s Face ID secrets were just revealed
BGR, 28 September 2017

"[Apple's] Face ID is far from being the first facial recognition system to be built into a mobile device. But previous technologies have been plagued by complaints they are relatively easy to fool with photos, video clips or 3D models shown to the sensor. This has made them unsuitable for payment authentication or other security-sensitive circumstances. In publishing its Face ID documentation more than a month ahead of the iPhone X going on sale, Apple is hoping to head off such concerns - particularly since the handset lacks the Touch ID fingerprint sensor found on its other iOS phones and tablets.... Apple has said it carried out many controlled tests involving three-dimensional masks created by Hollywood special effects professionals, among other tasks, to train its neural network into detecting spoofs. However, it does not claim it is perfect, and intends to continue lab-based trials to further train the neural network and offer updates to users over time."
iPhone X to use 'black box' anti-spoof Face ID tech
BBC, 27 September 2017

"A campaign utilizing a new variant of the government spying software FinFisher has spread, potentially with the help of Internet Service Providers. FinFisher, also known as FinSpy, is a surveillance suite developed by Munich-based Gamma Group and is sold to government customers and law enforcement worldwide. The malware -- which often avoids detection by traditional antivirus software -- can be used to monitor communication software such as Skype, eavesdrop on video chats, log calls, view and copy user files, and more. Gamma Group says the malware "helps government law enforcement and intelligence agencies identify, locate and convict serious criminals." According to ESET researchers, a new campaign spreading the malware has been detected in a total of seven countries. In two of them, Internet Service Providers (ISPs) are "most likely" working in collaboration with governments to infect targets of interest with the surveillance malware. The countries have not been named due to safety concerns. In a blog post, the research team said that FinFisher has been spread through man-in-the-middle (MiTM) attacks, which target communication relays to tamper with data streams, spy on users, and deploy malware. "We believe that major internet providers have played the role of the man in the middle," said Filip Kafka, an ESET malware analyst. ESET says the latest variant has been deployed with a number of improvements designed to avoid detection and analysis. Rather than rely on fake Flash plugins or older infection techniques such as watering holes or spearphishing, FinFisher can now infect systems when users are attempting to download a popular application such as WhatsApp, Skype, Avast, WinRAR, or VLC Player. With a successful MiTM attack in play, the target is redirected to the attacker's server, which installs a malicious file containing a Trojan that deploys FinFisher. However, the legitimate app is also installed to prevent suspicion. 
In addition, the latest version of the malware uses custom code virtualization to protect the majority of its components, including the kernel-mode driver, as well as anti-disassembly tricks which prevent sandboxing, debugging, and emulation -- making the job of security analysts difficult when it comes to picking apart the malicious code. "During the course of our investigations, we found a number of indicators that suggest the redirection is happening at the level of a major internet provider's service," commented Kafka. The new techniques have been used "at the ISP level" in two countries, whereas the other five are still relying on older techniques. "It would be technically possible for the "man" in these man-in-the-middle attacks to be situated at various positions along the route from the target's computer to the legitimate server (e.g. compromised Wi-Fi hotspots)," ESET notes. "However, the geographical dispersion of ESET's detection of latest FinFisher variants suggests the MitM attack is happening at a higher level - an ISP arises as the most probable option." As Gamma Group also offers a solution called "FinFly ISP," which can be deployed on ISP networks to distribute this malware, it may indeed be possible that subscribers are being placed at risk by these companies working in collusion. "The deployment of the ISP-level MitM attack technique mentioned in the leaked documents has never been revealed -- until now," the team says. "If confirmed, these FinFisher campaigns would represent a sophisticated and stealthy surveillance project unprecedented in its combination of methods and reach.""
ISP involvement suspected in latest FinFisher gov't spyware campaign
ZDNet, 22 September 2017

"An international group of cryptography experts has forced the U.S. National Security Agency to back down over two data encryption techniques it wanted set as global industry standards, reflecting deep mistrust among close U.S. allies. In interviews and emails seen by Reuters, academic and industry experts from countries including Germany, Japan and Israel worried that the U.S. electronic spy agency was pushing the new techniques not because they were good encryption tools, but because it knew how to break them. The NSA has now agreed to drop all but the most powerful versions of the techniques - those least likely to be vulnerable to hacks - to address the concerns. The dispute, which has played out in a series of closed-door meetings around the world over the past three years and has not been previously reported, turns on whether the International Organization of Standards should approve two NSA data encryption techniques, known as Simon and Speck. The U.S. delegation to the ISO on encryption issues includes a handful of NSA officials, though it is controlled by an American standards body, the American National Standards Institute (ANSI). The presence of the NSA officials and former NSA contractor Edward Snowden’s revelations about the agency’s penetration of global electronic systems have made a number of delegates suspicious of the U.S. delegation’s motives, according to interviews with a dozen current and former delegates. A number of them voiced their distrust in emails to one another, seen by Reuters, and in written comments that are part of the process. The suspicions stem largely from internal NSA documents disclosed by Snowden that showed the agency had previously plotted to manipulate standards and promote technology it could penetrate. 
Budget documents, for example, sought funding to “insert vulnerabilities into commercial encryption systems.” More than a dozen of the experts involved in the approval process for Simon and Speck feared that if the NSA was able to crack the encryption techniques, it would gain a “back door” into coded transmissions, according to the interviews and emails and other documents seen by Reuters. “I don’t trust the designers,” Israeli delegate Orr Dunkelman, a computer science professor at the University of Haifa, told Reuters, citing Snowden’s papers. “There are quite a lot of people in NSA who think their job is to subvert standards. My job is to secure standards.”"
Distrustful U.S. allies force spy agency to back down in encryption fight
Reuters, 21 September 2017

"This Tuesday Apple unveiled a new line of phones to much fanfare, but one feature immediately fell under scrutiny: FaceID, a tool that would use facial recognition to identify individuals and unlock their phones. Unsurprisingly, this raised major anxiety about consumer privacy: Consumers are already questioning whether FaceID could be spoofed. And it's also possible police would be able to more easily unlock phones without consent by simply holding an individual’s phone up to his or her face. But FaceID should create fear about another form of government surveillance: mass scans to identify individuals based on face profiles. Law enforcement is rapidly increasing use of facial recognition; one in two American adults are already enrolled in a law enforcement facial recognition network, and at least one in four police departments have the capacity to run face recognition searches. Still, until now, co-opting consumer platforms hasn’t been an option.... For the first time, a company will have a unified single facial recognition system built into the world's most popular devices—the hardware necessary to scan and identify faces throughout the world.... that could theoretically make Apple an irresistible target for a new type of mass surveillance order. The government could issue an order to Apple with a set of targets and instructions to scan iPhones, iPads, and Macs to search for specific targets based on FaceID, and then provide the government with those targets’ location based on the GPS data of devices that receive a match. Apple has a good record of fighting for user privacy, but there's only so much the company could do if its objections to an order were turned down by the courts.... Over the last decade the government has increasingly embraced this type of mass scan method. Edward Snowden's disclosures revealed the existence of Upstream, a program under FISA Section 702 (set to expire in just a few months).
With Upstream, the NSA scans all internet communications going into and out of the United States for surveillance targets' emails, as well as IP addresses and what the agency has called cybersignatures. And last year Reuters revealed that Yahoo, in compliance with a government order, built custom software to scan hundreds of millions of email accounts for content that contained a digital signature used by surveillance targets. To many these mass scans are unconstitutional and unlawful, but that has not stopped the government from pursuing them... Until now text has been the focus of mass scan surveillance, but Apple and FaceID could change that. By generating millions of face prints while simultaneously controlling the cameras that can scan and identify them, Apple might soon face a government order to turn its new unlocking system into the killer app for mass surveillance. What should Apple—and the rest of us—do to respond to this risk?.... Another concern: If iPhone users become accustomed to holding their phone up for face scans to unlock their phone, those consumers could be more vulnerable to other facial-recognition systems with fewer security and privacy protections."
Apple’s FaceID Could Be a Powerful Tool for Mass Spying
Wired, 14 September 2017

"Diners at a KFC store in the eastern Chinese city of Hangzhou will have a new way to pay for their meal. Just smile. Customers will be able to use a “Smile to Pay” facial recognition system at the tech-heavy, health-focused concept store, part of a drive by Yum China Holdings Inc to lure a younger generation of consumers. Diners can pay by scanning their faces at an ordering kiosk and entering a phone number - which is meant to guard against people cheating the system. “Combined with a 3D camera and liveness detection algorithm, Smile to Pay can effectively block spoofing attempts using other people’s photos or video recordings and ensure account safety,” Jidong Chen, Ant’s director of biometric identification technology, said in a statement."
Just smile: In KFC China store, diners have new way to pay
Reuters, 1 September 2017

"The latest documents from Vault 7, a collection of confidential materials related to hacking tools used by the United States Central Intelligence Agency and obtained by WikiLeaks, were made public today by the whistle-blowing organization. This newest leak details the CIA's Angelfire project, which is a persistent framework that can load and execute custom malware on computers running Windows XP and Windows 7. Angelfire consists of five components, including Solartime, Wolfcreek, Keystone (previously MagicWand), BadMFS, and the Windows Transitory File system. Each of these parts has a distinct job. It starts with Solartime, which modifies the partition boot sector so that when Windows fires up boot time device drivers, it also loads and executes the Wolfcreek implant. Once executed, it is able to load and run other Angelfire implants. According to the documentation, Keystone is part of the Wolfcreek implant and is responsible for starting up malicious user applications. What makes all this hard to detect is that loaded implants never touch the file system. It also disguises itself as svchost.exe in the C:\Windows\system32 directory. BadMFS is described as a covert file system that is created at the end of the active partition. Angelfire uses BadMFS to store all other components, with all files being obfuscated and encrypted. Finally, the Windows Transitory File system is a newer component that is an alternative to BadMFS. Rather than store files on a secret file system, the component uses temporary files for the storage system. These files are added to the UserInstallAppl (both the .exe or .dll versions). Summed up, Angelfire is yet another tool the CIA used for hacking Windows PCs. Compared to other tools, such as Grasshopper and AfterMidnight, Angelfire seems a bit rudimentary with plenty of cons. For example, some versions of BadMFS can be detected because the reference to the covert file system is stored in a file named "zf."
Additionally, loading implants can cause memory leaks that might be detected on infected machines. It is not known if the CIA has fully retired Angelfire or if it is now using a newer, more sophisticated version."
WikiLeaks Exposes CIA’s Angelfire Toolset For Hacking Windows XP And Windows 7 PCs
Hot Hardware, 1 September 2017

"Techdirt has written a number of stories about facial recognition software being paired with CCTV cameras in public and private places. As the hardware gets cheaper and more powerful, and the algorithms underlying recognition become more reliable, it's likely that the technology will be deployed even more routinely. But if you think loss of public anonymity is the end of your troubles, you might like to think again: 'Lip-reading CCTV software could soon be used to capture unsuspecting customers' private conversations about products and services as they browse in high street stores. Security experts say the technology will offer companies the chance to collect more "honest" market research but privacy campaigners have described the proposals as "creepy" and "completely irresponsible".' That story from the Sunday Herald in Scotland focuses on the commercial "opportunities" this technology offers. It's easy to imagine the future scenarios as shop assistants are primed to descend upon people who speak favorably about goods on sale, or who express a wish for something that is not immediately visible to them. But even more troubling are the non-commercial uses, for example when applied to CCTV feeds supposedly for "security" purposes. How companies and law enforcement use CCTV+lip-reading software will presumably be subject to legislation, either existing or introduced specially. But given the lax standards for digital surveillance, and the apparent presumption by many state agencies that they can listen to anything they are able to grab, it would be naïve to think they won't deploy this technology as much as they can. In fact, they probably already have."
CCTV + Lip-Reading Software = Even Less Privacy, Even More Surveillance
Techdirt, 28 August 2017

"In the US, ISPs are allowed to use or sell data they collect about their users’ internet use and histories. Do our smart devices’ broadcasts yield any bankable information? To find out, Noah Apthorpe at Princeton University and his colleagues set up a mock smart home, complete with seven internet-connected devices, to find out what they might reveal about their users. Four of the devices, the team found, could be easily identified by ISPs just because of the way they connected to the internet. That might not be a problem when it comes to an Amazon Echo, which immediately revealed its identity. But now that everything from insulin pumps to vibrators comes with internet connectivity, just knowing what gadgets someone is using could be valuable information to advertisers. Encrypted connections are one way of limiting the amount of information that an ISP can gather about its users. Website addresses that begin with “HTTPS” encrypt their traffic so although an ISP or other network observer could see that a user had visited a particular website, they wouldn’t be able to work out which specific pages they visited or what they did on that website. And encryption doesn’t stop ISPs from knowing which internet-of-things devices their users have, nor does it stop them seeing when we use those devices. In the Princeton study, ISPs could track a user’s sleep patterns by detecting when a sleep tracker was connecting to the internet. It also revealed that ISPs could identify when a home security camera detected movement and when someone was watching a live stream from their security camera.... This type of observation is possible anywhere, but in the US there are few restrictions on what data ISPs are allowed to sell. EU law makes it more difficult for ISPs to do similar things, and the upcoming General Data Protection Regulation should protect UK citizens."
Your broadband provider can use your smart devices to spy on you
New Scientist, 28 August 2017

"Identity theft is reaching "epidemic levels", according to a fraud prevention group, with people in their 30s the most targeted group. ID fraudsters obtain personal information before pretending to be that individual and apply for loans or store cards in their name. A total of 89,000 cases were recorded in the first six months of the year by UK anti-fraud organisation Cifas. That is a 5% rise on the same period last year and a new record high. "We have seen identity fraud attempts increase year on year, now reaching epidemic levels, with identities being stolen at a rate of almost 500 a day," said Simon Dukes, chief executive of Cifas. "These frauds are taking place almost exclusively online. The vast amounts of personal data that is available either online or through data breaches is only making it easier for the fraudster." ID theft accounts for more than half of fraud recorded by Cifas, a not-for-profit organisation that shares fraud prevention tips between businesses and public bodies. More than four in five of these crimes were committed online, it said, with many victims unaware that they had been targeted until they received a random bill or realised their credit rating had slumped. This would prevent them getting a loan of their own. Fraudsters steal identities by gathering information such as their name and address, date of birth and bank account details. They get hold of such information by stealing mail, hacking computers, trawling social media, tricking people into giving details or buying data through the "dark web".... Its 30-page report showed that a lot of personal details that might be useful to a criminal were out there on public websites - but if you choose to have an online presence, that is quite hard to avoid. 
Far more worrying was the presence in hidden corners of the web of some of my passwords for various accounts, harvested in some of the many hacking attacks on major online firms. Luckily I had already changed those passwords, but the security researchers told me that anyone in the Western world who used the internet reasonably often was likely to have their details held in one of these data dumps. That information is up for sale on a number of criminal marketplaces. Identity theft is big business and it is thriving on the dark web.... Cifas said it was important that employers needed to be alert to fraud, rather than just consumers. There had been a sharp rise in ID fraudsters applying for loans, online retail, telecoms and insurance products, it added. "For smaller and medium-sized businesses in particular, they must focus on educating staff on good cyber-security behaviours and raise awareness of the social engineering techniques employed by fraudsters. Relying solely on new fraud prevention technology is not enough," Mr Dukes said."
Identity theft at epidemic levels, warns Cifas
BBC, 23 August 2017

"Did you know that Google has been recording you without your knowledge? The technology giant has effectively turned millions of its users’ smartphones into listening devices that can capture intimate conversations – even when they aren’t in the room. If you own an Android phone, it’s likely that you’ve used Google’s Assistant, which is similar to Apple’s Siri. Google says it only turns on and begins recording when you utter the words “OK Google”. But a Sun investigation has found that the virtual assistant is a little hard of hearing. In some cases, just saying “OK” in conversation prompted it to switch on your phone and record around 20 seconds of audio. It regularly switches on the microphone as you go about your day-to-day activities, none the wiser."
Paranoid Android
Sun, 22 August 2017

"Today, many automobile companies are offering vehicles that run on the mostly drive-by-wire system, which means a majority of car's

"A U.S. federal judge on Monday ruled that Microsoft Corp's (MSFT.O) LinkedIn unit cannot prevent a startup from accessing public profile data, in a test of how much control a social media site can wield over information its users have deemed to be public. U.S. District Judge Edward Chen in San Francisco granted a preliminary injunction request brought by hiQ Labs, and ordered LinkedIn to remove within 24 hours any technology preventing hiQ from accessing public profiles. The case is considered to have implications beyond LinkedIn and hiQ Labs and could dictate just how much control companies have over publicly available data that is hosted on their services. "To the extent LinkedIn has already put in place technology to prevent hiQ from accessing these public profiles, it is ordered to remove any such barriers," Chen's order reads. HiQ Labs uses the LinkedIn data to build algorithms capable of predicting employee behaviors, such as when they might quit."
U.S. judge says LinkedIn cannot block startup from public profile data
Reuters, 14 August 2017

"Appropriately paranoid travelers have always been wary of hotel Wi-Fi. Now they have a fresh justification of their worst wireless networking fears: A Russian espionage campaign has used those Wi-Fi networks to spy on high-value hotel guests, and recently started using a leaked NSA hacking tool to upgrade their attacks. Since as early as last fall, the Russian hacker group known as APT28, or Fancy Bear, has targeted victims via their connections to hacked hotel Wi-Fi networks, according to a new report from security firm FireEye... FireEye says it first saw evidence that Fancy Bear might be targeting hotels in the fall of last year, when the company analyzed an intrusion that had started on one corporate employee's computer. The company traced that infection to the victim's use of a hotel Wi-Fi network while traveling; 12 hours after the person had connected to that network, someone connected to the same Wi-Fi network had used the victim's own credentials to log into their computer, install malware on their machine, and access their Outlook data. That implies, FireEye says, that a hacker had been sitting on the same hotel's network, possibly sniffing its data to intercept the victim's credentials. Then, just last month, FireEye learned of a series of similar Wi-Fi attacks at hotels across seven European capitals and one Middle Eastern capital. In each case, hackers had first breached the target hotel's network—FireEye believes via the common tactic of phishing emails carrying infected attachments that included malicious Microsoft Word macros. They then used that access to launch the NSA hacking tool EternalBlue, leaked earlier this year in a collection of NSA internal data by hackers known as the ShadowBrokers, which allowed them to quickly spread their control through the hotels' networks via a vulnerability in Microsoft's so-called "server message block" protocol, until they reached the servers managing the corporate and guest Wi-Fi networks.
From there, the attackers used a network-hacking tool called Responder, which allowed them not only to monitor traffic on the hijacked networks, but also to trick computers connecting to them to cough up users' credentials without giving victims any sign of the theft. When the victim computer reaches out to known services like printers or shared folders, Responder can impersonate those friendly entities with a fake authentication process, fooling the victim machine into transmitting its network username and password. And while the password is sent in a cryptographically hashed form, that hashing can sometimes be cracked. (FireEye believes, for instance, that hackers used Responder to steal the hotel guest's password in the 2016 case; the 12-hour delay may have been the time it took to crack the hash.) In each case, FireEye says that the hacked networks were those of moderately high-end hotels, the kind that attract presumably valuable targets. "These were not super expensive places, but also not the Holiday Inn," FireEye's Read says. "They're the type of hotel a distinguished visitor would stay in when they’re on corporate travel or diplomatic business." But FireEye says it doesn't know whether the hackers had specific visitors in mind, or were simply casting a wide net for potential victims... FireEye says it has "moderate confidence" in its conclusion that Fancy Bear conducted both the 2016 hotel attack and the more recent spate. It bases that assessment on the use of two pieces of Fancy Bear-associated malware, known as GameFish and XTunnel, planted on hotel and victim computers. The company also points to clues in the command and control infrastructure of that malware and information about the victims, which it's not making public. 
If Fancy Bear is in fact behind the hotel espionage spree, FireEye notes that the group's use of EternalBlue would represent the first publicly confirmed time that Russian hackers have used one of the NSA hacking techniques leaked in the ShadowBrokers' scandal.... All of which should serve as a reminder that hotel networks are not safe havens for travelers with sensitive information. FireEye's Read warns that even using a VPN may not prevent the leakage of private credentials that Responder exploits, though he notes that vulnerability likely depends on which proxy software someone is using. But the safest approach, for any traveler with truly valuable secrets to keep, is to bring your own wireless hotspot—and then stay off the hotel's Wi-Fi altogether."
Russia's 'Fancy Bear' Hackers Used Leaked NSA Tool to Target Hotel Guests
Wired, 11 August 2017
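The Wired excerpt above describes how Responder answers name lookups for printers and shares so that the victim machine hands over its credentials. Network defenders commonly detect this class of tool by the mirror-image trick: broadcast an LLMNR query for a made-up hostname that no legitimate machine will ever claim, and treat any answer as a poisoning indicator. The following Python is an added illustration written for this archive, not code from FireEye, Wired or the Responder project; the canary name, the transaction id 0x1234, the address 10.0.0.99 and the captured response bytes are all constructed sample values, and the wire format follows RFC 4795 (LLMNR is DNS-shaped, UDP port 5355, multicast 224.0.0.252).

```python
import secrets
import socket
import struct
from typing import List, Optional, Tuple

LLMNR_PORT = 5355
LLMNR_MCAST = "224.0.0.252"


def encode_name(name: str) -> bytes:
    """DNS-style label encoding: length byte + label, terminated by a zero byte."""
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_llmnr_query(name: str, txid: int) -> bytes:
    """A standard LLMNR query for an A record (QTYPE 1, QCLASS IN)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode labels starting at offset, following one compression pointer if present."""
    labels: List[str] = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer into the packet
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            pointed, _ = decode_name(data, ptr)
            labels.append(pointed)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_llmnr_response(data: bytes) -> Optional[dict]:
    """Return id, queried name and answered IPv4 addresses, or None if not a response."""
    if len(data) < 12:
        return None
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:  # QR bit clear: this is a query, not an answer
        return None
    offset, qname = 12, ""
    for _ in range(qd):
        qname, offset = decode_name(data, offset)
        offset += 4  # skip QTYPE and QCLASS
    answers: List[str] = []
    for _ in range(an):
        _aname, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"id": txid, "qname": qname, "answers": answers}


def is_poisoning_indicator(query_name: str, txid: int, response: bytes) -> bool:
    """True when someone answered our canary name with a matching id and an address."""
    parsed = parse_llmnr_response(response)
    if parsed is None:
        return False
    return (parsed["id"] == txid
            and parsed["qname"].lower() == query_name.lower()
            and bool(parsed["answers"]))


# Constructed sample: what a poisoner's reply to our canary would look like on the wire.
CAPTURED_RESPONSE = (
    b"\x12\x34\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00"   # id 0x1234, QR=1, 1 question, 1 answer
    + b"\x0acanary7f3a\x00\x00\x01\x00\x01"                # question echoed back (A, IN)
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04"  # name pointer, type A, IN, TTL 30, rdlen 4
    + b"\x0a\x00\x00\x63"                                   # 10.0.0.99 (constructed)
)


def probe_for_poisoner(timeout: float = 2.0) -> List[Tuple[str, List[str]]]:
    """Live check: multicast a query for a random canary name and report anyone answering."""
    name = "canary-" + secrets.token_hex(4)
    txid = secrets.randbelow(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    hits: List[Tuple[str, List[str]]] = []
    try:
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_MCAST, LLMNR_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(2048)
            if is_poisoning_indicator(name, txid, data):
                hits.append((src, parse_llmnr_response(data)["answers"]))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    print("offline sample flagged:", is_poisoning_indicator("canary7f3a", 0x1234, CAPTURED_RESPONSE))
    for src, addrs in probe_for_poisoner():
        print(f"LLMNR answer for a name nobody owns from {src}: {addrs}")
```

Run it on a laptop connected to the network you want to check; a healthy segment returns no hits, because no host should claim a random name. A non-empty result gives you the responder's source address to investigate, and the same logic can be repeated periodically from a monitoring host. The complementary hardening, where policy allows, is to disable LLMNR and NetBIOS name resolution on clients so there is nothing for a poisoner to answer.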

"A former head of MI5 has spoken out against curtailing use of encryption in messaging apps despite warning that Islamist terrorism will remain a threat for up to another 30 years. Jonathan Evans said the terrorist threat to Britain was a “generational problem”, and suggested the Westminster Bridge attack in March may have had an energising effect on extremists.... But Lord Evans, who retired from the security service in 2013, told BBC Radio 4’s Today programme that he would not support a clampdown on use of encryption. His comments came after Amber Rudd, the home secretary, argued that internet companies were not doing enough to tackle extremism online. She has previously singled out the use of encryption as a problem. Acknowledging that use of encryption had hampered security agencies’ efforts to access the content of communications between extremists, Evans added: “I’m not personally one of those who thinks we should weaken encryption because I think there is a parallel issue, which is cybersecurity more broadly. “While understandably there is a very acute concern about counter-terrorism, it is not the only threat that we face. The way in which cyberspace is being used by criminals and by governments is a potential threat to the UK’s interests more widely. “It’s very important that we should be seen and be a country in which people can operate securely – that’s important for our commercial interests as well as our security interests, so encryption in that context is very positive.”"
Ex-MI5 chief warns against crackdown on encrypted messaging apps
Guardian, 11 August 2017

"... a handful of security researchers, lawyers and privacy watchdogs voice increasing concern that consumers might one day wake up in anger at the collection of data by software companies winning rights to do so through “end user license agreements,” also known as EULAs. One researcher says the data collection potentially poses a national security threat. For now, news about how companies collect data emerges in bite-sized stories. In late July, articles brought to light that certain models of the Roomba robotic vacuum not only collect dust as they whir across the floor, they also map the homes of users and send the data back to headquarters... Gary Reback, a Palo Alto, California, antitrust lawyer who has tangled in legal battles with Google and Microsoft over data privacy issues, said data harvested from consumers has led companies to create individual profiles, often at a level of detail that even family members may not know. “When an online profile is created of you, which you never really get to see, it’s not just kind of what you buy, it’s who you might vote for,” Reback said in a recent telephone interview. An old saying goes that when a consumer gets a service or product for free, the consumer becomes the product. His or her profile becomes an item to be marketed. “You may think your identity is, you look in the mirror and that’s what you see, but it’s really not. Your identity is what they’ve compiled,” Reback said. “That is kind of scary when you think about it. I just don’t think people think about it enough.” Internet-connected devices proliferate in homes. An estimated 8.4 billion such devices exist in the world today, the Gartner research firm says, and that number is projected to climb to 20.4 billion by 2020. 
Those devices are often lumped together as the “Internet of Things.”  Wysopal is concerned enough about privacy that he avoids all voice-activated devices in his own home out of concern they may be feeding his private activities back to manufacturers. But he said young people may feel that “we enjoy all this technology so much that we’re willing to give it up.” As time passes, added Reback, the growth of big players in technology may leave consumers with the sense they have little choice but to accept conditions imposed on them.... In addition to how the personal data of consumers is used, a corollary is whether companies can keep the data safe, said James Scott, senior fellow at the Institute for Critical Infrastructure Technology, a Washington center that calls itself America’s cybersecurity think tank. If U.S. adversaries hack databases containing consumer profiles collected and built up by data firms working with software companies, they could use the information to manipulate public opinion to stoke chaos, Scott said.... On a trip to one of the main U.S. intelligence agencies, which Scott would only identify as a three-letter agency, he said he was stuck at security with an unrelated large delegation, and inquired of a colleague who they were. “‘Oh, that’s Google,’” he said he was told. “‘They are always here begging us to buy their data.’”"
Is Alexa spying on us? We're too busy to care — and we might regret that
McClatchy, 10 August 2017

"You will get chipped. It’s just a matter of time. In the aftermath of a Wisconsin firm embedding microchips in employees last week to ditch company badges and corporate logons, the Internet has entered into full-throated debate. Religious activists are so appalled, they’ve been penning nasty 1-star reviews of the company, Three Square Market, on Google, Glassdoor and social media. On the flip side, seemingly everyone else wants to know: Is this what real life is going to be like soon at work? Will I be chipped? “It will happen to everybody,” says Noelle Chesley, 49, associate professor of sociology at the University of Wisconsin-Milwaukee. “But not this year, and not in 2018. Maybe not my generation, but certainly that of my kids.” Gene Munster, an investor and analyst at Loup Ventures, is an advocate for augmented reality, virtual reality and other new technologies. He thinks embedded chips in human bodies is 50 years away.... In the future, consumers could zip through airport scanners sans passport or drivers license; open doors; start cars; and operate home automation systems. All of it, if the technology pans out, with the simple wave of a hand. The embedded chip is not a GPS tracker, which is what many critics initially feared. However, analysts believe future chips will track our every move.... In Sweden, BioHax says nearly 3,000 customers have had its chip embedded to do many things, including ride the national rail system without having to show the conductor a ticket."
You will get chipped — eventually
USA Today, 10 August 2017

"A judge’s porn preferences and the medication used by a German MP were among the personal data uncovered by two German researchers who acquired the “anonymous” browsing habits of more than three million German citizens. “What would you think,” asked Svea Eckert, “if somebody showed up at your door saying: ‘Hey, I have your complete browsing history – every day, every hour, every minute, every click you did on the web for the last month’? How would you think we got it: some shady hacker? No. It was much easier: you can just buy it.”  Eckert, a journalist, paired up with data scientist Andreas Dewes to acquire personal user data and see what they could glean from it. Presenting their findings at the Def Con hacking conference in Las Vegas, the pair revealed how they secured a database containing 3bn URLs from three million German users, spread over 9m different sites. Some were sparse users, with just a couple of dozen of sites visited in the 30-day period they examined, while others had tens of thousands of data points: the full record of their online lives."
'Anonymous' browsing data can be easily exposed, researchers reveal
Guardian, 1 August 2017

"The Five Eyes surveillance cabal, established at the end of World War 2, includes the US, UK, Australia, Canada and New Zealand. The agreement covers how intelligence is shared. And that's about all we know about it. But that could be about to change. The US government is being sued for information about the deal, officially known as the United Kingdom-United States Communications Intelligence Agreement. UK-based charity Privacy International has filed a lawsuit against the National Security Agency, Office of the Director of National Intelligence, the State Department and the National Archives and Records Administration, which all hold information about the intelligence sharing partnership. The lawsuit follows requests for details about the partnership under the US Freedom of Information Act. All the government agencies rejected the requests. The Five Eyes group has existed since 1946 and the last document officially published about it comes from 1955. Since then, vast technological changes have altered how national security bodies collect and store information. "We hope to find out the current scope and nature of the Five Eyes intelligence sharing agreement – and how much has changed since the 1955 version," Privacy International legal officer Scarlet Kim tells WIRED. "We’d also like to know the US rules and regulations governing this exchange of information – what safeguards and oversight, if any, exist with respect to these activities?" The complaint, says Privacy International wants to access the current text of the agreement, how the US government implements it, and the procedures for how intelligence is shared. "These records are of paramount concern because the public lacks even basic information about the Five Eyes alliance," the document says. The campaign group argues that because the public doesn't have enough information about Five Eyes, it is impossible to know if there is a "legal basis" for exchanging signals intelligence. 
"We are eager to know whether the US shares information not only about Americans but also about Five Eyes citizens and residents with its Five Eyes partners – and whether it undertakes any sort of due diligence before it shares this information," Kim says.  The lawsuit will take a long time to progress through the US legal system but if it is successful could reveal previously private information. Seven years ago, the 1946 agreement between the UK and US, which was superseded by the 1955 document, was acknowledged and released for the first time in the UK. Documents published by the National Archives revealed the basis for the co-operation between the countries. The last light shed on the Five Eyes network came after 2013, when former NSA contractor Edward Snowden published thousands of documents from inside the intelligence agency. "The Snowden disclosures gave us a glimpse into how the change in technical capabilities has transformed the work the 5 Eyes countries do together," Kim explains. "For example, we know that the NSA and GCHQ have worked together to obtain the contact lists and address books from hundreds of millions of personal email and IM accounts as well as webcam images from video chats of millions of Yahoo users". Among many of the practices and capabilities revealed by Snowden surrounding the global intelligence picture, was a glimpse at what is shared with members of Five Eyes. In 2015 it was said New Zealand conducted mass surveillance against its Pacific neighbours, including gathering calls, emails, and social media messages. The documents also revealed New Zealand's Government Communications Security Bureau passed gathered intelligence to the partners within Five Eyes."
The US government is being sued for info on the secretive Five Eyes intelligence group
Wired, 6 July 2017

"Germany is a big target of spying and cyber attacks by foreign governments such as Turkey, Russia and China, a government report said on Tuesday, warning of "ticking time bombs" that could sabotage critical infrastructure. Industrial espionage costs German industry billions of euros each year, with small- and medium-sized businesses often the biggest losers, the BfV domestic intelligence agency said in its 339-page annual report. The report mapped out a range of security threats, including Islamist militancy and increased far-right violence, but highlighted the growing incidence of cyber espionage.  It cited a "noticeable increase" in spying by Turkey's MIT foreign intelligence agency in Germany in 2016, following the failed July 15 coup in Turkey, and said Russia was seeking to influence a parliamentary election on Sept. 24. "The consequences for our country range from weakened negotiating positions to high material costs and economic damage all the way to impairment of national sovereignty," it said."
Germany big target of cyber espionage and attacks - government report
Reuters, 4 July 2017

"The High Court has granted Liberty permission to challenge part of the UK's "extreme mass surveillance regime", with a judicial review of the Investigatory Powers Act. The law forces internet companies to keep logs of emails, phone calls, texts and web browsing histories and to hand them over to the state to be stored or examined. The civil liberties campaign group wants to challenge this mass collection, arguing that the measure breaches British people's rights. In a separate case in December, the European Court of Justice ruled the same powers in the previous law governing UK state surveillance were unlawful. The government argues that it needs access to the data to help with criminal investigations and that the legislation is required because so much communication is done online. But Liberty said the legislation had passed through Parliament in part thanks to "shambolic political opposition" and that the government failed to provide evidence that surveillance of everybody in the UK was lawful or necessary. Martha Spurrier, director of Liberty, said: "It's become clearer than ever in recent months that this law is not fit for purpose. The government doesn't need to spy on the entire population to fight terrorism. All that does is undermine the very rights, freedoms and democracy terrorists seek to destroy." She added: "Our government's obsession with storing vast amounts of sensitive information about every single one of us looks dangerously irresponsible. If they truly want to keep us safe and protect our cybersecurity, they urgently need to face up to reality and focus on closely monitoring those who pose a serious threat." The High Court has also allowed Liberty to seek permission to challenge three other parts of the Act, either once the government publishes further codes of practice, or by March 2018. These include bulk and 'thematic' hacking, which allows police and intelligence agencies to hack into devices on an industrial scale.
It also allows Liberty to challenge the bulk interception and acquisition of communications content and the use of bulk personal datasets, which allows government agencies to access vast databases held by the public or private sector, which Liberty said contain details on "religion, ethnic origin, sexuality, political leanings and health problems, potentially on the entire population - and are ripe for abuse and discrimination". Liberty said that now permission has been granted, its application for a costs capping order will be considered. If this application is granted, the case will be listed for a full hearing."
UK's 'extreme mass surveillance' web snooping powers face legal challenge
ZDNet, 30 June 2017

"US authorities intercepted and recorded millions of phone calls last year under a single wiretap order, authorized as part of a narcotics investigation. The wiretap order authorized an unknown government agency to carry out real-time intercepts of 3.29 million cell phone conversations over a two-month period at some point during 2016, after the order was applied for in late 2015. The order was signed to help authorities track 26 individuals suspected of involvement with illegal drug and narcotic-related activities in Pennsylvania. The wiretap cost the authorities $335,000 to conduct and led to a dozen arrests. But the authorities noted that the surveillance effort led to no incriminating intercepts, and none of the handful of those arrested have been brought to trial or convicted. The revelation was buried in the US Courts' annual wiretap report, published earlier this week but largely overlooked.... Albert Gidari, a former privacy lawyer who now serves as director of privacy at Stanford Law School's Center for Internet and Society, criticized the investigation. "They spent a fortune tracking 26 people and recording three million conversations and apparently got nothing," said Gidari. "I'd love to see the probable cause affidavit for that one and wonder what the court thought on its 10 day reviews when zip came in.""
With a single wiretap order, US authorities listened in on 3.3 million phone calls
ZDNet, 30 June 2017

"Before she was elevated to the role of Prime Minister by the fallout from Brexit, Theresa May was the author of the UK's Investigatory Powers bill, which spelled out the UK's plans for mass surveillance in a post-Snowden world. At the unveiling of the bill in 2015, May's officials performed the traditional dance: they stated that they would be looking at controls on encryption, and then stated definitively that their new proposals included "no backdoors". Sure enough, the word "encryption" does not appear in the Investigatory Powers Act (IPA). That's because it is written so broadly it doesn't need to. We've covered the IPA before at EFF, but it's worth re-emphasizing some of the powers it grants the British government.

  • Any "communications service provider" can be served with a secret warrant, signed by the Home Secretary. Communications service provider is interpreted extremely broadly to include ISPs, social media platforms, mail services and other messaging services.
  • That warrant can describe a set of people or organizations that the government wants to spy upon.
  • It can require tech companies to insert malware onto their users' computers, re-engineer their own technology, or use their networks to interfere with any other system.
  • The warrant explicitly allows those companies to violate any other laws in complying with the warrant.
  • Beyond particular warrants, private tech companies operating in the United Kingdom also have to respond to "technical capability notices" which will require them to "To provide and maintain the capability to disclose, where practicable, the content of communications or secondary data in an intelligible form," as well as permit targeted and mass surveillance and government hacking.
  • Tech companies also have to provide the UK government with new product designs in advance, so that the government can have time to require new "technical capabilities" before they are available to customers.

These capabilities alone already go far beyond the Nineties' dreams of a blanket ban on crypto. Under the IPA [Investigatory Power Act], the UK claims the theoretical ability to order a company like Apple or Facebook to remove secure communication features from their products—while being simultaneously prohibited from telling the public about it. Companies could be prohibited from fixing existing vulnerabilities, or required to introduce new ones in forthcoming products. Even incidental users of communication tech could be commandeered to become spies in her Majesty's Secret Service: those same powers also allow the UK to, say, instruct a chain of coffee shops to use its free WiFi service to deploy British malware on its customers. (And, yes, coffee shops are given by officials as a valid example of a "communications service provider.").... The IPA includes language that makes it clear that the UK expects foreign companies to comply with its secret warrants. Realistically, it's far harder for UK law enforcement to get non-UK technology companies to act as their personal hacking teams. That's one reason why May's government has talked up the IPA as a "global gold standard" for surveillance, and one that they hope other countries will adopt.... hacking and the subversion of tech companies isn't just for spies anymore. The British Act explicitly granted these abilities to conduct "equipment interference" to more than just GCHQ and Britain's other intelligence agencies. Hacking and secret warrants can now be used by, among others, the civilian police force, inland revenue and border controls. The secrecy and dirty tricks that used to be reserved for fighting agents of foreign powers are now available for use against a wide range of potential suspects. With the Investigatory Powers Bill, the United Kingdom is now a country empowered with blunt tools of surveillance that have no comparison in U.S. or any other countries' law."
Five Eyes Unlimited: What A Global Anti-Encryption Regime Could Look Like
Electronic Frontier Foundation, 29 June 2017

"The latest cache of classified intelligence documents dumped online by WikiLeaks includes files describing malware CIA apparently uses to track PCs via Wi‑Fi. The Julian Assange-led website claims the spyware, codenamed ELSA, infects a target's Windows computer and then harvests wireless network details to pinpoint the location of the machine. The software nasty is said to pull data from Google and Microsoft in order to pinpoint the real-world location of the infiltrated machine. "ELSA is a geo-location malware for Wi‑Fi enabled devices like laptops running the Microsoft Windows operating system," says Wikileaks. "Once persistently installed on a target machine using separate CIA exploits, the malware scans visible Wi‑Fi access points and records the ESS identifier, MAC address and signal strength at regular intervals." ELSA is one more weapon in the suite of malware tools the CIA uses to infiltrate the machines of people under investigation. It is used in combination with other exploits and tracking tools. "The collected access point/geo-location information is stored in encrypted form on the device for later exfiltration," Wikileaks says. "The malware itself does not beacon this data to a CIA back-end; instead the operator must actively retrieve the log file from the device – again using separate CIA exploits and backdoors.""
Spies do spying, part 97: The CIA has a tool to track targets via Wi-Fi
The Register, 29 June 2017

"How many people specifically know where you are right now? Some friends and family? Your coworkers, maybe? If you're using a Windows laptop or PC you could add another group to the list: the CIA. New documents released on Wednesday as part of WikiLeaks' series of CIA hacking revelations detail a method the agency uses to geolocate computers and the people using them. The agency infects target devices with malware that can then check which public Wi-Fi networks a given computer can connect to at a given moment, as well as the signal strengths of those networks. From there, the malware compares the list of available Wi-Fi options to databases of public Wi-Fi networks to figure out roughly where the device is. The leaked documents detailing the project, which is known as ELSA, date back to 2013, and specifically address laptops and PCs running Windows 7. But experts say that the technique is straightforward enough that the CIA could have a version of it for every Windows release. ELSA only works on Wi-Fi-enabled workstations, but that’s … pretty much everything at this point. The specific process involves installing malware on a target computer, using that to access the victim device’s Wi-Fi sensor to check for nearby public Wi-Fi points, logging each one’s MAC address and Extended Service Set Identifier (the fingerprints of a Wi-Fi network), and then checking those identifiers against publicly available Wi-Fi databases maintained by Google and Microsoft. By combining this location data with signal strength readings, the malware can calculate the device’s approximate longitude and latitude at a given time. It then encrypts this data and stores it until a CIA agent can work to exfiltrate it. ELSA also includes a removal process so the CIA can cover its tracks. While the underlying concepts are commonly enough known, pulling it off requires quite a bit of sophistication. 
The technique requires exploit tools (methods for taking advantage of unpatched bugs in computer software) to give the CIA access to the target device in the first place. And at the point where the agency can install ELSA malware on the device, they presumably also have access to do a host of other aspects of the computer in question. You can see how gathering location data might be a frequent priority, though, and the ELSA strategy is practical because it doesn’t require any specialized capabilities like GPS or a wireless chip. It can even work when the target device isn’t actually connected to the internet. As long as the Wi-Fi sensor is enabled, the malware can still record which Wi-Fi networks are in range and when, and store the information for later processing. Researchers note that the Wi-Fi databases maintained by Google and Microsoft have expanded and improved since 2013, so it’s likely that the capability has only gotten more accurate over time. It might also have been possible for companies like Google and Microsoft to figure out who the CIA is investigating if they can glean any unique qualities of the database queries the malware would send. But now that technical details of the capability have leaked, the CIA will presumably revise it–if the agency hasn’t already over the last four years."
WikiLeaks Dump Reveals a Creepy CIA Location-Tracking Trick
Wired, 28 June 2017

"The Australian government looks set to take a hard line on encryption at this week’s Five Eyes meeting, and encourage the other nations in the network to jump on the back-door band wagon. The Five Eyes nations - the UK, United States, Canada, Australia and New Zealand - have an agreement to gather and share intelligence, and are meeting this week to discuss national security. Talks are expected to focus on how to force tech companies to introduce back-doors into their previously encrypted products. The UK government has already indicated it is thinking of going down this path - plans that have gone down like a lead balloon with tech experts and privacy campaigners - but its Australian counterpart has been more forthright in its praise of the idea. In a statement, Australian attorney general George Brandis said that he would “raise the need to address ongoing challenges posed by terrorists and criminals using encryption” as his government’s priority issue at the Five Eyes meeting in Canada."
Australian govt promises to push Five Eyes nations to break encryption
The Register, 26 June 2017

"Parliament has suffered its biggest ever cyber attack as hackers launched a “sustained and determined” attempt to break into MPs' email accounts. The “brute force” assault lasted for more than 12 hours on Friday as unknown hackers repeatedly targeted “weak” passwords of politicians and aides. Parliamentary officials were forced to lock MPs out of their own email accounts as they scrambled to minimise the damage from the incident. The network affected is used by every MP including Theresa May, the Prime Minister, and her cabinet ministers for dealing with constituents. Experts last night warned that politicians could be exposed to blackmail or face a heightened threat of terrorist attack if emails were successfully accessed. MPs also apologised to their constituents and expressed concerns that sensitive and private information shared with them may have leaked. Fears were raised by cyber specialists that “state actors” such as Russia, China or North Korea could be behind the attack - though Government sources said it was too early for conclusions. The attack was launched on Friday morning and targeted the 9,000 people who have email accounts on Parliament’s internal network. All 650 MPs have parliamentary email accounts as well as peers, political aides, constituency staff and officials who work in the building.... Henry Smith, the Tory MP, said: “Sorry no parliamentary email access today - we're under cyber attack from Kim Jong Un, Putin or a kid in his mom's basement or something.”... MPs affected warned of the damage a successful hack could bring. Andrew Bridgen, the Tory MP for North West Leicestershire, raised concerns about “confidential information” shared by voters with their local politicians. “People come to us with their worst problems in their life in the confidence that their emails are secure,” he said....
Sean Sullivan, security adviser to F-Secure, a cyber security company, said last night: “This is at an early stage but possible perpetrators of this attack include state actors including Russia, China and North Korea. They would all be in the frame.” Mr Sullivan said MPs’ emails would provide a trove of information to criminal gangs or to hostile enemy states. “This information could be used to launch a terrorist attack or for blackmail plots. MPs' accounts contain so much confidential information.”
Blackmail fears after Parliament hit by 'sustained and determined' cyber attack leaving MPs unable to access their emails remotely
Telegraph, 24 June 2017

"Germany's foreign intelligence service long spied on numerous official and business targets in the United States, including the White House, Spiegel weekly reported Thursday. The magazine said it had seen documents showing that the intelligence service, the BND, had a list of some 4,000 so-called selector keywords for surveillance between 1998 and 2006. These included telephone or fax numbers, as well as email addresses at the White House as well as the US finance and foreign ministries. Other monitoring targets ranged from military institutions including the US Air Force or the Marine Corps, space agency NASA to civic group Human Rights Watch. Hundreds of foreign embassies as well as international organisations like the International Monetary Fund were not spared, Spiegel said. The BND declined comment in the Spiegel report. Germany had reacted with outrage when information leaked by former NSA contractor Edward Snowden revealed in 2013 that US agents were carrying out widespread tapping worldwide, including of Chancellor Angela Merkel's mobile phone. Merkel, who grew up in communist East Germany where state spying on citizens was rampant, declared repeatedly that "spying among friends is not on" while acknowledging Germany's reliance on the US in security matters. But to the great embarrassment of Germany, it later emerged that the BND helped the NSA spy on European allies."
Germany spied on the White House over years: report
The Local, 22 June 2017

"Germany on Thursday passed a controversial new law that expands the power of authorities to spy on the content of encrypted message services such as WhatsApp and Skype.... German investigators will now be able to insert into users' cellphones and computers spy software (or a "Trojan horse") to access data in encrypted message services such as popular applications WhatsApp and Skype, including as part of criminal investigations.... The new law is seen as a significant change for a country that usually is very protective of private information, given the burden of Germany's past dictatorships, the Nazi regime in the 1930s-40s and the communist government in the east of the country after the war. Interior Minister Thomas de Maiziere welcomed parliamentary approval of a law which he believes will correct a technological lag on the part of the state in dealing with criminals who, along with the population at large, use these applications all the time. The opposition far-left and Greens parties voted against the law, however, criticising it as an unlimited extension of a surveillance tool in the country. The debate stretches far beyond just Germany. France and Britain, also targets of recent attacks, want to establish a system of legal requirements regarding encrypted services to reinforce Europe's fight against terrorism. WhatsApp, acquired by Facebook, and Skype use data encryption to guarantee user confidentiality."
Germany expands surveillance of encrypted message services
Phys.org, 22 June 2017

"A new analysis of documents leaked by whistleblower Edward Snowden details a highly classified technique that allows the National Security Agency to "deliberately divert" US internet traffic, normally safeguarded by constitutional protections, overseas in order to conduct unrestrained data collection on Americans. According to the new analysis, the NSA has clandestine means of "diverting portions of the river of internet traffic that travels on global communications cables," which allows it to bypass protections put into place by Congress to prevent domestic surveillance on Americans.... The government only has to divert their internet data outside of the US to use the powers of the executive order to legally collect the data as though it was an overseas communication. Two Americans can send an email through Gmail, for example, but because their email is sent through or backed up in a foreign data center, the contents of that message can become "incidentally collected" under the executive order's surveillance powers. The research cites several ways the NSA is actively exploiting methods to shape and reroute internet traffic -- many of which are well-known in security and networking circles -- such as hacking into routers or using the simpler, less legally demanding option of forcing major network providers or telecoms firms into cooperating and diverting traffic to a convenient location. Goldberg noted that sans any conclusive legal or public definitions from the FISA surveillance court on whether the practice is legal, the loophole remains, and "eliminating it calls for a realignment of current US surveillance laws and policies," she added."
NSA's use of 'traffic shaping' allows unrestrained spying on Americans
ZDNet, 22 June 2017

"China has signed an agreement saying it will stop conducting state-sponsored cyberattacks aimed at stealing Canadian private-sector trade secrets and proprietary technology. This industrial espionage accord was worked out this past Friday during high-level talks in Ottawa between senior Communist Party official Wang Yongqing and Daniel Jean, the national security and intelligence adviser to Prime Minister Justin Trudeau. “The two sides agreed that neither country’s government would conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors,” an official communiqué drawn up between China and Canada says. The bilateral pact was concluded four days after Mr. Trudeau held a telephone discussion with Chinese Premier Li Keqiang, where the two leaders focused on a coming third round of exploratory free-trade talks. This new deal only covers economic espionage – hacking corporate secrets – and does not preclude China from conducting state-sponsored cyberattacks against the Canadian government or military as it did in 2014, when Chinese hackers broke into the main computers at the country’s National Research Council. A senior government official, who took part in Friday’s talks, said the agreement should nevertheless be seen as a potentially important step toward addressing the broader problem of Chinese espionage. “This is something that three or four years ago [Beijing] would not even have entertained in the conversation,” according to the official, who is not authorized to speak on the record for the government. “For us, having the commitment on paper is good because we can refer to it. 
The fact that we do this doesn’t mean we won’t be vigilant, but at the same time if things happen we can go back [to this commitment].” China recently inked similar cyberagreements with the United States, Great Britain, Australia, Brazil and Russia.... Many observers, however, suspect China’s decision to sign the cyberagreement with the United States, Canada and other countries is little more than a shift in tactics. This could include embracing more advanced and secretive computer hacking. “The Chinese may be becoming more stealthy and sophisticated in their attacks. Indeed FireEye noted that the decline in number of attacks [in the United States] may be accompanied by a rise in the sophistication of attacks,” cybersecurity expert Adam Segal wrote in a recent edition of Foreign Affairs magazine. FireEye is a cybersecurity firm that protects against advanced cyberthreats."
Canada and China strike corporate hacking deal
Globe and Mail, 25 June 2017

"The audience at the opening night on Broadway of a new stage adaptation of George Orwell's dystopian fantasy "1984" will include a special guest — the author's son. Richard Blair, whose father finished the book in 1949 when he was a young boy, was in New York on Thursday to cheer on the cast amid a huge jump in interest in his father's nightmarish vision of the future. "His novel '1984' was his take on what could possibly happen — not necessarily will happen — but, as it turned out, it was really quite prescient," said Blair.... The novel tells the story of a man who works at the Ministry of Truth falsifying war news and promoting adoration of the mythical leader Big Brother. The play version stars Olivia Wilde, Tom Sturridge and Reed Birney. Orwell's portrait of a government that manufactures its own facts, demands total obedience and demonizes foreign enemies has enjoyed renewed attention of late... Orwell, the pen name for Eric Arthur Blair, seemed to predict the government's mass surveillance programs and data mining in the age of Facebook and WikiLeaks.... "As the decades have gone by, world events tend to collide with '1984' and suddenly everyone wakes up and says, 'Oh my goodness. This is a bit Orwellian, isn't it?' And a lot of them rush and start buying '1984' and realizing that fiction is imitating life or life is imitating fiction," said Blair."
George Orwell's son says his father's '1984' was 'prescient'
Associated Press, 23 June 2017

"The UK and the EU are at loggerheads once again, but it's not what you might think. This isn't another Brexit debate, but a tussle over encryption. The British government is keen to exploit flaws in tech services for intelligence-gathering and surveillance operations. Home Secretary Amber Rudd, backed by Downing Street, has persistently called for access to WhatsApp, a service used by terrorists in the March attack at Westminster. But on Monday, a European Parliament committee proposed an amendment to incoming legislation that would prevent member states from trying to decrypt encrypted communications, as well as compelling tech companies that don't already use end-to-end encryption to do so. The proposal would protect internet companies from national governments pressuring them to create security flaws, or backdoors, that they could use to hack into people's emails or other messages. The different approaches are emblematic of a debate raging around the world, boiling down to whether tech companies poke security holes in their products so that governments can spy on potential terrorists, or whether they should keep communications locked up tight so as to protect the privacy and safety of internet users. You saw it in the fight that Apple put up against the FBI's efforts to compel the company to create a backdoor into a terrorist's iPhone. While the UK wants to ensure that terrorists have no place to hide, the EU is determined to protect the privacy of law-abiding internet users.... May has long been in favor of increasing the UK's surveillance powers, introducing two bills nicknamed the "Snooper's Charter." The second of these bills, the Investigatory Powers Act, passed into law under her own leadership of the country. The Prime Minister wants the internet to be weak and penetrable, say her critics. 
They also claim she is using this issue right now to reinforce her own image as "strong and stable" -- her slogan during the recent election campaign.... The biggest objection to her proposals is that they will make the internet less safe for users. If governments can exploit backdoors to get to your private communications, so too could criminals or rogue states.... Another risk of this style of surveillance is that it could force terrorists to use alternative, less pleasant communication services, added Killock. Pushing them underground completely would only make them even harder to monitor than they are right now, he argued.... The proposals tabled by members of the European Parliament this week are amendments to draft privacy legislation, and forbid member states from "decryption, reverse engineering or monitoring" of encrypted communications, or compelling tech companies to do so. "Member states shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services," one proposal reads. Not only could these proposals scupper the UK's plans, but they could conflict with surveillance activities allowed by the Investigatory Powers Act.... Because of Brexit, it's hard to know how EU rules on privacy and data will apply once the UK leaves the European Union. But without support from other countries, it's highly unlikely that the British government alone would be able to compel tech companies to create backdoors to allow them to bypass encryption. The UK's own new surveillance plans are also not yet a done deal. The small and fragile majority the Conservative party currently holds in Parliament means greater consensus and more debate will be needed in order to pass new laws...."
UK and EU at odds over encryption, fighting terror
CNet, 21 June 2017

"“Surveillance”, as the security expert Bruce Schneier has observed, is the business model of the internet and that is true of both the public and private sectors. Given how central the network has become to our lives, that means our societies have embarked on the greatest uncontrolled experiment in history. Without really thinking about it, we have subjected ourselves to relentless, intrusive, comprehensive surveillance of all our activities and much of our most intimate actions and thoughts. And we have no idea what the long-term implications of this will be for our societies – or for us as citizens. One thing we do know, though: we behave differently when we know we are being watched. There is lots of evidence about this from experimental psychology and other fields, but most of that comes from small-scale studies conducted under controlled conditions. By comparison, our current experiment is cosmic in scale: nearly 2 billion people on Facebook, for example, doing stuff every day. Or the 3.5bn searches that people type every day into Google. All this activity is leaving digital trails that are logged, stored and analysed. We are being watched 24x7x365 by machines running algorithms that rummage through our digital trails and extract meaning (and commercial opportunities) from them. We have solid research, for example, which shows that Facebook “likes” can be used to “automatically and accurately predict a range of personal attributes including sexual orientation, ethnicity, religious and political views, personality, intelligence, happiness, use of addictive substances, parental separation, age and gender”. The idea that being watched on this scale isn’t affecting our behaviour is implausible, to put it mildly. Throughout history, surveillance has invariably had a chilling effect on freedom of thought and expression. It affects, for example, what you search for. 
After the Snowden revelations, traffic to Wikipedia articles on topics that raise privacy concerns for internet users decreased significantly. Another research project found that people’s Google searches changed significantly after users realised what the NSA looked for in their online activity... By now, most internet users are aware that they are being watched, but may not yet appreciate the implications of it. If that is indeed the case, then a visit to an interesting new website – Social Cooling – might be instructive. It illustrates the way social media assembles a “data mosaic” about each user that includes not just the demographic data you’d expect, but also things such as your real (as opposed to your “projected”) sexual orientation, whether you’ve been a victim of rape, had an abortion, whether your parents divorced before you were 21, whether you’re an “empty nester”, are “easily addictable” or “into gardening”, etc. On the basis of these parameters, you are assigned a score that determines not just what ads you might see, but also whether you get a mortgage. Once people come to understand that (for example) if they have the wrong friends on Facebook they may pay more for a bank loan, then they will start to adjust their behaviour (and maybe change their friends) just to get a better score. They will begin to conform to ensure that their data mosaic keeps them out of trouble. They will not search for certain health-related information on Google in case it affects their insurance premiums. And so on. Surveillance chills, even when it’s not done by the state. And even if you have nothing to hide, you may have something to fear."
Google, not GCHQ, is the truly chilling spy network
Guardian, 18 June 2017

"Routers sit at the front gate of nearly every network, offering total access and few security measures to prevent remote attacks. If you can compromise someone’s router, you’ve got a window into everything they’re doing online. According to new documents published by WikiLeaks, the CIA has been building and maintaining a host of tools to do just that. This morning, the group published new documents describing a program called Cherry Blossom, which uses a modified version of a given router’s firmware to turn it into a surveillance tool. Once in place, Cherry Blossom lets a remote agent monitor the target’s internet traffic, scan for useful information like passwords, and even redirect the target to a desired website. The document is part of a series of publications on CIA hacking tools, including previous modules targeting Apple products and Samsung Smart TVs. As with previous publications, the document dates to 2012, and it’s unclear how the programs have developed in the five years since. The manual describes different versions of Cherry Blossom, each tailored to a specific brand and model of router. The pace of hardware upgrades seems to have made it arduous to support each model of router, but the document shows the most popular routers were accessible to Cherry Blossom. “As of August 2012,” the manual reads, “CB-implanted firmwares can be built for roughly 25 different devices from 10 different manufacturers, including Asus, Belkin, Buffalo, Dell, DLink, Linksys, Motorola, Netgear, Senao, and US Robotics.” The manual also goes into detail on how CIA agents would typically install the modified firmware on a given device. “In typical operation,” another passage reads, “a wireless device of interest is implanted with Cherry Blossom firmware, either using the Claymore tool or via a supply chain operation.” The “supply-chain operation” likely refers to intercepting the device somewhere between the factory and the user, a common tactic in espionage operations. 
No public documents are available on the “Claymore tool” mentioned in the passage. It’s unclear how widely the implant was used, although the manual generally refers to use against specific targets, rather than for mass surveillance. There’s also reason to believe the NSA was employing similar tactics. In 2015, The Intercept published documents obtained by Edward Snowden that detailed efforts by the UK’s GCHQ to exploit vulnerabilities in 13 models of Juniper firewalls."
The CIA has lots of ways to hack your router
The Verge, 15 June 2017

"The New York Times is enabling comments on more of its online articles because of an artificial intelligence tool developed by Google. The software, named Perspective, helps identify "toxic" language, allowing the newspaper's human moderators to focus on non-offensive posts more quickly. Its algorithms have been trained by feeding them millions of posts previously vetted by the team. By contrast, several other news sites have shut their comments sections. Popular Science, Motherboard, Reuters, National Public Radio, Bloomberg and The Daily Beast are among those to have stopped allowing the public to post their thoughts on their sites, in part because of the cost and effort required to vet them for obscene and potentially libellous content. The BBC restricts comments to a select number of its stories for the same reasons, but as a result many of them end up being complaints about the selection."
Google AI polices newspaper comments
BBC, 14 June 2017

"Officials from the United States, the United Kingdom, Canada, Australia and New Zealand will discuss next month plans to force tech companies to break encryption on their products. The so-called Five Eyes nations have a long-standing agreement to gather and share intelligence from across the globe. They will meet in Canada with a focus on how to prevent "terrorists and organized criminals" from "operating with impunity ungoverned digital spaces online," according to Australian prime minister Malcolm Turnbull. In the most forthright call yet from a national leader to break encryption, Turnbull told Parliament: "The privacy of a terrorist can never be more important than public safety – never." Turnbull's comments reflect a more vague but similar response from UK prime minister Theresa May earlier this week in which she said she was focused on "giving the police and the authorities the powers they need to keep our country safe." And the UK authorities have already put in a legislative placeholder for breaking encryption into Blighty's Investigatory Powers Act. Australia's administration is rather enamored with that new UK law, and hopes to implement it Down Under. The United States meanwhile has been having a long debate on the issue of encryption, with tech firms battling it out with law enforcement in both public and private. It is in the United States where the issue will ultimately be decided however, since the most widely used encrypted services – ranging from Apple's iPhone to Facebook's WhatsApp messaging – are developed and run by US companies. Even the UK's heavily criticized anti-encryption law recognizes that it may be powerless to enforce encryption breaking on products and services that come from overseas – and online that geographic boundary doesn't exist. The Five Eyes group is also going to have to decide how to deal with the mathematical realities of encryption. 
If companies are forced to insert a backdoor into their encryption products in order to make their contents accessible, there is nothing to stop a malicious third party from doing the same: you cannot wall off a vulnerability. Security experts have called the argument put forward by law enforcement and politicians – that they want access but don't want the bad guys to be able to do the same – "magical thinking." The Five Eyes group needs to reach a decision on how to answer the inherent conundrum of magical thinking. Europe, which has been making its own noises about anti-encryption legislation, needs to do the same. It is also possible of course that the vast and massively powerful spying machinery owned and run by the Five Eyes could be focused on cracking encryption. To isolate specific messages of concern and then throw all computing resources at them. Or, a third way could be for the security services from the five nations to oblige tech companies to develop a way to undermine specific devices – ie, create a piece of software that could be sent to an individual's phone that would allow spies direct access to the device and so enable them to bypass encryption protection. America's National Security Agency is already known to have developed software that uses undiscovered vulnerabilities in software to give itself access to people's phones. If you have full access to someone's phone (or other device), all the encryption in the world won't make a difference. Although some tech companies have been public in their determination not to introduce backdoors – such as Apple and its feud with the FBI, and Facebook's fight with the Brazilian authorities – it is notable that others have been silent or have called for compromise. Google, for example, has stayed out of the fray, while Microsoft has repeatedly implied it is open to a shared solution."
Five Eyes nations stare menacingly at tech biz and its encryption
The Register, 13 June 2017

"A former top spy agency official who was the target of a government leak investigation says the National Security Agency conducted blanket surveillance in Salt Lake City during the 2002 Winter Olympics, according to court documents. Ex-NSA official Thomas Drake wrote in a declaration released Friday that the agency collected and stored virtually all electronic communications going into or out of the Salt Lake area, including the contents of emails and text messages. "Officials in the NSA and FBI viewed the Salt Lake Olympics Field Op as a golden opportunity to bring together resources from both agencies to experiment with and fine tune a new scale of mass surveillance," Drake wrote. It comes as part of a lawsuit filed by attorney Rocky Anderson, who was the mayor of Salt Lake City during the Games held a few months after the Sept. 11, 2001, attacks. Anderson said the document was disclosed to the U.S. Department of Justice on Wednesday. Former CIA and NSA director Michael Hayden has denied in court documents that such a program existed. Hayden was NSA director from 1999 to 2005. Current NSA operations director Wayne Murphy said in court documents that NSA surveillance in Salt Lake City was limited to international communications in which at least one participant was reasonably believed to be associated with foreign terrorist groups. Drake disputed that statement, writing that he spoke with colleagues who worked on the operation and were concerned about its legality. He said he also saw documents showing surveillance equipment being directed to the Utah program.... Drake started working for the NSA in 2001 and blew the whistle on what he saw as a wasteful and invasive program. He was later prosecuted for keeping classified information. Most of the charges were dropped before trial in 2011, and he was sentenced to one year of probation."
Ex-spy says NSA did mass surveillance during Utah Olympics
Associated Press, 3 June 2017

"The first arrest using new facial recognition software has been made. South Wales Police has become the first force in the UK to use the equipment. The first arrest was made on Wednesday but it was not related to the Champions League final. Real-time cameras linked to facial recognition software will monitor people in and around the city centre. The images will be used to identify people who exist on pre-determined watch lists, usually used for terrorists and hooligans. It will also be used to monitor ticket touts. The force has also been given funding for a separate trial of software that enables them to cross reference CCTV images and other pictures with their database of 500,000 custody images. Police vehicles have been spotted around the city labelled as using "facial recognition"."
The first arrest using facial recognition software has been made
Wales Online, 2 June 2017

"A back door has been built into modems sent to customers of major internet service providers allowing the companies' staff to access settings and potentially create a security hole. The discovery alarmed a computer expert who contacted the Herald, saying the remote access could provide a pathway to the contents of people's computers by employees of the company. Vodafone is not the only major ISP with a "back door" into its modems - Spark has confirmed it also has built-in "remote access" in modems it supplies to customers. The companies say the ability for its staff to access modems remotely is a huge benefit to customers who might find it technically challenging. The expert - who won't be named - said he was astonished to discover the back door existed after his partner sought help from Vodafone while he was away from home.... Waikato University associate professor Ryan Ko - director of the New Zealand Institute for Security and Crime Science - said internet providers were already able to view anything sent to and from people's computers across the internet. He said the danger around remote access would come from a disgruntled worker at an internet provider and it was "high value targets" rather than the average user who would be at risk. "The whole thing exists on the fact you trust your ISP to keep their security up to speed. It all depends on trust.""
Internet providers have backdoor access to customers' modems
New Zealand Herald, 27 May 2017

"U.S. intelligence agencies conducted illegal surveillance on American citizens over a five-year period, a practice that earned them a sharp rebuke from a secret court that called the matter a “very serious” constitutional issue. The criticism is in a lengthy secret ruling that lays bare some of the frictions between the Foreign Intelligence Surveillance Court and U.S. intelligence agencies obligated to obtain the court’s approval for surveillance activities. The ruling, dated April 26 and bearing the label “top secret,” was obtained and published Thursday by the news site Circa. It is rare that such rulings see the light of day, and the lengthy unraveling of issues in the 99-page document opens a window on how the secret federal court oversees surveillance activities and seeks to curtail those that it deems overstep legal authority. The document, signed by Judge Rosemary M. Collyer, said the court had learned in a notice filed Oct. 26, 2016, that National Security Agency analysts had been conducting prohibited queries of databases “with much greater frequency than had previously been disclosed to the court.” It said a judge chastised the NSA’s inspector general and Office of Compliance for Operations for an “institutional ‘lack of candor’ ” for failing to inform the court. It described the matter as “a very serious Fourth Amendment issue.” The Fourth Amendment protects people from unreasonable searches and seizures by the government, and is a constitutional bedrock protection against intrusion. Parts of the ruling were redacted, including sections that give an indication of the extent of the illegal surveillance, which the NSA told the court in a Jan. 3 notice was partly the fault of “human error” and “system design issues” rather than intentional illegal searches. 
The NSA inspector general’s office tallied up the number of prohibited searches conducted in a three-month period in 2015, but the number of analysts who made the searches and the number of queries were blacked out in the ruling. The NSA gathers communications in ways known as “upstream” and “downstream” collection. Upstream collection occurs when data are captured as they move through massive data highways – the internet backbone – within the United States. Downstream collection occurs as data move outside the country along fiber optic cables and satellite links. Data captured from both upstream and downstream sources are stored in massive databases, available to be searched when analysts need to, often months or as much as two years after the captures took place. The prohibited searches the court mentioned involved NSA queries into the upstream databanks, which constitute a fraction of all the data NSA captures around the globe but are more likely to contain the emails and phone calls of people in the United States. Federal law empowers the NSA and CIA to battle foreign terrorist actions against the United States by collecting the electronic communications of targets believed to be outside the country. While communications of U.S. citizens or residents may get hoovered up in such sweeps, they are considered “incidental” and must be “minimized” – removing the identities of Americans – before broader distribution.""
Secret court rebukes NSA for 5-year illegal surveillance of U.S. citizens
McClatchy, 26 May 2017

"The National Security Agency under former President Barack Obama routinely violated American privacy protections while scouring through overseas intercepts and failed to disclose the extent of the problems until the final days before Donald Trump was elected president last fall, according to once top-secret documents that chronicle some of the most serious constitutional abuses to date by the U.S. intelligence community. More than 5 percent, or one out of every 20 searches seeking upstream Internet data on Americans inside the NSA’s so-called Section 702 database violated the safeguards Obama and his intelligence chiefs vowed to follow in 2011, according to one classified internal report reviewed by Circa. The Obama administration self-disclosed the problems at a closed-door hearing Oct. 26 before the Foreign Intelligence Surveillance Court that set off alarm. Trump was elected less than two weeks later. The normally supportive court censured administration officials, saying the failure to disclose the extent of the violations earlier amounted to an “institutional lack of candor” and that the improper searches constituted a “very serious Fourth Amendment issue,” according to a recently unsealed court document dated April 26, 2017. The admitted violations undercut one of the primary defenses that the intelligence community and Obama officials have used in recent weeks to justify their snooping into incidental NSA intercepts about Americans. Circa has reported that there was a three-fold increase in NSA data searches about Americans and a rise in the unmasking of U.S. person’s identities in intelligence reports after Obama loosened the privacy rules in 2011. Officials like former National Security Adviser Susan Rice have argued their activities were legal under the so-called minimization rule changes Obama made, and that the intelligence agencies were strictly monitored to avoid abuses.
The intelligence court and the NSA’s own internal watchdog found that not to be true. “Since 2011, NSA’s minimization procedures have prohibited use of U.S.-person identifiers to query the results of upstream Internet collections under Section 702,” the unsealed court ruling declared. “The Oct. 26, 2016 notice informed the court that NSA analysts had been conducting such queries in violation of that prohibition, with much greater frequency than had been previously disclosed to the Court.”...The American Civil Liberties Union said the newly disclosed violations are some of the most serious to ever be documented and strongly call into question the U.S. intelligence community’s ability to police itself and safeguard American’s privacy as guaranteed by the Constitution’s Fourth Amendment protections against unlawful search and seizure.... The NSA acknowledged it self-disclosed the mass violations to the court last fall and that in April it took the extraordinary step of suspending the type of searches that were violating the rules, even deleting prior collected data on Americans to avoid any further violations. “NSA will no longer collect certain internet communications that merely mention a foreign intelligence target,” the agency said in the statement that was dated April 28 and placed on its Web site without capturing much media or congressional attention. In question is the collection of what is known as upstream “about data” about an American that is collected even though they were not directly in contact with a foreigner that the NSA was legally allowed to intercept. The NSA said it doesn't have the ability to stop collecting ‘about’ information on Americans, “without losing some other important data.” It, however, said it would stop the practice to “reduce the chance that it would acquire communication of U.S.
persons or others who are not in direct contact with a foreign intelligence target.” Officials "explained that NSA query compliance is largely maintained through a series of manual checks" and had not "included the proper limiters" to prevent unlawful searches, the NSA internal watchdog reported in a top secret report in January that was just declassified. A new system is being developed now, officials said...The NSA’s Signal Intelligence Directorate, the nation’s main foreign surveillance arm, wrote a letter back to the IG saying it agreed with the findings and that “corrective action plans” are in the works.""
Obama intel agency secretly conducted illegal searches on Americans for years
Circa, 25 May 2017

"The government may use the deadly attack in Manchester to launch a crackdown on internet securities. Government officials appear to have briefed newspapers that they will put many of the most invasive parts of the relatively new Investigatory Powers Act into effect after the bombing at Manchester Arena. The specific powers being discussed – named Technical Capability Orders – require big technology and internet companies to break their own security so that messages can be read by intelligence agencies. Government will ask parliament to allow the use of those powers if Theresa May is re-elected, senior ministers told The Sun. “We will do this as soon as we can after the election, as long as we get back in," The Sun said it was told by a government minister. "The level of threat clearly proves there is no more time to waste now. “The social media companies have been laughing in our faces for too long."  The anonymous briefings to the paper come soon after the Conservatives launched their manifesto promising "regulation" on the internet. Those proposals included what appeared to be a reiteration of the government's plans to weaken security and encryption. Home secretary Amber Rudd appeared to attempt to limit the application of the powers, suggesting that security services already have the powers they need and that she wouldn't push for increased powers until further work had been done. Ms Rudd had previously suggested that the government will seek to dramatically weaken the encryption that apps like WhatsApp use to keep messages safe. There has been no suggestion yet that encryption, which keeps messages from being read by hackers, played any part in the attack. Neither has it been suggested that the extended powers would have prevented such an attack. Internet companies have repeatedly argued that the powers made possible under the Investigatory Powers Act will make everyone less safe. 
While building "backdoors" into security will mean that intelligence agencies can read messages, it will also mean that those messages can potentially be read by anyone else, too. Technology companies have told The Independent that it is still impossible to know whether it would be possible to legally comply with such orders. Weakening encryption in one country like the UK might lead the companies to be in breach of – and it still isn't clear whether the UK government could force them to break security across the world, as has been suggested."
Manchester attack could lead Theresa May's government to launch huge internet crackdown
Independent, 24 May 2017

"Your phone may be sending out ultrasonic tones right now. Sounds the human ear can't pick up, but which other devices can. A research team sponsored by the German government discovered more than 230 apps on Google's Android market that secretly tracked users through the use of ultrasonic audio. The so-called ultrasonic tracking beacons can help create intimate profiles of people, tying them to a slew of devices communicating with each other through the beacons. Here's how it works: Let's say your friend's smart TV uses the beacon, and you watch that TV. When a beacon from your phone meets the one from the TV, advertisers tied to both learn a bit more about you — and your friend. In a paper posted online by the researchers at Braunschweig University of Technology in Germany, the team wrote that they identified 234 Android apps "that are constantly listening for ultrasonic beacons in the background without the user's knowledge." Four out of 35 stores the team visited in two European cities use the ultrasonic beacons to track shoppers, as well. The researchers found coding from SilverPush, a San Francisco company that sells cross-device tracking software, on earlier versions of McDonald's and Krispy Kreme apps distributed in the Philippines, but "the functionality has already been removed by the developers," they said in an email to CBS News. Google confirmed to CBS News that the apps discovered by the researchers have all either been suspended or updated to meet the company's privacy policies. In order for the use of ultrasonic beacons to be permissible on Android devices, app developers have to disclose to users that the apps will be using their cellphone microphones for that purpose. While the use of ultrasonic beacons is not yet widespread, the paper notes that known instances of its use have grown from just six in April 2015, to the 234 identified by the German researchers. 
"Our findings strengthen our concerns that the deployment of ultrasonic tracking increases in the wild and therefore needs serious attention regarding its privacy consequences," the researchers wrote.""
Google removes apps that use ultrasonic frequencies to track users
CBS, 24 May 2017

"The majority of people in the UK are unaware of just how closely the government can monitor their online activities, a new report claims. 76 per cent of Brits are “completely unaware” of the highly controversial Investigatory Powers Act – also known as the Snooper’s Charter – which allows the government to see everything we do online, according to virtual private network comparison site BestVPN.com. 23 per cent were unable to name any of the 48 government bodies that have access to their full browsing history.... 33 per cent of respondents thought the government had no power to monitor online activities, and 59 per cent said they wouldn’t consent to the government or third parties viewing and monitoring their digital activities. However, 63 per cent of the 2,000 adults involved in the study, which was conducted in April, said they would only agree to being monitored in order to prevent criminal activity or a potential terrorist threat. “The public and parliamentary debate about the Investigatory Powers Act was overshadowed by Brexit so it is perhaps unsurprising that many people are not aware of the Government’s extreme surveillance powers,” Jim Killock, the executive director of Open Rights Group, told The Independent. “This has not been helped by the Home Office who recently carried out a ‘secret consultation’ into policies that could affect our privacy and security. “The British public need to be made aware that the UK government has extensive powers to monitor their online activity en masse without any prior suspicion.” Civil liberties group Liberty described the introduction of the measures as a “beacon for despots everywhere”. Theresa May is also planning to regulate the internet, allowing the government to decide what web users can post, share and publish online."
Snooper’s Charter: Majority of public unaware of government online surveillance
Independent, 23 May 2017

"The U.S. National Security Agency collected more than 151 million records of Americans' phone calls last year, even after Congress limited its ability to collect bulk phone records, according to an annual report issued on Tuesday by the top U.S. intelligence officer. The report from the office of Director of National Intelligence Dan Coats was the first measure of the effects of the 2015 USA Freedom Act, which limited the NSA to collecting phone records and contacts of people U.S. and allied intelligence agencies suspect may have ties to terrorism. It found that the NSA collected the 151 million records even though it had warrants from the secret Foreign Intelligence Surveillance court to spy on only 42 terrorism suspects in 2016, in addition to a handful identified the previous year. The NSA has been gathering a vast quantity of telephone "metadata," records of callers' and recipients' phone numbers and the times and durations of the calls - but not their content - since the September 11, 2001, attacks. The report came as Congress faced a decision on whether to reauthorize Section 702 of the Foreign Intelligence Surveillance Act (FISA), which permits the NSA to collect foreign intelligence information on non-U.S. persons outside the United States, and is scheduled to expire at the end of this year....Officials on Tuesday argued that the 151 million records collected last year were tiny compared with the number collected under procedures that were stopped after former NSA contractor Edward Snowden revealed the surveillance program in 2013."
NSA collected Americans' phone records despite law change: report
Reuters, 3 May 2017

"The "live" surveillance of British web users' internet communications has been proposed in a draft technical paper prepared by the government. If made law, such access would occur via the Investigatory Powers (IP) Act, which includes provisions for the removal of encryption on content. The paper was allegedly leaked to civil liberties body the Open Rights Group, which received the document on 4 May. The Home Office denied there was anything new in the consultation. Phone companies and internet service providers would be asked to provide "data in near real time" within one working day, according to one clause in the technical capabilities paper. Such access would need to be sanctioned by secretaries of state and a judge appointed by the prime minister. The paper also echoes the IP Act itself, noting that tech companies would be required to remove - or enable the removal - of encryption from communications as they would need to be provided "in an intelligible form" without "electronic protection". Cryptographers often describe such access as a "backdoor" in the security of communications services. The idea is controversial because some argue it could be exploited by hackers, endangering innocent users. Under the terms of the Investigatory Powers Act, telecoms firms would have to carry out the requirements of any notices to these effects in secret, so the public would be unaware that such access had been given. Simultaneous surveillance could occur in bulk, but be limited to one in every 10,000 users of a given service - a maximum of roughly 900 of BT's 9 million British broadband customers, for instance. A consultation about the paper - due to end on 19 May - is allegedly under way at the moment, though this was not publicly announced by the government. It does not have a legal obligation to notify the public about draft regulations, which would have to be passed by both Houses of Parliament in order to become law....
"It seems very clear that the Home Office intends to use these to remove end-to-end encryption - or more accurately to require tech companies to remove it," said Dr Cian Murphy, a legal expert at the University of Bristol who has criticised the scope of the IP act. "I do read the regulations as the Home Office wanting to be able to have near real-time access to web chat and other forms of communication," he told the BBC... Surveillance of some mobile phone user data in "as near real-time as possible" has already been available to law enforcement authorities for many years, noted Dr Steven Murdoch at University College London. The UK's Internet Service Providers' Association (Ispa), which represents BT, Sky, Virgin Media, TalkTalk and others, said it would be "consulting its members and submitting a response to the draft regulations"."
Investigatory Powers: 'Real-time surveillance' in draft update
BBC, 5 May 2017

"The U.S. National Security Agency said on Friday it had stopped a form of surveillance that allowed it to collect without a warrant the digital communications of Americans who mentioned a foreign intelligence target in their messages, marking an unexpected triumph for privacy advocates long critical of the practice. The decision to stop the once-secret activity, which involved messages sent to or received from people believed to be living overseas, came despite the insistence of U.S. officials in recent years that it was both lawful and vital to national security. The halt is among the most substantial changes to U.S. surveillance policy in years and comes as digital privacy remains a contentious issue across the globe following the 2013 disclosures of broad NSA spying activity by former intelligence contractor Edward Snowden. "NSA will no longer collect certain internet communications that merely mention a foreign intelligence target," the agency said in a statement. "Instead, NSA will limit such collection to internet communications that are sent directly to or from a foreign target." NSA also said it would delete the "vast majority" of internet data collected under the surveillance program "to further protect the privacy of U.S. person communications." The decision is an effort to remedy privacy compliance issues raised in 2011 by the Foreign Intelligence Surveillance Court, a secret tribunal that rules on the legality of intelligence operations, sources familiar with the matter said. The court recently approved the changes, NSA said in its statement. The NSA is not permitted to conduct surveillance within the United States. The so-called "about" collection went after messages that mentioned a surveillance target, even if the message was neither to nor from that person. That type of collection sometimes resulted in surveillance of emails, texts and other communications that were wholly domestic. 
The NSA will continue to collect communications directly involving intelligence targets. Friday's announcement came as a surprise to privacy advocates who have long argued that "about" collection was overly broad and ran afoul of the U.S. Constitution's protections against unreasonable searches."
U.S. spy agency abandons controversial surveillance technique
Reuters, 28 April 2017

"The UK has dropped two places on the World Press Freedom Index following the passing of the Investigatory Powers Act and threats to pursue journalists reporting on national security. The World Press Freedom Index for 2017 was published today by Reporters Without Borders (Reporters sans frontières), the Paris-based international non-profit NGO to promote and defend the freedom of the press, which has consultant status at the United Nations. Of 180 countries, the UK — the land of John Milton, who wrote Areopagitica* — has dropped to 40th, being pipped by France, Chile, and even South Africa. Despite the nation's Parliamentary history and cultural commitment to the freedom of speech, the UK has slipped further behind its neighbours who continue to populate the top spots, where Norway, Sweden, Finland, Denmark and the Netherlands occupy the top five positions respectively.... Among the issues with the UK's respect for press freedom was the Law Commission's plans to target journalists with a punitive new official secrets law, though these have stalled since The Register revealed the lack of process behind the proposals. Open Rights Group executive director Jim Killock responded to the rankings drop: "Extensive surveillance powers are threatening investigative journalism and freedom of expression in the UK. In just four years, the UK has fallen ten places in the World Press Freedom Index, a deeply worrying trend that needs to be addressed. "The government failed to protect journalists when it passed the Investigatory Powers Act. Now, the Law Commission has proposed to send them to prison if they so much as handle official data. This comes at a time when we must be able to hold the Government to account over its vast surveillance powers. Mass surveillance chills freedom of expression and undermines democracy.""
UK drops in World Press Freedom Index following surveillance and anti-espionage threats
The Register, 26 April 2017

"And new data suggests that these televisions are even more susceptible to attack than previously thought. While the recent Samsung Smart TV vulnerabilities exposed by Wikileaks (aka Weeping Angel) required an in-person delivery of a malicious payload via USB drive, more distant, remote attacks are unsurprisingly also a problem. Rafael Scheel, a security researcher working for Swiss cyber security consulting company Oneconsult, recently revealed that around 90% of smart televisions are vulnerable to a remote attack using rogue DVB-T (Digital Video Broadcasting - Terrestrial) signals. This attack leans heavily on Hybrid Broadcast Broadband TV (HbbTV), an industry standard supported by most cable companies and set top manufacturers that helps integrate classic broadcast, IPTV, and broadband delivery systems."
Researcher: 90% Of 'Smart' TVs Can Be Compromised Remotely
Techdirt, 7 April 2017

"Security researchers at Google and Lookout have discovered an extremely sophisticated Android app capable of spying on users by hacking their smartphones' camera and microphone, as well as tracking calls, messages, internet history and more. Called Chrysaor, the spyware seems to be linked to Pegasus, a notorious program that was found to be targeting iPhone users in 2016 and is suspected of having been created by Israeli firm NSO Group Technologies. Google and Lookout announced the discovery of the spyware last week. The app, which was not available for download from Google Play, has already been detected on 36 devices, most of which were owned by people living in Israel. “To install Chrysaor, we believe an attacker coaxed specifically targeted individuals to download the malicious software onto their device,” said Google. “Once Chrysaor is installed, a remote operator is able to surveil the victim’s activities on the device and within the vicinity, leveraging microphone, camera, data collection, and logging and tracking application activities on communication apps such as phone and SMS.” Other countries to have found infected devices are Georgia, Mexico, Turkey, Kenya and others. NSO Group Technologies has previously been accused of developing Smartphone hacking software and selling them to spy agencies across the globe, as they allegedly did with Pegasus."
Google discovers 'Israeli' spy app designed to hack smartphones
Ynetnews, 7 April 2017

"Julian Assange's WikiLeaks website has released the source code for what it says is a malware obfuscation tool used by the CIA, as part of its Vault 7 information leaks. According to the documentation for the Marble Framework published by WikiLeaks, it is "designed to allow for flexible and easy-to-use obfuscation when developing tools". The obfuscation is done to avoid anyone attributing the malware to the CIA. "When signaturing tools, string obfuscation algorithms (especially those that are unique) are often used to link malware to a specific developer or development shop," the documentation states. Announcing the release of the Marble data, WikiLeaks claimed "thousands of CIA viruses and hacking attacks can now be attributed". Obfuscation of strings and data in malware can be done using the Marble algorithms, which can be randomly selected by the tool. The CIA suite also includes a de-obfuscator that restores scrambled files to their original, clean states. Marble tools such as Warble can add languages such as Arabic, Russian, Chinese, Korean and Farsi to the malware, as part of the agency's anti-forensic effort... The documentation for the Marble Framework is marked as SECRET/NOFORN, the second highest security classification used by the CIA, which prohibits access by foreign nationals."
WikiLeaks dumps CIA malware obfuscation code
ITnews, 3 April 2017

Wikileaks releases code that could unmask CIA hacking operations

"WikiLeaks released the third tranche of its leaked CIA documents trove on Friday, which in this episode focuses on anti-forensics tools.....Episode three brings the release of source-code files for the CIA's secret anti-forensic Marble Framework. The technology is designed to make the CIA's malware harder for security researchers at antivirus firms to analyse, thus hampering attribution. It does this by hiding ("obfuscating") text fragments..... One feature in Marble stands out. It creates a means for virus writers to pretend that the malware was created by a speaker of a range of foreign languages (Chinese, Russian, Korean, Arabic and Farsi)... WikiLeaks suggests that this tech would allow the real-life equivalent of American Dad's Stan Smith to trick security researchers into thinking they were, for example, Chinese PLA. "The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, but there are other possibilities, such as hiding fake error messages.""
WikiLeaks exposes CIA anti-forensics tool that makes Uncle Sam seem fluent in enemy tongues
The Register, 31 March 2017

"For years, the development of real-time face recognition has been hampered by poor video resolution, the angles of bodies in motion, and limited computing power. But as systems begin to transcend these technical barriers, they are also outpacing the development of policies to constrain them. Civil liberties advocates fear that the rise of real-time face recognition alongside the growing number of police body cameras creates the conditions for a perfect storm of mass surveillance. “The main concern is that we’re already pretty far along in terms of having this real-time technology, and we already have the cameras,” said Jake Laperruque, a fellow at the Constitution Project. “These cameras are small, hard to notice, and all over the place. That’s a pretty lethal combination for privacy unless we have reasonable rules on how they can be used together.” This imminent reality has led several civil liberties groups to call on police departments and legislators to implement clear policies on camera footage retention, biometrics, and privacy. On Wednesday morning, the House Oversight Committee held a hearing on law enforcement’s use of facial recognition technology, where advocates emphasized the dangers of allowing advancements in real-time recognition to broaden surveillance powers. As Alvaro Bedoya, executive director of the Center on Privacy and Technology at Georgetown Law, told Congress, pairing the technology with body cameras, in particular, “will redefine the nature of public spaces.”.... At least five U.S. police departments, including those in Los Angeles and New York, have already purchased or looked into purchasing real-time face recognition for their CCTV cameras, according to a study of face recognition technology published by Bedoya and other researchers at Georgetown. Bedoya emphasized that it’s only a matter of time until the nation’s body-worn cameras will be hooked up to real-time systems.
With 6,000 of the country’s 18,000 police agencies estimated to be using body cameras, the pairing would translate into hundreds of thousands of new, mobile surveillance cameras....Civil liberties experts warn that just walking down the street in a major urban center could turn into an automatic law enforcement interaction. With the ability to glean information at a distance, officers would not need to justify a particular interaction or find probable cause for a search, stop, or frisk. Instead, everybody walking past a given officer on his patrol could be subject to a “perpetual line-up,” as the Georgetown study put it. In Ferguson, Missouri, where a Justice Department investigation showed that more than three-quarters of the population had outstanding warrants, real-time face searches could give police immense power to essentially arrest individuals at will. And in a city like New York, which has over 100 officers per square mile and plans to equip each one of them with body cameras by 2019, the privacy implications of turning every beat cop into a surveillance camera are enormous..... Civil rights groups concur that tracking individuals caught on body cameras — either live or using archival footage — could put a chill on First Amendment-protected activities. “Are you going to go to a gun rights rally or a protest against the president, for that matter, if the government can secretly scan your face and identify you?” Bedoya asked the House Committee in his testimony on Wednesday....The databases, too, have already been built. Georgetown researchers estimated that one in every two faces of adults in the United States — many of whom have never committed a crime — are captured in searchable federal, state, or local databases."
Real-Time Face Recognition Threatens to Turn Cops’ Body Cameras Into Surveillance Machines
The Intercept, 22 March 2017

"A GRIM year for American spy agencies took a turn for the worse with the leaking, on March 7th, of what appeared to be a lengthy, detailed catalogue of the CIA's secret hacking tools for turning computers, internet routers, telephones and even web-enabled televisions into remote spying devices, and for bypassing encrypted messaging services by penetrating individual Apple and Android smartphones. The WikiLeaks anti-secrecy organisation posted nearly 9,000 documents and files dated 2013-16 in what it said was a first taste of a 'vault' of CIA secrets. WikiLeaks claimed that the archive was provided by a former American government hacker or contractor eager to 'initiate a public debate' about the security and democratic control of cyber-weapons, viruses and malware. The group said it had redacted computer code that could be used to launch attacks, pending such a debate....The FBI will now hunt for moles and leakers. The CIA must patch up its systems and meanwhile brace itself for fresh disclosures. That would be bad enough, but trust is low between those agencies and close supporters of Mr Trump, who charge intelligence services with acting as a 'deep state' disloyal to the president."
WikiLeaks embarrasses the CIA
Economist, 11 March 2017

"The fallout from WikiLeaks' disclosure of alleged CIA hacking secrets stretched around the world Thursday, as Chinese officials accused the U.S. of 'stealing secrets' and German prosecutors continued to investigate claims about a major American cyber-spying base in Frankfurt. While stateside investigators hunted the source of the leaks -- a trove of more than 8,000 documents that WikiLeaks claims is the 'entire hacking capacity of the CIA' -- foreign officials were examining what the release revealed about the CIA's interests abroad. Routers produced by Chinese companies Huawei and ZTE were named as devices targeted by CIA hackers, Reuters reported, prompting a rebuke from Beijing.....Thousands of miles away, federal prosecutors in Germany were looking into WikiLeaks-derived allegations that the CIA operated a hacking hub out of the U.S. Consulate in Frankfurt. 'We will initiate an investigation if we see evidence of concrete criminal acts or specific perpetrators,' a spokesman for the prosecutor's office told Reuters. 'We're looking at it very carefully.' The probe may not end at Germany's border. In a release explaining its document dump on Tuesday, WikiLeaks noted that 'once in Frankfurt CIA hackers can travel without further border checks to the 25 European countries that are part of the Schengen open border area -- including France, Italy and Switzerland.' The Frankfurt allegations represent the second awkward disclosure this decade regarding possible U.S. spying on its European ally. A previous WikiLeaks release showed the NSA had snooped on Chancellor Angela Merkel's government in 2011. One of the more startling revelations divulged by WikiLeaks is an alleged CIA ability to turn Samsung smart televisions into microphones, technology the anti-secrecy website says was developed in tandem with Britain's intelligence services.
South Korea-based Samsung released a statement Wednesday saying it was 'urgently looking into the matter.' WikiLeaks said its Tuesday release was less than 1 percent of the total documents it possesses and set a press conference for later Thursday morning to respond to the alleged CIA leak."
WikiLeaks CIA disclosure fallout is worldwide as agency does damage control
Fox News, 9 March 2017

"The latest revelations about the U.S. government’s powerful hacking tools potentially takes surveillance right into the homes and hip pockets of billions of users worldwide, showing how a remarkable variety of everyday devices can be turned to spy on their owners. Televisions, smartphones and even anti-virus software are all vulnerable to CIA hacking, according to the WikiLeaks documents released Tuesday. The capabilities described include recording the sounds, images and the private text messages of users, even when they resort to encrypted apps to communicate. While many of the attack technologies had been previously discussed at cybersecurity conferences, experts were startled to see evidence that the CIA had turned so many theoretical vulnerabilities into functioning attack tools against staples of modern life. These include widely used Internet routers, smartphones, and Mac and Windows computers. In the case of a tool called “Weeping Angel” for attacking Samsung SmartTVs, WikiLeaks wrote, “After infestation, Weeping Angel places the target TV in a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on. In ‘Fake-Off’ mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.” The CIA reportedly also has studied whether it could infect vehicle control systems for cars and trucks, which WikiLeaks alleged could be used to conduct “nearly undetectable assassinations.” And a specialized CIA unit called the Mobile Devices Branch produced malware to control and steal information from iPhones, which according to WikiLeaks were a particular focus because of the smartphone’s popularity “among social, political, diplomatic and business elites.” The agency also targeted popular phones running Google’s Android, the world’s leading mobile operating system....By targeting devices, the CIA reportedly gains access to even well-encrypted communications, on such popular apps as Signal and
WhatsApp, without having to crack the encryption itself. The WikiLeaks reports acknowledged that difference by saying the CIA had found ways to “bypass,” as opposed to defeat, encryption technologies....The WikiLeaks revelations also will serve as a reminder that, for whatever the political backlash to revelations about digital spying, it is not going away and probably will continue to grow. Aside from the United States, many other advanced nations such as China, Russia, Britain and Israel have extremely sophisticated tools for digital spying. Less advanced nations have gained access to powerful online spying technology through a robust and lightly regulated industry of surveillance contractors based throughout the world. On Tuesday, resignation and frustration rippled through Silicon Valley as technologists grappled with revelations of yet another U.S. government attempt to exploit their systems. And cybersecurity experts reacted with alarm. “This is explosive,” said Jake Williams, founder of Rendition Infosec, a cybersecurity firm. The material highlights specific anti-virus products that can be defeated, going further than a release of NSA hacking tools last year, he said. The WikiLeaks release revealed that the CIA has sophisticated “stealth” capabilities that enable hackers not only to infiltrate systems, but evade detection, as well as abilities to move inside a system freely as if they owned it."
WikiLeaks: The CIA is using popular TVs, smartphones and cars to spy on their owners
Washington Post, 7 March 2017

"WikiLeaks published thousands of secret CIA files on Tuesday detailing hacking tools the government employs to break into users' computers, mobile phones and even smart TVs. Some companies that manufacture smart TVs include Apple, Google, Microsoft and Samsung. The documents describe clandestine methods for bypassing or defeating encryption, antivirus tools and other protective security features intended to keep the private information of citizens and corporations safe from prying eyes. U.S. government employees, including President Trump, use many of the same products and internet services purportedly compromised by the tools."
WikiLeaks posts trove of CIA documents detailing mass hacking
CBS, 7 March 2017

"'This is CIA's Edward Snowden,' former CIA acting director Michael Morrell told CBS News Justice correspondent Jeff Pegues, referring to the former National Security Agency contractor who leaked millions of documents in 2013. The files include comments by CIA hackers boasting in slang language of their prowess. 'You know we got the dankest Trojans and collection tools,' one reads. The documents show broad exchanges of tools and information among the CIA, NSA and other U.S. intelligence agencies, as well as intelligence services of close allies Australia, Canada, New Zealand and the United Kingdom. WikiLeaks claimed the CIA used both its Langley, Virginia, headquarters and the U.S. consulate in Frankfurt, Germany, as bases for its covert hackers. The AP found that one purported CIA hack that imitates the Domain Name System -- the internet's phone book -- traced to an internet domain hosted in Germany. Tuesday's documents, purported to be from the CIA's 'Embedded Development Branch,' discuss techniques for injecting malicious code into computers protected by the personal security products of leading international anti-virus companies. They describe ways to trick anti-virus products from companies including Russia-based Kaspersky Lab, Romania-based BitDefender, Dutch-based AVG Technologies, F-Secure of Finland and Rising Antivirus, a Chinese company. In the new trove, programmers also posted instructions for how to access user names and passwords in popular internet browsers. Those browsers include Microsoft Internet Explorer, Google Chrome and Mozilla Firefox. Under a list of references in one exchange, users were advised that 'the following may be low traffic sites, sites in which it might be a good idea to disable JavaScript, etc,' referring to a widely used internet programming language. 'Remember, practice safe browsing, kidz!' they were told. Some documents were classified 'secret' or 'top secret' and not for distribution to foreign nationals.
One file said those classifications would protect deployed hacks from being 'attributed' to the U.S. government. The practice of attribution, or identifying who was behind an intrusion, has been difficult for investigators probing sophisticated hacks that likely came from powerful nation-states."
WikiLeaks Publishes Secret Files Allegedly Revealing CIA’s Hacking Methods
CBS, 7 March 2017

"WikiLeaks on Tuesday released thousands of documents that it said described sophisticated software tools used by the Central Intelligence Agency to break into smart phones, computers and even Internet-connected televisions. If the documents are authentic, as appeared likely at first review, the release would be the latest coup for the anti-secrecy organization and a serious blow to the C.I.A., which maintains its own hacking capabilities to be used for espionage. The initial release, which WikiLeaks said was only the first part of the document collection, included 7,818 web pages with 943 attachments, the group said. The entire archive of C.I.A. material consists of several hundred million lines of computer code, it said. Among other disclosures that, if confirmed, will rock the tech world, the WikiLeaks release said that the C.I.A. and allied intelligence services had managed to bypass encryption on popular phone and messaging services such as Signal, WhatsApp and Telegram. According to the statement from WikiLeaks, government hackers can penetrate Android phones and collect 'audio and message traffic before encryption is applied.' The source of the documents was not named. WikiLeaks said the documents, which it called Vault 7, had been 'circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.' WikiLeaks said the source, in a statement, set out policy questions that 'urgently need to be debated in public, including whether the C.I.A.'s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency.' The source, the group said, 'wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.'
The documents, from the C.I.A.'s Center for Cyber Intelligence, are dated from 2013 to 2016 and WikiLeaks described them as 'the largest ever publication of confidential documents on the agency.' One former intelligence officer who briefly reviewed the documents on Tuesday morning said some of the code names for C.I.A. programs, an organization chart and the description of a C.I.A. hacking base appeared to be genuine."
WikiLeaks Releases Trove of Alleged C.I.A. Hacking Documents
New York Times, 7 March 2017

"Wikileaks has published details of what it says are wide-ranging hacking tools used by the CIA. The alleged cyber-weapons are said to include malware that targets Windows, Android, iOS, OSX and Linux computers as well as internet routers. Some of the software is reported to have been developed in-house, but the UK's MI5 agency is said to have helped build a spyware attack for Samsung TVs. A spokesman for the CIA would not confirm the details. "We do not comment on the authenticity or content of purported intelligence documents," he said. A spokesman for the UK Home Office was unable to comment. Wikileaks said that its source had shared the details with it to prompt a debate into whether the CIA's hacking capabilities had exceeded its mandated powers. The NSA faced huge embarrassment when many of its secrets were revealed by Edward Snowden, and now the CIA appears to face similar problems, the BBC's security correspondent Gordon Corera said. The effort to compromise Samsung's F8000 range of smart TVs was codenamed Weeping Angel, according to documents dated June 2014. They describe the creation of a "fake-off" mode, designed to fool users into believing that their screens had been switched off. Instead, the documents indicate, infected sets were made to covertly record audio, which would later be transferred over the internet to CIA computer servers once the TVs were fully switched back on, allowing their wi-fi links to re-establish. Under a "future work" section, it is suggested that video snapshots might also be taken and the wi-fi limitation be overcome. Samsung has not commented on the allegations. Wikileaks also claims that as of last year, the CIA has built up an arsenal of 24 Android "zero days" - the term given to previously unknown security flaws in code. Some of these are said to have been discovered by the CIA, but others were allegedly obtained from the UK's GCHQ agency as well as the NSA and unnamed third-parties.
Devices made by Samsung, HTC and Sony, among others, were said to have been compromised as a result, allowing the CIA to read messages on Whatsapp, Signal, Telegram and Weibo among other chat services. It is also claimed that a specialised CIA unit was set up to target iPhones and iPads, allowing the agency to see a target's location, activate their device's camera and microphone, and read text communications. The unit is also reported to have made use of further OS "zero days" obtained from GCHQ, the NSA and FBI. "It is longstanding policy that we do not comment on intelligence matters," GCHQ told the BBC. "Furthermore, all of GCHQ's work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate." Other claims say the CIA:
* was trying to find ways to infect vehicles' computer control systems. Wikileaks claims these might have been used for undetectable assassinations
* had found ways to infect "air-gapped" computers - machines that are not linked up to the internet or other insecure networks. Methods are said to have included hiding data in images or hidden parts of computer storage
* had developed attacks against popular anti-virus products
* had built up a library of hacking techniques "stolen" from malware developed in Russia and elsewhere
Wikileaks describes its release as the first in a series of planned leaks about the CIA's cyber-activities, which it refers to as Vault 7. It added that the material had already circulated among hackers who used to work for the US government as well as contractors in an unauthorised manner."
Wikileaks: CIA has tools to snoop via TVs
BBC, 7 March 2017

"WikiLeaks has published a huge trove of what appear to be CIA spying secrets. The files are the most comprehensive release of US spying files ever made public, according to Julian Assange. In all, there are 8,761 documents that account for "the entire hacking capacity of the CIA", Mr Assange claimed in a release, and the trove is just the first of a series of "Vault 7" leaks. Already, the files include far more pages than the Snowden files that exposed the vast hacking power of the NSA and other agencies. In publishing the documents, WikiLeaks had ensured that the CIA had "lost control of its arsenal", he claimed. That included a range of software and exploits that if real could allow unparalleled control of computers around the world. It includes software that could allow people to take control of the most popular consumer electronics products used today, claimed WikiLeaks. "'Year Zero' introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products, include Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones," the organisation said in a release. The public files don't include the cyber weapons themselves, according to a statement. The organisation will refrain from distributing "armed" software "until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should analyzed, disarmed and published", it said. The files were made available by a source who intended for them to start a conversation about whether the CIA had gained too much power, according to the organisation.
"In a statement to WikiLeaks the source details policy questions that they say urgently need to be debated in public, including whether the CIA's hacking capabilities exceed its mandated powers and the problem of public oversight of the agency," a release read. "The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons." It also redacts the details of some of the names, locations and targets that are identified in the documents."
WikiLeaks publishes massive trove of CIA spying files in 'Vault 7' release
Independent, 7 March 2017

"A hacker has created a rather terrifying smart box shaped just like a mobile phone charger, which can keep tabs on you and surreptitiously steal your data....The KeySweeper will sniff-out keystrokes as they're typed, as well as being able to home in on specific data – for instance, if you type in particular web addresses (such as Paypal.com), the KeySweeper knows that the next thing you type is likely to be a user name and password. The evil little bugger then earmarks the data for later analysis. The info can be stored on the KeySweeper itself and then extracted via USB, or even sent directly to the person spying via SMS. Thankfully these devices aren't capable of sniffing data from every wireless keyboard. The main types which are vulnerable are ones which still utilise 2.4GHz wireless rather than Bluetooth, such as Microsoft's wireless keyboards. While Microsoft claims that it hasn't produced keyboards using this connection method since 2011, Kamkar released a statement suggesting that people may still not be protected from potential surveillance."
The terrifying 'phone charger' that can steal your passwords
Recombu, 15 January 2015

"The BBC has voiced dismay over alleged German spying on foreign journalists, including some working for the BBC. Germany's foreign intelligence service BND spied on media e-mails, faxes and phone calls, including more than a dozen BBC numbers in London and Afghanistan, Spiegel news reported. The surveillance, which began in 1999, also extended to Reuters news agency and the New York Times, it is alleged."
BBC dismayed at German 'BND spying on journalists'
BBC, 24 February 2017

"A few hours after dark one evening earlier this month, a small quadcopter drone lifted off from the parking lot of Ben-Gurion University in Beersheba, Israel. It soon trained its built-in camera on its target, a desktop computer's tiny blinking light inside a third-floor office nearby. The pinpoint flickers, emitting from the LED hard drive indicator that lights up intermittently on practically every modern Windows machine, would hardly arouse the suspicions of anyone working in the office after hours. But in fact, that LED was silently winking out an optical stream of the computer’s secrets to the camera floating outside. That data-stealing drone, shown in the video below, works as a Mr. Robot-style demonstration of a very real espionage technique. A group of researchers at Ben-Gurion's cybersecurity lab has devised a method to defeat the security protection known as an “air gap,” the safeguard of separating highly sensitive computer systems from the internet to quarantine them from hackers. If an attacker can plant malware on one of those systems—say, by paying an insider to infect it via USB or SD card—this approach offers a new way to rapidly pull secrets out of that isolated machine. Every blink of its hard drive LED indicator can spill sensitive information to any spy with a line of sight to the target computer, whether from a drone outside the window or a telescopic lens from the next roof over. "If an attacker has a foothold in your air-gapped system, the malware still can send the data out to the attacker," says Ben-Gurion researcher Mordechai Guri, who has spent years focusing on finding techniques for ferreting data out of isolated computer systems. "We found that the small hard drive indicator LED can be controlled at up to 6,000 blinks per second. We can transmit data in a very fast way at a very long distance." An air gap, in computer security, is sometimes seen as an impenetrable defense.
Hackers can't compromise a computer that's not connected to the internet or other internet-connected machines, the logic goes. But malware like Stuxnet and the Agent.btz worm that infected American military systems a decade ago have proven that air gaps can't entirely keep motivated hackers out of ultra-secret systems—even isolated systems need code updates and new data, opening them to attackers with physical access. And once an air-gapped system is infected, researchers have demonstrated a grab bag of methods for extracting information from them despite their lack of an internet connection, from electromagnetic emanations to acoustic and heat signaling techniques—many developed by the same Ben-Gurion researchers who generated the new LED-spying trick. But exploiting the computer's hard drive indicator LED has the potential to be a stealthier, higher-bandwidth, and longer-distance form of air-gap-hopping communications. By transmitting data from a computer's hard drive LED with a kind of morse-code-like patterns of on and off signals, the researchers found they could move data as fast as 4,000 bits a second, or close to a megabyte every half hour. That may not sound like much, but it's fast enough to steal an encryption key in seconds. And the recipient could record those optical messages to decode them later; the malware could even replay its blinks on a loop, Guri says, to ensure that no part of the transmission goes unseen. The technique also isn't as limited in range as other clever systems that transmit electromagnetic signals or ultrasonic noises from speakers or a computer's fans. And compared to other optical techniques that use the computer's screen or keyboard light to secretly transmit information, the hard-drive LED indicator—which blinks anytime a program accesses the hard drive—routinely flashes even when a computer is asleep. Any malware that merely gains the ability of a normal user, rather than deeper administrative privileges, can manipulate it. 
The team used a Linux computer for their testing, but the effects should be the same on a Windows device. "The LED is always blinking as it's doing searching and indexing, so no one suspects, even in the night," says Guri. "It’s very covert, actually."....The good news, however, for anyone security-sensitive enough to worry about the researchers' attack—and anyone who air gaps their computers may be just that sensitive—is that the Ben Gurion researchers point to clear countermeasures to block their hard drive LED exfiltration method. They suggest keeping air-gapped machines in secure rooms away from windows, or placing film over a building's glass designed to mask light flashes. They also note that protective software on a target machine could randomly access the hard drive to create noise and jam any attempt to send a message from the computer's LED. But the simplest countermeasure by far is simply to cover the computer's LED itself. Once, a piece of tape over a laptop's webcam was a sign of paranoia. Soon, a piece of tape obscuring a computer's hard drive LED may be the real hallmark of someone who imagines a spy drone at every window."
Malware Lets a Drone Steal Data by Watching a Computer’s Blinking LED
Wired, 22 February 2017

"Samsung has confirmed that its "smart TV" sets are listening to customers' every word, and the company is warning customers not to speak about personal information while near the TV sets. The company revealed that the voice activation feature on its smart TVs will capture all nearby conversations. The TV sets can share the information, including sensitive data, with Samsung as well as third-party services. The news comes after Shane Harris at The Daily Beast pointed out a troubling line in Samsung's privacy policy: "Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party." Samsung has now issued a new statement clarifying how the voice activation feature works. "If a consumer consents and uses the voice recognition feature, voice data is provided to a third party during a requested voice command search," Samsung said in a statement. "At that time, the voice data is sent to a server, which searches for the requested content then returns the desired content to the TV." The company added that it does not retain or sell the voice data, but it didn't name the third party that translates users' speech."
Samsung warns customers not to discuss personal information in front of smart TVs
The Week, 9 February 2015

"Judges have ruled that Cleveland police acted unlawfully when they monitored journalists’ phones in an attempt to uncover the source of a series of leaks. The police force used powers under the Regulation of Investigatory Powers Act (Ripa) to seize records of calls totalling more than 1m minutes from three journalists, a solicitor and two police officers after details of internal grievances appeared in the Northern Echo in 2012. Having initially maintained that the data collection was justified, this month the force apologised for its actions after hearing evidence given to an investigatory powers tribunal late last year.... Ripa can be used to check data from phones and other devices to discover evidence of crimes where there is a reasonable chance of prosecution. The tribunal judges decided the decision to access the records was based on a “subjective belief” and that targeting the journalists and a solicitor was always unlikely to be justified.... The application for phone data was made in part to uncover the identity of a whistleblower who passed the Northern Echo an internal report that had uncovered elements of institutional racism in the force. The paper ran the story on its front page in 2012. Tuesday’s judgment says police should have considered that their actions were an infringement of the right to freedom of speech when they accessed data from the personal and work phones of reporters at the paper.... The judgment has been sent to the Independent Police Complaints Commission and the chief inspector of constabulary, Sir Thomas Winsor, for their consideration. Andy Richardson, the editor of the Northern Echo, told the journalism trade website Hold the Front Page that he was delighted to see the law come down on the side of reporters who were trying to expose matters of public interest “rather than police officers who were attempting to stifle the truth”."
UK police force's monitoring of reporters' phones ruled unlawful
Guardian, 31 January 2017

"The inventor behind James Bond's ingenious gadgets, codenamed "Q" in the spy films, exists in reality and is actually a woman, the head of Britain's MI6 espionage agency has said. "The real-life Q is looking forward to meeting you, and I'm pleased to report that the real-life Q is a woman," Alex Younger said at a women's technology awards ceremony this week in London. Q, the head of gadgets at foreign intelligence service MI6, has always been played by a man in the Bond series, though the inventor's boss, "M," was played by Judi Dench from 1995 to 2015. Younger, known as "C," also revealed that the devices used by his operatives were much more sophisticated than those dreamt up by Q. "The gadgets that we employ -- or operational technology as we more properly call it -- probably defy the imagination of spy writers," he said. "Technology now is at the core of what we do in a way that it wasn't before.""
Real-life 'Q' is a woman, British spy chief reveals
AFP, 28 January 2017

"The National Security Agency has implanted software in nearly 100,000 computers around the world that allows the United States to conduct surveillance on those machines and can also create a digital highway for launching cyberattacks. While most of the software is inserted by gaining access to computer networks, the N.S.A. has increasingly made use of a secret technology that enables it to enter and alter data in computers even if they are not connected to the Internet, according to N.S.A. documents, computer experts and American officials. The technology, which the agency has used since at least 2008, relies on a covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into the computers. In some cases, they are sent to a briefcase-size relay station that intelligence agencies can set up miles away from the target. The radio frequency technology has helped solve one of the biggest problems facing American intelligence agencies for years: getting into computers that adversaries, and some American partners, have tried to make impervious to spying or cyberattack. In most cases, the radio frequency hardware must be physically inserted by a spy, a manufacturer or an unwitting user. The N.S.A. calls its efforts more an act of “active defense” against foreign cyberattacks than a tool to go on the offensive. But when Chinese attackers place similar software on the computer systems of American companies or government agencies, American officials have protested, often at the presidential level. Among the most frequent targets of the N.S.A. and its Pentagon partner, United States Cyber Command, have been units of the Chinese Army, which the United States has accused of launching regular digital probes and attacks on American industrial and military targets, usually to steal secrets or intellectual property. 
But the program, code-named Quantum, has also been successful in inserting software into Russian military networks and systems used by the Mexican police and drug cartels, trade institutions inside the European Union, and sometime partners against terrorism like Saudi Arabia, India and Pakistan, according to officials and an N.S.A. map that indicates sites of what the agency calls “computer network exploitation.” “What’s new here is the scale and the sophistication of the intelligence agency’s ability to get into computers and networks to which no one has ever had access before,” said James Andrew Lewis, the cybersecurity expert at the Center for Strategic and International Studies in Washington. “Some of these capabilities have been around for a while, but the combination of learning how to penetrate systems to insert software and learning how to do that using radio frequencies has given the U.S. a window it’s never had before.”"
N.S.A. Devises Radio Pathway Into Computers
New York Times, 14 January 2017

"In its final days, the Obama administration has expanded the power of the National Security Agency to share globally intercepted personal communications with the government’s 16 other intelligence agencies before applying privacy protections. The new rules significantly relax longstanding limits on what the N.S.A. may do with the information gathered by its most powerful surveillance operations, which are largely unregulated by American wiretapping laws. These include collecting satellite transmissions, phone calls and emails that cross network switches abroad, and messages between people abroad that cross domestic network switches. The change means that far more officials will be searching through raw data. Essentially, the government is reducing the risk that the N.S.A. will fail to recognize that a piece of information would be valuable to another agency, but increasing the risk that officials will see private information about innocent people. Attorney General Loretta E. Lynch signed the new rules, permitting the N.S.A. to disseminate “raw signals intelligence information,” on Jan. 3, after the director of national intelligence, James R. Clapper Jr., signed them on Dec. 15, according to a 23-page, largely declassified copy of the procedures. Previously, the N.S.A. filtered information before sharing intercepted communications with another agency, like the C.I.A. or the intelligence branches of the F.B.I. and the Drug Enforcement Administration. The N.S.A.’s analysts passed on only information they deemed pertinent, screening out the identities of innocent people and irrelevant personal information. Now, other intelligence agencies will be able to search directly through raw repositories of communications intercepted by the N.S.A. and then apply such rules for “minimizing” privacy intrusions. “This is not expanding the substantive ability of law enforcement to get access to signals intelligence,” said Robert S. Litt, the general counsel to Mr. Clapper. 
“It is simply widening the aperture for a larger number of analysts, who will be bound by the existing rules.” But Patrick Toomey, a lawyer for the American Civil Liberties Union, called the move an erosion of rules intended to protect the privacy of Americans when their messages are caught by the N.S.A.’s powerful global collection methods. He noted that domestic internet data was often routed or stored abroad, where it may get vacuumed up without court oversight.... The limits on using Americans’ information gathered under Order 12333 do not apply to metadata: logs showing who contacted whom, but not what they said. Analysts at the intelligence agencies may study social links between people, in search of hidden associates of known suspects, “without regard to the location or nationality of the communicants.”"
N.S.A. Gets More Latitude to Share Intercepted Communications
New York Times, 12 January 2017

"Facebook currently provides a staggering 29,000 individual categories to its advertisers. These allow advertisers to drill down and target specific groups amongst the 1.79 billion monthly active users. Of those 29,000 categories, Facebook says 600 come from third-party data providers. According to the research conducted by ProPublica, the majority of this data from commercial data brokers is financial. It allows advertisers to single out Facebook users in categories including "total liquid investible assets $1 - $24,999", "people in households that have an estimated household income of between $100K and $125K", or even "individuals that are frequent transactor at lower cost department or dollar stores". Regardless of whether you've ever posted a status, photo or liked a brand on your social media feed relating to your preference for lower cost department stores – Facebook knows. The world's most popular social network, founded by Mark Zuckerberg back in 2004, works with six data collection firms in the US – Acxiom, Epsilon, Experian, Oracle Data Cloud, TransUnion and WPP. "They are not being honest," Jeffrey Chester, executive director of the Centre for Digital Democracy, told ProPublica. "Facebook is bundling a dozen different data companies to target an individual customer, and an individual should have access to that bundle as well." Here's the catch – unlike the data points that Facebook collects itself, it is extremely difficult to opt out of the data hoarded by these third-party commercial providers. To remove your preference in department store – or household income estimate – you'll need to contact each provider directly. According to ProPublica, that process is often complex and hidden behind reams of legal mumbo-jumbo.
When ProPublica approached Facebook about its perceived lack of disclosure, the US social network responded that it does not inform users about the third-party data because it’s widely available and not collected by Facebook itself.... Earlier this year, Facebook revealed the extensive list of information it holds on users and uses to target its advertisements. The criteria range from the obvious – age, hometown, school, friends – to the downright bizarre. For example, Facebook keeps a record of when you've recently started a new relationship, calculates how much money you are likely to spend on your next car, tracks what operating system you are using to log in to the social network, and more. It will even track the types of credit cards you have owned. If you remain logged into Facebook, the social network can see almost every other website you visit. And even if you log out of your Facebook account before you start surfing the world wide web, it still keeps a close eye. Facebook is alerted every time you load a webpage with one of its Like or Share buttons embedded. Any websites that use advertisements sourced from the Atlas network will also track your movements. Facebook also provides online publishers with a small piece of code – dubbed Facebook Pixel – that allows them (and of course, Facebook) to log any Facebook-using visitors."
Why Facebook is NOT telling YOU everything it really knows about you
Express, 2 January 2017


"Individual peace is the unit of world peace. By offering Consciousness-Based Education to the coming generation, we can promote a strong foundation for a healthy, harmonious, and peaceful world.... Consciousness-Based education is not a luxury. For our children who are growing up in a stressful, often frightening, crisis-ridden world, it is a necessity."
Academy Award Winning Film Producer David Lynch (Elephant Man, Blue Velvet, etc)
David Lynch Foundation