Archives December 2017

That Game on Your Phone May Be Tracking What You’re Watching on TV

At first glance, the gaming apps — with names like “Pool 3D,” “Beer Pong: Trickshot” and “Real Bowling Strike 10 Pin” — seem innocuous. One called “Honey Quest” features Jumbo, an animated bear.

Yet these apps, once downloaded onto a smartphone, have the ability to keep tabs on the viewing habits of their users — some of whom may be children — even when the games aren’t being played.

It is yet another example of how companies, using devices that many people feel they can’t do without, are documenting how audiences in a rapidly changing entertainment landscape are viewing television and commercials.

The apps use software from Alphonso, a start-up that collects TV-viewing data for advertisers. Using a smartphone’s microphone, Alphonso’s software can detail what people watch by identifying audio signals in TV ads and shows, sometimes even matching that information with the places people visit and the movies they see. The information can then be used to target ads more precisely and to try to analyze things like which ads prompted a person to go to a car dealership.

More than 250 games that use Alphonso software are available in the Google Play store; some are also available in Apple’s app store.

Some of the tracking is taking place through gaming apps that do not otherwise involve a smartphone’s microphone, including some apps that are geared toward children. The software can also detect sounds even when a phone is in a pocket if the apps are running in the background.

12 Days In Xinjiang — China’s Surveillance State

Urumqi, China – This city on China’s Central Asia frontier may be one of the most closely surveilled places on earth.

Security checkpoints with identification scanners guard the train station and roads in and out of town. Facial scanners track comings and goings at hotels, shopping malls and banks. Police use hand-held devices to search smartphones for encrypted chat apps, politically charged videos and other suspect content. To fill up with gas, drivers must first swipe their ID cards and stare into a camera.

China’s efforts to snuff out a violent separatist movement by some members of the predominantly Muslim Uighur ethnic group have turned the autonomous region of Xinjiang, of which Urumqi is the capital, into a laboratory for high-tech social controls that civil-liberties activists say the government wants to roll out across the country.

It is nearly impossible to move about the region without feeling the unrelenting gaze of the government. Citizens and visitors alike must run a daily gantlet of police checkpoints, surveillance cameras and machines scanning their ID cards, faces, eyeballs and sometimes entire bodies.

When fruit vendor Parhat Imin swiped his card at a telecommunications office this summer to pay an overdue phone bill, his photo popped up with an “X.” Since then, he says, every scan of his ID card sets off an alarm. He isn’t sure what it signifies, but figures he is on some kind of government watch list because he is a Uighur and has had intermittent run-ins with the police.

He says he is reluctant to travel for fear of being detained. “They blacklisted me,” he says. “I can’t go anywhere.”

All across China, authorities are rolling out new technology to keep watch over people and shape their behavior. Controls on expression have tightened under President Xi Jinping, and the state’s vast security web now includes high-tech equipment to monitor online activity and even snoop in smartphone messaging apps.

China’s government has been on high alert since a surge in deadly terrorist attacks around the country in 2014 that authorities blamed on Xinjiang-based militants inspired by extremist Islamic messages from abroad. Now officials are putting the world’s most state-of-the-art tools in the hands of a ramped-up security force to create a system of social control in Xinjiang—one that falls heaviest on Uighurs.

At a security exposition in October, an executive of Guangzhou-based CloudWalk Technology Co., which has sold facial-recognition algorithms to police and identity-verification systems to gas stations in Xinjiang, called the region the world’s most heavily guarded place. According to the executive, Jiang Jun, for every 100,000 people the police in Xinjiang want to monitor, they use the same amount of surveillance equipment that police in other parts of China would use to monitor millions.

Authorities in Xinjiang declined to respond to questions about surveillance. Top party officials from Xinjiang said at a Communist Party gathering in Beijing in October that “social stability and long-term security” were the local government’s bottom-line goals.

Chinese and foreign civil-liberty activists say the surveillance in this northwestern corner of China offers a preview of what is to come nationwide.

“They constantly take lessons from the high-pressure rule they apply in Xinjiang and implement them in the east,” says Zhu Shengwu, a Chinese human-rights lawyer who has worked on surveillance cases. “What happens in Xinjiang has bearing on the fate of all Chinese people.”

During an October road trip into Xinjiang along a modern highway, two Wall Street Journal reporters encountered a succession of checkpoints that turned the ride into a strange and tense journey.

At Xingxing Gorge, a windswept pass used centuries ago by merchants plying the Silk Road, police inspected incoming traffic and verified travelers’ identities. The Journal reporters were stopped, ordered out of their car and asked to explain the purpose of their visit. Drivers, mostly those who weren’t Han Chinese, were guided through electronic gateways that scanned their ID cards and faces.

Farther along, at the entrance to Hami, a city of a half-million, police had the Journal reporters wait in front of a bank of TV screens showing feeds from nearby surveillance cameras while recording their passport numbers.

Surveillance cameras loomed every few hundred feet along the road into town, blanketed street corners and kept watch on patrons of a small noodle shop near the main mosque. The proprietress, a member of the Muslim Hui minority, said the government ordered all restaurants in the area to install the devices earlier this year “to prevent terrorist attacks.”

Days later, as the Journal reporters were driving on a dirt road in Shanshan county after being ordered by officials to leave a nearby town, a police cruiser materialized seemingly from nowhere. It raced past, then skidded to a diagonal stop, kicking up a cloud of dust and blocking the reporters’ car. An SUV pulled up behind. A half-dozen police ordered the reporters out of the car and demanded their passports.

An officer explained that surveillance cameras had read the out-of-town license plates and sent out an alert. “We check every car that’s not from Xinjiang,” he said. The police then escorted the reporters to the highway.

At checkpoints further west, iris and body scanners are added to the security arsenal.

Darren Byler, an anthropology researcher at the University of Washington who spent two years in Xinjiang studying migration, says the closest contemporary parallel can be found in the West Bank and Gaza Strip, where the Israeli government has created a system of checkpoints and biometric surveillance to keep tabs on Palestinians.

In Erdaoqiao, the neighborhood where the fruit vendor Mr. Imin lives, small booths known as “convenience police stations,” marked by flashing lights atop a pole, appear every couple of hundred yards. The police stationed there offer water, cellphone charging and other services, while also taking in feeds from nearby surveillance cameras.

Young Uighur men are routinely pulled into the stations for phone checks, leading some to keep two devices—one for home use and another, with no sensitive content or apps, for going out, according to Uighur exiles.

Erdaoqiao, the heart of Uighur culture and commerce in Urumqi, is where ethnic riots started in 2009 that resulted in numerous deaths. The front entrance to Erdaoqiao Mosque is now closed, as are most entries to the International Grand Bazaar. Visitors funnel through a heavily guarded main gate. The faces and ID cards of Xinjiang residents are scanned. An array of cameras keeps watch.

After the riots, authorities showed up to shut down the shop Mr. Imin was running at the time, which sold clothing and religious items. When he protested, he says, they clubbed him on the back of the head, which has left him walking with a limp. They jailed him for six months for obstructing official business, he says. Other jail stints followed, including eight months for buying hashish.

The police in Urumqi didn’t respond to requests for comment.

Mr. Imin now sells fruit and freshly squeezed pomegranate juice from a cart. He worries that his flagged ID card will bring the police again. Recently remarried, he hasn’t dared visit his new wife’s family in southern Xinjiang.

Chinese rulers have struggled for two millennia to control Xinjiang, whose 23 million people are scattered over an expanse twice the size of Texas. Beijing sees it as a vital piece of President Xi’s trillion-dollar “Belt and Road” initiative to build infrastructure along the old Silk Road trade routes to Europe.

Last year, Mr. Xi installed a new Xinjiang party chief, Chen Quanguo, who previously handled ethnic strife in Tibet, another hot spot. Mr. Chen pioneered the convenience police stations in that region, partly in response to a string of self-immolations by monks protesting Chinese rule.

Under Mr. Chen, the police presence in Xinjiang has skyrocketed, based on data showing exponential increases in police-recruitment advertising. Local police departments last year began ordering cameras capable of creating three-dimensional face images as well as DNA sequencers and voice-pattern analysis systems, according to government procurement documents uncovered by Human Rights Watch and reviewed by the Journal.

During the first quarter of 2017, the government announced the equivalent of more than $1 billion in security-related investment projects in Xinjiang, up from $27 million in all of 2015, according to research in April by Chinese brokerage firm Industrial Securities.

Government procurement orders show millions spent on “unified combat platforms”—computer systems to analyze surveillance data from police and other government agencies.

Tahir Hamut, a Uighur poet and filmmaker, says Uighurs who had passports were called in to local police stations in May. He worried he would draw extra scrutiny for having been accused of carrying sensitive documents, including newspaper articles about Uighur separatist attacks, while trying to travel to Turkey to study in the mid-1990s. The aborted trip landed him in a labor camp for three years, he says.

He and his wife lined up at a police station with other Uighurs to have their fingerprints and blood samples taken. He says he was asked to read a newspaper for two minutes while police recorded his voice, and to turn his head slowly in front of a camera.

Later, his family’s passports were confiscated. After a friend was detained by police, he says, he assumed he also would be taken away. He says he paid officials a bribe of more than $9,000 to get the passports back, making up a story that his daughter had epilepsy requiring treatment in the U.S. Xinjiang’s Public Security Bureau, which is in charge of the region’s police forces, didn’t respond to a request for comment about the bribery.

“The day we left, I was filled with anxiety,” he says. “I worried what would happen if we were stopped going through security at the Urumqi airport, or going through border control in Beijing.”

He and his family made it to Virginia, where they have applied for political asylum.

Chinese authorities use forms to collect personal information from Uighurs. One form reviewed by the Journal asks about respondents’ prayer habits and if they have contacts abroad. There are sections for officials to rate “persons of interest” on a six-point scale and check boxes on whether they are “safe,” “average” or “unsafe.”

China Communications Services Co. Ltd., a subsidiary of state telecom giant China Telecom, has signed contracts this year worth more than $38 million to provide mosque surveillance and install surveillance-data platforms in Xinjiang, according to government procurement documents. The company declined to discuss the contracts, saying they constituted sensitive business information.

Xiamen Meiya Pico Information Co. Ltd. worked with police in Urumqi to adapt a hand-held device it sells for investigating economic crimes so it can scan smartphones for terrorism-related content.

A description of the device that recently was removed from the company’s website said it can read the files on 90% of smartphones and check findings against a police antiterror database. “Mostly, you’re looking for audio and video,” said Zhang Xuefeng, Meiya Pico’s chief marketing officer, in an interview.

Near the Xinjiang University campus in Urumqi, police sat at a wooden table recently, ordering some people walking by to hand over their phones.

“You just plug it in and it shows you what’s on the phone,” said one officer, brandishing a device similar to the one on Meiya Pico’s website. He declined to say what content they were checking for.

One recent afternoon in Korla, one of Xinjiang’s largest cities, only a trickle of people passed through the security checkpoint at the local bazaar, where vendors stared at darkened hallways empty of shoppers.

Li Qiang, the Han Chinese owner of a wine shop, said the security checks, while necessary for safety, were getting in the way of commerce. “As soon as you go out, they check your ID,” he said.

Authorities have built a network of detention facilities, officially referred to as education centers, across Xinjiang. In April, the official Xinjiang Daily newspaper said more than 2,000 people had been sent to a “study and training center” in the southern city of Hotan.

One new compound sits a half-hour drive south of Kashgar, a Uighur-dominated city near the border with Kyrgyzstan. It is surrounded by imposing walls topped with razor wire, with watchtowers at two corners. A slogan painted on the wall reads: “All ethnic groups should be like the pods of a pomegranate, tightly wrapped together.”

Villagers describe it as a detention center. A man standing near the entrance one recent night said it was a school and advised reporters to leave.

Mr. Hamut, the poet, says a relative in Kashgar was taken to a detention center after she participated in an Islamic ceremony, and another went missing soon after the family tried to call him from the U.S.

The local government in Kashgar didn’t respond to a request for comment.

Surveillance in and around Kashgar, where Han Chinese make up less than 7% of the population, is even tighter than in Urumqi. Drivers entering the city are screened intensively. A machine scans each driver’s face. Police officers inspect the engine and the trunk. Passengers must get out and run their bags through X-ray machines.

In Aksu, a dusty city a five-hour drive east of Kashgar, knife salesman Jiang Qiankun says his shop had to pay thousands of dollars for a machine that turns a customer’s ID card number, photo, ethnicity and address into a QR code that it lasers into the blade of any knife it sells. “If someone has a knife, it has to have their ID card information,” he says.

On the last day the Journal reporters were in Xinjiang, an unmarked car trailed them on a 5 a.m. drive to the Urumqi airport. During their China Southern Airlines flight to Beijing, a flight attendant appeared to train a police-style body camera attached to his belt on the reporters. Later, as passengers were disembarking, the attendant denied filming them, saying it was common for airline crew to wear the cameras as a security measure.

China Southern says the crew member was an air marshal, charged with safety on board.

How Facebook’s Political Unit Enables the Dark Art of Digital Propaganda

Under fire for Facebook Inc.’s role as a platform for political propaganda, co-founder Mark Zuckerberg has punched back, saying his mission is above partisanship. “We hope to give all people a voice and create a platform for all ideas,” Zuckerberg wrote in September after President Donald Trump accused Facebook of bias. Zuckerberg’s social network is a politically agnostic tool for its more than 2 billion users, he has said. But Facebook, it turns out, is no bystander in global politics. What he hasn’t said is that his company actively works with political parties and leaders including those who use the platform to stifle opposition — sometimes with the aid of “troll armies” that spread misinformation and extremist ideologies.

The initiative is run by a little-known Facebook global government and politics team that’s neutral in that it works with nearly anyone seeking or securing power. The unit is led from Washington by Katie Harbath, a former Republican digital strategist who worked on former New York Mayor Rudy Giuliani’s 2008 presidential campaign. Since Facebook hired Harbath three years later, her team has traveled the globe helping political clients use the company’s powerful digital tools. In some of the world’s biggest democracies — from India and Brazil to Germany and the U.K. — the unit’s employees have become de facto campaign workers. And once a candidate is elected, the company in some instances goes on to train government employees or provide technical assistance for live streams at official state events.

Irresistible: The Rise of Addictive Technology and the Business of Keeping Us Hooked

Adam Alter (2017)

Welcome to the age of behavioral addiction—an age in which half of the American population is addicted to at least one behavior. We obsess over our emails, Instagram likes, and Facebook feeds; we binge on TV episodes and YouTube videos; we work longer hours each year; and we spend an average of three hours each day using our smartphones. Half of us would rather suffer a broken bone than a broken phone, and Millennial kids spend so much time in front of screens that they struggle to interact with real, live humans.

In this revolutionary book, Adam Alter, a professor of psychology and marketing at NYU, tracks the rise of behavioral addiction, and explains why so many of today’s products are irresistible. Though these miraculous products melt the miles that separate people across the globe, their extraordinary and sometimes damaging magnetism is no accident. The companies that design these products tweak them over time until they become almost impossible to resist.

By reverse engineering behavioral addiction, Alter explains how we can harness addictive products for the good—to improve how we communicate with each other, spend and save our money, and set boundaries between work and play—and how we can mitigate their most damaging effects on our well-being, and the health and happiness of our children.

Almost 45 million tons of e-waste discarded last year

A new study claims 44.7 million metric tons (49.3 million tons) of TV sets, refrigerators, cellphones and other electrical goods were discarded last year, with only a fifth recycled to recover the valuable raw materials inside.

The U.N.-backed study published Wednesday calculates that the amount of e-waste thrown away in 2016 included a million tons of chargers alone.

The U.S. accounted for 6.3 million metric tons, partly due to the fact that the American market for heavy goods is saturated.

The study says all the gold, silver, copper and other valuable materials would have been worth $55 billion had they been recovered.

The authors of the Global E-waste Monitor predict that e-waste, defined as anything with a battery or a cord, will increase to 52.2 million metric tons by 2021.

Commercial Spyware is “Out of Control”

Throughout 2016 and 2017, individuals in Canada, United States, Germany, Norway, United Kingdom, and numerous other countries began to receive suspicious emails. It wasn’t just common spam. These people were chosen.

The emails were specifically designed to entice each individual to click a malicious link. Had the targets done so, their internet connections would have been hijacked and surreptitiously directed to servers laden with malware designed by a surveillance company in Israel. The spies who contracted the Israeli company’s services would have been able to monitor everything those targets did on their devices, including remotely activating the camera and microphone.

Who was behind this global cyber espionage campaign? Was it the National Security Agency? Or one of its “five eyes” partners, like the GCHQ or Canada’s CSE? Given that it was done using Israeli-made technology, perhaps it was Israel’s elite signals intelligence agency, Unit 8200?

In fact, it was none of them. Behind this sophisticated international spying operation was one of the poorest countries in the world; a country where less than 5 percent of the population has access to the internet; a country run by an autocratic government routinely flagged for human rights abuses and corruption. Behind this operation was… Ethiopia.

The details of this remarkable clandestine activity are outlined in a new Citizen Lab report published today entitled “Champing at the Cyberbit.” In our report my co-authors and I detail how we monitored the command and control servers used in the campaign and in doing so discovered a public log file that the operators mistakenly left open. That log file provided us with a window, for roughly a year, into the attackers’ activities, infrastructure, and operations. Strong circumstantial evidence points to one or more government agencies in Ethiopia as the responsible party.

We were also able to identify the IP addresses of those who were targeted and successfully infected: a group that includes journalists, a lawyer, activists, and academics. Our access also allowed us to enumerate the countries in which the targets were located. Many of the countries in which the targets live—the United States, Canada, and Germany, among others—have strict wiretapping laws that make it illegal to eavesdrop without a warrant. It seems individuals in Ethiopia broke those laws.

If a government wants to collect evidence on a person in another country, it is customary for it to make a formal legal request to other governments through a process like the Mutual Legal Assistance Treaties. Ethiopia appears to have sidestepped all of that. International norms would suggest a formal démarche to Ethiopia from the governments whose citizens it monitored without permission, but that may happen quietly if at all.

Our team reverse-engineered the malware used in this instance, and over time this allowed us to positively identify the company whose spyware was being employed by Ethiopia: Cyberbit Solutions, a subsidiary of the Israel-based homeland security company Elbit Systems. Notably, Cyberbit is the fourth company we have identified, alongside Hacking Team, Finfisher, and NSO Group, whose products and services have been abused by autocratic regimes to target dissidents, journalists, and others. Along with NSO Group, it’s the second Israel-based company whose technology has been used in this way.

Israel does regulate the export of commercial spyware abroad, although apparently not very well from a human-rights perspective. Cyberbit was able to sell its services to Ethiopia—a country with not only a well-documented history of governance and human rights problems, but also a track record of abusing spyware. When considered alongside the extensive reporting we have done about UAE and Mexican government misuse of NSO Group’s services, it’s safe to conclude Israel has a commercial spyware control problem.

How big of a problem? Remarkably, by analyzing the command and control servers of the cyber espionage campaign, we were also able to monitor Cyberbit employees as they traveled the world with infected laptops that checked in to those servers, apparently demonstrating Cyberbit’s products to prospective clients. Those clients include the Royal Thai Army, Uzbekistan’s National Security Service, Zambia’s Financial Intelligence Centre, and the Philippine president’s Malacañang Palace. Outlining the human rights abuses associated with those government entities would fill volumes.

Cyberbit, for its part, has responded to Citizen Lab’s findings: “Cyberbit Solutions offers its products only to sovereign governmental authorities and law enforcement agencies,” the company wrote me on November 29. “Such governmental authorities and law enforcement agencies are responsible to ensure that they are legally authorized to use the products in their jurisdictions.” The company declined to confirm or deny that the government of Ethiopia is a client, but did note that “Cyberbit Solutions can confirm that any transaction made by it was approved by the competent authorities.”

Governments like Ethiopia no longer depend on their own in-country advanced computer science, engineering, and mathematical capacity in order to build a globe-spanning cyber espionage operation. They can simply buy it off the shelf from a company like Cyberbit. Thanks to companies like these, an autocrat whose country has poor national infrastructure but whose regime has billions of dollars can order up their own NSA. To wit: Elbit Systems, the parent company of Cyberbit, says it has a backlog of orders valuing $7 billion. An investment firm recently sought to acquire a partial stake in NSO Group for a reported $400 million before eventually withdrawing its offer.

Of course, these companies insist that spyware they sell to governments is used exclusively to fight terrorists and investigate crime. Sounds reasonable, and no doubt many do just that. But the problem is when journalists, academics, or NGOs seek to expose corrupt dictators or hold them accountable, those truth tellers may then be labelled criminals or terrorists. And our research has shown that makes those individuals and groups vulnerable to this type of state surveillance, even if they live abroad.

Indeed, we discovered the second-largest concentration of successful infections of this Ethiopian operation is located in Canada. Among the targets whose identities we were able to verify and name in the report, what unites them all is their peaceful political opposition to the Ethiopian government. Except one. Astoundingly, Citizen Lab researcher Bill Marczak, who led our technical investigation, was himself targeted at one point by the espionage operators.

Countries sliding into authoritarianism and corruption. A booming and largely unregulated market for sophisticated surveillance. Civilians not equipped to defend themselves. Add these ingredients together, and you have a serious crisis of democracy brewing. Companies like Cyberbit market themselves as part of a solution to cyber security. But it is evident that commercial spyware is actually contributing to a very deep insecurity instead.

Remedying this problem will not be easy. It will require legal and policy efforts across multiple jurisdictions and involving governments, civil society, and the private sector. A companion piece to the report outlines some measures that could hopefully begin that process, including application of relevant criminal laws. If the international community does not act swiftly, journalists, activists, lawyers, and human rights defenders will be increasingly infiltrated and neutralized. It’s time to address the commercial spyware industry for what it has become: one of the most dangerous cyber security problems of our day.