Archives 26 November 2020

Demand For Employee Surveillance Increased As Workers Transitioned To Home Working

A new study shows that the demand for employee surveillance software was up 55% in June 2020 compared to the pre-pandemic average. From webcam access to random screenshot monitoring, these surveillance software products can record almost everything an employee does on their computer. VPN review website Top10VPN used its global monitoring data to analyze over 200 terms related to employee surveillance software. It took into account both generic and brand-specific queries for its study which compared searches during March-May 2020 with internet searches in the preceding year. Global demand for employee monitoring software increased by 108% in April, and 70% in May 2020 compared with searches carried out the preceding year. Queries for “How to monitor employees working from home” increased by 1,705% in April and 652% in May 2020 compared with searches carried out the preceding year.

The surge in popularity of an open-ended phrase like this reveals how unprepared many companies were for the abrupt shift to mass home-working. The most popular surveillance tools are Time Doctor, Hubstaff, and FlexiSPY. The tools with the biggest increase in demand include Teramind, DeskTime, Kickidler, and Time Doctor, with interest in the latter tripling compared to pre-pandemic levels. The top three tools account for almost 60% of global demand in surveillance software because of the range of features offered. The radical shift away from office-working has clearly made employers nervous about a reduction in productivity and its potential impact on their business. Greater surveillance, however, may actually reduce long-term productivity. Your boss watching your every move may make you less productive in the long run and could significantly impact your feelings about the company itself.

Swiss Government Long in Dark Over CIA Front Company

The Swiss intelligence service has known since at least 1993 that Switzerland-based encryption device maker Crypto AG was actually a front for the CIA and its German counterpart, according to a new report released by the Swiss Parliament, but Swiss leaders were in the dark until last year. From a report:
Switzerland’s intra-governmental information gap is unlikely to be welcome news in Europe, which already looks warily upon the U.S.’ expansive surveillance practices. Still, Crypto AG provided information of incalculable value to U.S. policymakers over many decades. Crypto AG was controlled from 1970 on by the CIA and the West German BND intelligence agency. It sold encryption devices — often employed in diplomatic communications — that were used by over 120 countries through the 2000s.

Six Reasons Why Google Maps Is the Creepiest App On Your Phone

VICE has highlighted six reasons why Google Maps is the creepiest app on your phone. An anonymous reader shares an excerpt from the report:

1. Google Maps Wants Your Search History: Google’s “Web & App Activity” settings describe how the company collects data, such as user location, to create a faster and “more personalized” experience. In plain English, this means that every single place you’ve looked up in the app — whether it’s a strip club, a kebab shop or your moped-riding drug dealer’s location — is saved and integrated into Google’s search engine algorithm for a period of 18 months. Google knows you probably find this creepy. That’s why the company uses so-called “dark patterns” — user interfaces crafted to coax us into choosing options we might not otherwise, for example by highlighting an option with certain fonts or brighter colors.

2. Google Maps Limits Its Features If You Don’t Share Your Search History: If you open your Google Maps app, you’ll see a circle in the top right corner that signifies you’re logged in with your Google account. That’s not necessary, and you can simply log out. Of course, the log out button is slightly hidden, but can be found like this: click on the circle > Settings > scroll down > Log out of Google Maps. Unfortunately, Google Maps won’t let you save frequently visited places if you’re not logged into your Google account. If you choose not to log in, when you click on the search bar you get a “Tired of typing?” button, suggesting you sign in, and coaxing you towards more data collection.

3. Google Maps Can Snitch On You: Another problematic feature is the “Google Maps Timeline,” which “shows an estimate of places you may have been and routes you may have taken based on your Location History.” With this feature, you can look at your personal travel routes on Google Maps, including the means of transport you probably used, such as a car or a bike. The obvious downside is that your every move is known to Google, and to anyone with access to your account. And that’s not just hackers — Google may also share data with government agencies such as the police. […] If your “Location History” is on, your phone “saves where you go with your devices, even when you aren’t using a specific Google service,” as is explained in more detail on this page. This feature is useful if you lose your phone, but also turns it into a bona fide tracking device.

4. Google Maps Wants to Know Your Habits: Google Maps often asks users to share a quick public rating. “How was Berlin Burger? Help others know what to expect,” suggests the app after you’ve picked up your dinner. This feels like a casual, lighthearted question and relies on the positive feeling we get when we help others. But all this info is collected in your Google profile, making it easier for someone to figure out if you’re visiting a place briefly and occasionally (like on holiday) or if you live nearby.

5. Google Maps Doesn’t Like It When You’re Offline: Remember GPS navigation? It might have been clunky and slow, but it’s a good reminder that you don’t need to be connected to the internet to be directed. In fact, other apps offer offline navigation. On Google, you can download maps, but offline navigation is only available for cars. It seems fairly unlikely the tech giant can’t figure out how to direct pedestrians and cyclists without internet.

6. Google Makes It Seem Like This Is All for Your Own Good: “Providing useful, meaningful experiences is at the core of what Google does,” the company says on its website, adding that knowing your location is important for this reason. They say they use this data for all kinds of useful things, like “security” and “language settings” — and, of course, selling ads. Google also sells advertisers the possibility to evaluate how well their campaigns reached their target (that’s you!) and how often people visited their physical shops “in an anonymized and aggregated manner”. But only if you opt in (or you forget to opt out).

Your Computer Isn’t Yours

On modern versions of macOS, you simply can’t power on your computer, launch a text editor or eBook reader, and write or read, without a log of your activity being transmitted and stored. It turns out that in the current version of the macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it. Lots of people didn’t realize this, because it’s silent and invisible and it fails instantly and gracefully when you’re offline, but today the server got really slow and it didn’t hit the fail-fast code path, and everyone’s apps failed to open if they were connected to the internet. Because it does this using the internet, the server sees your IP, of course, and knows what time the request came in. An IP address allows for coarse, city-level and ISP-level geolocation, and allows for a table that has the following headings: Date, Time, Computer, ISP, City, State, Application Hash; Apple (or anyone else) can, of course, calculate these hashes for common programs: everything in the App Store, the Creative Cloud, Tor Browser, cracking or reverse engineering tools, whatever.

This means that Apple knows when you’re at home. When you’re at work. What apps you open there, and how often. They know when you open Premiere over at a friend’s house on their Wi-Fi, and they know when you open Tor Browser in a hotel on a trip to another city. “Who cares?” I hear you asking. Well, it’s not just Apple. This information doesn’t stay with them: These OCSP requests are transmitted unencrypted. Everyone who can see the network can see these, including your ISP and anyone who has tapped their cables. These requests go to a third-party CDN run by another company, Akamai. Since October of 2012, Apple is a partner in the US military intelligence community’s PRISM spying program, which grants the US federal police and military unfettered access to this data without a warrant, any time they ask for it. In the first half of 2019 they did this over 18,000 times, and another 17,500+ times in the second half of 2019.

This data amounts to a tremendous trove of data about your life and habits, and allows someone possessing all of it to identify your movement and activity patterns. For some people, this can even pose a physical danger to them. Now, it’s been possible up until today to block this sort of stuff on your Mac using a program called Little Snitch (really, the only thing keeping me using macOS at this point). In the default configuration, it blanket allows all of this computer-to-Apple communication, but you can disable those default rules and go on to approve or deny each of these connections, and your computer will continue to work fine without snitching on you to Apple. The version of macOS that was released today, 11.0, also known as Big Sur, has new APIs that prevent Little Snitch from working the same way. The new APIs don’t permit Little Snitch to inspect or block any OS level processes. Additionally, the new rules in macOS 11 even hobble VPNs so that Apple apps will simply bypass them.

LidarPhone Attack Converts Smart Vacuums Into Microphones

A team of academics has detailed this week novel research that converted a smart vacuum cleaner into a microphone capable of recording nearby conversations. Named LidarPhone, the technique works by taking the vacuum’s built-in LiDAR laser-based navigational component and converting it into a laser microphone. […] They tested the LidarPhone attack with various objects, by varying the distance between the robot and the object, and the distance between the sound origin and the object. Tests focused on recovering numerical values, which the research team said they managed to recover with a 90% accuracy. But academics said the technique could also be used to identify speakers based on gender or even determine their political orientation from the music played during news shows, captured by the vacuum’s LiDAR.

But while the LidarPhone attack sounds like a gross invasion of privacy, users need not panic for the time being. This type of attack revolves around many prerequisites that most attacks won’t bother with. There are far easier ways of spying on users than overwriting a vacuum’s firmware to control its laser navigation system, such as tricking the user into installing malware on their phone. The LidarPhone attack is merely novel academic research that can be used to bolster the security and design of future smart vacuum robots. In fact, the research team’s main recommended countermeasure for smart vacuum cleaning robot makers is to shut down the LiDAR component if it’s not rotating. Additional details about the research are available in a research paper titled “Spying with Your Robot Vacuum Cleaner: Eavesdropping via Lidar Sensors.”

Cheating-Detection Software Provokes ‘School-Surveillance Revolt’

New webcam-based anti-cheating monitoring is so stressful, it’s made some students cry, the Washington Post reports.

“Online proctoring” companies saw in coronavirus shutdowns a chance to capitalize on a major reshaping of education, selling schools a high-tech blend of webcam-watching workers and eye-tracking software designed to catch students cheating on their exams. They’ve taken in millions of dollars, some of it public money, from thousands of colleges in recent months. But they’ve also sparked a nationwide school-surveillance revolt, with students staging protests and adopting creative tactics to push campus administrators to reconsider the deals. Students argue that the testing systems have made them afraid to click too much or rest their eyes for fear they’ll be branded as cheats…

One system, Proctorio, uses gaze-detection, face-detection and computer-monitoring software to flag students for any “abnormal” head movement, mouse movement, eye wandering, computer window resizing, tab opening, scrolling, clicking, typing, and copies and pastes. A student can be flagged for finishing the test too quickly, or too slowly, clicking too much, or not enough. If the camera sees someone else in the background, a student can be flagged for having “multiple faces detected.” If someone else takes the test on the same network — say, in a dorm building — it’s potential “exam collusion.” Room too noisy, Internet too spotty, camera on the fritz? Flag, flag, flag.

As an unusually disrupted fall semester churns toward finals, this student rebellion has erupted into online war, with lawsuits, takedowns and viral brawls further shaking the anxiety-inducing backdrop of college exams. Some students have even tried to take the software down from the inside, digging through the code for details on how it monitors millions of high-stakes exams… Some students said the experience of having strangers and algorithms silently judge their movements was deeply unnerving, and many worried that even being accused of cheating could endanger their chances at good grades, scholarships, internships and post-graduation careers. Several students said they had hoped for freeing, friend-filled college years but were now resigned to hours of monitored video exams in their childhood bedrooms, with no clear end in sight….

[T]he systems’ technical demands have made just taking the tests almost comically complicated. One student at Wilfrid Laurier University in Ontario shared the instructions for his online Introduction to Linear Algebra midterm: five pages, totaling more than 2,000 words, requiring students to use a special activity-monitoring Web browser and keep their face, hands and desk in view of their camera at all times…

Students who break the rules or face technical difficulties can be investigated for academic misconduct. “The instructions,” the student said, “are giving me more anxiety than the test itself.”

Company executives “say a semester without proctors would turn online testing into a lawless wasteland” according to the article. But one long-time teacher counters that “the most clear value conveyed to students is ‘We don’t trust you.’”

Yet the education tech nonprofit Educause reported that 54% of higher education institutions they’d surveyed “are currently using online or remote proctoring services. And another 23% are planning or considering using them.”