Archives 25 January 2021

New Site Extracts and Posts Every Face from Parler’s Capitol Hill Insurrection Videos

“Late last week, a website called Faces of the Riot appeared online, showing nothing but a vast grid of more than 6,000 images of faces, each one tagged only with a string of characters associated with the Parler video in which it appeared,” reports WIRED, saying the site raises clear privacy concerns:
The site’s creator tells WIRED that he used simple, open source machine-learning and facial recognition software to detect, extract, and deduplicate every face from the 827 videos that were posted to Parler from inside and outside the Capitol building on January 6, the day when radicalized Trump supporters stormed the building in a riot that resulted in five people’s deaths. The creator of Faces of the Riot says his goal is to allow anyone to easily sort through the faces pulled from those videos to identify someone they may know, or recognize who took part in the mob, or even to reference the collected faces against FBI wanted posters and send a tip to law enforcement if they spot someone… “It’s entirely possible that a lot of people who were on this website now will face real-life consequences for their actions….”

A recent upgrade to the site adds hyperlinks from faces to the video source, so that visitors can click on any face and see what the person was filmed doing on Parler. The Faces of the Riot creator, who says he’s a college student in the “greater DC area,” intends that added feature to help contextualize every face’s inclusion on the site and differentiate between bystanders, peaceful protesters, and violent insurrectionists. He concedes that he and a co-creator are still working to scrub “non-rioter” faces, including those of police and press who were present. A message at the top of the site also warns against vigilante investigations, instead suggesting users report those they recognize to the FBI, with a link to an FBI tip page….

McDonald has previously both criticized the power of facial recognition technology and himself implemented facial recognition projects like ICEspy, a tool he launched in 2018 for identifying agents of the Immigration and Customs Enforcement agency… He sees Faces of the Riot as “playing it really safe” compared even to his own facial recognition experiments, given that it doesn’t seek to link faces with named identities. “And I think it’s a good call because I don’t think that we need to legitimize this technology any more than it already is and has been falsely legitimized,” McDonald says.

But McDonald also points out that Faces of the Riot demonstrates just how accessible facial recognition technologies have become. “It shows how this tool that has been restricted only to people who have the most education, the most power, the most privilege is now in this more democratized state,” McDonald says.

Twitter Bots Are a Major Source of Climate Disinformation

Twitter accounts run by machines are a major source of climate change disinformation that might drain support from policies to address rising temperatures. In the weeks surrounding former President Trump’s announcement about withdrawing from the Paris Agreement, accounts suspected of being bots accounted for roughly a quarter of all tweets about climate change, according to new research. “If we are to effectively address the existential crisis of climate change, bot presence in the online discourse is a reality that scientists, social movements and those concerned about democracy have to better grapple with,” wrote Thomas Marlow, a postdoctoral researcher at the New York University, Abu Dhabi, campus, and his co-authors. Their paper, published last week in the journal Climate Policy, is part of an expanding body of research about the role of bots in online climate discourse.

The new focus on automated accounts is driven partly by the way they can distort the climate conversation online. Marlow’s team measured the influence of bots on Twitter’s climate conversation by analyzing 6.8 million tweets sent by 1.6 million users between May and June 2017. Trump made his decision to ditch the climate accord on June 1 of that year. President Biden reversed the decision this week. From that dataset, the team ran a random sample of 184,767 users through the Botometer, a tool created by Indiana University’s Observatory on Social Media, which analyzes accounts and determines the likelihood that they are run by machines.

Researchers also categorized the 885,164 tweets those users had sent about climate change during the two-month study period. The most popular categories were tweets about climate research and news. Marlow and the other researchers determined that nearly 9.5% of the users in their sample were likely bots. But those bots accounted for 25% of the total tweets about climate change on most days. […] The researchers weren’t able to determine who deployed the bots. But they suspect the seemingly fake accounts could have been created by “fossil-fuel companies, petro-states or their surrogates,” all of which have a vested interest in preventing or delaying action on climate change.

Intelligence Analysts Use US Smartphone Location Data Without Warrants, Memo Says

A military arm of the intelligence community buys commercially available databases containing location data from smartphone apps and searches them for Americans’ past movements without a warrant, according to an unclassified memo obtained by The New York Times. Defense Intelligence Agency analysts have searched for the movements of Americans within a commercial database in five investigations over the past two and a half years, agency officials disclosed in a memo they wrote for Senator Ron Wyden, Democrat of Oregon.

The disclosure sheds light on an emerging loophole in privacy law during the digital age: In a landmark 2018 ruling known as the Carpenter decision, the Supreme Court held that the Constitution requires the government to obtain a warrant to compel phone companies to turn over location data about their customers. But the government can instead buy similar data from a broker — and does not believe it needs a warrant to do so. “D.I.A. does not construe the Carpenter decision to require a judicial warrant endorsing purchase or use of commercially available data for intelligence purposes,” the agency memo said.

Mr. Wyden has made clear that he intends to propose legislation to add safeguards for Americans’ privacy in connection with commercially available location data. In a Senate speech this week, he denounced circumstances “in which the government, instead of getting an order, just goes out and purchases the private records of Americans from these sleazy and unregulated commercial data brokers who are simply above the law.” He called the practice unacceptable and an intrusion on constitutional privacy rights. “The Fourth Amendment is not for sale,” he said.

How Law Enforcement Gets Around Your Smartphone’s Encryption

Lawmakers and law enforcement agencies around the world, including in the United States, have increasingly called for backdoors in the encryption schemes that protect your data, arguing that national security is at stake. But new research indicates governments already have methods and tools that, for better or worse, let them access locked smartphones thanks to weaknesses in the security schemes of Android and iOS.

Cryptographers at Johns Hopkins University used publicly available documentation from Apple and Google as well as their own analysis to assess the robustness of Android and iOS encryption. They also studied more than a decade’s worth of reports about which of these mobile security features law enforcement and criminals have previously bypassed, or can currently, using special hacking tools…

once you unlock your device the first time after reboot, lots of encryption keys start getting stored in quick access memory, even while the phone is locked. At this point an attacker could find and exploit certain types of security vulnerabilities in iOS to grab encryption keys that are accessible in memory and decrypt big chunks of data from the phone. Based on available reports about smartphone access tools, like those from the Israeli law enforcement contractor Cellebrite and US-based forensic access firm Grayshift, the researchers realized that this is how almost all smartphone access tools likely work right now. It’s true that you need a specific type of operating system vulnerability to grab the keys — and both Apple and Google patch as many of those flaws as possible — but if you can find it, the keys are available, too…

Forensic tools exploiting the right vulnerability can grab even more decryption keys, and ultimately access even more data, on an Android phone.