Resources

Ring Cameras Are Being Used To Control and Surveil Overworked Delivery Workers

Networked doorbell surveillance cameras like Amazon’s Ring are everywhere, and have changed the nature of delivery work by letting customers take on the role of bosses to monitor, control, and discipline workers, according to a recent report (PDF) by the Data & Society tech research institute. “The growing popularity of Ring and other networked doorbell cameras has normalized home and neighborhood surveillance in the name of safety and security,” Data & Society’s Labor Futures program director Aiha Nguyen and research analyst Eve Zelickson write. “But for delivery drivers, this has meant their work is increasingly surveilled by the doorbell cameras and supervised by customers. The result is a collision between the American ideas of private property and the business imperatives of doing a job.”

Thanks to interviews with surveillance camera users and delivery drivers, the researchers are able to dive into a few major developments interacting here to bring this to a head. Obviously, the first one is the widespread adoption of doorbell surveillance cameras like Ring. Just as important as the adoption of these cameras, however, is the rise of delivery work and its transformation into gig labor. […] As the report lays out, Ring cameras allow customers to surveil delivery workers and discipline their labor by, for example, sharing shaming footage online. This dovetails with the “gigification” of Amazon’s delivery workers in two ways: labor dynamics and customer behavior.

“Gig workers, including Flex drivers, are sold on the promise of flexibility, independence and freedom. Amazon tells Flex drivers that they have complete control over their schedule, and can work on their terms and in their space,” Nguyen and Zelickson write. “Through interviews with Flex drivers, it became apparent that these marketed perks have hidden costs: drivers often have to compete for shifts, spend hours trying to get reimbursed for lost wages, pay for wear and tear on their vehicle, and have no control over where they work.” That competition between workers manifests in other ways too, namely acquiescing to and complying with customer demands when delivering purchases to their homes. Even without cameras, customers have made onerous demands of Flex drivers even as the drivers are pressed to meet unrealistic and dangerous routes alongside unsafe and demanding productivity quotas. The introduction of surveillance cameras at the delivery destination, however, adds another level of surveillance to the gigification. […] The report’s conclusion is clear: Amazon has deputized its customers and made them partners in a scheme that encourages antagonistic social relations, undermines labor rights, and provides cover for a march towards increasingly ambitious monopolistic exploits.

248

ByteDance Planned to Use TikTok to Monitor Locations of Specific American Citizens

A China-based team at TikTok’s parent company, ByteDance, planned to use the TikTok app to monitor the personal location of some specific American citizens, according to materials reviewed by Forbes.

The team behind the monitoring project — ByteDance’s Internal Audit and Risk Control department — is led by Beijing-based executive Song Ye, who reports to ByteDance cofounder and CEO Rubo Liang. The team primarily conducts investigations into potential misconduct by current and former ByteDance employees. But in at least two cases, the Internal Audit team also planned to collect TikTok data about the location of a U.S. citizen who had never had an employment relationship with the company, the materials show.

It is unclear from the materials whether data about these Americans was actually collected; however, the plan was for a Beijing-based ByteDance team to obtain location data from U.S. users’ devices.

249

Beijing Bus Drivers Have Been Told To Wear Wristbands To Monitor Their Emotions

The move was initiated by the state-run Beijing Public Transport Holding Group, which says it is aimed at protecting public safety. But legal experts have raised privacy concerns and say the wristbands could cause bus drivers undue distress and potentially lead to discrimination. Some 1,800 wristbands were distributed to bus drivers on cross-province and highway routes on Wednesday, the official Beijing Daily reported. It is unclear how many drivers will be required to wear the devices. The report said they would be used to monitor the drivers’ vital signs and emotional state in real time to improve safety.

226

TikTok Tracks You Across the Web, Even If You Don’t Use the App

A Consumer Reports investigation finds that TikTok, one of the country’s most popular apps, is partnering with a growing number of other companies to hoover up data about people as they travel across the internet. That includes people who don’t have TikTok accounts. These companies embed tiny TikTok trackers called “pixels” in their websites. Then TikTok uses the information gathered by all those pixels to help the companies target ads at potential customers, and to measure how well their ads work. To look into TikTok’s use of online tracking, CR asked the security firm Disconnect to scan about 20,000 websites for the company’s pixels. In our list, we included the 1,000 most popular websites overall, as well as some of the biggest sites with domains ending in “.org,” “.edu,” and “.gov.” We wanted to look at those sites because they often deal with sensitive subjects. We found hundreds of organizations sharing data with TikTok.

If you go to the United Methodist Church’s main website, TikTok hears about it. Interested in joining Weight Watchers? TikTok finds that out, too. The Arizona Department of Economic Security tells TikTok when you view pages concerned with domestic violence or food assistance. Even Planned Parenthood uses the trackers, automatically notifying TikTok about every person who goes to its website, though it doesn’t share information from the pages where you can book an appointment. (None of those groups responded to requests for comment.) The number of TikTok trackers we saw was just a fraction of those we observed from Google and Meta. However, TikTok’s advertising business is exploding, and experts say the data collection will probably grow along with it.

After Disconnect researchers conducted a broad search for TikTok trackers, we asked them to take a close look at what kind of information was being shared by 15 specific websites. We focused on sites where we thought people would have a particular expectation of privacy, such as advocacy organizations and hospitals, along with retailers and other kinds of companies. Disconnect found that data being transmitted to TikTok can include your IP address, a unique ID number, what page you’re on, and what you’re clicking, typing, or searching for, depending on how the website has been set up. What does TikTok do with all that information? “Like other platforms, the data we receive from advertisers is used to improve the effectiveness of our advertising services,” says Melanie Bosselait, a TikTok spokesperson. The data “is not used to group individuals into particular interest categories for other advertisers to target.” If TikTok receives data about someone who doesn’t have a TikTok account, the company only uses that data for aggregated reports that they send to advertisers about their websites, she says. There’s no independent way for consumers or privacy researchers to verify such statements. But TikTok’s terms of service say its advertising customers aren’t allowed to send the company certain kinds of sensitive information, such as data about children, health conditions, or finances. “We continuously work with our partners to avoid inadvertent transmission of such data,” TikTok’s Bosselait says.

265

America’s Funniest Home Surveillance Network Isn’t Funny

Amazon is normalizing neighborhood panopticons by turning its doorbell videos into a TV show. Orwell wouldn’t be laughing.

When smartphones first came on the scene, their built-in cameras were limited to personal use. Then social media sites like Facebook and Instagram created a beast that millions wanted to feed, and photos became a public spectacle. The same phenomenon is happening to doorbell cameras. Initially marketed to make customers feel safer in their homes, their footage is now being uploaded for entertainment. On TikTok, the hashtag Ringdoorbell has more than 2.7 billion views.

Amazon.com Inc., which owns market-dominating Ring, has seen and grabbed a lucrative opportunity, and is contributing to the gradual erosion of our privacy in the process.

On Monday, the company premiered Ring Nation, a television show syndicated across more than 70 American cities. Hosted by the comedian Wanda Sykes and produced by Metro-Goldwyn-Mayer, which Amazon finished buying in March, the 20-minute program features videos captured on smartphones and Amazon’s Ring doorbell cameras, which the company sells for about $105.

251

Spyware Scandals Are Ripping Through Europe

The ripple effects of the scandal are reaching the heart of the European Union. Over the past 13 months, it has been revealed that spyware had targeted opposition leaders, journalists, lawyers and activists in France, Spain, Hungary, Poland and even staff within the European Commission, the EU’s cabinet-style government, between 2019 and 2021. The bloc has already set up an inquiry into its own use of spyware, but even as the 38-person committee works toward producing a report for early 2023, the number of new scandals is quickly mounting up. What sets the scandal in Greece apart is the company behind the spyware that was used. Until then the surveillance software in every EU scandal could be traced back to one company, the notorious NSO Group. Yet the spyware stalking Koukakis’ phone was made by Cytrox, a company founded in the small European nation of North Macedonia and acquired in 2017 by Tal Dilian — an entrepreneur who achieved notoriety for driving a high-tech surveillance van around the island of Cyprus and showing a Forbes journalist how it could hack into passing people’s phones.

In that interview, Dilian said he had acquired Cytrox and absorbed the company into his intelligence company Intellexa, which is now thought to now be based in Greece. The arrival of Cytrox into Europe’s ongoing scandal shows the problem is bigger than just the NSO Group. The bloc has a thriving spyware industry of its own. As the NSO Group struggles with intense scrutiny and being blacklisted by the US, its less well-known European rivals are jostling to take its clients, researchers say. Over the past two months, Cytrox is not the only local company to generate headlines for hacking devices within the bloc. In June, Google discovered the Italian spyware vendor RCS Lab was targeting smartphones in Italy and Kazakhstan. Alberto Nobili, RCS’ managing director, told WIRED that the company condemns the misuse of its products but declined to comment on whether the cases cited by Google were examples of misuse. “RCS personnel are not exposed, nor participate in any activities conducted by the relevant customers,” he says. More recently, in July, spyware made by Austria’s DSIRF was detected by Microsoft hacking into law firms, banks, and consultancies in Austria, the UK, and Panama.

253

Police Across US Bypass Warrants With Mass Location-Tracking Tool

As summer winds down, researchers warned this week about systemic vulnerabilities in mobile app infrastructure, as well as a new iOS security flaw and one in TikTok. And new findings about ways to exploit Microsoft’s Power Automate tool in Windows 11 show how it can be used to distribute malware, from ransomware to keyloggers and beyond.

Fog Reveal Tool Gives Law Enforcement Cheap Access to US Location-Tracking Data From Smartphones

The data broker Fog Data Science has been selling access to what it claims are billions of location data points from over 250 million smartphones to local, state, and federal law enforcement agencies around the US. The data comes from tech companies and cell phone towers and is collected in the Fog Reveal tool from thousands of iOS and Android apps. Crucially, access to the service is cheap, often costing local police departments less than $10,000 per year, and investigations by the Associated Press and Electronic Frontier Foundation found that law enforcement sometimes pulls location data without a warrant. The EFF conducted its investigation through more than 100 public records requests filed over several months. “Troublingly, those records show that Fog and some law enforcement did not believe Fog’s surveillance implicated people’s Fourth Amendment rights and required authorities to get a warrant,” the EFF wrote.

237

Amazon’s empire of surveillance

Through recent billion-dollar acquisitions of health care services and smart home devices, the tech giant is leveraging its monopoly power to track ‘every aspect’ of our lives

Every step of the way, from its beginnings as an alternative to brick and mortar bookstores to snatching up over half of the online retail market, Amazon has relied on surveillance to dominate the competition, according to Evan Greer, director of the nonprofit advocacy group Fight for the Future.

248

Pegasus Spyware Used Against Thailand’s Pro-Democracy Movement

NSO Group’s Pegasus spyware was used to target Thai pro-democracy protesters and leaders calling for reforms to the monarchy. “We forensically confirmed that at least 30 individuals were infected with NSO Group’s Pegasus spyware,” reports Citizen Lab. “The observed infections took place between October 2020 and November 2021.” Here’s an excerpt from the report:
Introduction: Surveillance & Repression in Thailand: The Kingdom of Thailand is a constitutional monarchy with a parliamentary-style government divided into executive, legislative, and judiciary branches. The country has been beset by intense political conflict since 2005, during the government of former Prime Minister Thaksin Shinawatra. Corruption allegations against the regime culminated in a military coup on September 19, 2006 that ousted Thaksin. The military launched another coup on May 22, 2014 and seized power following mass protests against the civilian government led by Thaksin’s sister, Yingluck Shinawatra. The junta claimed that the 2014 coup was needed to restore order and called itself the National Council for Peace and Order (NCPO).

Findings: Pegasus Infections in Thailand: On November 23, 2021, Apple began sending notifications to iPhone users targeted by state-backed attacks with mercenary spyware. The recipients included individuals that Apple believes were targeted with NSO Group’s FORCEDENTRY exploit. Many Thai civil society members received this warning. Shortly thereafter, multiple recipients of the notification made contact with the Citizen Lab and regional groups. In collaboration with Thai organizations iLaw and DigitalReach, forensic evidence was obtained from notification recipients, and other suspected victims, who consented to participate in a research study with the Citizen Lab. We then performed a technical analysis of forensic artifacts to determine whether these individuals were infected with Pegasus or other spyware. Victims publicly named in this report consented to be identified as such, while others chose to remain anonymous, or have their cases described with limited detail.

Civil Society Pegasus Infections: We have identified at least 30 Pegasus victims among key civil society groups in Thailand, including activists, academics, lawyers, and NGO workers. The infections occurred from October 2020 to November 2021, coinciding with a period of widespread pro-democracy protests, and predominantly targeted key figures in the pro-democracy movement. In numerous cases, multiple members of movements or organizations were infected. Many of the victims included in this report have been repeatedly detained, arrested, and imprisoned for their political activities or criticism of the government. Many of the victims have also been the subject of lese-majeste prosecutions by the Thai government. While many of the infections were detected on the devices of prominent figures, hacking was also observed against individuals who are not publicly involved in the protests. Speculatively, this may reflect the attackers’ intent to uncover details about how opposition movements were organized, and may have been prompted by specific financial transactions that would have been known to Thai financial institutions and the government, but not the public.

258

EU Found Evidence Employee Phones Compromised With Spyware

In a July 25 letter sent to European lawmaker Sophie in ‘t Veld, EU Justice Commissioner Didier Reynders said iPhone maker Apple had told him in 2021 that his iPhone had possibly been hacked using Pegasus, a tool developed and sold to government clients by Israeli surveillance firm NSO Group. The warning from Apple triggered the inspection of Reynders’ personal and professional devices as well as other phones used by European Commission employees, the letter said. Though the investigation did not find conclusive proof that Reynders’ or EU staff phones were hacked, investigators discovered “indicators of compromise” â” a term used by security researchers to describe that evidence exists showing a hack occurred.

246

UK Spy Agency MI5 ‘Breached Surveillance Laws For More Than A Decade’

A UK tribunal has been told that security service MI5 has been breaching surveillance laws since 2010, and unlawfully obtaining bulk surveillance warrants against the public.

Human rights groups Liberty and Privacy International have told the Investigatory Powers Tribunal that MI5 has stored data on members of the public without the legal right to do so, and failed to disclose this to the Home Office and oversight bodies.

It breached safeguards around how long data was retained, who had access to it, and how legally privileged material such as private correspondence between lawyers and clients was protected, they say.

“MI5’s persistent failure to follow the law is inexcusable. For years, they have ignored safeguards put in place to protect us from abuse,” says Privacy International legal director Caroline Wilson Palow.

“These safeguards are a fundamental check on the vast power intelligence agencies can wield over all of us, especially when they engage in mass surveillance.”

The rights groups claim that the Home Office and various home secretaries failed to investigate these breaches. Surveillance warrants must be approved by the home secretary, who must be satisfied that legal safeguards around the handling of data are being met.

However, say Liberty and Privacy International, successive home secretaries repeatedly ignored the signs that MI5 was handling data unlawfully, and continued to sign off on surveillance warrants despite this.

“Surveillance safeguards can only protect us if they work in practice, and they don’t. For 10 years MI5 have been knowingly breaking the rules and failing to report it, and the government has failed to investigate clear red flags,” says Liberty lawyer Megan Goulding.

“There has been no proper investigation into MI5’s breaches by the Home Office, despite having been put on notice by briefings. Instead, the home secretary continued to issue unlawful warrants, and MI5 kept information from the authorities about how it mishandled our data.”

The allegations were first made in 2019 as part of Liberty’s separate legal challenge to the Investigatory Powers Act 2016, during which the government admitted that MI5 had been unlawfully retaining and mishandling the public’s data for years.

Documents shared with the court included correspondence between MI5 and its watchdog, the Investigatory Powers Commissioner’s Office (IPCO), as well as correspondence between MI5 and the Home Office, and reports of inspections carried out by IPCO after they learnt of MI5’s failings.

These documents revealed that MI5 itself called its data stores ‘ungoverned spaces’, and that the Investigatory Powers Commissioner had concluded MI5 had held and handled data in an ‘undoubted unlawful manner’.

“When we campaigned against giving the state unprecedented new surveillance powers under the so-called Snooper’s Charter back in 2015, one of our key concerns was that the safeguards against abuse were just not strong enough,” says Wilson Palow.

“And here we are, seven years later, with even the rules that are enshrined in law being ignored in practice. Those rules need a radical overhaul.”

Liberty and Privacy International have called for all surveillance warrants issued unlawfully to be quashed, all unlawfully retained data to be destroyed, and for the tribunal to declare that the Investigatory Powers Act itself is unlawful, because it doesn’t work in practice.

337

How Beijing’s surveillance cameras crept into widespread use across UK schools, hospitals and government buildings

In the confines of his small cell, Ovalbek Turdakun was watched 24/7. At any attempt to speak to others he was instantly told to be quiet, while lights in the room were on round the clock, making it impossible to know what time of day it was.

Turdakun and his fellow detainees in the Xinjiang camp were not watched by guards, but by software. Cameras made by the Chinese company Hikvision monitored his every move, according to an account he gave to US surveillance website IPVM.

More than a million of the same company’s cameras are in Britain’s schools, hospitals and police departments. Tesco, Costa Coffee and McDonald’s have purchased Hikvision cameras. They are present in a string of Government buildings.

Britain’s population is caught on CCTV more than any nation outside of China, with 6m cameras in use – one for every 11 people. Hikvision is the biggest provider of them.

366

Surveillance Tech Didn’t Stop the Uvalde Massacre

The Uvalde Consolidated Independent School District, of which Robb is a member, followed this conventional wisdom and embraced modern security solutions at its schools. Indeed, the district had actually doubled its security budget over the past several years to invest in a variety of recommended precautions.

According to UCISD’s security page, the district employed a safety management system from security vendor Raptor Technologies, designed to monitor school visitors and screen for dangerous individuals. It also used a social media monitoring solution, Social Sentinel, that sifted through children’s online lives to scan for signs of violent or suicidal ideation. Students could download an anti-bullying app (the STOP!T app) to report abusive peers, and an online portal at ucisd.net allowed parents and community members to submit reports of troubling behavior to administrators for further investigation. As has been noted, UCISD also had its own police force, developed significant ties to the local police department, and had an emergency response plan. It even deployed “Threat Assessment Teams” that were scheduled to meet regularly to “identify, evaluate, classify and address threats or potential threats to school security.”

And yet, none of the new security measures seemed to matter much when a disturbed young man brought a legally purchased weapon to Robb and committed the deadliest school shooting in the state’s history. The perpetrator wasn’t a student and therefore couldn’t be monitored by its security systems.

Trolling through students’ online lives to look for signs of danger is now a routine procedure in many districts. In fact, legislators have discussed mandating such surveillance features for schools across the country. UCISD employed one such company, but Gov. Abbott said Wednesday that “there was no meaningful forewarning of this crime.” The shooter sent private messages threatening the attack via Facebook Messenger half an hour before it occurred, but they were private and therefore would have been invisible to outside observers.

Facial recognition is another technology that has been offered to schools as a basic safety mechanism. The number of schools that have adopted face recording solutions has risen precipitously in recent years (Clearview AI announced this week that it has its sights on cracking into the market). However, despite their growing popularity, there is little evidence that these security apparatuses actually do anything to stop school shootings. Even supporters of facial recognition admit that the systems probably won’t do much once a shooter’s on school property.

“Whether it’s facial recognition, monitoring software on school devices, cameras—all these types of surveillance have become extremely ubiquitous,” said Jason Kelley, digital strategist with the Electronic Frontier Foundation, in an interview with Gizmodo. “The companies that sell these tools are trying to do something positive—they’re trying to minimize tragedy,” he said. Yet not only can these products ultimately be ineffective, they can also end up having negative side-effects on the children they’re meant to protect, Kelley offered. The intrusiveness of the tools are such that students may grow up feeling as if they have to be surveilled to be safe—even if the surveillance isn’t actually keeping them safe.

Some studies suggest that what surveillance actually provides is punishment rather than protection. The cameras and software can turn schools into little panopticons, where student behavior is constantly analyzed and assessed, and where minor infractions can be spotted and disciplined.

289

San Francisco Police Are Using Driverless Cars as Mobile Surveillance Cameras

For the last five years, driverless car companies have been testing their vehicles on public roads. These vehicles constantly roam neighborhoods while laden with a variety of sensors including video cameras capturing everything going on around them in order to operate safely and analyze instances where they don’t.

While the companies themselves, such as Alphabet’s Waymo and General Motors’ Cruise, tout the potential transportation benefits their services may one day offer, they don’t publicize another use case, one that is far less hypothetical: Mobile surveillance cameras for police departments.

The use of AVs as an investigative tool echoes how Ring, a doorbell and home security company owned by Amazon, became a key partner with law enforcement around the country by turning individual consumer products into a network of cameras with comprehensive coverage of American neighborhoods easily accessible to police. Police departments around the country use automatic license plate readers (ALPRs) to track the movements of vehicles. The EFF has sued the SFPD for accessing business improvement district live cameras to spy on protestors.

332

Virginia Police Routinely Use Secret GPS Pings To Track People’s Cell Phones

The nonprofit online news site Virginia Mercury investigated their state police departments’ “real-time location warrants,” which are “addressed to telephone companies, ordering them to regularly ping a customers’ phone for its GPS location and share the results with police.” Public records requests submitted to a sampling of 18 police departments around the state found officers used the technique to conduct more than 7,000 days worth of surveillance in 2020. Court records show the tracking efforts spanned cases ranging from high-profile murders to minor larcenies…. Seven departments responded that they did not have any relevant billing records, indicating they don’t use the technique. Only one of the departments surveyed, Alexandria, indicated it had an internal policy governing how their officers use cellphone tracking, but a copy of the document provided by the city was entirely redacted….

Drug investigations accounted for more than 60 percent of the search warrants taken out in the two jurisdictions. Larcenies were the second most frequent category. Major crimes like murders, rapes and abductions made up a fraction of the tracking requests, accounting for just under 25 of the nearly 400 warrants filed in the jurisdictions that year.
America’s Supreme Court “ruled that warrantless cellphone tracking is unconstitutional back in 2012,” the article points out — but in practice those warrants aren’t hard to get. “Officers simply have to attest in an affidavit that they have probable cause that the tracking data is ‘relevant to a crime that is being committed or has been committed’…. There’s been limited public discussion or awareness of the kinds of tracking warrants the judiciary is approving.” “I don’t think people know that their cell phones can be converted to tracking devices by police with no notice,” said Steve Benjamin, a criminal defense lawyer in Richmond who said he’s recently noticed an uptick in cases in which officers employed the technique. “And the reality of modern life is everyone has their phone on them during the day and on their nightstand at night. … It’s as if the police tagged them with a chip under their skin, and people have no idea how easily this is accomplished.”
The case for these phone-tracking warrants?

  • The executive director of the Virginia Association of Chiefs of Police tells the site that physical surveillance ofen requires too many resources — and that cellphone tracking is safer. “It may be considered an intrusive way of gathering data on someone, but it’s certainly less dangerous than physical tracking.”
  • A spokesperson for the Chesterfield County police department [responsible for 64% of the state’s tracking] argued that “We exist to preserve human life and protect the vulnerable, and we will use all lawful tools at our disposal to do so.” And they added that such “continued robust enforcement efforts” were a part of the reason that the county’s still-rising number of fatal drug overdoses had not risen more.

The site also obtained bills from four major US cellphone carriers, and reported how much they were charging police for providing their cellphone-tracking services:

  • “T-Mobile charged $30 per day, which comes to $900 per month of tracking.”
  • “AT&T charged a monthly service fee of $100 and an additional $25 per day the service is utilized, which comes to $850 per 30 days of tracking…”
  • “Verizon calls the service ‘periodic location updates,’ charging $5 per day on top of a monthly service fee of $100, which comes to $200 per 30 days of tracking.”
  • “Sprint offered the cheapest prices to report locations back to law enforcement, charging a flat fee of $100 per month.”
367

Mitto Secret Surveillance Operation for Google, Twitter, WhatsApp, Microsoft’s LinkedIn, Telegram, TikTok, Tencent and Alibaba

The co-founder of a company that has been trusted by technology giants including Google and Twitter to deliver sensitive passwords to millions of their customers also operated a service that ultimately helped governments secretly surveil and track mobile phones, Bloomberg reported Monday, citing former employees and clients. From the report:
Since it started in 2013, Mitto AG has established itself as a provider of automated text messages for such things as sales promotions, appointment reminders and security codes needed to log in to online accounts, telling customers that text messages are more likely to be read and engaged with than emails as part of their marketing efforts. Mitto, a closely held company with headquarters in Zug, Switzerland, has grown its business by establishing relationships with telecom operators in more than 100 countries. It has brokered deals that gave it the ability to deliver text messages to billions of phones in most corners of the world, including countries that are otherwise difficult for Western companies to penetrate, such as Iran and Afghanistan. Mitto has attracted major technology giants as customers, including Google, Twitter, WhatsApp, Microsoft’s LinkedIn and messaging app Telegram, in addition to China’s TikTok, Tencent and Alibaba, according to Mitto documents and former employees.

But a Bloomberg News investigation, carried out in collaboration with the London-based Bureau of Investigative Journalism, indicates that the company’s co-founder and chief operating officer, Ilja Gorelik, was also providing another service: selling access to Mitto’s networks to secretly locate people via their mobile phones. That Mitto’s networks were also being used for surveillance work wasn’t shared with the company’s technology clients or the mobile operators Mitto works with to spread its text messages and other communications, according to four former Mitto employees. The existence of the alternate service was known only to a small number of people within the company, these people said. Gorelik sold the service to surveillance-technology companies which in turn contracted with government agencies, according to the employees.

410

Seemingly Normal Lightning Cable Will Leak Everything You Type

It looks like a Lightning cable, it works like a Lightning cable, and I can use it to connect my keyboard to my Mac. But it is actually a malicious cable that can record everything I type, including passwords, and wirelessly send that data to a hacker who could be more than a mile away. This is the new version of a series of penetration testing tools made by the security researcher known as MG. MG previously demoed an earlier version of the cables for Motherboard at the DEF CON hacking conference in 2019. Shortly after that, MG said he had successfully moved the cables into mass production, and cybersecurity vendor Hak5 started selling the cables. But the more recent cables come in new physical variations, including Lightning to USB-C, and include more capabilities for hackers to play with.

“There were people who said that Type C cables were safe from this type of implant because there isn’t enough space. So, clearly, I had to prove that wrong. :),” MG told Motherboard in an online chat. The OMG Cables, as they’re called, work by creating a Wi-Fi hotspot itself that a hacker can connect to from their own device. From here, an interface in an ordinary web browser lets the hacker start recording keystrokes. The malicious implant itself takes up around half the length of the plastic shell, MG said. MG said that the new cables now have geofencing features, where a user can trigger or block the device’s payloads based on the physical location of the cable. “It pairs well with the self-destruct feature if an OMG Cable leaves the scope of your engagement and you do not want your payloads leaking or being accidentally run against random computers,” he said. “We tested this out in downtown Oakland and were able to trigger payloads at over 1 mile,” he added. He said that the Type C cables allow the same sort of attacks to be carried out against smartphones and tablets. Various other improvements include being able to change keyboard mappings, the ability to forge the identity of specific USB devices, such as pretending to be a device that leverages a particular vulnerability on a system.

428

Investigation Reveals Widespread Cellphone Surveillance of the Innocent

Cellphones “can be transformed into surveillance devices,” writes the Guardian, reporting startling new details about which innocent people are still being surveilled (as part of a collaborative reporting project with 16 other media outlets led by the French nonprofit Forbidden Stories).

Long-time Slashdot reader shanen shared the newspaper’s critique of a “privatised government surveillance industry” that’s made NSO a billion-dollar company, thanks to its phone-penetrating spy software Pegaus:
[NSO] insists only carefully vetted government intelligence and law enforcement agencies can use Pegasus, and only to penetrate the phones of “legitimate criminal or terror group targets”. Yet in the coming days the Guardian will be revealing the identities of many innocent people who have been identified as candidates for possible surveillance by NSO clients in a massive leak of data… The presence of their names on this list indicates the lengths to which governments may go to spy on critics, rivals and opponents.

First we reveal how journalists across the world were selected as potential targets by these clients prior to a possible hack using NSO surveillance tools. Over the coming week we will be revealing the identities of more people whose phone numbers appear in the leak. They include lawyers, human rights defenders, religious figures, academics, businesspeople, diplomats, senior government officials and heads of state. Our reporting is rooted in the public interest. We believe the public should know that NSO’s technology is being abused by the governments who license and operate its spyware.

But we also believe it is in the public interest to reveal how governments look to spy on their citizens and how seemingly benign processes such as HLR lookups [which track the general locations of cellphone users] can be exploited in this environment.

It is not possible to know without forensic analysis whether the phone of someone whose number appears in the data was actually targeted by a government or whether it was successfully hacked with NSO’s spyware. But when our technical partner, Amnesty International’s Security Lab, conducted forensic analysis on dozens of iPhones that belonged to potential targets at the time they were selected, they found evidence of Pegasus activity in more than half.

The investigators say that potential targets included nearly 200 journalists around the world, including numerous reporters from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, and even the editor of the Financial Times.

In addition, the investigators say they found evidence the Pegasus software had been installed on the phone of the fiancée of murdered Saudi journalist Jamal Khashoggi. NSO denies this to the Washington Post. But they also insist that they’re simply licensing their software to clients, and their company “has no insight” into those clients’ specific intelligence activities.

The Washington Post reports that Amnesty’s Security Lab found evidence of Pegasus attacks on 37 of 67 smartphones from the list which they tested. But beyond that “for the remaining 30, the tests were inconclusive, in several cases because the phones had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, Androids do not log the kinds of information required for Amnesty’s detective work.”

Familiar privacy measures like strong passwords and encryption offer little help against Pegasus, which can attack phones without any warning to users. It can read anything on a device that a user can, while also stealing photos, recordings, location records, communications, passwords, call logs and social media posts. Spyware also can activate cameras and microphones for real-time surveillance.

417

Edward Snowden Calls For Spyware Trade Ban Amid Pegasus Revelations

Snowden, who in 2013 blew the whistle on the secret mass surveillance programs of the US National Security Agency, described for-profit malware developers as “an industry that should not exist.” He made the comments in an interview with the Guardian after the first revelations from the Pegasus project, a journalistic investigation by a consortium of international media organizations into the NSO Group and its clients. […] Snowden said the consortium’s findings illustrated how commercial malware had made it possible for repressive regimes to place vastly more people under the most invasive types of surveillance. For traditional police operations to plant bugs or wiretap a suspect’s phone, law enforcement would need to “break into somebody’s house, or go to their car, or go to their office, and we’d like to think they’ll probably get a warrant,” he said. But commercial spyware made it cost-efficient for targeted surveillance against vastly more people. “If they can do the same thing from a distance, with little cost and no risk, they begin to do it all the time, against everyone who’s even marginally of interest,” he said. “If you don’t do anything to stop the sale of this technology, it’s not just going to be 50,000 targets. It’s going to be 50 million targets, and it’s going to happen much more quickly than any of us expect.”

Part of the problem arose from the fact that different people’s mobile phones were functionally identical to one another, he said. “When we’re talking about something like an iPhone, they’re all running the same software around the world. So if they find a way to hack one iPhone, they’ve found a way to hack all of them.” He compared companies commercializing vulnerabilities in widely used mobile phone models to an industry of “infectioneers” deliberately trying to develop new strains of disease. “It’s like an industry where the only thing they did was create custom variants of Covid to dodge vaccines,” he said. “Their only products are infection vectors. They’re not security products. They’re not providing any kind of protection, any kind of prophylactic. They don’t make vaccines — the only thing they sell is the virus.”

Snowden said commercial malware such as Pegasus was so powerful that ordinary people could in effect do nothing to stop it. Asked how people could protect themselves, he said: “What can people do to protect themselves from nuclear weapons? “There are certain industries, certain sectors, from which there is no protection, and that’s why we try to limit the proliferation of these technologies. We don’t allow a commercial market in nuclear weapons.” He said the only viable solution to the threat of commercial malware was an international moratorium on its sale. “What the Pegasus project reveals is the NSO Group is really representative of a new malware market, where this is a for-profit business,” he said. “The only reason NSO is doing this is not to save the world, it’s to make money.” He said a global ban on the trade in infection vectors would prevent commercial abuse of vulnerabilities in mobile phones, while still allowing researchers to identify and fix them. “The solution here for ordinary people is to work collectively. This is not a problem that we want to try and solve individually, because it’s you versus a billion dollar company,” he said. “If you want to protect yourself you have to change the game, and the way we do that is by ending this trade.”

443

Amazon Wants To Monitor You In Your Sleep, For Your Benefit

The Federal Communications Commission on Friday granted Amazon approval to use a radar sensor to sense motion and “enable contactless sleep tracing functionalities.” Amazon on June 22 asked the FCC, which regulates airwave uses, for permission to market a device that uses radar. The technology captures movement in three dimensions, enabling a user to control its features through simple gestures and movements, the company said in a filing. The capability, according to Amazon, could help people with “with mobility, speech, or tactile impairments,” and it could monitor sleep with a high degree of precision.

“The use of Radar Sensors in sleep tracking could improve awareness and management of sleep hygiene, which in turn could produce significant health benefits for many Americans,” Amazon said in its filing. “Radar Sensors will allow consumers to recognize potential sleep issues.” Amazon didn’t immediately respond to a request for comment. The company didn’t fully describe the device in its filing, but did say it would not be a mobile device. The FCC earlier granted similar permission to Google for radar to enable touchless control of Pixel smartphones, the agency said in its letter approving Amazon’s request.

459