z3r0trust Privacy Newsletter #1-21

A concise monthly privacy digest with experienced security insights. This article is also available in Spanish here.

“The default posture of our devices and software has been to haemorrhage our most sensitive data for anyone who cared to eavesdrop upon them.” — Cory Doctorow

Happy New Year! It’s January 2021 and, despite the symbolism of new beginnings that comes with each new year, in the world of digital privacy we are still fighting many of the same battles. As it has always been, those in power, or rather those with the money to influence the people who make the laws, do not want average citizens around the world to have strong privacy protections. This month, I look at how the Third-Party Doctrine makes it trivial for law enforcement agencies to obtain the cell-tower location data of Capitol rioters, and much more.

Privacy is a basic human right, recognized as such by the United Nations in Article 12 of the Universal Declaration of Human Rights. The Information Age hasn’t exactly been kind to the digital privacy of private citizens. Governments, corporations, and cybercriminals have all taken advantage, collecting and exploiting whatever information they can, while very little effort has been made, in the U.S. at least, to better protect user privacy.

Instead, the hyper-connected world we live in continues to become more vulnerable to exploitation of our private information as poorly secured Internet of Things (IoT) devices are connected to the internet by the millions. Even for those of us who are privacy-conscious and try to limit the personal information in our online presence, governments and corporations get hacked on a weekly basis and our most sensitive data is spilled onto the open web or the Dark Web by cybercriminals.

Third-Party Doctrine

The government has long circumvented the Fourth Amendment by issuing subpoenas that compel third-party companies to turn over records of your activity. This is known as the Third-Party Doctrine: the courts have held (Smith v. Maryland, United States v. Miller) that information you voluntarily hand to a third party, such as the numbers you dial or your bank records, carries no reasonable expectation of privacy and therefore falls outside Fourth Amendment protection. Consequently, it has been a convenient way for the government to get around your protection against unreasonable searches and seizures. Why deal with getting a search warrant when you can just subpoena the data from a third-party ISP, right? One limit is worth knowing: in Carpenter v. United States (2018) the Supreme Court held that historical cell-site location records are different, and that obtaining them from a carrier requires a warrant supported by probable cause rather than a subpoena, though the Court expressly left open real-time tracking and bulk "tower dumps" of every phone near a site. Even so, it is mind-boggling how much of a bureaucratic process this is and how little Americans’ constitutional rights seem to mean to the courts.

For those who took part in the insurrection attempt at the U.S. Capitol on January 6th, 2021: you can run, but you can’t hide. These people used their phones to video and photograph what happened that day and posted it to their social media accounts on Twitter, Facebook, Gab, and Parler. Those same images and videos, along with telecom provider phone records and Internet Service Provider (ISP) records, will now be used by law enforcement officials (LEOs) as evidence to prosecute the rioters.

The events at the Capitol building in Washington, DC on January 6th, 2021, demonstrate that, regardless of your political affiliation, merely owning a cellphone is a major privacy liability, whether we want to admit it or not. However you felt about the events that transpired that day, it was entirely predictable that law enforcement such as the FBI would obtain cellphone provider data for the area surrounding the Capitol. I can’t imagine any federal judge would have denied the FBI a search warrant for this data. In fact, the telecoms were probably tripping over themselves to hand it over.

This time, the ease with which the FBI was able to scoop up cell-tower ping data to identify potential Capitol rioters was a good thing, since it helped apprehend those who attempted to overthrow the government, even if only half-heartedly. The FBI has reportedly been going door to door in DC questioning residents who were at or near the riot, based on cell-tower pings from their phones. Additionally, facial recognition systems (FRS) coupled with CCTV cameras have been used, along with media video footage of the event, to identify and track down people involved in the riot.

Destroying smartphones (even temporary-use ‘burner’ phones) and deleting social media accounts will not help evade prosecution. In fact, destroying evidence of a crime is better known as obstruction of justice, an additional crime these people can be charged with. Perhaps if these folks had paid attention to this series from the beginning they would have known better. However, something tells me they are not the type who read a lot or regularly practice operational security (OpSec).

With all of the surveillance cameras and the spying on Americans by every conceivable means, isn’t it ironic that authorities were not able to prevent the Nashville bomber from blowing himself up in an RV outside the AT&T building? Additionally, with FRS technology and social media being used heavily to identify the January 6 Capitol rioters, it is guaranteed that the government will use this to argue for further expanding FRS and for using third-party data-collection firms to track people down. They will also keep pushing for encryption backdoors, as they have for years, despite the fact that the government already has a plethora of tools and techniques to collect data, identify and track down people, and prosecute them based on the collected data.

IoT Devices vs. Privacy

In yet another example of the privacy and security risks of IoT devices, there has been quite a bit of chatter over President Biden taking office on January 20th and the thought of him bringing an insecure Peloton stationary bike into the White House. Oooh! Ohhh. A Peloton is just another WiFi-enabled IoT device with an internet-connected microphone and camera. The US Secret Service (USSS) could simply disable the bike’s WiFi and internet-connected features, or connect it over Ethernet instead, which removes the wireless attack surface but not the internet connection. Or, President Biden could simply leave it at home if he considers it too much of a hassle.

“For example, they’ve hacked it to be able to show Netflix shows on the screen, which you really aren’t supposed to be able to do, but they’ve managed it. So someone could actually attack that Peloton bike, install malware, and reach out to other places in the White House.” — Max Kilger, Ph.D., director of the Data Analytics Program and Associate Professor in Practice at the University of Texas at San Antonio

Personally, I find the swirl over this very minor issue by the media and security pundits to be a bit overboard. Is there some level of security risk? Yes. Is it a major risk to the entire White House network? No, not if it is configured and segmented properly. On one hand, the White House is not a Sensitive Compartmented Information Facility (SCIF), so the ultra-tight restrictions on WiFi and Bluetooth-enabled devices aren’t necessary, at least not in all parts of the White House. On the other hand, WiFi networks are a well-understood attack surface for skilled attackers, and foreign threat actors will seek to exploit any vulnerability they can find. Former President Trump brought in an entire room-sized golf simulator, which came equipped with internet-connected sensors and cameras, when he took office in 2017.

Fitbit was recently acquired by Google for $2.1B, which automatically raises privacy concerns about user health and wellness data. In the EU, the conditions attached to the deal’s approval bar Google from using Fitbit health data to serve ads, but the U.S. has no comparable privacy-law restriction. Google is also currently being sued in an antitrust lawsuit brought by the federal government and several states, so the Fitbit acquisition may yet end up being unwound.

App Privacy Exposure

The Department of Justice (DOJ) has been griping about encryption backdoors for years now during its longstanding saga with Apple, but a recent Wired article highlighted just how weak Android and iPhone security really is. So why does the government keep calling for encryption backdoors if it has been able to find ways around the encryption? Perhaps it’s really about something else. I suspect the government wants unilateral access to any encryption created by tech companies providing any kind of service or device to Americans. That, we are told, is needed only for matters of the utmost national security interest. Wrong. Flat wrong.

Such an encryption backdoor is not only guaranteed to be abused by law enforcement and the government, but will also inevitably be discovered by domestic and foreign cyber threat actors, who will exploit the same backdoors in the code. There can be no compromise here with encryption: tech companies need to stand their ground against the government and potentially move their headquarters outside of the U.S. if laws are passed requiring encryption backdoors.

If the U.S. eventually passes an encryption-backdoor law, U.S.-based tech companies will undoubtedly see a noticeable exodus of users, like the one Facebook saw when it announced its new WhatsApp privacy policy that shares a lot of data with Facebook (something it had already been doing for years). In the wake of that announcement, and with the Capitol riot investigation under way, many users quit WhatsApp and flocked to Signal, Telegram, Wire, or other secure messaging apps. Governments and law enforcement have meanwhile been able to circumvent smartphone encryption by paying for phone-access tools like those produced by Grayshift or Cellebrite. We’re in no ‘danger’ of seeing a 100% secure mobile operating system, so I think we’ve got some time before governments go into full panic mode over this issue.

Telegram was found to have a flaw in a feature known as “People Nearby,” which shows other Telegram users who have opted in and the approximate distance to each of them. The problem is that a researcher found it was possible to pinpoint the exact location of those users with a kind of walking ‘wardriving’ technique: spoof your GPS position to three different points, read off the distance to the same user from each, and trilaterate (often loosely called triangulation) the point where the three distance circles intersect, which lands on a street address. Telegram has reportedly declined to treat this as a privacy flaw, stating that users share their location voluntarily, but for a secure messaging app it is a curious feature to include. I also doubt that many users know that other users can determine their exact address from it. I can see this easily turning into a class-action lawsuit.
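To make concrete why a displayed distance is all an attacker needs, here is an added example of the trilateration step. It is my own illustration for this newsletter, not the researcher’s code or anything from Telegram. It assumes the feature reports a distance in whole metres to each nearby user and that the attacker can set the GPS position the app reports; the target coordinates, the three spoofed positions and the rounding are constructed for the demo. Points are projected onto a local flat plane, which is accurate to well under a metre at the few-hundred-metre ranges involved.

```python
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def to_local_xy(lat, lon, lat0, lon0):
    """Project (lat, lon) onto a flat plane in metres centred on (lat0, lon0).
    Accurate to centimetres over the few kilometres People Nearby spans."""
    x = math.radians(lon - lon0) * math.cos(math.radians(lat0)) * EARTH_RADIUS_M
    y = math.radians(lat - lat0) * EARTH_RADIUS_M
    return x, y


def from_local_xy(x, y, lat0, lon0):
    """Inverse of to_local_xy."""
    lat = lat0 + math.degrees(y / EARTH_RADIUS_M)
    lon = lon0 + math.degrees(x / (EARTH_RADIUS_M * math.cos(math.radians(lat0))))
    return lat, lon


def trilaterate(observations):
    """observations: three (lat, lon, distance_m) tuples, one per spoofed position.
    Returns the (lat, lon) that lies distance_m from each of them."""
    if len(observations) != 3:
        raise ValueError("need exactly three observations")
    lat0, lon0, _ = observations[0]
    circles = [(*to_local_xy(lat, lon, lat0, lon0), d) for lat, lon, d in observations]
    (x1, y1, r1), (x2, y2, r2), (x3, y3, r3) = circles
    # Subtracting circle 1 from circles 2 and 3 cancels the quadratic terms,
    # leaving two linear equations a*x + b*y = c, solved by Cramer's rule.
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = r1**2 - r2**2 + x2**2 - x1**2 + y2**2 - y1**2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = r1**2 - r3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        # All three spoofed positions on one line give two mirror-image answers.
        raise ValueError("observer positions are collinear; move the third point off the line")
    x = (c1 * b2 - c2 * b1) / det
    y = (a1 * c2 - a2 * c1) / det
    return from_local_xy(x, y, lat0, lon0)


# --- constructed demo data: not a real user, not real measurements ---
TARGET = (51.5007, -0.1246)  # the victim's true position, which the attacker wants
# Three GPS positions the attacker spoofs, a few hundred metres apart and not on one line.
SPOOFED_POSITIONS = [(51.5050, -0.1246), (51.5007, -0.1150), (51.4970, -0.1300)]


def reported_distance(observer, target, round_to_m=1):
    """Simulates the app's 'N m away' readout: true distance rounded to round_to_m metres
    (whole-metre rounding is an assumption of this demo)."""
    d = haversine_m(observer[0], observer[1], target[0], target[1])
    return round(d / round_to_m) * round_to_m


def demo(round_to_m=1):
    """Runs the attack against the constructed target; returns (estimate, error_m)."""
    obs = [(lat, lon, reported_distance((lat, lon), TARGET, round_to_m))
           for lat, lon in SPOOFED_POSITIONS]
    est = trilaterate(obs)
    err = haversine_m(est[0], est[1], TARGET[0], TARGET[1])
    return est, err


if __name__ == "__main__":
    est, err = demo()
    print(f"estimated {est[0]:.5f}, {est[1]:.5f}  (error {err:.1f} m)")
    # Coarser display rounding widens the error box but does not defeat the attack.
    est, err = demo(round_to_m=10)
    print(f"with 10 m rounding: error {err:.1f} m")
```

The defensive lesson is in the `reported_distance` helper: rounding the displayed distance to whole metres leaves the victim within a couple of metres of the computed point, and even 10-metre rounding still resolves to a single building. Only a deliberately coarse bucket (hundreds of metres) or a randomized offset per query would blunt this, and the feature as described offers neither.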

Data Breaches & Privacy Exposures

Now for a creepy case in Dallas, Texas, involving an ADT home security installation technician named Telesforo Aviles. Aviles pleaded guilty to spying on women and couples through the home security cameras he installed in their homes. His so-called ‘hack’ of the installation process was simply to add his personal email address to customers’ ADT Pulse accounts, telling them he needed to do so to verify that everything worked correctly.

“This defendant, entrusted with safeguarding customers’ homes, instead intruded on their most intimate moments,” said Acting U.S. Attorney Prerak Shah. “We are glad to hold him accountable for this disgusting betrayal of trust.”

Aviles had access to the live video feeds of over 200 ADT customers’ homes. He used this illegal access to spy on attractive women and on intimate sexual activity. The disgusting part of this story, beyond the peeping-Tom aspect, is that ADT requires customers to sign an arbitration clause when they sign up for their mandatory 2- or 3-year commitments. So it is unknown whether the class-action lawsuits will proceed against ADT or the court will send plaintiffs to arbitration instead.

This case illustrates the value of Do It Yourself (DIY) home security systems like SimpliSafe or Wyze, among others. Letting strangers into your home may seem like the simplest solution, but nowadays it is very easy to install a home security system yourself (which is what I did).

Privacy-related Lawsuits

In a breach that came to light around January 2020, cybercriminals compromised the Hanna Andersson clothing retailer’s website and captured customer Personally Identifiable Information (PII) such as names, home addresses, payment card numbers, CVV codes, and card expiration dates for over 200,000 customers who made purchases on the website between September 16, 2019, and November 11, 2019. The breach resulted in a class-action lawsuit under the California Consumer Privacy Act (CCPA). Hanna Andersson has agreed to pay $400,000 and to implement tougher information security measures.

Privacy Tips

When you search on Google, Yahoo, Bing, or most other search engines, your search terms are carried in the Uniform Resource Locator (URL), typically as a query parameter. One correction to a common belief: because those engines serve over HTTPS, an Internet Service Provider (ISP) sitting between you and the search engine does not see the path or query part of the URL, so it cannot read the terms themselves off the wire. What it does see is which hosts you connect to and when, via your DNS lookups and the server name sent in the TLS handshake. That connection and DNS history is collected by ISPs and sold to third-party data brokers, who aggregate it and sell it on to marketers who use it to target you. The search engine itself keeps your full search history, tied to your account or to cookies and IP address, and Law Enforcement Officers (LEOs) and the government can subpoena that history from the search provider, and your browsing records from your ISP, and learn a great deal about you from the sites you visit and what you search for.

If you understand how that works and the associated risks, then you also understand why it matters to use a Virtual Private Network (VPN), which moves that visibility from your ISP to the VPN provider, search engines such as DuckDuckGo, which doesn’t retain your search history, or the Tor Browser to anonymize your online identity. I’d go as far as to suggest not using Google Chrome either, because Google is very crafty and has most assuredly engineered Chrome to collect browsing history regardless of which search engine you use with it. It’s best to skip Chrome altogether. Brave, Firefox, and Tor Browser are more privacy-focused.

Privacy-themed Social Media

If you’re looking for a decentralized social media option that lets you, the user, own your own data rather than signing your rights over to a corporation that sells it, check out the diaspora* project. You choose a pod, create an account, and can remain pseudonymous or use your true identity (not recommended). You’ll find many of the same features as better-known social media sites like Twitter and Facebook.

Disconnect Premium

Disconnect is a privacy app for Android, macOS, and iOS that you can download for a small price and that helps lock down your privacy across your computing devices. I’ve not personally tried Disconnect yet, but someone I trust, a long-time IT professional, @Infination, said of the Disconnect app, “[I] like the intelligence it gives me on who’s tracking me perpetually. It blocks ~8000 trackers/month on my iPhone. 80% of it is @Google and @Facebook.”

That’s it for this installment. I hope I have given you something to think about in terms of digital privacy. There’s plenty more that I’ve written on the subject at the links below. Remember to maintain a low profile and be safe out there.

Trust No One. Verify Everything. Leave No Trace.

Additional Digital Privacy Resources:

z3r0trust Privacy Newsletters: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, #4–20, #5–20, #6–20, #32–20, #33–20, #8–20, #9–20, 16, 17, 45–20, 46–20, 47–20, 48–20 | EFFector | Atlas of Surveillance | Privacy Tools

think bad, do good | cybersecurity & privacy engineering | keybase.io/d3structo
