z3r0trust Privacy Newsletter #3–21

A monthly privacy digest curated with experienced security insights. This article is also available in Spanish here.

Welcome to the March 2021 edition of the z3r0trust Privacy Newsletter. This month I cover invisible beacons in your emails that spy on you, the latest SMS hijacking nonsense that should’ve been addressed years ago, and one of the best privacy smartphones on the market.

Sooner or later, each one of us has to make a decision in life. A decision as to whether we want convenience or privacy in this new digital era. To be clear, it’s often one or the other with technology. Rarely is it ever possible to simultaneously achieve both convenience and privacy. It’s kind of like that old saying, “Sometimes the right path is not the easiest.”

Whether we realize it or not, every time we purchase goods we vote with our wallets and also when we vote in elections with who we elect to political office. Those companies we give our money to and the politicians we elect wield the most influence over whether our privacy is to be valued and respected or if it’ll be sold downriver to the highest bidder as has been happening for so long.

Private Data Exposures

Google’s announcement that it plans to shift to a privacy-focused first-party data model and abandon third-party tracking cookies or that it has no alternative cross-site tracking mechanisms is very promising but it isn’t set to take effect until 2022 and a lot can happen between now and then (Duball, 2021). By doing so, Google is telling advertisers that its own Google cookies will be the only website cross-site tracking cookies.

“Advertising is essential to keeping the web open for everyone, but the web ecosystem is at risk if privacy practices do not keep up with changing expectations,” Google Director of Product Management for Ads Privacy and Trust David Temkin said in a news release.

Advertising is ‘essential’ to keeping the web open for everyone? Please don’t make me laugh… Google is effectively not sharing this profit-opportunity anymore with other third-parties which is kind of similar to what Apple is doing by requiring Apps to implement a privacy notification to iPhone users which will allow users to opt-out of data collection. However, don’t be fooled. Google is still planning to profit off of collecting user data from its own cookies but no longer allowing third-party cookies. Google appears to be positioning itself to one day start charging users to opt-out of being tracked by Google online as they visit various websites.

Many internet users may not be aware that there are spy pixels within emails that some companies use to log whether an email was opened and how many times the recipient opened it; what devices were used to open the email; and the rough physical location based on the recipient’s IP address without every clicking on any links (Kelion, 2021). It is important for everyone who uses the internet to understand how companies and authorities spy on users. This technique is yet another tool in the spy toolbox and it’s not new.

Also known as ‘invisible beaconing’, the technique is very similar to how malware communicates with command and control (C2) servers and can also be lumped into the digital steganography category because it hides malicious code or spyware code in this case, within plain sight but is invisible to the naked eye. This email spyware operates by using .gif or .png files that can be as tiny as 1x1 pixels inserted into the header, footer, or body of an HTML email. One simple method of blocking such spy pixel email trackers is to set your browser to block all images or view emails as plain text by default (Kelion, 2021).

The Chrome-like Brave internet browser has acquired German-based Cliqz’s Tailcat, which is a privacy-focused, no logging, no user profile, internet search engine similar to DuckDuckGo or Startpage. Now in beta-testing, Brave has named their new search engine “Brave Search” (Shankland, 2021).

Brave has grown considerably in recent years currently reporting 25 million monthly users. A lesser-known interesting aspect to Brave’s privacy-focused browser for those who are uninitiated is that users can opt-in to see ads and Brave actually pays users via their “Brave Rewards” up to 70% (Shankland, 2021). Brave is not going to take over the top spot as the #1 internet search engine away from Google or their Chrome browser any time soon but it remains yet another good option for privacy-concerned internet users.

Vice’s Motherboard recently wrote an expose on how a potential attacker can reroute your text messages to their device for $16 (Cox, 2021). Crazy, right? Actually, this SS7 Short Message Service (SMS) type of “hacks,” if we can call it that, is unsurprising. We, as a security community, have been calling for the deprecation of SMS to a newer, more secure protocol for years. The telecom providers don’t want to take action because they say it’ll cost too much to implement and our spineless FCC is hardly advocating on consumers’ behalf.

Small tech companies like Sakari offer special SMS message re-direct services obtained via agreements with telecom providers which should not be available to normal consumers to potentially abuse for the right price. Let alone a $16 introductory trial offer. Yet, time and time again, we’ve seen numerous examples of companies selling access to real-time GPS locations or in this case, access to phone messages that can be used to take over other accounts protected via Two-Factor Authentication (2FA).

No commercial enterprise or other individuals should ever be able to take over your phone number without your explicit authorization. This is something that should never have been allowed in the first place but it appears in a follow-up piece to this story (also by Motherboard), that T-Mobile, AT&T, and Verizon have since implemented measures to stop SMS hijacks following the Motherboard investigation (Cox, 2021). They most likely only did so out fear of being sued into oblivion though. This latest transgression serves as yet another poignant reminder not to use SMS for 2FA if it can be avoided. If available, use a stronger 2FA option such as Universal Two Factor (U2F) security keys or an authentication app instead like Duo, or Authy.

One additional note to go along with this story. If you’re a security researcher going by an alias such as the security researcher “Lucky225” did when they brought the SMS redirection hack to Motherboard’s attention, it is not advisable then for you to also list your company’s name (i.e., Okey Systems) and your job position as the CIO of said company. This is because it’s trivial to identify someone by using basic OSINT methods like Google searching. If anonymity is your aim, please understand that you’re not completely anonymous, to begin with. Associating your company and job title is not helping your anonymity. I won’t name any names publicly because that’s pretty much the opposite of what I believe is the right thing to do and very much anti-privacy.

This whole story and the announcement of this SMS vulnerability strikes me as a bit odd only because it almost appears to have been this sort of catalyst publicity stunt to launch this new Okey Systems security company that seems to have, well would you look at that, established a Twitter presence this month (March 2021), in fact. Hmm… Does that seem suspicious to you? There’s no SEC filing so it’s not a publicly-traded company, it’s a private company based out of Colorado. Nothing wrong with that, I just like to do a little research on where my information is coming from and try to understand what the motivations are for releasing it. It could also just be a brand new business so I don’t want to jump to conclusions but there’s virtually zero information about this company on their website which is strange.

The Clop ransomware group posted SSNs and grades on the Dark Web belonging to students from the Universities of Colorado and Miami (Abrams, 2021). The group appears to have exploited a group of unpatched vulnerabilities in the Accellion FTA file transfer application that was the subject of a CISA Joint Cybersecurity Advisory on February 24, 2021. Interestingly enough, the University of Colorado reported a data breach in February that included PII for active students and prospective students. Oof! To not even be a student at a university and have your personally identifiable information breached and published is bad news. Either way, it’s bad news for any victim but it makes me think about all of those job application sites that if popped would hemorrhage troves of job seeker PII.

Cyber threat actors don’t waste time. There is a reason “Patch Tuesday, Exploit Wednesday” is a common saying within the information security industry. Organizations and individuals using software found to contain vulnerabilities must patch quickly or risk being exploited, possibly have their data held ransom, be locked out of their computer systems, or worse. In some cases, ransoms were paid and the ransomed data was still sold off anyway. There is no bargaining with data terrorists. Wipe your servers and start over with the latest backup if possible. Learn from your failures and move on but never, ever, pay these clowns.

Among your personal list of tech companies you may not want to work for, if you’re a principled person then chances are Amazon probably ranks pretty high up on the list. Amazon has earned a reputation in recent years for being one of, if not the worst, employer for employee rights abuses. In addition to complaints that employees don’t get enough time to take bathroom breaks during their work shifts, Amazon’s has hired union busters to thwart unionization attempts, and now their 75,000 delivery drivers have been told they either have to sign a biometric consent form so Amazon can monitor the drivers with AI-powered four-lens Netradyne cameras that measure driver fatigue symptoms, as well as the usual GPS location type of tracking data or they will get fired if they refuse to sign (Gurley, 2021).

Does that sound fair to you? People need jobs though, some Amazon is banking on the fact that most employees are desperate enough to agree to the terms without putting up a fight. If they try to fight it, they will surely be fired. The only means of recourse is a class-action lawsuit which is probably what it’s going to take to change things at Amazon.

Disney has announced it will be testing facial recognition system (FRS) technology for park entrance at its Orlando, Florida Disney World theme park. Guest participation is optional during the 30-day trial period but I predict we will soon see this technology used at all of their resorts because they can use FRS for a multitude of different things not at the park entrances for admission but also within the theme parks, parking lots, stores, etc. That seems to be the trend these days. Either go big with FRS or don’t use it at all.

Developments in Privacy-related Law

The 117th U.S. Congress saw the introduction of the Information Transparency and Personal Data Control Act, a bill that is sponsored by Rep. Suzan DelBene (D-Wash.), designed to carve out protections for processing sensitive personal information and appropriates $350 million for the Federal Trade Commission to enforce data privacy and security (Bryant, 2021). Of course, at the national level, any data privacy bill is sure to face fierce opposition as many of our elected officials are in the pockets of big-name corporations that stand to lose a great deal of profit if such a bill were passed nationally.

Clearview AI is still fighting lawsuit after lawsuit in court after amassing more than 3 billion photos of people by web scraping social media sites like Twitter, Instagram, and Facebook with acquiring anyone’s permission to do so and then sells these AI-powered facial recognition data points to governments and law enforcement agencies (Taylor, 2021). Clearview AI asserts it is their First Amendment right to do so here in the United States despite the fact that it is a foreign-owned business.

Clearview AI also collects images of people that were not even taken by those individuals in the photos. Imagine having your photo taken by someone who was at a concert with you only to learn later on that you were identified through the use of an AI-powered facial recognition system by your employer who is a subscriber of Clearview AI’s services. That day you called in sick to work but actually went to the concert instead? Well, your employer just fired your ass for it.

Both California and Illinois have sued Clearview AI and the European Union (EU) also stated that the company violated the GDPR. The illegal activity of this company continues even while it is being sued in court with its CEO stating over 2,400 law enforcement agencies use its services and Clearview AI is making millions selling access to their illegally-collected facial recognition database consisting of web-scraped images.

Tiktok has agreed to settle a class-action lawsuit out of court and pay $92 million for their “collection, use, and transmission of highly sensitive personal data” that violated state and federal laws including Illinois’ Biometric Information Privacy Act (BIPA), the U.S. Computer Fraud and Abuse Act, the California Comprehensive Data Access and Fraud Act, and the Video Privacy Protection Act (Sakin, 2021).

Now it’s important to take a step back and think about why Tiktok settled out of court. Had the case gone to trial, not only could Tiktok have faced stiffer financial penalties but also a “narrowing or broadening of the term biometric identifier” which could have an even greater impact on their app and other apps like it that collect similar user data.

Additionally, U.S. District Judge John Lee disapproved the proposed terms of the settlement because Tiktok only intended to notify approximately 30 million class-action suit members via email instead of alerting all 89 million Tiktok users via the Tiktok app which would potentially result in more claimants and a greater payout percentage. More to follow on this story.

Privacy Tips

As far as privacy tech products go, people get really picky when it comes to their smartphones. Rightly so too, most people use their smartphones for damn near everything today. It stands to reason that if you value privacy, you might also be willing to pay a little more for a secure, privacy-designed phone. On that note, DarkMatter’s KATIM R01 phone is considered one of, if not the most, secure phones on the market. The company claims it is good enough for heads of state and corporations which makes one wonder about its low price point.

Made by cybersecurity professionals, the KATIM phone boasts by default “self-destructing messages and even self-destruction of the device itself if tampered with.” KATIM runs on a proprietary KATIM OS which is a hardened version of Android 7.x (Nougat). The phone sports some impressive tech specs and rugged durability as you might expect but that’s not what’s impressive about it in terms of privacy and security. The phone has a SHIELD MODE and LOCKED MODE to obscure the screen from prying eyes and disables the microphone, camera, motion sensors, and Bluetooth/WiFi (e.g., airplane mode).

The KATIM R01 has a protected bootloader (i.e., think of Microsoft’s Trusted Platform Module); employs AES-256 bit end-to-end device encryption; biometric-based 2FA; and a cryptographic key microSD card to make encrypted phone calls with. For those iPhone lovers, Apple still ranks relatively high on privacy with their iPhone 12 Pro Max which offers many of the same features but $1,450. One credit I will give to Apple, however, is that they do a great job of pushing patches for their iOS software. Other privacy-focused phone providers do not have the same reputation or power either when it comes to standing up to authorities who demand encryption backdoors.

Closing Thoughts

Every one of us should have the right as private citizens to opt-out of any technology service that we want to. I can simply stop using the technology or in some cases, just use aliases. I don’t need a state or federal law to exercise my right to abstain but smart privacy legislation helps keep data-hungry companies from unduly collecting and selling our private user information. Some personal information is allowed to be publicly traded but much of what is being collected now via smartphone apps and website cookies is simply not protected by law.

People need to be aware of what personal information is available about themselves online. You can do that by performing internet searches and setting up alerts for your name and the names of your family members. Additionally, they need to also be aware of what measures they can take to remove certain information.

Never Trust. Always Verify. Think Like An Adversary.


Abrams, L. (2021, March 23). Ransomware gang leaks data stolen from Colorado, Miami universities. Retrieved from https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-stolen-from-colorado-miami-universities/

Bryant, J. (2021, March 19). Notes from the IAPP, March 19, 2021. Retrieved from https://iapp.org/news/a/notes-from-the-iapp-march-19-2021/

Cox, J. (2021, March 15). A Hacker Got All My Texts for $16. Retrieved https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber

Cox, J. (2021, March 25). T-Mobile, Verizon, AT&T Stop SMS Hijacks After Motherboard Investigation. Retrieved from https://www.vice.com/en/article/5dp7ad/tmobile-verizon-att-sms-hijack-change

Duball, J. (2021, March 3). Google says it won’t pursue a cross-site tracking after phasing out cookies. Retrieved from https://iapp.org/news/a/google-doubles-down-on-third-party-cookies-abandonment/

Gurley, L.K. (2021, March 23). Amazon Delivery Drivers Forced to Sign ‘Biometric Consent’ Form or Lose Job. Retrieved from https://www.vice.com/en/article/dy8n3j/amazon-delivery-drivers-forced-to-sign-biometric-consent-form-or-lose-job

Kelion, L. (2021, February 17). ‘Spy pixels in emails have become endemic’. Retrieved from https://www.bbc.com/news/technology-56071437

Sakin, N. (2021, March 23). TikTok settlement highlights power of privacy class actions to shape US protections. Retrieved from https://iapp.org/news/a/tiktok-settlement-highlights-power-of-privacy-class-actions-to-shape-u-s-protections/

Shankland, S. (2021, March 3). Brave takes on Google with privacy-focused search engine. Retrieved from https://www.cnet.com/news/brave-takes-on-google-with-privacy-focused-search-engine/

Taylor, E. (2021, March 9). Clearview AI uses your online photos to instantly ID you. That’s a problem, lawsuit says. Retrieved from https://weekdaytimes.com/technology/2021/03/09/clearview-ai-uses-your-online-photos-to-instantly-id-you-thats-a-problem-lawsuit-says

Additional Digital Privacy Resources

z3r0trust Privacy Newsletters: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, #4–20, #5–20, #6–20, #32–20, #33–20, #8–20, #9–20, 16, 17, 45–20, 46–20, 47–20, 48–20, #1–21, #2–21 | EFFector | Atlas of Surveillance | Privacy Tools | IAPP | ACLU | PogoWasRight.org | DataBreaches.net

think bad, do good | cybersecurity & privacy engineering | keybase.io/d3structo

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store