These kinds of data brokers fuel a large and mostly invisible data market. But there are times where aspects of it (accidentally) emerge from the shadows.
Recent reporting, first covered by 404 Media, reveals how Fog Reveal sells geolocation services to government agencies. Geofences can be placed around targeted persons’ friends’ and families’ homes, places of worship, doctors’ offices, and offices of a person’s lawyer. Fences can be established retroactively as well as proactively.
Fog Reveal and similar companies are offering an expansive for-sale surveillance capacity. And the capacity, which was once the thing of science fiction, has somehow become banally available for those who can convince private vendors to provide access to the data they have collected.
There remains an open question of how to remedy the current situation: should the focus be on regulating bad actors after they appear or, instead, invest the political capital required to stop the processes enabling the data collection in the first place?
It can be remarkably easy to target communications to individuals based on their personal location. Location information is often surreptitiously obtained by way of smartphone apps that sell off or otherwise provide this data to data brokers, or through agreements with telecommunications vendors that enable targeting based on mobile devices’ geolocation.
Senator Wyden’s efforts to investigate this brokerage economy recently revealed how this sensitive geolocation information was used to enable and drive anti-abortion activism in the United States:
Wyden’s letter asks the Federal Trade Commission and the Securities and Exchange Commission to investigate Near Intelligence, a location data provider that gathered and sold the information. The company claims to have information on 1.6 billion people across 44 countries, according to its website.
The company’s data can be used to target ads to people who have been to specific locations — including reproductive health clinic locations, according to Recrue Media co-founder Steven Bogue, who told Wyden’s staff his firm used the company’s data for a national anti-abortion ad blitz between 2019 and 2022.
…
In a February 2023 filing, the company said it ensures that the data it obtains was collected with the users’ permission, but Near’s former chief privacy officer Jay Angelo told Wyden’s staff that the company collected and sold data about people without consent, according to the letter.
While the company stopped selling location data belonging to Europeans, it continued for Americans because of a lack of federal privacy regulations.
While the company in question, Near Intelligence, declared bankruptcy in December 2023, there is a real potential for the data it collected to be sold to other parties as part of bankruptcy proceedings. There is a clear and present need to legislate how geolocation information is collected, used, and disclosed in order to address this often surreptitious aspect of the data brokerage economy.
Writing for the New York Times, Krolik, Mozur, and Satariano have published new details about the state of Russia’s telecommunications surveillance capacity. They include documentary evidence in some cases of what these technologies can do, including the ability to:
identify if mobile phones are proximate to one another to detect meetups
identify whether a person’s phone is proximate to a burner phone, to de-anonymize the latter
use deep packet inspection systems to target particular kinds of communications metadata associated with secure communications applications
These types of systems are appearing in various repressive states and are being used by their governments.
Similar systems have long been developed in advanced Western democratic countries, which leads me to wonder whether what we’re seeing from authoritarian countries will ultimately usher in the use of similar technologies in higher rule-of-law states or if, instead, Western companies will merely export the tools without them being adopted in the countries developing them.
In effect, will the long-term result of revealing authoritarian capabilities lead to the gradual legitimization of their use in democratic countries so long as using them is tied to judicial oversight?
For the past year, the Toronto Star has repeatedly run articles that take mobility data from mobile device advertisers, to then assess the extent to which Torontonians are moving too much. Reporting has routinely shown how people are moving more or less frequently, with articles often suggesting that people are moving too much when they’re supposed to be staying put.
The problem? The ways in which ‘too much’ is assessed run contrary to public health advice and lack sufficient nuance to inform the public. In the most recent reporting, we find that:
Between Jan. 18 and Feb. 28, average mobility across Ontario increased from 58 per cent to 65 per cent, according to the marketing firm Environics Analytics. Environics defines mobility as a percentage of residents 15 or older who travelled 500 metres or more beyond their home postal code.
To be clear: in Ontario the provincial and local public health leaders have strongly stated that people should get outside and exercise. That can involve walking or other outdoor activities. Those activities are not supposed to be restricted to 500 metres from your home, which was advice that was largely provided in more restrictive lockdowns in European countries. And we know that mobility data is often higher in areas with higher percentages of BIPOC residents because they tend to have lower-paying jobs and must travel further to reach their places of employment.
As has become the norm, the fact that people have moved around more frequently as (admittedly ineffective) restrictions have been raised, and that people are ‘region hopping’ by going from more restricted zones to less restricted ones, is being tightly associated with personal or individual failures. From a quoted expert, we find that:
“It shows that once things start to open, people just seem to do whatever, and that’s a recipe for disaster.”
I would suggest that what we are seeing is a pent up, pretty normal, human response: the provincial government has behaved erratically and you have some people racing around to get stuff done before returning to another (ineffective) set of restrictions, and a related set of people who believe that if the government is letting them move around then things must be comparatively safer. To put it another way, in the former case you have people behaving rationally (if, in some eyes, selfishly) whereas in the latter you have a failure by government to solve a collective action problem by downloading responsibility to individuals. In both cases you are seeing an uptick in behaviour which suggests that they believe it’s safer to do things now than it was before, when the government assumed some responsibility and signalled that moving was less safe and actively discouraged it by keeping businesses and other ‘fun’ things shut down.
Throughout the pandemic response in Ontario, what has been evident is that the provincial government simply cannot develop and implement effective policies to mitigate the spread of the pandemic. The result of muddling through things has been that the public, and especially small business, has suffered extraordinarily whilst the gains have been meagre. The lack of paid sick leave, as an example, has seriously stymied the ability of lower-income workers to actually keep themselves apart from others while they wait for diagnoses and, if positive, recover from their infections.
To be fair, the Toronto Star and other outlets have covered paid sick leave issues, along with lots of other failures by the provincial government in its handling of the pandemic. And there is certainly some obligation on individuals to best adhere to public health advice. But we’ve long known these are collective action problems: there is a need to move beyond downloading responsibility to individuals and for governments to behave effectively, coherently, and accountably throughout major crises. The provincial government has failed, and continues to fail, on every one of these measures to the effect that individuals are responding to the past, present, and expected future actions of the government: more unpredictability and more restrictions on their daily lives as a result of government ineptitude.
Whereas the journalists could have cast what Ontarians are doing as a semi-natural response to the aforementioned government failings, instead those individuals are being castigated. We shouldn’t be blaming the victims of the pandemic, but I guess that’s what happens when assessing mobility data.
But if the operator is O’Hanlon and not Verizon — that identity is compromised. “The IMSI is revealed during this interchange, during the early stages of the conversation. It’s not encrypted,” he says.
This type of activity is called passive monitoring, because it doesn’t require a specific active attack or malware. It only works in some cases, however.
O’Hanlon also developed a couple active attacks that would get the job done, one involving masquerading as the operator’s endpoint where the Wi-Fi call is being directed, and another using a man-in-the-middle attack to intercept it.
Apple is the only company that has taken steps to mitigate the privacy and security risk, he says — they added additional security protocols when he brought up the issue over the summer. It was addressed in iOS 10, though there are still ways to get around the protections. But the problem is less with the companies and more with the way the connections were set up in the first place.
Yet another time that Apple has dedicated engineering resources to better protect their customers whereas their major competitor has declined to do so. And this wasn’t even an Apple or Google problem, per se, but a protocol level issue.
At its core, respecting the user means that, when designing or deploying an information system, the individual’s privacy rights and interests are accommodated right from the outset. User-centricity means putting the interests, needs, and expectations of people first, not those of the organization or its staff. This is key to delivering the next generation of retail experience because empowering people to play active roles in the management of their personal data helps to mitigate abuses and misuses. To this end, Aislelabs provides an opt out site that allows individuals to choose not to have their retail traffic data included in any anonymous analytics.
It’s incredible that any company – let alone a Canadian Privacy Commissioner – would claim that an opt-out mechanism for hidden and secretive tracking technologies (i.e. monitoring your mobile devices as you walk through the world so retailers can better sell you things) constitutes “putting the interests, needs, and expectations of people first, not those of the organization or its staff.” For such an assertion to be valid the ‘people’ should be given the opportunity to opt-in, not out, of a surveillance system that few will know about and fewer will understand. There are vast bodies of academic and industry literatures which show opt-out mechanisms generally do not work; they’re not effectively centralized and they add considerable levels of friction that hinder consumers’ abilities to express their actual interests. And that’s just fine for many retailers and analytics companies because they’re concerned with turning people into walking piggy banks, not with thinking of individuals as deserving any semblance of a reasonable expectation of privacy.
Android fragmentation is a very real problem; not only does it hinder software developers’ abilities to build and sell apps but it also raises security issues. In a recent report from Open Signal, we learn that 34.1% of Android users are using the 2.3.3–2.3.7 version of Android, whereas just 37.9% of users are using 4.x versions of the operating system, most of whom are themselves using a years-old version of Android. In effect, an incredibly large number of Android users are using very outdated versions of their mobile phone’s operating systems.
It’s easy to blame this versioning problem on the carriers. It’s even easier to blame the issue on the manufacturers. And both parties deserve blame. But perhaps not just for the reasons that they’re (rightly!) often crucified for: I want to suggest that the prevalence of 2.3.x devices in consumers’ hands might have as much to do with consumers not knowing how to update their devices, as it does with updates simply not being provided by carriers and manufacturers in the first place.
Earlier this month I spent some time with ‘normal’ gadget users: my family. One family member had a Samsung Galaxy S2…which was still using version 2.x of the Android operating system. Since February 2013, an operating system update has been available for the phone that would bring it up to Android version 4.1.2, but my family member neither knew nor cared that it was available.
They didn’t know about the update because they had received no explicit notice that an update was available, or at least didn’t recall being notified. To be clear, they hadn’t updated the phone even once since purchasing the device about two years ago, and there have been a series of updates to the operating system since purchase time.
The family member also didn’t care about there being an update, because they only used the phone for basic functions (e.g. texting, voice calls, the odd game, social networking). They’re not a gadget monkey and so didn’t know about any of the new functions incorporated into the updated Android operating system. And, while they appreciate some of the new functionality (e.g. Google Now) they wouldn’t have updated the device unless I had been there.
A key reason for having not updated their phone was the absolute non-clarity in how they were supposed to engage in this task: special software had to be downloaded from Samsung to be installed on their computer,[1] and then wouldn’t run because the phone’s battery had to possess at least a 50% charge,[2] and then it took about 3 hours because the phone couldn’t be updated to the most recent version of Android in one fell swoop. Oh, and there were a series of times when it wasn’t clear that the phone was even updating because the update notices were so challenging to understand that they could have been written in cipher-text.
Regardless of whether it was Rogers’, Samsung’s, Google’s, or the tooth fairy’s fault, it was incredibly painful to update the Android device. Painful to the point that there’s no reason why most people would know about the update process, and little reason for non-devoted Android users to bother with the hassle of updating if they knew what a pain in the ass it was going to be.
The current state of the Android OS ecosystem is depressing from a security perspective. But in addition to manufacturers and carriers often simply not providing updates, there is a further problem that Android’s OS update mechanisms are incredibly painful to use. Only after the significant security SNAFUs of Windows XP did Microsoft really begin to care about desktop OS security, and Google presently has a decent update mechanism for their own line of Nexus devices. What, exactly, is it going to take for mobile phone manufacturers (e.g. Samsung, HTC) and mobile phone carriers (e.g. Rogers, TELUS) to get their acts together and aggressively start pushing out updates to their subscribers? When are these parties going to ‘get’ that they have long-term duties and commitments to protect their subscribers and consumers?[3]
[1] In theory there is an over the air update system that should have facilitated a system update in a relatively painless way. Unfortunately, that system didn’t work at all and so Samsung’s software had to be used to receive the updates.
[2] Really, this made no sense. To update the device it had to be plugged into a computer; why, then, did the phone (which was charging because it was plugged into the computer) need to have a 50%+ charge?
[3] I actually have a few ideas on this that will, hopefully, start coming to fruition in the coming months, but I’m open to suggestions from the community.
But there was nothing extraordinary about what Verizon Wireless apparently did. Hundreds of thousands of times every year, cellphone companies turn over personal call records to law enforcement with neither a warning nor a judge’s involvement. Privacy activists said it’s no way for carriers to treat paying customers. They said they hope the AP controversy will force the big cell companies to change their ways.
“This is the phone companies putting the interest of law enforcement before their customers, and that’s wrong,” said Christopher Soghoian, principal technologist for the American Civil Liberties Union. “None of them tell users. They all suck.”
I love just how direct Chris is these days when speaking with the press about the telcos and their utterly abhorrent practices.
The new Home app/UX/quasi-OS is deeply integrated into the Android environment. It takes an effort to shut it down, because Home’s whole premise is to be always on and be the dashboard to your social world. It wants to be the start button for apps that are on your Android device, which in turn will give Facebook a deep insight on what is popular. And of course, it can build an app that mimics the functionality of that popular, fast-growing mobile app. I have seen it done before, both on other platforms and on Facebook.
But there is a bigger worry. The phone’s GPS can send constant information back to the Facebook servers, telling it your whereabouts at any time.
(…)
And most importantly it is Facebook, a company that is known to have played loose-and-easy with consumer privacy and data since its very inception, asking for forgiveness whenever we caught them with its hand in the cookie jar. I don’t think we can be that forgiving or reactive with Facebook on mobile.