Link

In western China, thought police instill fear

From the Associated Press:

Southern Xinjiang, where Korla is located, is one of the most heavily policed places on earth.

In Hotan, police depots with flashing lights and foot patrols are set up every 500 meters. Motorcades of more than 40 armored vehicles rumble down city boulevards. Police checkpoints on every other block stop cars to check identification and smartphones for religious content.

Xinjiang’s published budget data shows public security spending this year is on track to increase 50 percent from 2016 to roughly 45 billion yuan ($6.8 billion) after rising 40 percent a year ago. It’s quadrupled since 2009, when a Uighur riot broke out in Urumqi, killing nearly 200 people.

But much of the policing goes unseen.

Shoppers entering the Hotan bazaar must pass through metal detectors and place their national identification cards on a reader while having their faces scanned. AP reporters were stopped outside a hotel by a police officer who said the public security bureau had been remotely tracking the reporters’ movements by watching surveillance camera footage.

The government’s tracking efforts have extended to vehicles, genes and even voices. A biometric data collection program appears to have been formalized last year under “Document No. 44,” a regional public security directive to “comprehensively collect three-dimensional portraits, voiceprints, DNA and fingerprints.” The document’s full text remains secret, but the AP found at least three contracts referring to the 2016 directive in recent purchase orders for equipment such as microphones and voice analyzers.

The extent of the of technical and human surveillance, and punishments that are meted out for failing to adequately monitor family members and friends, is horrifying.1 And while the surveillance undertaken in this area of China is particularly severe, the kinds of monitoring that occur in China is more extensive and ever-present throughout the country than many people who haven’t travelled into China can appreciate. The Chinese surveillance infrastructure is the kind of apparatus that exists to sustain itself, first and foremost, by ensuring that contrary ideologies and philosophies are threatened and — where possible — rendered impotent by way of threats and fear.

  1. While much of the contemporary surveillance is now provided by Chinese-based companies it’s worth remembering that, historically, this equipment was sold by Western companies.
Link

How to protect yourself (and your phone) from surveillance

I understand what the person interviewed for this article is suggesting: smartphones are incredibly good at conducting surveillance of where a person is, whom they speak with, etc. But proposing that people do the following (in order) can be problematic:

  1. Leave their phones at home when meeting certain people (such as when journalists are going somewhere to speak with sensitive sources);
  2. Turn off geolocation, Bluetooth, and Wi-fi;
  3. Disable the ability to receive phone calls by setting the phone to Airplane mode;
  4. Use strong and unique passwords;
  5. And carefully evaluate whether or not to use fingerprint unlocks;

Number 1. is something that investigative journalists already do today when they believe that a high level of source confidentiality is required. I know this from working with, and speaking to, journalists over the past many years. The problem is when those journalists are doing ‘routine’ things that they do not regard as particularly sensitive: how, exactly, is a journalist (or any other member of society) to know what a government agency has come to regard as sensitive or suspicious? And how can a reporter – who is often running several stories simultaneously, and perhaps needs to be near their phone for other kinds of stories they’re working on – just choose to abandon their phone elsewhere on a regular basis?

Number 2 makes some sense, especially if you: a) aren’t going to be using any services (e.g. maps to get to where you’re going); b) attached devices (e.g. Bluetooth headphones, fitness trackers); c) don’t need quick geolocation services. But for a lot of the population they do need those different kinds of services and thus leaving those connectivity modes ‘on’ makes a lot of sense.

Number 3 makes sense as long as you don’t want to receive any phone calls. So, if you’re a journalist, so long as you never, ever, expect someone to just contact you with a tip (or you’re comfortable with that going to another journalist if your phone isn’t available) then that’s great. While a lot of calls are scheduled calls that certainly isn’t always the case.

Number 4 is a generally good idea. I can’t think of any issues with it, though I think that a password manager is a great idea if you’re going to have a lot of strong and unique passwords. And preferably a manager that isn’t tied to any particular operating system so you can move between different phone and computer manufacturers.

Number 5 is…complicated. Fingerprint readers facilitate the use of strong passwords but can also be used to unlock a device if your finger is pressed to a device. And if you add multiple people to the phone’s list of who can decrypt the device then you’re dealing with additional (in)security vectors. But for most people the concern is that their phone is stolen, or accessed by someone with physical access to the device. And against those threat models a fingerprint reader with a longer password is a good idea.

Link

How a Facial Recognition Mismatch Can Ruin Your Life

Via The Intercept:

“As an analytical scientist, whenever someone gives me absolute certainty, my red flag goes up,” said Jason Latham, who worked as a biochemist prior to becoming a forensic scientist and certified video examiner. “When I came from analytical sciences to forensic sciences, I was like some of these guys are not scientists. They are voodoo witchcraft.”

Forensic reports generally provide few details about the methods they use to arrive at points of similarity. But in Talley’s case, the FBI examiner’s report displayed a high degree of certainty. George Reis, a facial examiner who has testified more than 50 times for state, federal, and military courts throughout the country on forensic visual comparisons, pointed out that the report on Talley’s case was vague. “It is generally considered best practice to be specific in reports and to point out features of similarity, as well as differences, in any comparison illustration or chart,” Reis noted. “In the Talley case no such markings exist. The video frames that were used in the FBI illustration were of poor quality and limited value.”

Facial recognition: sorta fun if you’re using it for commercial stuff like tagging your friends, but really dangerous if its part of what is used to convict persons for crimes they’re alleged to have committed.

Link

RCMP is overstating Canada’s ‘surveillance lag’ | Toronto Star

From a piece that I wrote with Tamir Israel for the Toronto Star:

The RCMP has been lobbying the government behind the scenes for increased surveillance powers on the faulty premise that their investigative powers are lagging behind those foreign police services.

The centrepiece of the RCMP’s pitch is captured in an infographic that purports to show foreign governments are legislating powers that are more responsive to investigative challenges posed by the digital world. On the basis of this comparison, the RCMP appears to have convinced the federal government to transform a process intended to curb the excesses of Bill C-51 into one dominated by proposals for additional surveillance powers.

The RCMP’s lobbying effort misleadingly leaves an impression that Canadian law enforcement efforts are being confounded by digital activities.

An Op-ed that I published with a colleague of mine, Tamir Israel, earlier this week that calls out the RCMP for deliberately misleading the public with regards to government agencies’ existing surveillance powers and capabilities.

Link

Hackers and Law Enforcement Could Hijack Wi-Fi Connections to Track Cellphones

From The Intercept:

But if the operator is O’Hanlon and not Verizon — that identity is compromised. “The IMSI is revealed during this interchange, during the early stages of the conversation. It’s not encrypted,” he says.

This type of activity is called passive monitoring, because it doesn’t require a specific active attack or malware. It only works in some cases, however.

O’Hanlon also developed a couple active attacks that would get the job done, one involving masquerading as the operator’s endpoint where the Wi-Fi call is being directed, and another using a man-in-the-middle attack to intercept it.

Apple is the only company that has taken steps to mitigate the privacy and security risk, he says — they added additional security protocols when he brought up the issue over the summer. It was addressed in iOS 10, though there are still ways to get around the protections. But the problem is less with the companies and more with the way the connections were set up in the first place.

Yet another time that Apple has dedicated engineering resources to better protect their customers whereas their major competitor has declined to do so. And this wasn’t even an Apple or Google problem, per se, but a protocol level issue.

Link

Privacy experts fear Donald Trump accessing global surveillance network

Thomas Drake, an NSA whistleblower who predated Snowden, offered an equally bleak assessment. He said: “The electronic infrastructure is fully in place – and ex post facto legalised by Congress and executive orders – and ripe for further abuse under an autocratic, power-obsessed president. History is just not kind here. Trump leans quite autocratic. The temptations to use secret NSA surveillance powers, some still not fully revealed, will present themselves to him as sirens.”

Bush and Cheney functionally authorized the NSA to undertake unlawful operations and actively sought to hinder authorizing courts from understanding what was going on. At the same time, that administration established black sites and novel detention rules for persons kidnapped by the CIA from around the world.

Obama and Biden developed legal theories that were accompanied by authorizing legislation to make the NSA’s previously unlawful activities lawful. The Obama presidency also failed to close Gitmo or convince the American public that torture should be forbidden or that criminal (as opposed to military) courts are the appropriate ways of dealing with suspected terror suspects. And thoughout the NSA deliberately misled and lied to its authorizing court, the CIA deliberately withheld documents from investigators and spied on those working for the intelligence oversight committees, and the FBI continued to conceal its own surveillance operations as best it could.

There are a lot of things to be worried about when it comes to the United States’ current trajectory. But one of the more significant items to note is that the most sophisticated and best financed surveillance and policing infrastructure in the world is going to be working at the behest of an entirely unproven, misogynistic, racist, and bigoted president.

It’s cause to be very, very nervous for the next few years.