One of the things we learned from the Snowden documents is that the NSA conducts “about” searches. That is, searches based on activities and not identifiers. A normal search would be on a name, or IP address, or phone number. An about search would something like “show me anyone that has used this particular name in a communications,” or “show me anyone who was at this particular location within this time frame.” These searches are legal when conducted for the purpose of foreign surveillance, but the worry about using them domestically is that they are unconstitutionally broad. After all, the only way to know who said a particular name is to know what everyone said, and the only way to know who was at a particular location is to know where everyone was. The very nature of these searches requires mass surveillance.
The FBI does not conduct mass surveillance. But many US corporations do, as a normal part of their business model. And the FBI uses that surveillance infrastructure to conduct its own about searches. Here’s an arson case where the FBI asked Google who searched for a particular street address:
Homeland Security special agent Sylvette Reynoso testified that her team began by asking Google to produce a list of public IP addresses used to google the home of the victim in the run-up to the arson. The Chocolate Factory [Google] complied with the warrant, and gave the investigators the list. As Reynoso put it:
On June 15, 2020, the Honorable Ramon E. Reyes, Jr., United States Magistrate Judge for the Eastern District of New York, authorized a search warrant to Google for users who had searched the address of the Residence close in time to the arson.
The records indicated two IPv6 addresses had been used to search for the address three times: one the day before the SUV was set on fire, and the other two about an hour before the attack. The IPv6 addresses were traced to Verizon Wireless, which told the investigators that the addresses were in use by an account belonging to Williams.
Google’s response is that this is rare:
While word of these sort of requests for the identities of people making specific searches will raise the eyebrows of privacy-conscious users, Google told The Register the warrants are a very rare occurrence, and its team fights overly broad or vague requests.
“We vigorously protect the privacy of our users while supporting the important work of law enforcement,” Google’s director of law enforcement and information security Richard Salgado told us. “We require a warrant and push to narrow the scope of these particular demands when overly broad, including by objecting in court when appropriate.
“These data demands represent less than one per cent of total warrants and a small fraction of the overall legal demands for user data that we currently receive.”
Here’s another example of what seems to be about data leading to a false arrest.
According to the lawsuit, police investigating the murder knew months before they arrested Molina that the location data obtained from Google often showed him in two places at once, and that he was not the only person who drove the Honda registered under his name.
Avondale police knew almost two months before they arrested Molina that another man his stepfather sometimes drove Molina’s white Honda. On October 25, 2018, police obtained records showing that Molina’s Honda had been impounded earlier that year after Molina’s stepfather was caught driving the car without a license.
Data obtained by Avondale police from Google did show that a device logged into Molina’s Google account was in the area at the time of Knight’s murder. Yet on a different date, the location data from Google also showed that Molina was at a retirement community in Scottsdale (where his mother worked) while debit card records showed that Molina had made a purchase at a Walmart across town at the exact same time.
Molina’s attorneys argue that this and other instances like it should have made it clear to Avondale police that Google’s account-location data is not always reliable in determining the actual location of a person.
“About” searches might be rare, but that doesn’t make them a good idea. We have knowingly and willingly built the architecture of a police state, just so companies can show us ads. (And it is increasingly apparent that the advertising-supported Internet is heading for a crash.)
On Executive Order 12333
Mark Jaycox has written a long article on the US Executive Order 12333: “No Oversight, No Limits, No Worries: A Primer on Presidential Spying and Executive Order 12,333“:
Abstract: Executive Order 12,333 (“EO 12333”) is a 1980s Executive Order signed by President Ronald Reagan that, among other things, establishes an overarching policy framework for the Executive Branch’s spying powers. Although electronic surveillance programs authorized by EO 12333 generally target foreign intelligence from foreign targets, its permissive targeting standards allow for the substantial collection of Americans’ communications containing little to no foreign intelligence value. This fact alone necessitates closer inspection.
This working draft conducts such an inspection by collecting and coalescing the various declassifications, disclosures, legislative investigations, and news reports concerning EO 12333 electronic surveillance programs in order to provide a better understanding of how the Executive Branch implements the order and the surveillance programs it authorizes. The Article pays particular attention to EO 12333’s designation of the National Security Agency as primarily responsible for conducting signals intelligence, which includes the installation of malware, the analysis of internet traffic traversing the telecommunications backbone, the hacking of U.S.-based companies like Yahoo and Google, and the analysis of Americans’ communications, contact lists, text messages, geolocation data, and other information.
After exploring the electronic surveillance programs authorized by EO 12333, this Article proposes reforms to the existing policy framework, including narrowing the aperture of authorized surveillance, increasing privacy standards for the retention of data, and requiring greater transparency and accountability.
About Bruce Schneier
I am a public-interest technologist, working at the intersection of security, technology, and people. I’ve been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I’m a fellow and lecturer at Harvard’s Kennedy School and a board member of EFF. This personal website expresses the opinions of neither of those organizations.
An international study has used data from a major provider of home IP security cameras to evaluate potential privacy risks for users.
IP home security cameras are Internet-connected security cameras that can be installed in people’s homes and remotely monitored via the web. These cameras are growing in popularity and the global market is expected to reach $1.3 billion by 2023.
For the study, researchers from the Chinese Academy of Science and Queen Mary University of London tested if an attacker could infer privacy-compromising information about a camera’s owner from simply tracking the uploaded data passively without inspecting any of the video content itself.
Camera traffic can be monitored
The findings, published at the IEEE International Conference on Computer Communications, showed that the traffic generated by the cameras could be monitored by attackers and used to predict when a house is occupied or not.
The researchers even found that future activity in the house could be predicted based on past traffic generated by the camera, which could leave users more at risk of burglary by discovering when the house it unoccupied.
They confirmed that attackers could detect when the camera was uploading motion, and even distinguish between certain types of motion, such as sitting or running. This was done without inspecting the video content itself but, instead, by looking at the rate at which cameras uploaded data via the Internet.
“Once considered a luxury item, these cameras are now commonplace in homes worldwide. As they become more ubiquitous, it is important to continue to study their activities and potential privacy risks. Whilst numerous studies have looked at online video streaming, such as YouTube and Netflix, to the best of our knowledge, this is the first study which looks in detail at video streaming traffic generated by these cameras and quantifies the risks associated with them. By understanding these risks, we can now look to propose way to minimise the risks and protect user privacy,” said Dr Gareth Tyson, Senior Lecturer at Queen Mary University of London.
A series of creepy Ring camera intrusions, including one where a stranger sang to an 8-year-old child and said he was Santa Claus, may be linked through a forum and associated livestream podcast, a new report finds.
The cluster of hacks, first reported by local media outlets, have become national news in the past few days. In all the cases, some bad actor accessed indoor Ring cameras (not doorbells) and used them to harass, intimidate, or attempt to extort the residents.
One family in Florida suddenly heard racist commentary about their teenage son coming from their Ring camera on Sunday night. On Monday, someone yelled at a couple in Georgia to “wake up.” Another family, in Tennessee, heard a voice taunting their daughter through a camera in their kids’ room on Tuesday. And in Texas yesterday, someone tried to demand a ransom to exit the household camera system, telling the homeowners to pay 50 bitcoin (roughly $360,000).
In all the cases, the residents stopped the intrusions by unplugging or removing the batteries from their devices, successfully cutting off access to them.
In response to the incidents, Ring said it had not suffered any kind of breach or intrusion and urged subscribers not to use account credentials that could have been stolen in one of the thousands of other data breaches that happen in any given year. That’s excellent advice for all services, as far as it goes, as is enabling two-factor authentication on any service that supports it (which Ring does), particularly as cameras have been easy targets for years. In at least one instance, however, the camera owner said her Ring account used a specific passphrase she has not associated with any previous accounts.
Cheap tools for accessing Ring illicitly are plentiful and easy to get, reporters for Vice Motherboard found yesterday. The reporters also found a reason so many incidents using those tools are popping up all at once: the NulledCast.
The NulledCast is livestreamed on Discord, Motherboard explains, and it’s connected to the forum (also called Nulled) where the tools for accessing Ring cameras are sold and traded. Motherboard continues:
“Sit back and relax to over 45 minutes of entertainment,” an advertisement for the podcast posted to a hacking forum called Nulled reads. “Join us as we go on completely random tangents such as; Ring & Nest Trolling, telling shelter owners we killed a kitten, Nulled drama, and more ridiculous topics. Be sure to join our Discord to watch the shows live.”
Motherboard was able to see a message from a now-deleted thread saying, in part, “Hello everyone. As you probably have heard, I was featured on the news for a stunt I pulled,” apparently linked to one of the media reports. The national spotlight is, however, more attention than the Ring hackers apparently wanted to draw. Motherboard found that, since yesterday, posts in the forum relating to Ring hacking have apparently been deleted, as has some content from the Discord server.
As of Wednesday, members of the server insisted that the livestream would be continuing with another installment on Friday. Earlier this afternoon, however, Motherboard reporter Joseph Cox (no relation) said on Twitter that Discord banned the server and all its users. That said, the Internet being what it is, they are likely to pop up somewhere else before long.