Cracked Labs reports: In recent years, a wide range of companies has started to monitor, track and follow people in virtually every aspect of their lives. The behaviors, movements, social relationships, interests, weaknesses and most private moments of billions are now constantly recorded, evaluated and analyzed in real-time. The exploitation of personal information has become a multi-billion industry. Yet only the tip of the iceberg of today’s pervasive digital tracking is visible; much of it occurs in the background and remains opaque to most of us.
This report by Cracked Labs examines the actual practices and inner workings of this personal data industry. Based on years of research and a previous 2016 report, the investigation shines light on the hidden data flows between companies. It maps the structure and scope of today’s digital tracking and profiling ecosystems and explores relevant technologies, platforms and devices, as well as key recent developments.
While the full report is available as PDF download, this web publication presents a ten part overview. [Continue reading…]
Using texts as lures, Mexican government spyware targets journalists and their families
The New York Times reports: Mexico’s most prominent human rights lawyers, journalists and anti-corruption activists have been targeted by advanced spyware sold to the Mexican government on the condition that it be used only to investigate criminals and terrorists.
The targets include lawyers looking into the mass disappearance of 43 students, a highly respected academic who helped write anti-corruption legislation, two of Mexico’s most influential journalists and an American representing victims of sexual abuse by the police. The spying even swept up family members, including a teenage boy.
Since 2011, at least three Mexican federal agencies have purchased about $80 million worth of spyware created by an Israeli cyberarms manufacturer. The software, known as Pegasus, infiltrates smartphones to monitor every detail of a person’s cellular life — calls, texts, email, contacts and calendars. It can even use the microphone and camera on phones for surveillance, turning a target’s smartphone into a personal bug.
The company that makes the software, the NSO Group, says it sells the tool exclusively to governments, with an explicit agreement that it be used only to battle terrorists or the drug cartels and criminal groups that have long kidnapped and killed Mexicans.
But according to dozens of messages examined by The New York Times and independent forensic analysts, the software has been used against some of the government’s most outspoken critics and their families, in what many view as an unprecedented effort to thwart the fight against the corruption infecting every limb of Mexican society. [Continue reading…]
How Trump exposes himself to foreign surveillance on a regular basis
ProPublica reports: Two weeks ago, on a sparkling spring morning, we went trawling along Florida’s coastal waterway. But not for fish.
We parked a 17-foot motor boat in a lagoon about 800 feet from the back lawn of The Mar-a-Lago Club in Palm Beach and pointed a 2-foot wireless antenna that resembled a potato gun toward the club. Within a minute, we spotted three weakly encrypted Wi-Fi networks. We could have hacked them in less than five minutes, but we refrained.
A few days later, we drove through the grounds of the Trump National Golf Club in Bedminster, New Jersey, with the same antenna and aimed it at the clubhouse. We identified two open Wi-Fi networks that anyone could join without a password. We resisted the temptation.
We have also visited two of President Donald Trump’s other family-run retreats, the Trump International Hotel in Washington, D.C., and a golf club in Sterling, Virginia. Our inspections found weak and open Wi-Fi networks, wireless printers without passwords, servers with outdated and vulnerable software, and unencrypted login pages to back-end databases containing sensitive information.
The risks posed by the lax security, experts say, go well beyond simple digital snooping. Sophisticated attackers could take advantage of vulnerabilities in the Wi-Fi networks to take over devices like computers or smart phones and use them to record conversations involving anyone on the premises.
“Those networks all have to be crawling with foreign intruders, not just ProPublica,” said Dave Aitel, chief executive officer of Immunity, Inc., a digital security company, when we told him what we found. [Continue reading…]
Fight brews over push to shield Americans in warrantless surveillance
The New York Times reports: Obscured by the furor over surveillance set off by the investigations into possible Trump campaign coordination with Russia during the election, a major debate over electronic spying that defies the usual partisan factions is quietly taking shape in Congress.
The debate centers on the National Security Agency’s incidental eavesdropping on Americans via its warrantless surveillance program, which spies on foreigners abroad whose communications pass through American phone and internet services. Its legal basis, the FISA Amendments Act, is set to expire at the end of 2017.
A bipartisan coalition of privacy-minded lawmakers has started to circulate draft legislation that would impose new limits on the government’s ability to use incidentally gathered information about Americans who are in contact with foreign targets.
Many of those lawmakers are veterans of a fight two years ago over the U.S.A. Freedom Act, a law that ended an N.S.A. program that gathered Americans’ calling logs in bulk. They won that fight against security hawks because the statute on which the program was based, part of the Patriot Act, was expiring and they were unwilling to extend it without ending the bulk collection.
The privacy advocates in Congress are using that same lesson this time around, hoping to leverage their colleagues’ concerns that the program will lapse if they fail to extend the law.
But the intelligence and law enforcement communities and their allies in Congress appear determined to extend the warrantless surveillance program law, Section 702 of the FISA Amendments Act, without changes. They are framing the debate as being about a program that is too important to be held hostage to any push for changes, lest gridlock kill it. [Continue reading…]
NSA halts collection of Americans’ emails about foreign targets
The New York Times reports: The National Security Agency said Friday that it had halted one of the most disputed practices of its warrantless surveillance program, ending a once-secret form of wiretapping that dates to the Bush administration’s post-Sept. 11 expansion of national security powers.
The agency is no longer collecting Americans’ emails and texts exchanged with people overseas that simply mention identifying terms — like email addresses — for foreigners whom the agency is spying on, but are neither to nor from those targets.
The decision is a major development in American surveillance policy. Privacy advocates have argued that the practice skirted or overstepped the Fourth Amendment.
The change is unrelated to the surveillance imbroglio over the investigations into Russia and the Trump campaign, according to officials familiar with the matter. Rather, it stemmed from a discovery that N.S.A. analysts had violated rules imposed by the Foreign Intelligence Surveillance Court barring any searching for Americans’ information in certain messages captured through such wiretapping. [Continue reading…]
Susan Rice’s remarks on Trump surveillance
The Atlantic reports: Former National Security Advisor Susan Rice told MSNBC’s Andrea Mitchell Tuesday she did not spy on President Trump or members of his team for political purposes, and that she had not leaked information gleaned from intelligence reports about them.
But while she refused to confirm it directly, citing classified information, Rice seemed to imply she requested that members of the Trump team whose names were redacted in intelligence reports be “unmasked,” or identified, as a report Monday from Bloomberg View’s Eli Lake asserted. The stories focus on “incidental collection,” when an American is caught up in surveillance of a foreign target, in which case the American’s name is redacted but can legally be revealed at the request of certain officials, including the national security adviser.
“There were occasions when I would receive a report in which a U.S. person was referred to, name not provided,” Rice said. “Sometimes in that context in order to understand the significance of the report and assess its significance, it was necessary to request the information as to who that person was.”
For example, Rice said, if a hypothetical report dealt with an American trying to sell bomb-making equipment to foreigners, she would want to know whether the American was a “kook” or a credible person, in which case the report would be taken more seriously. She said any unmasking request had to run through an established intelligence-community protocol. Rice also said she never requested reports, but sometimes asked for unmasking in reports sent to her by intelligence officials. [Continue reading…]
GCHQ dismisses ‘utterly ridiculous’ claim it helped wiretap Trump
The Guardian reports: British intelligence officials have denied an allegation that the UK helped former president Barack Obama “wiretap” Donald Trump during the 2016 election.
The claim was repeated by the White House press secretary, Sean Spicer, on Thursday and dismissed as “utterly ridiculous” by a GCHQ spokesperson.
The spokesperson added in a statement: “Recent allegations made by media commentator judge Andrew Napolitano about GCHQ being asked to conduct ‘wiretapping’ against the then president-elect are nonsense. They are utterly ridiculous and should be ignored.”
This week, Napolitano, Fox News judicial analyst, claimed during an interview on the network that three intelligence sources confirmed to him that the Obama administration used GCHQ to spy on Trump so that there would be “no American fingerprints on this”.
Sean Spicer, the White House press secretary, quoted Napolitano’s allegation in an effort to validate Trump’s unfounded claim that Obama tapped his phones last year. [Continue reading…]
The Guardian reports: The Republican and Democratic leaders of the Senate intelligence committee have rubbished Donald Trump’s incendiary claim that Barack Obama placed Trump Tower under surveillance.
“Based on the information available to us, we see no indications that Trump Tower was the subject of surveillance by any element of the United States government either before or after election day 2016,” the Republican Richard Burr of North Carolina and the Democrat Mark Warner of Virginia said in a joint statement on Thursday.
Burr and Warner helm one of the congressional committees investigating ties to Russia by Trump’s associates. Those unfolding inquiries have expanded their focus to include Trump’s evidence-free accusation, made on Twitter on 4 March, that Obama ordered surveillance of his eventual successor.
Their counterparts on the House intelligence committee, the Republican Devin Nunes and the Democrat Adam Schiff, both of California, announced the same conclusion on Wednesday. [Continue reading…]
CNN reports: The White House has apologized to the British government after alleging that a UK intelligence agency spied on President Donald Trump at the behest of former President Barack Obama.
National security adviser H.R. McMaster spoke with his British counterpart on Thursday about press secretary Sean Spicer’s comment from the White House podium about a Fox News report that said British intelligence helped wiretap Trump Tower during the 2016 campaign, a White House official said Friday.
The official described the conversation as “cordial” where McMaster described Spicer’s comment as “unintentional.”
McMaster also told his counterpart that “their concerns were understood and heard and it would be relayed to the White House.”
The official said there were “at least two calls” from British officials on Thursday and that the British ambassador to the United States called Spicer to discuss the comment.
“Sean was pointing to the breadth of reporting, not endorsing any specific story,” the official said.
A senior administration official told CNN that Spicer and McMaster offered what amounted to an apology to the British government.
Earlier Friday, a spokesman for British Prime Minister Theresa May said senior UK officials had protested to the Trump administration after the claims were repeated by Spicer. [Continue reading…]
Republicans are threatening to expose Trump as the emperor with no clothes
Aaron Blake writes: It’s almost as though Republicans are tired of having President Trump’s evidence-free allegations laid at their feet. Almost.
Late Monday, a spokesman for House Intelligence Committee Chairman Devin Nunes (R-Calif.) threatened to subpoena the Trump administration to produce evidence of Trump’s claim that President Barack Obama wiretapped Trump Tower during the campaign. The White House has declined to produce this evidence publicly, offering various excuses, including the Constitution’s separation of powers and — most recently on Monday — arguing that Trump wasn’t speaking literally when he made the claim.
The Justice Department missed Nunes’s deadline to provide evidence Monday, which drew Nunes’s subpoena threat.
“If the committee does not receive a response, the committee will ask for this information during the March 20 hearing and may resort to a compulsory process if our questions continue to go unanswered,” Nunes spokesman Jack Langer said.
Then, on Tuesday, Sen. Lindsey O. Graham (R-S.C.) made his own threat. Last week, Graham — who is clearly skeptical of the wiretapping claim and chairs a subcommittee looking into it — asked the Justice Department and the FBI to provide copies of any warrants or court orders related to the alleged wiretapping. Having not received anything, Graham said Tuesday that he would announce his next steps Wednesday and may push for a special committee. [Continue reading…]
Reuters reports: A UK spy agency did not eavesdrop on Donald Trump during and after last year’s U.S. presidential election, a British security official said on Tuesday, denying an allegation by a U.S. television analyst.
The official, who is familiar with British government policy and security operations, told Reuters that the charge made on Tuesday by Fox News analyst Andrew Napolitano, was “totally untrue and quite frankly absurd.” [Continue reading…]
Don’t let WikiLeaks scare you off of Signal and other encrypted chat apps
Wired reports: Of all the revelations to come out of the 9,000-page data dump of CIA hacking tools, one of the most explosive is the possibility that the spy agency can compromise Signal, WhatsApp, and other encrypted chat apps. If you use those apps, let’s be perfectly clear: Nothing in the WikiLeaks docs says the CIA can do that.
A close reading of the descriptions of mobile hacking outlined in the documents released by WikiLeaks shows that the CIA has not yet cracked those invaluable encryption tools. That has done little to prevent confusion on the matter, something WikiLeaks itself contributed to with a carelessly worded tweet:
WikiLeaks #Vault7 confirms CIA can effectively bypass Signal + Telegram + WhatsApp + Confide encryption https://t.co/h5wzfrReyy
— WikiLeaks (@wikileaks) March 7, 2017
The end-to-end encryption protocols underpinning these private messaging apps protect all communications as they pass between devices. No one, not even the companies providing the service, can read or see that data while it is in transit. Nothing in the CIA leak disputes that. The underlying software remains every bit as trustworthy now as it was before WikiLeaks released the documents. [Continue reading…]
It ain’t easy getting a FISA warrant: I was an FBI agent and should know
Asha Rangappa writes: In his latest round of twiplash, President Trump on Saturday leveled a very serious accusation: that President Obama had personally ordered the “tapping” of telephone lines in Trump Tower in the months leading up to the November 2016 election. His tweets (scarily) reveal more about what he believes the office of the President is capable of than the reality of what the law allows. As someone who obtained FISA warrants while conducting counterintelligence investigations for the FBI, I can attest to the fact that they not only don’t involve the White House, but the process includes too many layers of approval to be granted without strong evidence.
There are two ways to obtain a wiretap – also known as electronic surveillance – on U.S. persons (citizens and permanent residents), and both include the courts. For criminal investigations, the FBI can seek a warrant under Title III of the U.S. criminal code by showing a federal court that there is probable cause to believe the target has engaged, or is engaging in, criminal activity. This is a fairly high standard because of a strong presumption in favor of our Fourth Amendment right to privacy, and requires a showing that less intrusive means of obtaining the same information aren’t feasible.
The standard for electronic surveillance for foreign intelligence purposes, though, is a little lower. This is because when it comes to national security, as opposed to criminal prosecutions, our Fourth Amendment rights are balanced against the government’s interest in protecting the country. The Foreign Intelligence Surveillance Act (FISA) allows the FBI to get a warrant from a secret court, known as the Foreign Intelligence Surveillance Court (FISC), to conduct electronic surveillance on U.S. persons if they can show probable cause that the target is an “agent of a foreign power” who is “knowingly engag[ing]…in clandestine intelligence activities.” In other words, the government has to show that the target might be spying for a foreign government or organization. [Continue reading…]
Obama opens NSA’s vast trove of warrantless data to entire Intelligence Community, just in time for Trump
The Intercept reports: With only days until Donald Trump takes office, the Obama administration on Thursday announced new rules that will let the NSA share vast amounts of private data gathered without warrant, court orders or congressional authorization with 16 other agencies, including the FBI, the Drug Enforcement Agency, and the Department of Homeland Security.
The new rules allow employees doing intelligence work for those agencies to sift through raw data collected under a broad, Reagan-era executive order that gives the NSA virtually unlimited authority to intercept communications abroad. Previously, NSA analysts would filter out information they deemed irrelevant and mask the names of innocent Americans before passing it along.
The change was in the works long before there was any expectation that someone like Trump might become president. The last-minute adoption of the procedures is one of many examples of the Obama administration making new executive powers established by the Bush administration permanent, on the assumption that the executive branch could be trusted to police itself. [Continue reading…]
The IP Act: UK’s most extreme surveillance law
Jim Killock writes: The Investigatory Powers Act will come into force at the start of 2017, and will cement ten years of illegal surveillance into law.
It includes state powers to intercept bulk communications and collect vast amounts of communications data and content. The security and law enforcement agencies – including government organisations such as HMRC (Her Majesty’s Revenue and Customs) – can hack into devices of people in the UK.
Under this law, the intelligence agencies can use bulk hacking powers to hack devices and networks outside the UK. They can also access and analyse entire databases, whether they are held by private companies or public organisations – even though they have admitted that most people on them will not be suspected of any crimes.
One of the new and most intrusive powers is that Internet Service Providers (ISPs) can be compelled to collect a record of our web browsing activity and this can be accessed by the police and 48 government departments, including the Food Standards Agency and the HMRC. [Continue reading…]
‘Extreme surveillance’ becomes UK law with barely a whimper
The Guardian reports: A bill giving the UK intelligence agencies and police the most sweeping surveillance powers in the western world has passed into law with barely a whimper, meeting only token resistance over the past 12 months from inside parliament and barely any from outside.
The Investigatory Powers Act, passed on Thursday, legalises a whole range of tools for snooping and hacking by the security services unmatched by any other country in western Europe or even the US.
The security agencies and police began the year braced for at least some opposition, rehearsing arguments for the debate. In the end, faced with public apathy and an opposition in disarray, the government did not have to make a single substantial concession to the privacy lobby.
US whistleblower Edward Snowden tweeted: “The UK has just legalised the most extreme surveillance in the history of western democracy. It goes further than many autocracies.” [Continue reading…]
UK security agencies unlawfully collected data for 17 years, court rules
The Guardian reports: British security agencies have secretly and unlawfully collected massive volumes of confidential personal data, including financial information, on citizens for more than a decade, senior judges have ruled.
The investigatory powers tribunal, which is the only court that hears complaints against MI5, MI6 and GCHQ, said the security services operated an illegal regime to collect vast amounts of communications data, tracking individual phone and web use and other confidential personal information, without adequate safeguards or supervision for 17 years.
Privacy campaigners described the ruling as “one of the most significant indictments of the secret use of the government’s mass surveillance powers” since Edward Snowden first began exposing the extent of British and American state digital surveillance of citizens in 2013.
The tribunal said the regime governing the collection of bulk communications data (BCD) – the who, where, when and what of personal phone and web communications – failed to comply with article 8 protecting the right to privacy of the European convention of human rights (ECHR) between 1998, when it started, and 4 November 2015, when it was made public. [Continue reading…]
Yahoo secretly scanned customer emails for U.S. intelligence
Reuters reports: Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.
The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events.
Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to an intelligence agency’s request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.
It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified.
Reuters was unable to determine what data Yahoo may have handed over, if any, and if intelligence officials had approached other email providers besides Yahoo with this kind of request.
According to two of the former employees, Yahoo Chief Executive Marissa Mayer’s decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc. [Continue reading…]
The Wall Street Journal reports: Big technology companies, including Google, Microsoft Corp., Twitter Inc. and Facebook Inc. denied scanning incoming user emails on behalf of the U.S. government, following a report that Yahoo Inc. had built such a system. [Continue reading…]
Some British taxi drivers being trained to spy on passengers
Middle East Eye reports: Taxi drivers in the UK are being trained to become the “eyes and ears” of local authorities and police in the hunt for potential terrorists as part of safeguarding schemes being rolled out across the country.
Drivers in several British towns and cities are receiving Prevent counter-terrorism training as part of mandatory “knowledge” tests introduced by local councils.
One flagship scheme, run by Calderdale Council in West Yorkshire, northern England, was considered so successful that councillors discussed extending it to staff working in takeaway food outlets and bars.
Manchester City Council also incorporated Prevent awareness into a safeguarding handbook issued to taxi drivers last year, while Dartford Borough Council in Kent is among the latest to introduce Prevent training as part of its safeguarding requirements for taxi drivers.
But taxi industry organisations and trade unions have raised concerns about the training which they say is being introduced in a piecemeal and inconsistent way across the country and risks creating an “air of suspicion” within communities.
Critics of Prevent also questioned the legality of the training and accused the Government of seeking to turn the UK into a “counter-terrorism state” in which citizens were expected to spy on each other. [Continue reading…]
It’s time to pardon Edward Snowden
Kenneth Roth and Salil Shetty write: Edward J. Snowden, the American who has probably left the biggest mark on public policy debates during the Obama years, is today an outlaw. Mr. Snowden, a former National Security Agency contractor who disclosed to journalists secret documents detailing the United States’ mass surveillance programs, faces potential espionage charges, even though the president has acknowledged the important public debate his revelations provoked.
Mr. Snowden’s whistle-blowing prompted reactions across the government. Courts found the government wrong to use Section 215 of the Patriot Act to justify mass phone data collection. Congress replaced that law with the USA Freedom Act, improving transparency about government surveillance and limiting government power to collect certain records. The president appointed an independent review board, which produced important reform recommendations.
That’s just in the American government. Newspapers that published Mr. Snowden’s revelations won the Pulitzer Prize. The United Nations issued resolutions on protecting digital privacy and created a mandate to promote the right to privacy. Many technology companies, facing outrage at their apparent complicity in mass surveillance, began providing end-to-end encryption by default. Three years on, the news media still refer to Mr. Snowden and his revelations every day. His actions have brought about a dramatic increase in our awareness of the risks to our privacy in the digital age — and to the many rights that depend on privacy.
Yet President Obama and the candidates to succeed him have emphasized not Mr. Snowden’s public service but the importance of prosecuting him. Hillary Clinton has said Mr. Snowden shouldn’t be brought home “without facing the music.” Donald J. Trump has said, “I think he’s a total traitor and I would deal with him harshly.”
Eric H. Holder Jr. struck a more measured tone in May, upon leaving office as Mr. Obama’s attorney general. He recognized that while Mr. Snowden broke the law, “he actually performed a public service” by raising the national debate on surveillance practices. [Continue reading…]
How spy tech firms let governments see everything on a smartphone
The New York Times reports: Want to invisibly spy on 10 iPhone owners without their knowledge? Gather their every keystroke, sound, message and location? That will cost you $650,000, plus a $500,000 setup fee with an Israeli outfit called the NSO Group. You can spy on more people if you would like — just check out the company’s price list.
The NSO Group is one of a number of companies that sell surveillance tools that can capture all the activity on a smartphone, like a user’s location and personal contacts. These tools can even turn the phone into a secret recording device.
Since its founding six years ago, the NSO Group has kept a low profile. But last month, security researchers caught its spyware trying to gain access to the iPhone of a human rights activist in the United Arab Emirates. They also discovered a second target, a Mexican journalist who wrote about corruption in the Mexican government.
Now, internal NSO Group emails, contracts and commercial proposals obtained by The New York Times offer insight into how companies in this secretive digital surveillance industry operate. The emails and documents were provided by two people who have had dealings with the NSO Group but would not be named for fear of reprisals.
The company is one of dozens of digital spying outfits that track everything a target does on a smartphone. They aggressively market their services to governments and law enforcement agencies around the world. The industry argues that this spying is necessary to track terrorists, kidnappers and drug lords. The NSO Group’s corporate mission statement is “Make the world a safe place.”
Ten people familiar with the company’s sales, who refused to be identified, said that the NSO Group has a strict internal vetting process to determine who it will sell to. An ethics committee made up of employees and external counsel vets potential customers based on human rights rankings set by the World Bank and other global bodies. And to date, these people all said, NSO has yet to be denied an export license.
But critics note that the company’s spyware has also been used to track journalists and human rights activists.
“There’s no check on this,” said Bill Marczak, a senior fellow at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. “Once NSO’s systems are sold, governments can essentially use them however they want. NSO can say they’re trying to make the world a safer place, but they are also making the world a more surveilled place.” [Continue reading…]