This week we start with a story that we’ve had to reread three times because it was just so unbelievable.
We stick to phones in a global round-up of details on another scheme to compromise you through it, advice from the Australian government as to what to do with it, and who’s going to court for selling data from it.
We discover a programmer who has just come up with a brilliant Chat GPT interface for an operating system that might be at the bottom of your mothers’ closet.
We finish off the week with another list of what Americans hate, and you might be surprised to see what’s topping it out.
There’s never a dull moment in the realms of IT privacy and security and this week is no exception so flip up your hoodie, grab your phone, start the camera app, and let’s go!
US: LexisNexis Is Selling Your Personal Data To ICE So It Can Try To Predict Crimes
The legal research and public records data broker LexisNexis are providing U.S. Immigration and Customs Enforcement with tools to target people who may potentially commit a crime – before any actual crime takes place, according to a contract document obtained by The Intercept.
LexisNexis then allows ICE to track the purported pre-criminals’ movements.
The unredacted contract overview provides a rare look at the controversial $16.8 million agreement between LexisNexis and ICE, a federal law enforcement agency whose surveillance of and raids against migrant communities are widely criticized as brutal, unconstitutional, and inhumane.
“The purpose of this program is mass surveillance at its core,” said Julie Mao, an attorney, and co-founder of Just Futures Law, which is suing LexisNexis over allegations it illegally buys and sells personal data.
Mao told The Intercept the ICE contract document, which she reviewed for The Intercept, is “an admission and indication that ICE aims to surveil individuals where no crime has been committed and no criminal warrant or evidence of probable cause.”
While the company has previously refused to answer any questions about precisely what data it’s selling to ICE or to what end, the contract overview describes LexisNexis software as not simply a giant bucket of personal data, but also a sophisticated analytical machine that purports to detect suspicious activity and scrutinize migrants – including their locations.
The document, a “performance of work statement” made by LexisNexis as part of its contract with ICE, was obtained by journalist Asher Stockler through a public records request and shared with The Intercept.
LexisNexis Risk Solutions, a subsidiary of LexisNexis’s parent company, inked the contract with ICE, a part of the Department of Homeland Security, in 2021.
The document reveals that over 11,000 ICE officials, including within the explicitly deportation-oriented Enforcement and Removal Operations branch, were using LexisNexis as of 2021.
“This includes supporting all aspects of ICE screening and vetting, lead development, and criminal analysis activities,” the document says. In practice, this means ICE is using software to “automate” the hunt for suspicious-looking blips in the data, or links between people, places, and property.
It is unclear how such blips in the data can be linked to immigration infractions or criminal activity, but the contract’s use of the term “automate” indicates that ICE is to some extent letting computers make consequential conclusions about human activity. The contract further notes that the LexisNexis analysis includes “identifying potentially criminal and fraudulent behavior before crime and fraud can materialize.”
(ICE did not respond to a request for comment.)
“LexisNexis Risk Solutions prides itself on the responsible use of data, and the contract with the Department of Homeland Security encompasses only data allowed for such uses,” said LexisNexis spokesperson Jennifer Richman.
She says the company’s work with ICE doesn’t violate the law or federal policy.
So what’s the upshot for you? We report a lot of unbelievable stories here, but even we did a triple-take on this story.
Global: Who’s taking your photo and with What?
1.81 trillion photos are taken worldwide every year, which equals 57,246 per second, or 5.0 billion per day.
By 2030, around 2.3 trillion photos will be taken every year.
According to Photutorial data, 1.2 trillion were taken worldwide in 2021 and 1.72 trillion in 2022.
The number will increase to 1.81 trillion in 2023.
By 2025, more than 2 trillion photos will be taken each year.
The average user has around 2,100 photos on their smartphone in 2023.
iOS smartphone users have approximately 2,400 photos on their phones, while Android users have around 1,900 photos on their phones.
The global pandemic reduced the number of images taken by 25% in 2020 and 20% in 2021.
By region, the number of photos taken by a smartphone user is led by the US: 20.2/day,
Asia-Pacific 15/day, Latin America 11.8/day, Africa 8.1/day, and Europe 4.9/day.
12.4 trillion photos have been taken throughout history.
By 2030, this number will increase to 28.6 trillion.
Users share the most images on WhatsApp: 6.9 billion per day.
1.3 billion images are shared on Instagram daily, with about 100 million in posts and more than 1 billion on stories and chats.
750 billion images are on the internet, which is only 6% of the total photos that were ever taken since most of the photos we take are never shared.
92.5% of photos are taken with smartphones and only 7% with cameras.
There are 136 billion images on Google Images.
By 2030, there will be 382 billion images on Google Images.
So what’s the upshot for you? Smile and say ”cheese”.
CA: SMishing is getting out of hand.
The United Parcel Service (UPS) says fraudsters have been harvesting phone numbers and other information from its online shipment tracking tool in Canada to send highly targeted SMS phishing (a.k.a. “smishing”) messages that spoofed UPS and other top brands.
The missives addressed recipients by name, included details about recent orders, and warned that those orders wouldn’t be shipped unless the customer paid an added delivery fee.
In a snail mail letter sent this month to Canadian customers, UPS Canada Ltd. said it is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered, and that it has been working with partners in its delivery chain to try to understand how the fraud was occurring.
“During that review, UPS discovered a method by which a person who searched for a particular package or misused a package lookup tool could obtain more information about the delivery, potentially including a recipient’s phone number,” the letter reads.
“Because this information could be misused by third parties, including potentially in a smishing scheme, UPS has taken steps to limit access to that information.”
The written notice says that UPS believes the data exposure “affected packages for a small group of shippers and some of their customers from February 1, 2022, to April 24, 2023.”
In a statement provided by Sandy Springs, Ga. based UPS said the company has been working with partners in the delivery chain to understand how that fraud was being perpetrated, as well as with law enforcement and third-party experts to identify the cause of this scheme and to put a stop to it.
“Law enforcement has indicated that there has been an increase in smishing impacting a number of shippers and many different industries,” reads an email from Brian Hughes, director of financial and strategy communications at UPS.
“Out of an abundance of caution, UPS is sending privacy incident notification letters to individuals in Canada whose information may have been impacted,” Hughes said.
“We encourage our customers and general consumers to learn about the ways they can stay protected against attempts like this by visiting the UPS Fight Fraud website.”
So what’s the upshot for you? We are seeing the incidence of Smishing going way up. Whether it’s through SMS or What’s App or Telegraph, be careful with messages you are not expecting and if possible use the desktop version of the app to check URLs before clicking on anything.
AU: Turn your phone off every night for five minutes, Australian PM tells residents
Australia’s prime minister, Anthony Albanese, has told residents they should turn their smartphones off and on again once a day as a cybersecurity measure – and tech experts agree.
Albanese said the country needed to be proactive to thwart cyber risks, as he announced the appointment of Australia’s inaugural national cybersecurity coordinator.
“We need to mobilize the private sector, we need to mobilize, as well, consumers,” the prime minister said on Friday.
"We all have a responsibility. Simple things, turn your phone off every night for five minutes.
For people watching this, do that every 24 hours, do it while you’re brushing your teeth or whatever you’re doing."
So what’s the upshot for you? The Australian government’s advice is not new.
In 2020, the United State’s National Security Agency issued best-practice guidelines for mobile device security, which included rebooting smartphones once a week to prevent hacking.
…And if you get in the habit of turning it off overnight you don’t get SMished while you are half asleep either.
Global: US Vendor Accused of Violating GDPR with its Reputation-Scoring of EU Citizens.
TeleSign, a U.S.-based fraud prevention company, has allegedly collected data from millions of EU citizens and processed it in the United States using automated tools without their knowledge.
The complaint “alleges that TeleSign is in violation of the GDPR’s provisions that ban use of automated profiling tools, as well as rules that require affirmative consent be given to process EU citizen’s data.”
The complaint was filed by Austrian privacy advocacy group noyb (noyb - European Center for Digital Rights is a non-profit organization based in Vienna, Austria), helmed by lawyer Max Schrems, and it doesn’t pull any punches in its claims that TeleSign, through its former Belgian parent company BICS, secretly collected data on cellphone users around the world.
That data, noyb alleges, was fed into an automated system that generates “reputation scores” that TeleSign sells to its customers, which includes TikTok, Salesforce, Microsoft and AWS, among others, for verifying the identity of a person behind a phone number and preventing fraud.
BICS, which acquired TeleSign in 2017, describes itself as “a global provider of international wholesale connectivity and interoperability services,” in essence operating as an interchange for various national cellular networks.
in 2021 Belgian telecom giant Proximus bought out BICS’ other shareholders, making it the sole owner of both the telecom interchange and TeleSign.
Per noyb, BICS operates in more than 200 countries around the world and “gets detailed information (e.g. the regularity of completed calls, call duration, long-term inactivity, range activity, or successful incoming traffic) [on] about half of the worldwide mobile phone users.” That data is regularly shared with TeleSign, noyb alleges, without any notification to the customers whose data is being collected and used.
“Your phone provider likely forwards data to BICS who then forwards it to TeleSign. TeleSign generates a ‘trust score’ about you and sells phone data to third parties like Microsoft, Salesforce or TikTok – without anyone being informed or giving consent,” Schrems said.
So what’s the upshot for you? noyb is seeking cessation of all data transfers from BICS to TeleSign, processing of said data, and is requesting deletion of all unlawfully transmitted data.
It’s also asking for Belgian data protection authorities to fine Proximus, which noyb said could reach as high as $257 million – a mere 4 percent of Proximus’s global turnover.
UK: Apple Joins Opposition in UK To Encrypted Message App Scanning
Apple has criticized powers in the UK’s Online Safety Bill that could be used to force encrypted messaging tools like iMessage, WhatsApp, and Signal to scan messages for child abuse material.
Its intervention comes as 80 organizations and tech experts have written to Technology Minister Chloe Smith urging a rethink on the powers. Apple told the BBC the bill should be amended to protect encryption. End-to-end encryption (E2EE) stops anyone but the sender and recipient from reading the message.
Police, the government, and some high-profile child protection charities maintain the tech – used in apps such as WhatsApp and Apple’s iMessage – prevents law enforcement and the firms themselves from identifying the sharing of child sexual abuse material.
But in a statement, Apple said: "End-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists, and diplomats. "It also helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches.
The Online Safety Bill poses a serious threat to this protection and could put UK citizens at greater risk. “Apple urges the government to amend the bill to protect strong end-to-end encryption for the benefit of all.”
So what’s the upshot for you? We agree with Apple and others. Backdooring encryption is effectively no encryption and no encryption is no privacy, something we all should have a right to.
EU: 3-Year Probe Into Encrypted Phones Led To Seizure of Hundreds of Tons of Drugs, Prosecutors Say
Investigations triggered by the cracking of encrypted phones three years ago have so far led to more than 6,500 arrests worldwide and the seizure of hundreds of tons of drugs, French, Dutch, and European Union prosecutors said Tuesday.
The announcement underscored the staggering scale of criminality – mainly drugs and arms smuggling and money laundering – that was uncovered as a result of police and prosecutors effectively listening in to criminals using encrypted EncroChat phones.
“It helped to prevent violent attacks, attempted murders, corruption, and large-scale drug transports, as well as obtain large-scale information on organized crime,” European Union police and judicial cooperation agencies Europol and Eurojust said in a statement.
The French and Dutch investigation gained access to more than 115 million encrypted communications between some 60,000 criminals via servers in the northern French town of Roubaix, prosecutors said at a news conference in the nearby city of Lille.
As a result, 6,558 suspects have been arrested worldwide, including 197 “high-value targets.” Seized drugs included 30.5 million pills, 103.5 metric tons (114 tons) of cocaine, 163.4 metric tons (180 tons) of cannabis, and 3.3 metric tons (3.6 tons) of heroin.
The investigations also led to nearly 740 million euros ($809 million) in cash being recovered and assets or bank accounts worth another 154 million euros ($168 million) frozen.
So what’s the upshot for you? Police announced in 2020 they had cracked the encryption of EncroChat phones and effectively listened in on criminal gangs.
EncroChat sold phones for around 1,000 euros ($1,094) worldwide and offered subscriptions with global coverage for 1,500 euros ($1,641) per six months.
The devices were marketed as offering complete anonymity and were said to be untraceable and easy to erase if a user was arrested.
French law enforcement authorities launched investigations into the company operating EncroChat in 2017.
The probe led to a device being installed that was able to evade the phones’ encryption and gain access to users’ communications.
UK: Why is it so rare to hear about Western cyber-attacks?
From his desk overlooking the Moscow Canal, the cyber-security worker watched as strange pings began to register on the company wi-fi network.
Dozens of staff mobile phones were simultaneously sending information to strange parts of the internet.
But this was no ordinary company.
This was Russia’s biggest cyber company Kaspersky, investigating a potential attack on its own employees.
After painstaking analysis of “several dozen” infected iPhones, Igor realized their hunch had been right - they had indeed unearthed a large sophisticated surveillance-hacking campaign against their own staff.
The type of attack they had found is the stuff of nightmares for cyber defenders.
The hackers had invented a way to infect iPhones simply by sending an iMessage that automatically deletes itself once the malicious software is injected into the device.
“Wham, you’re infected - and you don’t even see it,” Igor says.
On the same day, Kaspersky announced its discovery, Russian security services put out an urgent bulletin saying they had “uncovered a reconnaissance operation by American intelligence services carried out using Apple mobile devices”.
Only last month, the US government issued a joint announcement with Microsoft - Chinese government hackers had been found lurking inside energy networks in US territories.
And this announcement was swiftly and predictably followed by a chorus of agreement from America’s allies in cyber-space - the UK, Australia, Canada, and New Zealand - known as the Five Eyes.
China’s response was a rapid denial saying the story was all part of a “collective disinformation campaign” from the Five Eyes countries.
Chinese Foreign Ministry official Mao Ning added China’s regular response: “The fact is the United States is the empire of hacking.”
So what’s the upshot for you? Why is it so rare to hear about Western attacks in Western countries? If you are reading this in a “Western” country, what sort of public relations exercise would that be?
Unknown: Get Chat GPT on your Windows 3.1 machine!
Even the hard-core security boffins who put this update together had to laugh at this one.
A developer has taken the time to write an interface for ChatGPT that runs on Windows 3.1. the 31-year-old operating system from Microsoft.
Obviously, as you crank up that old Windows box we’d like to remind you that you have almost no security on that system, nor with the interface to ChatGPT will you have any privacy, but if you are curious and cleaning your closets out anyway, you might want to try this, just before you remove the hard disk, smash it with a hammer, and throw the whole thing away;
The author, who wishes to remain anonymous left this on the Hacker News website:
"Hey HN, I didn’t want my Gateway 4DX2-66 from 1993 to be left out of the AI revolution, so I built an AI Assistant for Windows 3.1, based on the OpenAI API.
The most interesting parts of building this were:
Getting TLS 1.2 and 1.3 working on Windows 3.1 so that WinGPT could directly connect to OpenAI’s server without relying on a modern machine for TLS termination.
Learning about the memory segmentation architecture on 16-bit Windows, including the difference between far and near pointers.
Building the UI in plain C code with the Windows API and limited selection of controls in Windows 3.1."
So what’s the upshot for you? You have to have a lot of spare time on your hands to be engineering new projects for Windows 3.1. Just saying.
Global: DuckDuckGo Browser Beta for Windows
Privacy-focused firm DuckDuckGo has released a public beta of its browser for Windows, offering more default privacy protections and an assortment of Duck-made browsing tools.
Like its Mac browser, DuckDuckGo (DDG) uses “the underlying operating system rendering API” rather than its own forked browser code.
That’s “a Windows WebView2 call that utilizes the Blink rendering engine underneath,” according to DuckDuckGo’s blog post.
Fittingly, the browser reports itself as Microsoft Edge at most header-scanning sites. Inside the DuckDuckGo browser, you’ll find:
- Duck Player, which shows (most) YouTube videos “without privacy-invading ads” and doesn’t feed your recommendations
- Tracker blocking that DDG cites as “above and beyond” other browsers, including third-party tracker loading
- Enforced encryption
- The “fire button” that instantly closes all tabs and clears website data
- Cookie pop-up management, automatically selecting a private option and hiding “I accept” pop-ups
- Email protection, making it easier to use an auto-forwarding duck.com address on web forms
So what’s the upshot for you? This is good news.
We’d like to see a release candidate for Windows soon!
Mac users already have a version. https://duckduckgo.com/mac?ref=duckduckgo
US: Look Ma a New Smartwatch!"
Service members across the military have reported receiving smartwatches unsolicited in the mail.
These smartwatches, when used, have auto-connected to Wi-Fi and began connecting to cell phones unprompted, gaining access to a myriad of user data.
These smartwatches may also contain malware that would grant the sender access to saved data including banking information, contacts, and account information such as usernames and passwords.
Malware may be present which accesses both voice and cameras, enabling actors access to conversations and accounts tied to the smartwatches.
These products may also be used for Brushing.
This is the practice of sending products, often counterfeit, unsolicited to seemingly random individuals via mail in order to allow companies to write positive reviews in the receiver’s name allowing them to compete with established products.
What to do if you receive one of these devices:
DO NOT turn the device on.
Report it to your local counterintelligence (this was a US Army posting. In your case you might want to give it away or lose it.)
So what’s the upshot for you? Nice. They saw this model work during the Strava base reveal of 2018.
…so who would not want a wonderful smartwatch on their wrists?
Importantly for any wearer of one of these generally oddly named Chinese fitness watches, many have an app that relays your data to China for processing. You don’t want that.
US: Americans Hate ISPs Almost As Much As They Hate Gasoline Stations
Americans hate their internet service providers (ISPs) more than any other segment of the consumer economy – except gas (Petrol|Essence|Benzina) stations.
A fresh set of rankings from the American Consumer Satisfaction Index (ACSI) reveals that few consumers are happy with the way their ISP’s conduct business, preferring them only over trips to the pump in a list of 43 major industries.
The rankings come courtesy of the ACSI’s most recent telecommunications study, which the organization publishes annually.
The study covers subscription TV services, video streaming services, and ISPs of both the fiber and non-fiber variety.
Using interviews with 22,061 American consumers conducted between April 2022 and March 2023, this year’s telecommunications study investigates just how happy people are with their ISPs, then pits that data against that of several other industries.
This year, ISPs ranked lower than the endlessly frustrating automobile, banking, and health insurance industries, as well as 39 others that people tend to have an easier time with, such as breweries and athletic shoes.
There was only one industry that ranked lower than ISPs…
As much as Americans generally dislike the way ISPs manage hardware, pricing, customer service, outages, and more, they dislike gas (Petrol|Essence|Benzina) stations even more, giving the category a measly score of 65.
While the ACSI doesn’t share respondents’ reasoning (it’s a telecommunications study), it’s easy to see why consumers might not enjoy spending obscene money to fill their tanks at dusty roadside stops.
So what’s the upshot for you? This survey has obviously forgotten online mobile (cell) phone service providers and their mindless chatbots.
Please also remember that ISP and mobile (cell) service providers make almost as much money from selling you the service as they do selling on your browsing, purchasing, location, and phone habits.
And the quote of the week - “When you learn anything new, learn it as slowly as you can so that you can deliver it faster later.” — the No BS Watchmaker
That’s it for this week. Stay safe, stay secure, turn your phone off, and see you in se7en.