Sowing the seeds of the IT Privacy and Security Weekly Update for the week ending March 28th, 2023


Daml’ers,

This week we kick off in Canada and finish in Norway.

In between, we hear why the big push to ban TikTok from our phones may be less effective than we think.

We get the inside scoop of a malaise that’s hitting Google, Meta, and Amazon… and through them you.

There’s an update on the surveillance state that will keep you in the picture literally from your driveway to the 2024 Olympics in Paris.

We get news on leaky AI and how much confidential data is being pushed into some of the online chatbots, and a way, perhaps, for that same AI to redeem itself and help you through tough job interviews and even tougher dates.


We take you around the world twice in this week’s update, and then we deliver you looking sharp, crisply dressed, and fully informed.

Grab a packet and let’s go sow some seeds.


US: TikTok Trackers Embedded in U.S. State-Government Websites, Review Finds

Toronto-based Feroot Security “found that so-called tracking pixels from the TikTok parent company were present in 30 U.S. state-government websites across 27 states,” reports the Wall Street Journal, “including some where the app has been banned from state networks and devices.”

The review was performed in January and February.

The presence of that code means that U.S. state governments around the country are inadvertently participating in a data-collection effort for a foreign-owned company, one that senior Biden administration officials and lawmakers of both parties have said could be harmful to U.S. national security and the privacy of Americans.

Administrators who manage government websites use such pixels to help measure the effectiveness of advertising they have purchased on TikTok…

The presence of the TikTok tracking code on government websites underlines the challenge for those who deem the China-owned app a potential data-security threat.

Lawmakers in both parties are considering a nationwide ban, but simply uprooting the app from U.S. smartphones wouldn’t stop all data-tracking activities…

So what’s the upshot for you? And finally, let’s put this into context: Feroot found that the average website it studied had more than 13 embedded pixels.

Google’s were far and away the most common, with 92% of websites examined having some sort of Google tracking pixel embedded.

About 50% of the websites the firm examined had Microsoft Corp. or Facebook pixels.

TikTok had a presence in less than 10% of the sites examined.

But effectively what this says is that banning the app from users’ phones still wouldn’t stop a huge amount of data from making its way to TikTok.
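As an added example (not from the newsletter or from Feroot’s review), here is a small Python audit in the spirit of that finding: it lists the third-party origins a page loads, including pixel loaders hidden in inline scripts, and groups them by vendor. The vendor host patterns and the sample page are assumptions constructed for the illustration, not an authoritative tracker list.

```python
"""Audit an HTML page for third-party tracking pixels and scripts.
Vendor host patterns below are assumptions for this illustration, not an
authoritative tracker list (added example, not the newsletter's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed vendor hostnames; a hit is an exact or subdomain match.
TRACKER_VENDORS = {
    "TikTok": ("analytics.tiktok.com",),
    "Google": ("googletagmanager.com", "google-analytics.com", "doubleclick.net"),
    "Meta": ("connect.facebook.net", "facebook.com"),
}
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")

class ResourceCollector(HTMLParser):
    """Records every URL the page would load, including ones built by inline JS."""
    TAGS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        attr = self.TAGS.get(tag)
        self.urls.extend(v.strip() for k, v in attrs if k == attr and v)
        self._in_script = self._in_script or tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # inline pixel loaders, e.g. s.src = "https://..."
            self.urls.extend(URL_RE.findall(data))

def vendor_for(host):
    """Return the vendor whose host pattern matches, or None."""
    for vendor, patterns in TRACKER_VENDORS.items():
        if any(host == p or host.endswith("." + p) for p in patterns):
            return vendor
    return None

def audit(html, site_host):
    """Map vendor -> sorted third-party hosts; unknown third parties land in 'other'."""
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()
    findings = {}
    for url in parser.urls:
        host = urlparse(url).hostname  # None for relative paths such as /static/x.css
        if not host or host == site_host or host.endswith("." + site_host):
            continue  # first-party resource
        findings.setdefault(vendor_for(host) or "other", set()).add(host)
    return {k: sorted(v) for k, v in findings.items()}

# Constructed sample page standing in for a state site served from example.gov.
SAMPLE_HTML = """<!doctype html><html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>!function(w,d){var s=d.createElement("script");
s.src="https://analytics.tiktok.com/i18n/pixel/events.js?sdkid=EXAMPLE";d.head.appendChild(s);}(window,document);</script>
<link rel="stylesheet" href="/static/site.css"></head><body>
<img src="/static/seal.png" alt="State seal">
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=EXAMPLE&amp;ev=PageView"></noscript>
<iframe src="https://maps.example-cdn.net/embed"></iframe><script src="//static.example.gov/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for vendor, hosts in audit(SAMPLE_HTML, "example.gov").items():
        print(f"{vendor:7s} {', '.join(hosts)}")
```

Run against a saved copy of a page, the report shows which vendors receive a beacon on every visit regardless of whether the visitor has any app installed.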


Global: Big Tech’s big downgrade

In recent years, Google users have developed one very specific complaint about the ubiquitous search engine: They can’t find any answers.

A simple search for “best pc for gaming” leads to a page dominated by sponsored links rather than helpful advice on which computer to buy.

Meanwhile, the actual results are chock-full of low-quality, search-engine-optimized affiliate content designed to generate money for the publisher rather than provide high-quality answers.

As a result, users have resorted to workarounds and hacks to try and find useful information among the ads and low-quality chum. In short, Google’s flagship service now sucks.

And Google isn’t the only tech giant with a slowly deteriorating core product. Facebook, a website ostensibly for finding and connecting with your friends, constantly floods users’ feeds with sponsored (or “recommended”) content, and seems to bury the things people want to see under what Facebook decides is relevant.

And as journalist John Herrman wrote earlier this year, the “junk-ification of Amazon” has made it nearly impossible for users to find the high-quality product they want — instead diverting people to ad-riddled result pages filled with low-quality products from sellers who know how to game the system.

All of these miserable online experiences are symptoms of an insidious underlying disease: In Silicon Valley, the user’s experience has become subordinate to the company’s stock price.

Google, Amazon, Meta, and other tech companies have monetized confusion, constantly testing how much they can interfere with and manipulate users.

So what’s the upshot for you? And that’s why it’s getting more exhausting to find the things you want or buy the things you need.

That’s why social media is chock-full of sponsored videos rather than pictures of friends.


CA/FR: Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Contest

During the annual two-day contest, ethical researchers from 10 countries demonstrated bugs discovered across a wide range of technologies:

Researchers from France-based pen-testing firm Synacktiv demonstrated two separate exploits against the Tesla Model 3 this week at the Pwn2Own hacking contest in Vancouver.

The attacks gave them deep access to subsystems controlling the vehicle’s safety and other components.

One of the exploits involved what is known as a time-of-check to time-of-use (TOCTOU) attack on Tesla’s Gateway energy management system.

They showed how they could then — among other things — open the front trunk or door of a Tesla Model 3 while the car was in motion. The attack, which took less than two minutes, earned the researchers a new Tesla Model 3 and a cash reward of $100,000.

In the second hack, Synacktiv researchers again exploited a heap overflow vulnerability and an out-of-bounds write error in a Bluetooth chipset to break into Tesla’s infotainment system and, from there, gain root access to other subsystems.

The exploit garnered the researchers an even bigger $250,000 bounty and Pwn2Own’s first-ever Tier 2 award — a designation the contest organizer reserves for particularly impactful vulnerabilities and exploits.

Note: Because of the risk involved in hacking an actual Tesla vehicle, the researchers demonstrated their exploits on an isolated vehicle head unit. Tesla head units are the control unit of the car’s infotainment system and provide access to navigation and other features.

So what’s the upshot for you? Tesla wasn’t the only target of the exploits demonstrated this year, just the most dramatic.


US: World’s first 3D-printed rocket launches successfully, but fails to reach orbit

Following on from a previous update: In a third attempt, the world’s first 3D-printed rocket made it off the launch pad Wednesday night but failed to reach orbit and eventually crashed into the Atlantic Ocean in a key test flight by a California-based aerospace startup.

Several minutes into the flight, mission controllers reported the 110-foot rocket experienced an anomaly with its upper stage that prevented it from reaching orbit.

The upper stage is designed to ignite separate engines mid-flight to boost the rocket into space.

The startup wanted to put the rocket – dubbed “Good Luck, Have Fun,” or “GLHF” – into a 125-mile-high orbit for several days before having it plunge through the atmosphere and burn up along with the rocket’s upper stage.

The first-stage flight went as planned after liftoff from Cape Canaveral, and the stage separated on schedule.

In the end, the upper stage appeared to ignite and then shut down.

Overall, “GLHF” was more successful than Relativity, the startup behind it, had initially hoped.

So what’s the upshot for you? What was the 3D-printed rocket’s mission?

The goal of the launch was to prove the 7.5-foot-diameter 3D-printed vehicle is durable enough for launch and space flight.

So any lack of success in this mission was due to mechanical failure rather than the 3D printing!


RU/CN: Pinduoduo App Malware Detailed By Cybersecurity Researchers

https://www.bloomberg.com/news/articles/2023-03-27/pinduoduo-app-malware-detailed-by-cybersecurity-researchers

Security researchers at Moscow-based Kaspersky Lab have identified and outlined potential malware in versions of PDD Holdings’ Chinese shopping app Pinduoduo, days after Google suspended it from its Android app store.

In one of the first public accountings of the malicious code, Kaspersky laid out how the app could elevate its own privileges to undermine user privacy and data security.

Kaspersky tested versions of the app distributed through a local app store in China, where Huawei Technologies, Tencent Holdings, and Xiaomi run some of the biggest app markets.

Kaspersky’s findings, shared with Bloomberg News, were among the clearest explanations from an independent security team for what triggered Google’s action and malware warning last week.

The cybersecurity firm, which has played a role in uncovering some of the biggest cyberattacks in history, said it found evidence that earlier versions of Pinduoduo exploited system software vulnerabilities to install backdoors and gain unauthorized access to user data and notifications.

So what’s the upshot for you? These latest findings agreed in large part with those of researchers that had posted their discoveries online in the past few weeks.


BE: Belgian intelligence puts Huawei on its watchlist

Belgium’s intelligence service is scrutinizing the operations of technology giant Huawei as fears of Chinese espionage grow around the EU and NATO headquarters in Brussels, according to confidential documents seen by POLITICO and three people familiar with the matter.

In recent months, Belgium’s State Security Service has requested interviews with former employees of the company’s lobbying operation in the heart of Brussels’ European district.

The intelligence gathering is part of security officials’ activities to scrutinize how China may be using non-state actors – including senior lobbyists in Huawei’s Brussels office – to advance the interests of the Chinese state and its Communist party in Europe, said the people, who requested anonymity due to the sensitivity of the matter.

The scrutiny of Huawei’s EU activities comes as Western security agencies are sounding the alarm over companies with links to China.

British, Dutch, Belgian, Czech, and Nordic officials – as well as EU functionaries – have all been told to stay off TikTok on work phones over concerns similar to those surrounding Huawei, namely that Chinese security legislation forces Chinese tech firms to hand over data.

So what’s the upshot for you? The scrutiny comes amid growing evidence of foreign states’ influence on EU decision-making – a phenomenon starkly exposed by the recent Qatargate scandal, where the Gulf state sought to influence Brussels through bribes and gifts via intermediary organizations.


Global: OpenAI: ChatGPT payment data leak caused by an open-source bug

OpenAI says a Redis client open-source library bug was behind last Monday’s ChatGPT outage and data leak, where users saw other users’ personal information and chat queries.

ChatGPT displays a history of your past queries in the sidebar, allowing you to click on one and regenerate a response from the chatbot.

Last Monday morning, numerous ChatGPT users reported seeing other people’s chat queries listed in their history.

As first reported by PC Magazine, multiple ChatGPT Plus subscribers also reported seeing other people’s email addresses on their subscription pages.

Soon after, OpenAI took ChatGPT offline to investigate an issue but did not provide details as to what caused the outage.

OpenAI published a post-mortem report explaining that a bug in the Redis client open-source library caused the ChatGPT service to expose other users’ chat queries and the personal information of approximately 1.2% of ChatGPT Plus subscribers.

So what’s the upshot for you? Sensitive data currently makes up 11% of what employees paste into ChatGPT, with the average company leaking sensitive data to ChatGPT hundreds of times each week, according to security research firm Cyberhaven.


US: Clearview AI is used nearly 1m times by US police, it tells the BBC

Facial recognition firm Clearview has run nearly a million searches for US police, its founder has told the BBC.

CEO Hoan Ton-That also revealed Clearview now has 30bn images scraped from platforms such as Facebook, taken without users’ permission.

The company has been repeatedly fined millions of dollars in Europe and Australia for breaches of privacy.

Critics argue that the police’s use of Clearview puts everyone into a “perpetual police line-up”.

“Whenever they have a photo of a suspect, they will compare it to your face,” says Matthew Guariglia from the Electronic Frontier Foundation. “It’s far too invasive.”

In a rare admission, Miami Police has confirmed to the BBC it uses this software for every type of crime.

The company is banned from selling its services to most US companies after the American Civil Liberties Union (ACLU) took Clearview AI to court in Illinois for breaking privacy law.

But there is an exemption for police, and Mr. Ton-That says his software is used by hundreds of police forces across the US.

Police in the US do not routinely reveal whether they use the software, and it is banned in several US cities including Portland, San Francisco, and Seattle.

The use of facial recognition by the police is often sold to the public as being reserved for serious or violent crimes.

In a rare interview with law enforcement about the effectiveness of Clearview, Miami Police said they used the software for every type of crime, from murders to shoplifting.

So what’s the upshot for you? “Clearview is a private company that is making face prints of people based on their photos online without their consent. It’s a huge problem for civil liberties and civil rights, and it absolutely needs to be banned.”


US: License Plate Surveillance, Courtesy of Your Homeowners Association

At a city council meeting in June 2021, Mayor Thomas Kilgore, of Lakeway, Texas, made an announcement that confused his community.

“I believe it is my duty to inform you that a surveillance system has been installed in the city of Lakeway,” he told the perplexed crowd.

Kilgore was referring to a system consisting of eight license plate readers, installed by the private company Flock Safety, that was tracking cars on both private and public roads.

Despite being in place for six months, no one had told residents that they were being watched.

Kilgore himself had just recently learned of the cameras.

“We find ourselves with a surveillance system,” he said, “with no information and no policies, procedures, or protections.”

The deal to install the cameras had not been approved by the city government’s executive branch.

Instead, the Rough Hollow Homeowners Association, a nongovernment entity, and the Lakeway police chief had signed off on the deal in January 2021, giving police access to residents’ footage.

By the time of the June city council meeting, the surveillance system had notified the police department over a dozen times.

“We thought we were just being a partner with the city,” Bill Hayes, the chief operating officer of Legend Communities, which oversees the Rough Hollow Homeowners Association, said at the meeting.

Lakeway is just one example of a community that has faced Flock’s surveillance without many homeowners’ knowledge or approval.

Neighbors in Atlanta, Georgia, remained in the dark for a year after cameras were put up.

In Lake County, Florida, nearly 100 cameras went up “overnight like mushrooms,” according to one county commissioner – without a single permit.

In a statement, Flock Safety brushed off the Lake County incident as “an honest misunderstanding,” but the increasing surveillance of community members’ movements across the country is no accident.

It’s a deliberate marketing strategy.

Flock Safety, which began as a startup in 2017 in Atlanta and is now valued at approximately $3.5 billion, has targeted homeowners associations, or HOAs, in partnership with police departments, to become one of the largest surveillance vendors in the nation.

So what’s the upshot for you? There are key strategic reasons that make homeowners associations the ideal customer.

HOAs have large budgets – they collect over $100 billion a year from homeowners – and it’s an opportunity for law enforcement to gain access into gated, private areas, normally out of their reach.


FR: France Sets EU Precedent With 2024 Olympics Surveillance Arsenal

France’s AI-powered array of surveillance cameras for the 2024 Paris Summer Olympics cleared a final legislative hurdle last Thursday.

For the mega-sports event next year, the French government wants to experiment with large-scale, real-time camera systems supported by an algorithm that spots suspicious behavior, such as unattended luggage, and triggers alarms to warn of crowd movements like stampedes.

In a sparsely attended chamber, French members of parliament approved the controversial bill after more than seven hours of heated debate.

The text can still be challenged before the country’s top constitutional court.

Last week, a group of about 40 European lawmakers – mainly left-wing – asked their French counterparts to vote against the text.

They warned in a letter that “France would set a surveillance precedent of the kind never before seen in Europe, using the pretext of the [2024 Paris Summer] Olympic games.”

In the past few months, the plan was also met with intense pushback from digital rights non-governmental organizations (NGOs), including France’s La Quadrature du Net, as well as international groups such as Amnesty International and Access Now.

Besides privacy concerns, they pointed out a potential conflict with the EU’s Artificial Intelligence Act, which is currently under discussion in Brussels and could limit biometric surveillance.

The government argues that algorithmic surveillance cameras are necessary to ensure the safety of the millions of tourists expected to visit Paris next year.

During the debates Wednesday evening, lawmakers from President Emmanuel Macron’s party claimed AI-powered cameras could have prevented the 2016 Nice terror attack by spotting the truck before it could drive into the crowd.

They also said it could have helped avoid the security fiasco at the football Champions League final last summer.

So what’s the upshot for you? And once the games are over, you are left with even larger holes punched through the privacy of global citizens.


US: New AI will tell you the perfect things to say during a date

https://www.indy100.com/science-tech/rizzgpt-artificial-intelligence-dating-stanford

As a society, we are only just becoming aware of the full capabilities of artificial intelligence (AI). New technology created by Stanford students has been labeled “scary” after it tells people what to say during an awkward date or job interview.

Four Stanford Students have created a tool named RizzGPT, which is designed to help people with awkward conversations through the use of both AI and augmented reality (AR).

It works through the use of the GPT-4 language model and Whisper, OpenAI’s speech recognition tool, to generate responses to the questions asked during the conversation.

Then, by wearing a pair of glasses fitted with an AR monocle, a person can read out the generated response as if they had come up with it themselves.

So what’s the upshot for you? Unfortunately, we didn’t see the date, but we thought the interview was pretty entertaining.

The important part is that the interviewer “got the job”!

(We hope the date went the same way.)


NO: Probably the most private place on Earth

In the frigid Norwegian Arctic, a gray wedge-shaped building protrudes from a mountain. Snow blows across the small metal bridge that leads to its entrance, above which a pattern of steel, mirrors, and prisms reflect a ghostly green light.

Large letters on the building’s side hint at the precious collection held within, declaring that here is the entrance to the “Svalbard Global Seed Vault.”

Only a handful of people are allowed inside the vault, and its five metal doors are only opened a few times each year for new entries of seeds.

Carved into Plateau Mountain on the Norwegian island of Spitsbergen, it holds more than 1.2 million seed samples from almost every country in the world, including recent first-time depositors Albania, Croatia, North Macedonia, and Benin.

Meant to protect crop biodiversity in case of a localized catastrophe, this curious depository is often referred to as the “doomsday seed vault.”

“From here in Svalbard, the world looks different. This seed vault represents hope, unity, and security,” says Stefan Schmitz, executive director of the Crop Trust, a co-manager of the vault, in a press release.

“In a world where the climate crisis, biodiversity loss, natural catastrophes, and conflicts increasingly destabilize our food systems, it has never been more important to prioritize safeguarding these tiny seeds that hold so much potential to adapt our future food to such global threats.”

The contents of this doomsday vault are effectively backup storage for a global network of more than 1,700 smaller vaults called gene banks.

Countries deposit copies of the seeds they hold in their own banks, and the Svalbard facility keeps them safe.

This year, new seed deposits of wild strawberries, wheat, maize, and rice have joined the ranks of other preserved plants. An organization from North Macedonia deposited seeds from an ajvarka red pepper variety used to make a popular traditional relish.

The seeds remain the property of the depositing country, to be withdrawn in the event their own stockpile is compromised.

In 2015, for example, seeds from the vault were used to restart the International Center for Agricultural Research in the Dry Areas after its Aleppo seed bank had to be abandoned during the Syrian civil war.

To preserve its contents, the Arctic vault is protected by almost 400 feet of rock at its deepest point.

So what’s the upshot for you?
Since its establishment in 2008, the vault’s collection has continued to grow. It is the largest global security reserve of seeds for food and feed crops, according to the Norwegian government.

In a tumultuous world where wars and extreme weather events wreak havoc, those who run the vault say it’s an important symbol of cooperation and global community.

To celebrate the 15th anniversary of the Vault, you can take a virtual tour of the facility via the link provided.



Our Quote of the week: “The only time you fail is when you fall down and stay down.” - Stephen Richards


That’s it for this week. Stay safe, stay secure, check your shoes for topsoil, and see you in se7en.