Comments

Who? November 21, 2024 7:29 AM

Because users agreed to an opaque terms of service page…

This one is the very reason I do not have a smartphone. We have no control over them. The core of this problem is not terms of service being opaque, it is that we have only two choices: accept them or install nothing (and “nothing” here means exactly that, all smartphone “apps” are tracking code specialized in stealing anything they can from us while tracking our movements).

No, the problem is not some apps having obscure terms of service; the problem is that there are no privacy-friendly alternatives for most of these apps. We need a healthy ecosystem, with privacy-friendly smartphone operating systems and apps that allow us to work without compromising our privacy.

…and then the “certified” operating systems running on the modems of those smartphones enter the game. Operating systems running on small computers inside our phones that are able to dump any range of memory on the device and can be accessed from cell towers using digital certificates whose private part is stored in the modem firmware.

Thinking about it twice, the problem is not the apps either. It is the entire industry, working together with TLAs and governments around the world to run massive spying networks on citizens.

There is even a branch of business now built on it: private corporations whose business model is developing spyware for governments targeting dangerous terrorists (let us say security experts, journalists, academics, human rights organizations and so on) and data brokers.

A truly Orwellian nightmare, isn’t it?

lurker November 21, 2024 12:49 PM

@Who

We have no control over [smartphones].

Yet we are given the illusion of control. I carefully choose apps that can operate with data and location services OFF, i.e. no ads required. I have paid for the “ad-free” version of some apps. But being a hardware guy brought up with switches that can be seen to stop current flowing, I have nagging doubts about touching a spot on a screen to see a message saying “OFF”. Oh, really? What is actually going on in the unseen depths? That is my small version of an Orwellian nightmare.

As for

the entire industry, working together with TLAs and governments around the world to run massive spying networks on citizens.

this is the problem of governments seeing the world in terms of “us, or them”, which is beyond the scope of this blog.

Wannabe Techguy November 21, 2024 1:19 PM

@ Who?
Yes, I think so too. People laugh at me and some even think I’m a techphobe because I have a Tracfone flip phone, even though I know more than most of them (thanks to this site, Brian Krebs, Steve Gibson and others). That’s ok. I sometimes tell them I’m in good company with the young NASA engineer who produces rotary dial cell phones.

tom November 21, 2024 1:28 PM

all smartphone “apps” are tracking code specialized on stealing anything they can from us while tracking our movements

Sounds like you need to use F-Droid or something…? Rather than throwing the house out with the bath water.

m November 21, 2024 2:41 PM

I’m frequently glad that I use LineageOS with F-Droid and no gapps. And no apps outside of F-Droid. This is one of these times.

ResearcherZero November 22, 2024 12:03 AM

Who?

Not if you leave your phone at home while doing your assassinations or whatever. Also don’t print out the plan in your office at the presidential palace.

https://edition.cnn.com/2024/11/21/americas/brazilian-ex-president-jair-bolsonaro-indicted-over-attempted-coup-plot/index.html

sitaram November 22, 2024 1:59 AM

This one is the very reason I do not have a smartphone. We have no control over them

“Baby and bath water” comes to mind 🙂

My main phone has playstore disabled, no google account connected, and I only install apps from F-Droid.

Specifically, you will appreciate reading https://f-droid.org/en/docs/Anti-Features/ to see why this is safe.

You can get a pretty good set of tools which do not spy on you but are, nevertheless, useful to have. GPS is always disabled, since I don’t have Google maps anyway it’s not an issue.

At that point, what anyone can get from my phone in the context of this thread, they can get even from a non-smartphone — by asking the telco which tower I am near etc.

A short sample of apps I have: Firefox, Antennapod (podcasts), Feeder (RSS feeds), NewPipe (youtube), KDE Connect and Syncthing (transfer files between phone and laptop), KeePassDX, OrgzlyRevived (todo list etc), Heliboard (keyboard).

ResearcherZero November 22, 2024 4:44 AM

Trust requires equal commitment and vulnerability from both parties.

“Consider that one can rely on inanimate objects, such as alarm clocks; but when they break, one is not betrayed, although one may be disappointed. Reliance without the possibility of betrayal is not trust. Thus, people who rely on one another in a way that makes betrayal impossible do not trust one another.”

https://plato.stanford.edu/archIves/sum2013/entries/trust/index.html

Clive Robinson November 22, 2024 9:23 AM

@ Who, ALL,

With regards,

“A truly Orwellian nightmare, it isn’t?”

All technology of any use can be used for just about anything to some extent. Because that is what makes it “of any use”. The problem is some see a use as good and some see it as bad.

When you consider things, the use is selected not by the technology, but by a “Mind”; be it human or not, the Mind directs the use. Other minds will see the use and consider it against their point of view.

As a general rule a “Directing Mind” will have a “purpose” and that dictates the use. The purpose exists for some reason known to the Directing Mind and thus in some way the use will be considered “good” even if the purpose is considered “bad” or even “evil”.

An “Observing Mind” that sees the use of the technology may or may not be aware of the “Directing Minds” purpose or the context in which the purpose exists.

Thus some observers might see the use as “good” and others as “bad”. Which holds sway should be decided by the “general populace” we call the citizenry of the “society” where the use is carried out. But all too often these days it is not; things are done, as some hope, “sight unseen”… Which means those minds are for some reason being deceitful for some “purpose” other than that which necessitates the use.

This good/bad issue thus spreads out like the waves on a pond when a pebble is dropped in.

But what of those that are neither the “Directing Minds” nor “Observing Minds”, but are those against which the use is directed? Do they have the possibility of “preventing the use”? The answer is, surprisingly, yes.

For technology to be “used for a purpose” it must be possible for it to “have access” to either a person or thing. Deny the access and the technology cannot be used for the Directing Mind’s purpose.

Most readers here will be aware of the history of “Front Panel Access”, where the argument once was, in effect, that you “controlled the computer” with above super-user access if you had “Front Panel Access”.

Whilst Front Panel Access is no longer true, what remains true is “You cannot use what you have no access to”. This is true for both the “Directing Mind” and the person against which the technology might be used.

So if you have no mobile phone, then it cannot be used against you, or for you. But also consider that someone in close proximity to you might have their mobile phone used against you.

We’ve recently seen publicly an example of this obvious approach with “Close Protection Team” members and their “fitness watches” and US Secret Service.

Apparently this was significant news, even though there have been repeated examples with regard to soldiers involved in hostilities, and others involved in politics and other public positions. The earliest I remember getting front page MSM coverage was two people at dinner with friends, witnessed by a minor TV celeb, who were falsely accused of kidnapping and abusing a woman[1].

The question arises of whether you can “opt-out” of being within the sphere of potential surveillance of a mobile phone. Many have said it’s not possible to exist in modern Western society without having “the spy in your pocket”.

Actually in the UK there is legislation banning the operating of mobile phones and similar activities under what many would consider normal everyday activities. Likewise other everyday activities stop mobile phones from functioning due to the laws of nature.

So the answer is, if you are required or forced to opt-out in normal everyday activities, it must be possible to opt-out partially or fully at any time.

In the past I’ve mentioned that using a mobile phone more like a land-line phone of the past century or so is actually possible fairly easily.

You can “turn them off” effectively and you can “leave them in one place”.

So the question changes to why you would not do so…

It’s why I’m more concerned about “Bluetooth Beacons” and similar that are very low power and can thus be hidden from sight and instrumentation.

These are the likes of electronic luggage tags, fitness devices, life preserving medical electronics and even pens and pointers.

Many do not have “off switches” and also “store movement” and other info when not in communication. Heart rate monitor data has already been used as evidence in several murder trials.

Thus another question arises, even if you can entirely opt-out of mobile phones and similar, can you opt-out of everything that might be used to track you or others close to you in some way?

The answer increasingly appears to be no.

[1] It is now getting on for a quarter of a century ago, and interestingly the use of mobile phone location data was to clear the falsely accused and arrested people:

http://news.bbc.co.uk/1/hi/uk/1513963.stm

ResearcherZero November 22, 2024 11:24 PM

The data the Secret Service would be looking for is of people in positions where they could attempt an assassination. People are asking that they prevent such acts.

Rarely do you know about an assassination attempt before it takes place. You cannot easily identify the perpetrator prior to an event. Everyone expects the Secret Service to soak up bullets and responsibility for other individuals and their behaviour, but when Secret Service agents fail to absorb every bullet with their bodies, there is a lot of criticism.

If we all volunteer our own bodies as bullet-proof glass, we can all be victims together.
These kinds of psychosocial changes within society have long been predicted.

https://www.theatlantic.com/national/archive/2010/07/the-culture-of-victimism-gives-way-to-a-culture-of-bullying/60643/

JG5 November 23, 2024 12:39 AM

I Don’t Own a Cellphone. Can This Privacy-Focused Network Change That?
https://www.404media.co/i-dont-own-a-cellphone-can-this-privacy-focused-network-change-that/
Joseph Cox · Nov 21, 2024 at 9:00 AM News
https://archive.ph/TxWeU
I haven’t owned a cellphone since around 2017.

Might other officials at the FBI be worried about a tool like this being more widely available? “Probably at a high level,” Doyle said.
For ten days in Kansas City recently, the U.S. government hunted people who were using Cape to test the company’s capabilities, Doyle said. Armed with IMSI catchers and simulated insider access to a major telecom, the red teamers were unable to locate the Cape users, Doyle added.

For the offering to high-risk individuals at the moment, those users can get all of the IMSI, IMEI, and MAID rotations. Cape said when it rolls out more broadly to the public, that offering won’t include a physical phone or the same degree of identity obfuscation.

ResearcherZero November 23, 2024 4:19 AM

Re: consider someone in close proximity to you might have their mobile phone used against you.

This is an important consideration, as data privacy is a social problem that has effects for all of society, it requires a concerted effort to bring about change.

The US introduced a tort for invasion of privacy almost 100 years ago. Australia’s laws never even recognised it as an offence, until now. For the first time legislation has been introduced with penalties for serious invasions of privacy and also measures to hold corporate bodies accountable for privacy failures and breaches, not just acts by individuals.

(I won’t comment on my frustration over how long it took to introduce penalties for serious invasions, but I will say that there have been some appalling examples.)

Other recommendations have not yet been implemented unfortunately…

The Bill does not contain a large number of reforms proposed by the Attorney-General’s review of the Privacy Act:

https://kennedyslaw.com/en/thought-leadership/article/2024/a-small-but-significant-first-step-forward-new-australian-privacy-act-reforms-introduced/

Rontea November 23, 2024 8:47 AM

“We are no longer a world class organization; we are the class of the world.” -Body of Secrets

Clive Robinson November 25, 2024 11:21 AM

@ ResearcherZero, ALL,

You make two linked points as your first paragraph,

“The data the Secret Service would be looking for is of people in positions where they could attempt an assassination. People are asking that they prevent such acts.”

The first thing to note is that the Secret Service cannot do the second point unless…

“The person going to carry out an act of assassination is either ‘ill informed/unknowledgeable or stupid/does not care’.”

Quite surprisingly to more than a few, all too many assassins are in no way the brightest bulb in the corridor, or care if they are caught. In fact some don’t care if they fail entirely as long as their name has a slot in history…

Which brings us back to your first point of “people in positions”.

You do not make clear if this is a physical position from which to “take the shot” or a hierarchical position to give the “commit order”.

As a very rough rule of thumb, unless an organisation has a very long history of remaining covert at all levels they will be susceptible to either infiltration or leakage (think physical world equivalents of information world “side channels” and “traffic analysis”).

It’s why certain agencies are desperate to have software that finds potential social “groups and linking” via the likes of mobile phone data. Not just by direct contact of calls and SMS/Email/Messaging, but also “meta-data” of whether they are in the same area at the same time, or “meta-meta-data” of being inactive or out of pattern for having the phone off or left in a given place.

This has become way, way easier since C19 and the “contact tracing” built in to phone OSs and hardware by BLE or similar “track and trace” beaconing.

I can see how the US SS could use not just current but historic data to see who might join watched groups and track other suspects automatically and raise not just “they are in the area” flags, but also “they have broken routine” flags.

It is also possible to use an inbuilt Emergency Feature in not just mobile phones that gives “Operator listen in”[1]. For example, thanks to the US Gov faking “Health and Safety” concern, all mobile phones sold in the US are supposed to have not just a GPS chipset and antennas, but ones that can be remotely activated (even though cell point triangulation can be way more accurate).

In essence you, the user, do not control your mobile phone; it is controlled via “the network operator” through the SIM card and radio module, which even in smart phones takes priority over users’ wishes (look up what are called “SMS 0” messages to see how part of the “Over The Air” (OTA) control communicates).

But also remember that “Third Party Business Records” that contain very substantial information about your life are not just kept for up to 7 years by the business, but sold to other organisations that pretend to be “Data Brokers” and similar. Who in turn shovel your “organised” private data by the bucket load into, amongst others, the US Federal and State Law Enforcement and similar Agencies.

Thus it’s unsurprising that the US SS might well have a list of flagged if not hot mobile phone Serial Numbers and Service supply numbers to actively seek out.

But do the US SS need that list? Probably not.

In an event such as a “rally” the “general public” tend to frequent “public spaces” not “private places”. Thus simply knowing the location of any phone in the area can in effect “rule out” or more importantly “rule in” by the geographic information of the place, especially if it is not “public”.

Without going into obvious details, a VIP with Close Support/Protection Detail will follow Guided Paths at Predictable Times to the CPD. This allows the use of a Real Time detailed “Geographical Information System” (GIS) to indicate where potential attack or advantage points are and if people are there and potentially who they are, automatically. As such the US SS do not actually require a Warrant for this. Because US Legislation tends to regard “anything transmitted” as available as “Public Knowledge”… (Hence police frequency scanning was/is not illegal “by the public”). Such information only gets a small amount of protection once it’s no longer “in the air”, such as in system technical and billing records that by definition are Third Party Business Records…

However the problem with “Fully Automatic Systems” is first they become “an organisational crutch”, then a method by which arguments for head count cuts can be made… And that is effectively the point in time when things can start to go bad, and will do when those who can “test the system” can find the loopholes and exploit them.

Oddly enough there is a First Person Shooter game that highlights this. Put simply, there is a building between the player and the target, and the in-game maps show there is not a usable vantage point on the non-target side of the building. However, as some game players found out, you could shoot through one window and out another, thus going right through the building.

In real life this can actually happen with large corner offices or meeting rooms. Likewise thick “tree lines” on woods and similar get “harvested”, which means suddenly a usable gap may open up. Likewise fences and perimeter barriers against humans and vehicles may not be proof against much smaller objects, sight lines, and various forms of EM radiation (60W Laser LEDs and focusing systems are now very easily available at very low cost to not just locate and range find, but do actual damage to eyes etc).

I suspect that “open air” and other types of rally are from this year onwards going to get less and less popular with VIPs or their CPD cohorts.

Especially when you consider that the issues in Eastern Europe have given rise to not just glide bombs with a more than 20-mile radius, but loitering munitions with similar ranges and the ability to stay in the air for quite some time. And worse, “jam proof” or near jam proof control and guidance systems using very lightweight fiber optics, and variations on “Smart Weapon” illumination.

It’s been noted that on the Western side some troops have got drone etc use down to such a fine art it’s in effect “Over the horizon sniping” with the near equivalent of “one shot one kill” or “non geo-locating smart shell on target” with equivalent accuracy.

Though remember there are two types of “loitering munition”: those drones and some glide bombs are the “airborne” variety. But there are those shells made for field guns that can accurately deploy a hundred or so small anti-personnel mines that can sit on the ground effectively indefinitely… Some can also mass detonate on command. Such weapons are really quite cheap and, as is being proved, commercial drones can be easily upgraded or functionally changed. Thus a commercial drone of less cost than a field gun shell can be upgraded to even have limited AI systems such that they auto-target. Back in the 1980s when the UK was developing its own MLRS, spotting “tank hatches” with 8 and 16 bit computers and second ASIC based co-pros running a form of AI cost a great deal of money (think millions). Now it’s in stripped-down mobile phone, pre-graduate student project territory.

As our host @Bruce points out,

“Attacks only get better, they never get worse”.

And as history of the last century shows, war collapses the time to develop new systems from years to months. Sometimes just days, a smart mind directing an experienced hand will make in a garage, that which the MIC would never contemplate let alone build.

An example is the US bunker/tunnel buster some know as a thermobaric bomb, the guidance system was “off the shelf”, the bomb casing likewise, and the explosive composition, shaped charges and positioning took three days from phone call to range test…

Necessity might be the mother of invention, but it’s the hardly noticed engineer who delivers the goods ready to go with bits from the scrap heap.

[1] Have a read of the first half of the 1980s book by Peter Wright, “Spycatcher”, about other technical tricks. Oh, and remember that Peter’s father Maurice Wright was the Director/head of UK electronics company Marconi Research that made much of the then “Establishment’s” surveillance equipment, and Peter’s assistant in MI5 was Tony Sale who rescued Bletchley Park. But astoundingly we know that despite the valid research, even into this century MI5 were still not putting “lessons learned” into practice… Which hurt or altogether stopped other activities such as investigating the then Terrorist PIRA organisation in Spain.

Clive Robinson November 25, 2024 10:28 PM

@ ResearcherZero, ALL,

With regards,

“This is an important consideration, as data privacy is a social problem that has effects for all of society, it requires a concerted effort to bring about change.”

Just today I read that the issue of,

“… someone in close proximity to you might have their mobile phone used against you.”

Has been used with WiFi,

https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/

This is actually quite serious when you consider that many WiFi manufacturers appear to consider a high number of CVEs a “badge of merit” rather than a “mark of iniquity”.

Clive Robinson November 26, 2024 6:25 AM

@ Bruce, ALL,

Somewhat related, via the NOBUS and similar issues having a “deep down effect” on system design thinking.

The latest potential claim in that direction comes from US Senator Mark R Warner of Virginia, who, due to one of his job functions as chair of the US Senate Intelligence Committee, has heard something. Hence the title of a Register article,

“China has utterly pwned ‘thousands and thousands’ of devices at US telcos”

https://www.theregister.com/2024/11/25/salt_typhoon_mark_warner_warning/

But there is a fun side to it, apparently there has been a “My hair is on Fire” alarm from the politician about the supposed fact China has compromised every US Telco and can listen in on every phone call they want to and potentially worse…

Senate Intelligence Committee chair says his ‘hair is on fire’ as execs front the White House

What is not mentioned in all the OMG-the-world’s-about-to-end theatrics is that all the “Chinese Kit” such a fuss was made about over half a decade or so back should have been completely replaced by “US Labeled Kit” quite some time ago at the US Gov direction (and with tax payer money to the Telcos).

Whilst there is much Chicken Little behaviour on the (more than expected) issue, there is actually no more than finger pointing and theatrics, which is of no use to anyone trying to resolve issues (if there are actually any new ones, mis-attribution being a US Gov speciality for a decade and a half).

So unsurprisingly China’s response is,

“What are you lot blathering about?”

Or similar in a more traditional diplomatic form.

But a look in The Register’s comments section on the subject is both amusing and speculatively informing,

https://forums.theregister.com/forum/all/2024/11/25/salt_typhoon_mark_warner_warning/

With one pointing out,

“I seem to recall the telcos putting in monitoring and backdoor features at the request of the FBI. Who would have guessed that somebody else might take advantage of those tools?”

That starts a relevant anti-NOBUS discussion. Which mentions just a little of the fall out from the “German Chancellor Angela Merkel’s cellphone” getting illegally eavesdropped on a decade ago, and further comments indicating in effect,

“The kettle calling the pot black.”

And one commenter hitting the NOBUS issue on the nose,

“Did anyone note the phrase “perhaps by using carriers’ wiretapping capabilities” – to paraphrase that, “ANY backdoor into ANY communications channel in favour of a government, is very likely to be exploited by the people you least need to be exploiting it. That applies to “secret” government decryption keys etc. etc. Put in “government – only” back doors and it rapidly becomes “government plus evil b******d’s” back door.”

As they say “Who’d have thunk”…

Paul Sagi November 26, 2024 9:33 AM

‘Consent’ has been distorted to ‘Con-sent’, con the user of the phone (or other device) and their data is sent, likely to a data broker and/or advertiser.
The lack of transparency is fundamentally a problem of ethics.

ResearcherZero November 26, 2024 10:30 PM

@Clive Robinson

Consumers want the ability to enforce their right to privacy.

https://www.consumerreports.org/electronics/privacy/americans-want-much-more-online-privacy-protection-a9058928306/

Dan M November 29, 2024 8:50 PM

This is why I recently bought a new Google Pixel 8 and then flashed GrapheneOS onto it. Yes, this means that I have to trust the developers of GrapheneOS, but you’ve gotta trust someone.

Graphene disables access to ALL of the sensors on your phone, like GPS, Bluetooth, accelerometer, thermometer, whatever, as well as location, contacts and all the usual app permissions. You can choose to only allow those that you want per app. It doesn’t have the Google infrastructure on it. If you want that, you can install it, but it runs in a sandbox.

Again, not perfect, but it greatly cuts down on a lot of the app data and meta data leakage.
