Here are this week’s surveil-links: reading and summarizing the latest news in digital privacy so you don’t have to.
You can easily, and slightly more privately, navigate to each link by browsing to “surveil.link/” followed by the link’s corresponding number. For example, surveil-link #12 can be found at surveil.link/12.
This week was a busy week in surveillance all over the world. The first two surveil-links this week should have made the list last week. Better late than never, right?
Minneapolis joined a growing list of U.S. cities to ban the use of facial recognition by its police department, TechCrunch reports. The unanimous vote by the 13-member city council is one of many sweeping police reforms adopted since the city became ground zero of the movement for racial justice this summer, after Minneapolis police murdered George Floyd.
Surveil-link #32: Stanford researchers find Clubhouse audio traffic routed through Chinese infrastructure
Clubhouse, according to the New York Times, had just a few thousand users sending ephemeral audio messages back and forth to each other this past summer. Now, it is a billion-dollar startup with millions of users all over the world. The Chinese government quickly blocked the app when it realized the app was enabling conversations on topics that are typically censored, such as the government’s current treatment of the Uighur population or the 1989 Tiananmen Square protest.
Internet researchers at Stanford University analyzed the application’s internet infrastructure and found that the audio recorded in the app is hosted and transferred using services from Shanghai-based company Agora. The report claims that this matters because it makes the content of everyone’s audio subject to Chinese law.
While Agora claims it does not store the audio, many governments, especially in China, have been known to tap networks to get the data they want. Furthermore, other Chinese companies such as Huawei are suspected to still share user data with their government despite claiming the contrary.
Forbes reported last Monday that Israeli company AnyVision has applied for a U.S. patent entitled “Adaptive Positioning of Drones for Enhanced Face Recognition.” The patent describes the possibility of a drone using a vision system to assess where it needs to go in relation to a target’s face in order to capture an image suitable enough to identify them using a facial recognition algorithm.
As I have discussed before in various other surveil-links, facial recognition is extremely inaccurate when identifying individuals with Black or Brown skin. What’s more, it is most accurate when the subject’s face is level with the camera. These facts naturally have made opponents of the technology concerned.
Forbes, paraphrasing the company’s CEO Avi Golan, said, “whilst AnyVision didn’t have any in-production drones with facial recognition, they would be a reality soon.”
Emails obtained via a public records request by the Electronic Frontier Foundation and reported on by the Intercept show that the Los Angeles Police Department requested footage from Ring doorbell cameras in July 2020. Like most major cities in the U.S., LA was seeing many protests for racial justice after George Floyd was killed. According to the Los Angeles Times, the LAPD’s own data shows the “vast majority” of protests were peaceful during this time.
Despite this fact, Ring sent emails to video doorbell owners on behalf of the LAPD asking for footage because “during recent protests, individuals were injured & property was looted, damaged, and destroyed.” Matthew Guariglia, a surveillance policy analyst with the EFF, says that these “requests provide an unregulated avenue through which police could theoretically use a trash can being knocked over as justification for requesting footage of 12 hours of peaceful protesting.”
Ring has an active program in which it allows exactly these types of requests from law enforcement, and it’s used by hundreds of agencies across the country. Despite this, Ring insists it prohibits law enforcement from obtaining video of lawful activities such as protests and believes the LAPD was simply attempting to “identify individuals responsible for theft, property damage, and physical injury.” Seems like quite the fine line they are walking, seeing that a 2019 report by Motherboard shows that they literally coach law enforcement on how to obtain this footage without a warrant.
Surveil-link #35: EU and US activist organizations urge respective governments to curb facial recognition surveillance
This past week, in both the European Union and the United States, activist groups urged their executive branches to stop the use of facial recognition surveillance.
In Europe, they are petitioning the EU Commission “to prohibit, in law and in practice, indiscriminate or arbitrarily-targeted uses of biometrics which can lead to unlawful mass surveillance.” It goes on to demand that “These intrusive systems must not be developed, deployed (even on a trial basis) or used by public or private entities insofar as they can lead to unnecessary or disproportionate interference with people’s fundamental rights.” They also argue the practice violates existing EU privacy laws.
On the other side of the pond, a coalition of organizations including the ACLU, the EFF, Access Now, and Fight for the Future, wrote a letter to newly-elected President Biden with three specific asks:
- Place a moratorium on the use of facial recognition and other biometric surveillance by the U.S. federal government.
- Place a hold on the acquisition of these technologies with U.S. federal funds.
- Express support for the Facial Recognition and Biometric Technology Moratorium Act currently proposed in both Houses of Congress.
If either government takes those promptings and passes legislation regulating the technology, they will be the first to do so on a national level. Thus far, efforts to stop facial recognition have largely been a local matter, as seen in Minneapolis in surveil-link #31.
- TikTok does not comply with the GDPR when it comes to the protection of user data.
- Users appear to only be able to opt out of the delivery of personalized advertising, but not the processing of their data that makes it possible.
- Certain TikTok security practices recently brought to light imply that the company is not putting sufficient data protections in place.
- TikTok appears to not differentiate between the data of children under 13 and other users, again, in violation of the GDPR.
Jef Ausloos, a legal scholar and an author of the complaint, told TechCrunch this complaint was in the making for several years. Since then, many of TikTok’s privacy practices have changed significantly. He tweeted the day the report was filed that he’s worried this is a tactic to evade regulatory scrutiny.
The Intercept released a damning report last Thursday revealing internal presentations and documents from tech giant Oracle showing active advertisement to Chinese police claiming it could advance “centralized processing and smart analysis of public safety information.” As we learned in surveil-link #12, the Chinese police state has mounds of data that primarily target the country’s Muslim population, which would likely fall under the category of “public safety information.”
An Oracle representative insists that the presentations simply show “what our products could do if others built on top of them” and that they “do not indicate any targeted or intended sales/support.” But the documents leave little doubt that Oracle has indeed advertised their products as tools to enable surveillance. One 2015 brochure entitled “Social-Enabled Policing” boasts that Oracle’s Social Relationship Management product can sift through “700 million messages per day” from major social messaging apps, including WeChat and Weibo, apps primarily used in China.
The Intercept points out the irony that Oracle was one of the first companies to jump at the chance to acquire the U.S. operations and infrastructure of TikTok, a popular social media app made by the Beijing-based company ByteDance. The deal, sparked by a Trump executive order out of concern for data privacy of the millions of U.S. citizens using TikTok, is currently being held up in court. In other words, a company that appears to be enabling the Chinese surveillance state could own a stake of an app that Trump wanted out of the hands of the Chinese surveillance state.
The Electronic Frontier Foundation, on behalf of four immigrant and racial justice groups, sued the Departments of Homeland Security and Health and Human Services on Friday. The groups are particularly concerned about a system called HHS Protect maintained by controversial private surveillance company Palantir. HHS Protect was used to collect COVID-19 statistics and data when the Trump administration asked hospitals to cease reporting data to the Centers for Disease Control and Prevention and report to HHS instead.
The groups submitted Freedom of Information Act requests for more information about how that data was being used in HHS Protect but have yet to receive any such records. The lawsuit “demands the government immediately process the groups’ FOIA request, and make the records available to them.”
If a website depends on tracking its users for revenue, you can bet your ass they will find a way to circumvent every anti-tracking technique employed by those users. This is highlighted in surveil-links #7 and #22, describing the efforts of various browsers to block supercookies. Well, Ars Technica reports on University of Illinois researchers who have found a new supercookie.
Each website a user visits has an icon that appears in the left corner of the tab the site is opened in. Those icons are called favicons and they are stored in an entirely different cache that is not typically cleared with the rest of the browser’s caches. Through a series of redirects and caching various different favicons, the researchers were able to successfully track users even when the browser was in private or incognito mode.
Ars Technica reports that major browsers are working on a solution to the problem.
Surveil-link #40: Airlines and governments begin experimenting with facial recognition for vaccine passports
TechRepublic reports that several airlines, after a difficult year for business, are testing out a facial recognition application made by Corsight AI. The application, known as Travel Pass, uses the technology to identify a person and inform the airline if they are properly vaccinated.
The company’s CEO recently hired a Chief Privacy Officer and claims he doesn’t “want to live in an Orwellian society”. However, a spokesperson for Privacy International calls this “surveillance opportunism.”
The Thomson Reuters Foundation reported an exclusive story showing that over half of London’s boroughs are using surveillance cameras made by Hikvision and Zhejiang Dahua Technology, both partially state-owned Chinese companies whose products are actively used in state-run concentration camps holding much of the country’s Uighur population. The acquisition of equipment from these companies has been barred in the U.S.
This has naturally raised both privacy and human rights concerns among London residents. Aziz Isa Elkun, a Uighur activist in London, said, “These concentration camps are testing grounds for Chinese technology - they test them on the Uighurs ... and then they go commercial and try to make money from it.”
Silkie Carlo, director at privacy watchdog group Big Brother Watch, expressed deep concern that UK taxpayer money is being spent to “[fund] firms that work hand in hand with the Chinese state, that do ethnic profiling, and enable what looks like ethnic cleansing ... we can't tolerate our own Chinese-built panopticon.”
Other notable links
These are the surveil-links which may also be of interest, but which I felt could be better summarized with a simple sentence or two. You can navigate to them the same way as the other surveil-links.
- Surveil-link #42: Facebook fined (again) 7 million euros in Italy for not being clear about how it monetizes users’ data - TechCrunch
- Surveil-link #43: Chrome for iOS adds features to lock incognito tabs behind fingerprint or face lock - BleepingComputer
- Surveil-link #44: Bug in privacy-centric browser Brave exposes domains meant for private Tor network to DNS providers - BleepingComputer
- Surveil-link #45: The FBI is using flimsy laws to collect all cell phone records from around the U.S. Capitol the day of the insurrection - The Intercept
- Surveil-link #46: TechCrunch analyzes the scary intersection of surveillance capitalism and financial tech companies
- Surveil-link #47: One Zero’s General Intelligence blog dives into the “shoddy science behind emotional recognition tech”
- Surveil-link #48: A proposal by Customs and Border Patrol to install new cameras along the Vermont and Canadian border has some Vermont residents and politicians worried about privacy - VT Digger