Billions of people are inseparable from their phones. Their devices are within reach – and earshot – for almost every daily experience, from the most mundane to the most intimate.

Few pause to think that their phones can be transformed into surveillance devices, with someone thousands of miles away silently extracting their messages, photos and location, activating their microphone to record them in real time.

Such are the capabilities of Pegasus, the spyware manufactured by NSO Group, the Israeli purveyor of weapons of mass surveillance.

NSO rejects this label. It insists only carefully vetted government intelligence and law enforcement agencies can use Pegasus, and only to penetrate the phones of “legitimate criminal or terror group targets”.

Yet in the coming days the Guardian will be revealing the identities of many innocent people who have been identified as candidates for possible surveillance by NSO clients in a massive leak of data.

Without forensics on their devices, we cannot know whether governments successfully targeted these people. But the presence of their names on this list indicates the lengths to which governments may go to spy on critics, rivals and opponents.

First we reveal how journalists across the world were selected as potential targets by these clients prior to a possible hack using NSO surveillance tools.

Over the coming week we will be revealing the identities of more people whose phone numbers appear in the leak. They include lawyers, human rights defenders, religious figures, academics, businesspeople, diplomats, senior government officials and heads of state.

Our reporting is rooted in the public interest. We believe the public should know that NSO’s technology is being abused by the governments who license and operate its spyware. But we also believe it is in the public interest to reveal how governments look to spy on their citizens and how seemingly benign processes such as HLR lookups can be exploited in this environment.

[…]

Companies such as NSO operate in a market that is almost entirely unregulated, enabling tools that can be used as instruments of repression for authoritarian regimes such as those in Saudi Arabia, Kazakhstan and Azerbaijan.

The market for NSO-style surveillance-on-demand services has boomed post-Snowden, whose revelations prompted the mass adoption of encryption across the internet. As a result the internet became far more secure, and mass harvesting of communications much more difficult.

But that in turn spurred the proliferation of companies such as NSO offering solutions to governments struggling to intercept messages, emails and calls in transit. The NSO answer was to bypass encryption by hacking devices.

Two years ago the then UN special rapporteur on freedom of expression, David Kaye, called for a moratorium on the sale of NSO-style spyware to governments until viable export controls could be put in place. He warned of an industry that seemed “out of control, unaccountable and unconstrained in providing governments with relatively low-cost access to the sorts of spying tools that only the most advanced state intelligence services were previously able to use”.

His warnings were ignored. The sale of surveillance continued unabated. That GCHQ-like surveillance tools are now available for purchase by repressive governments may give some of Snowden’s critics pause for thought.

[…]

Source: Huge data leak shatters the lie that the innocent need not fear surveillance | Surveillance | The Guardian

[…]

Watkins, a self-described privacy advocate whose mother and grandmother shredded personal information when he was growing up, said he is unwilling to complete the identity verification process his state now requires, which includes having his face analyzed by a little-known company called ID.me.

He sent a sharply worded letter to his state’s unemployment agency criticizing ID.me’s service, saying he would not take part in it given his privacy concerns. In response, he received an automated note from the agency: “If you do not verify your identity soon, your claim will be disqualified and no further benefit payments will be issued.” (A spokesperson for the Colorado Department of Labor and Employment said the agency only allows manual identity verification “as a last resort” for unemployment claimants who are under 18 — because ID.me doesn’t work with minors — and those who have “technological barriers.”)

[…]

Watkins is one of millions across the United States who are being instructed to use ID.me, along with its facial recognition software, to get their unemployment benefits. A rapidly growing number of US states, including Colorado, California and New York, turned to ID.me in hopes of cutting down on a surge of fraudulent claims for state and federal benefits that cropped up during the pandemic alongside a tidal wave of authentic unemployment claims.

As of this month, 27 states’ unemployment agencies had entered contracts with ID.me, according to the company, with 25 of them already using its technology. ID.me said it is in talks with seven more. ID.me also verifies user identities for numerous federal agencies, such as the Department of Veterans Affairs, Social Security Administration and IRS.

[…]

The face-matching technology ID.me employs comes from a San Francisco-based startup called Paravision

[…]

Facial recognition technology, in general, is contentious. Civil rights groups frequently oppose it for privacy issues and other potential dangers. For instance, it has been shown to be less accurate when identifying people of color, and several Black men, at least, have been wrongfully arrested due to the use of facial recognition. It’s barely regulated — there are no federal laws governing its use, though some states and local governments have passed their own rules to limit or prohibit its use. Despite these concerns, the technology has been used across the US federal government, as a June report from the Government Accountability Office showed.

Several ID.me users told CNN Business about problems they had verifying their identities with the company, which ranged from the facial recognition technology failing to recognize their face to waiting for hours to reach a human for a video chat after encountering problems with the technology. A number of people who claim to have had issues with ID.me have taken to social media to beg the company for help with verification, express their own concerns about its face-data collection or simply rant, often in response to ID.me’s own posts on Twitter. And some like Watkins are simply frustrated not to have a say in the matter.

[…]

ID.me said it does not sell user data — which includes biometric and related information such as selfies people upload, data related to facial analyses, and recordings of video chats users participate in with ID.me — but it does keep it. Biometric data, like the facial geometry produced from a user’s selfie, may be kept for years after a user closes their account.

Hall said ID.me keeps this information only for auditing purposes, particularly for government agencies in cases of fraud or identity theft. Users, according to its privacy policy, can ask ID.me to delete personally identifiable information it has gathered from them, but the company “may keep track of certain information if required by law” and may not be able to “completely delete” all user information since it “periodically” backs up such data. (As Ryan Calo, codirector of the University of Washington’s Tech Policy Lab, put it, this data retention policy is “pretty standard,” but, he added, that “doesn’t make it great!”)

[…]

Beyond state unemployment agencies, ID.me is also becoming more widespread among federal agencies such as the IRS, which in June began using ID.me to verify identities of people who want to use its Child Tax Credit Update Portal.

“We’re verifying more than 1% of the American adult population each quarter, and that’s starting to compress more to like 45 or 50 days,” Hall said. The company has more than 50 million users, he said, and signs up more than 230,000 new ones each day.

[…]

Vasquez said that, when a state chooses to use a tool it knows has a tendency to not work as well on some people, she thinks that “starts to invade something more than privacy and get at questions of what society values and how it values different members’ work and what our society believes about dignity.”

Hall claims ID.me’s facial recognition software is over 99% accurate and said an internal test conducted on hundreds of faces of people who had failed to pass the facial recognition check for logging in to the social security website did not show statistically significant evidence of racial bias.

In cases where users are able to opt out of the ID.me process, it can still be arduous and time-consuming: California’s Employment Development Department website, for instance, instructs people who can’t verify their identity via ID.me when applying online to file their claim over the phone or by mail or fax.

Most people aren’t doing this, however; it’s time consuming to deal with snail mail or wade through EDD’s phone system, and many people don’t have access to a fax machine. An EDD spokesperson said that such manual identity verification, which used to be a “significant” part of EDD’s backlog, now accounts for “virtually none” of it.

Long wait times for some

Eighty-five percent of people are able to verify their identity with ID.me immediately for state workforce agencies without needing to go through a video chat, Hall said.

What happens to the remaining 15% worries Akselrod, of the ACLU, since users must have access to a device with a camera — like a smartphone or computer — as well as decent internet access. According to recent Pew research, 15% of American adults surveyed don’t have a smartphone and 23% don’t have home broadband.

“These technologies may be inaccessible for precisely the people for whom access to unemployment insurance is the most critical,” Akselrod said.

[…]

Source: Want your unemployment benefits? You may have to submit to facial recognition first – CNN

What this excellent article doesn’t go into is what a terrible idea having huge centralised databases is, especially one filled with biometric information (which you can’t change) of an entire population

A series of Samsung apps that allow customers to control their internet-connected appliances require access to all the phone’s contacts and, in some cases, the phone call app, phone’s location, and camera. Customers have been furious about this for years.

On Wednesday, a Reddit user complained that their washing machine app, the Samsung Smart Washer, wouldn’t work “unless I give it access to my contacts, location and camera.”

This is a common complaint.

[…]

These situations speak to two issues: Apps that demand permissions that they don’t need, and “smart” and internet of things devices that make formerly simple tasks very complicated, and open up potential privacy and security concerns.

Generally speaking, over the last few years, people have become more sensitive to what they’re giving up in privacy and potentially security when they deal with big tech companies. Smart TVs (Samsung included), for example, have been caught listening to users and automatically deliver ads. Tech companies have had to adapt and do better. For example, both Apple and Google allow users to see what data an app has access to, and in some cases users can toggle the permissions individually. The upcoming new version of Android will even have a dedicated “Privacy Dashboard” where users can see which apps used what permissions, and revoke them if they want. Apple’s iOS has similar functionality. But none of this stops app developers from asking users to accept unnecessary permissions.

It’s unclear why apps that are designed to let you set the type of washing cycle you want, or see how long it’s gonna take for the dryer to be done, would need access to your phone’s contacts. In an FAQ for another Samsung app, the company says it needs access to contacts “to check if you already have a Samsung account set up in your device. Knowing this information helps mySamsung to make the sign-in process seamless.”

[…]

Source: Samsung Washing Machine App Requires Access to Your Contacts and Location

Federal law enforcement agencies secretly seek the data of Microsoft customers thousands of times a year, according to congressional testimony Wednesday by a senior executive at the technology company.

Tom Burt, Microsoft’s corporate vice president for customer security and trust, told members of the House Judiciary Committee that federal law enforcement in recent years has been presenting the company with between 2,400 to 3,500 secrecy orders a year, or about seven to 10 a day.

“Most shocking is just how routine secrecy orders have become when law enforcement targets an American’s email, text messages or other sensitive data stored in the cloud,” said Burt, describing the widespread clandestine surveillance as a major shift from historical norms.

[…]

Brad Smith, Microsoft’s president, called for an end to the overuse of secret gag orders, arguing in a Washington Post opinion piece that “prosecutors too often are exploiting technology to abuse our fundamental freedoms.” Attorney General Merrick Garland, meanwhile, has said the Justice Department will abandon its practice of seizing reporter records and will formalize that stance soon.

[…]

Burt said that while the revelation that federal prosecutors had sought data about journalists and political figures was shocking to many Americans, the scope of surveillance is much broader. He criticized prosecutors for reflexively seeking secrecy through boilerplate requests that “enable law enforcement to just simply assert a conclusion that a secrecy order is necessary.”

[…]

As possible solutions, Burt said, the government should end indefinite secrecy orders and should also be required to notify the target of the data demand once the secrecy order has expired.

Just this week, he said, prosecutors sought a blanket gag order affecting the government of a major U.S. city for a Microsoft data request targeting a single employee there.

“Without reform, abuses will continue to occur and they will occur in the dark,” Burt said.

Source: Microsoft exec: Targeting of Americans’ records ‘routine’

Lawmakers in the House have introduced five new bills that would place significant limits on major tech companies, including Apple, Google, Facebook and Amazon.The proposed legislation is part of a broader effort to step up antitrust enforcement against tech giants.The bills would place new limits on the companies’ ability to acquire new business and change how they treat their own services compared with competitors.

“From Amazon and Facebook to Google and Apple, it is clear that these unregulated tech giants have become too big to care and too powerful to ever put people over profit,” Rep. Pramila Jayapal said in a statement. “By reasserting the power of Congress, our landmark bipartisan bills rein in anti-competitive behavior, prevent monopolistic practices, and restore fairness and competition while finally leveling the playing field and allowing innovation to thrive.”

The bills include:

• The American Choice and Innovation Online Act: A measure that would prevent tech platforms from advantaging their own business over a competitor. Rep. David Cicilline, chair of the House Antitrust subcommittee, said the bill would prevent Amazon “from manipulating their marketplaces to promote their own products.” It could also address concerns that Apple preferences its own services in the App Store.
• The Ending Platform Monopolies Act: Co-authored by Rep. Jayapal, whose district includes Amazon, the bill targets the online retail giant. It would prevent big tech companies from “selling products in marketplaces they control.”
• The Platform Competition and Opportunity Act: The bill would prevent “dominant platforms” from acquiring companies that represent “competitive threats.” Members of Congress have previously questioned Mark Zuckerberg over Facebook’s aggressive pursuit of competitors.
• The Augmenting Compatibility and Competition by Enabling Service Switching Act of 2021 (ACCESS): The bill is meant to make it easier to “quit social media and take your data with you,” according to Cicilline.
• The ‘Merger Filing Fee Modernization Act of 2021: The bill would help the FTC and Department of Justice raise more money for antitrust enforcement by increasing the fees companies pay when requesting government approval for acquisitions.

Notably, the bills have bipartisan support, as limiting the power of big tech platforms has been a rare source of bipartisan agreement in Congress. Though the bills don’t name individual companies, the legislation could have a significant impact on Facebook, Google, Amazon and Apple, which have faced increasing scrutiny from Congress over their business practices and market dominance.

Source: House introduces five antitrust bills targeting Apple, Google, Facebook and Amazon | Engadget

Apple didn’t know the Department of Justice was requesting metadata of Democratic lawmakers when it complied with a subpoena during a Trump-era leak investigation, CNBC reports. And it wasn’t the only tech giant tapped in these probes: Microsoft confirmed Friday it received a similar subpoena for a congressional staffer’s personal email account. Both companies were under DOJ gag orders preventing them from notifying the affected users for years.

These instances are part of a growing list of questionable shit the DOJ carried out under former President Donald Trump amid his crusade to crack down on government leakers. The agency also quietly went after phone and email records of journalists at the Washington Post, CNN, and the New York Times to uncover their sources, none of whom were notified until last month.

On Thursday, a New York Times report revealed that a Trump-led DOJ seized records from two Democrats on the House Intelligence Committee who were frequently targeted in the president’s tantrums: California Representatives Eric Swalwell and Adam Schiff (Schiff now chairs the committee). The subpoena extended to at least a dozen people connected to them, including aides, family members, and one minor, in an attempt to identify sources related to news reports on Trump’s contacts with Russia. All told, prosecutors found zero evidence in this seized data, but their efforts have prompted the Justice Department’s inspector general to launch an inquiry into the agency’s handling of leak investigations during the Trump administration.

[…]

Source: Apple and Microsoft Say They Had No Idea Trump-Era DOJ Requested Data on Political Rivals

Google has agreed to pay a €220 million ($267 million) fine and change its ad practices after France’s competition authority found it had abused its dominant online ad position. Following a 2019 complaint by News Corp. and French newspaper Le Figaro, France ruled that Google was favoring its own advertising services to the detriment of rivals.

[…]

In a blog post, Google explained how it planned to change its ad rules by offering publishers “increased flexibility” by improving interoperability between its ad manager and third-party ad servers. “Also, we are reaffirming that we will not limit Ad Manager publishers from negotiating specific terms or pricing directly with other sell-side platforms.”

Google’s ad division has faced scrutiny from French regulators in the past. In 2019, the watchdog fined Google €150 million ($167 million) for opaque and unpredictable advertising rules after it suspended the Google Ads account of a French company without notice. Google has also clashed with regulators and publishers in the nation over the use of snippets of content in its news section.

Source: Google to adapt its ad technology after France hands it a $267 million fine | Engadget

Apple chief executive Tim Cook has long argued it needs to control app distribution on iPhones, otherwise the App Store would turn into “a flea market.”

But among the 1.8 million apps on the App Store, scams are hiding in plain sight. Customers for several VPN apps, which allegedly protect users’ data, complained in Apple App Store reviews that the apps told users their devices have been infected by a virus to dupe them into downloading and paying for software they don’t need. A QR code reader app that remains on the store tricks customers into paying $4.99 a week for a service that is now included in the camera app of the iPhone. Some apps fraudulently present themselves as being from major brands such as Amazon and Samsung.

Of the highest 1,000 grossing apps on the App Store, nearly two percent are scams, according to an analysis by The Washington Post. And those apps have bilked consumers out of an estimated $48 million during the time they’ve been on the App Store, according to market research firm Appfigures. The scale of the problem has never before been reported. What’s more, Apple profits from these apps because it takes a cut of up to a 30 percent of all revenue generated through the App Store. Even more common, according to The Post’s analysis, are “fleeceware” apps that use inauthentic customer reviews to move up in the App Store rankings and give apps a sense of legitimacy to convince customers to pay higher prices for a service usually offered elsewhere with higher legitimate customer reviews.

Two-thirds of the 18 apps The Post flagged to Apple were removed from the App Store.

[…]

Apple has long maintained that its exclusive control of the App Store is essential to protecting customers, and it only lets the best apps on its system. But Apple’s monopoly over how consumers access apps on iPhones can actually create an environment that gives customers a false sense of safety, according to experts. Because Apple doesn’t face any major competition and so many consumers are locked into using the App Store on iPhones, there’s little incentive for Apple to spend money on improving it, experts say.

[…]

Apple unwittingly may be aiding the most sophisticated scammers by eliminating so many of the less competent ones during its app review process, said Miles, who co-authored a paper called “The Economics of Scams.”

[…]

Apple has argued that it is the only company with the resources and know-how to police the App Store. In the trial that Epic Games, the maker of the popular video game “Fortnite,” brought against Apple last month for alleged abuse of its monopoly power, Apple’s central defense was that competition would loosen protections against unwanted apps that pose security risks to customers. The federal judge in the case said she may issue a verdict by August.

The prevalence of scams on Apple’s App Store played a key role at trial. Apple’s lawyers were so focused on the company’s role in making the App Store safe that Epic’s attorneys accused them of trying to scare the court into a ruling in favor of Apple. In other internal emails unearthed during trial that date as far back as 2013, Apple’s Phil Schiller, who runs the App Store, expressed dismay when fraudulent apps made it past App Store review.

After a rip-off version of the Temple Run video game became the top-rated app, according to Schiller’s email exchange, he sent an irate message to two other Apple executives responsible for the store. “Remember our talking about finding bad apps with low ratings? Remember our talk about becoming the ‘Nordstroms’ of stores in quality of service? How does an obvious rip off of the super popular Temple Run, with no screenshots, garbage marketing text, and almost all 1-star ratings become the #1 free app on the store?” Schiller asked his team. “Is no one reviewing these apps? Is no one minding the store?” Apple declined to make Schiller available to comment. At trial, Schiller defended the safety of the app store on the stand. The app review process is “the best way we could come up with … to make it safe and fair.”

Eric Friedman, head of Apple’s Fraud Engineering Algorithms and Risk unit, or FEAR, said that Apple’s screening process is “more like the pretty lady who greets you with a lei at the Hawaiian airport than the drug sniffing dog,” according to a 2016 internal email uncovered during the Epic Games trial. Apple employs a 500-person App Review team, which sifts through submissions from developers. “App Review is bringing a plastic butter knife to a gun fight,” Friedman wrote in another email.

[…]

Though the App Store ratings section is filled with customer complaints referring to apps as scams, there is no way for Apple customers to report this to Apple, other than reaching out to a regular Apple customer service representative. Apple used to have a button, just under the ratings and reviews section in the App Store, that said “report a problem,” which allowed users to report inappropriate apps. Based on discussions among Apple customers on Apple’s own website, the feature was removed some time around 2016.

[…]

 

Source: Apple’s tightly controlled App Store is teeming with scams – Anchorage Daily News