Saturday, March 16, 2013

License to Intrude, Part 4

There have been no updates to the blog in a few months, and this series in particular has not been updated in almost a year. But, what I haven't written about is actually quite interesting.

First, a review. In Part 1 we saw how the FBI - government agents whose job is to protect our Constitutional form of government - were taking shortcuts around the Constitution to collect and retain information on law-abiding American citizens who were engaged in lawful activities. (!) We also saw how connected Facebook's senior leadership was to the Obama regime, and this certainly raised the question about potential for abuse. Then, in Part 2, we saw how Facebook collected extensive information on its users, and considered Facebook's policy of sharing information collected with government agencies based on the presumed good faith of those agencies.

Well, in Part 3 we looked at issues being addressed with recent proposed legislation regarding privacy and security and cyberspace. We then went on to see how Facebook was making the location of its users public, and we saw how this trend might likely evolve, with apps that could tell you about the people around you. Of course, if the app can tell you about the people around you, it could also tell someone else about the people around you, and thus about whom you hang around with. ;)

Of course, what has happened since that last post is hardly surprising, but it is important to consider.

First, we examine excerpts from a December 27, 2012, article entitled "Prevent Facebook from automatically importing photos" by CNET's Dennis O'Reilly (I have reproduced links found in the original):

A few weeks ago, Facebook introduced the ability to sync photos taken on your iPhones, iPads, and Android phones to your Facebook account automatically. Jason Cipriani describes how to enable the feature in "Getting started with Facebook photo sync on Android, iPhone."


As you can imagine, having all the photos taken by your phone or tablet uploaded to Facebook imperils your privacy and security. As's Brandon Bailey reported earlier this month, Facebook claims it will not use the data associated with the photos until they are posted.

The referenced article, "Facebook says it won't use data from private photos," by Brandon Bailey, December 4, 2012, has this to say:

Some analysts raised the possibility this week that Facebook might analyze private photos for digital clues about where they were taken or even the identities of people in the photos, perhaps applying that information in the same way it relies on other user data to determine which ads and other messages are shown to different users.

A Facebook representative appeared to dispute that on Tuesday, saying in a statement: "We only utilize photo data after users decide to share them to Facebook." In response to a follow-up question, the representative said that means the company won't use data from uploaded photos in the user's private album, although the company would apply its normal policies if the user opts to share the photos on Facebook.


Bloggers and security experts have praised some aspects of the Photo Sync feature, while cautioning that it could still give Facebook access to more data if it leads to users sharing more photos, and that it might also increase the chances for sharing photos inadvertently.

Of course, let us trust both the ability and the intentions of Facebook. The next logical question is: Who really cares what Facebook does or what Facebook says it will do? Haven't we established in this series that Facebook is a de facto feeder of raw data to the government? And, again, we are assuming government employees are acting competently and in good faith. Considering all the scandals governments are known for, can we trust the people who brought us Fast and Furious with this information?

As pointed out in "Prevent Facebook from automatically importing photos":

However, all the data associated with the photos, including where and when they were taken, is still accessible to Facebook and can be used to determine the ads you see. Privacy advocates have pointed out that Facebook users are much more likely to post photos that are already uploaded, often inadvertently.

And, if it is accessible to Facebook, then it is accessible to whom else? Government agents? Hackers? Obamanista operatives?

A situation that is not dissimilar has hit close to home for Facebook. In an article from December 26, entitled "Randi Zuckerberg loses control on Facebook (and Twitter)," author Chris Matyszczyk points out how the sister of Facebook's CEO inadvertently posted publicly a photo that she had intended to be seen only by her friends. The article addresses issues such as human decency.

My point, however, is that Facebook's senior leadership is well-connected with an administration that traffics weapons to at least one Mexican drug cartel. Believing that such a government acts in good faith, and therefore releasing information to that government's agents, trumps any hopes for human decency regarding what might happen with all the information that Facebook has: by tracking us online even when we are not logged in to Facebook, by tracking our location in the physical world, and by automatically uploading photos of the places we are and the people with whom we interact into Facebook's database.

But, of course, it doesn't end there, does it?

What happens once the FBI gets all this information on you, including photos uploaded automatically from your smartphone of where you are and of whom you are with?

Well, FBI security has not always been the best, and another recent scandal specifically illustrates the danger of FBI databases.

Back on September 3, activists involved in AntiSec, an operation run in part by members of the hacker group Anonymous, posted online one million Apple Unique Device Identifiers (UDIDs) from a database of 12 million it claimed to have hacked.

Several articles ("AntiSec claims to have snatched 12M Apple device IDs from FBI," September 3, 2012; "FBI finds no evidence that AntiSec hacked its laptop," September 4, 2012; "How the FBI might've been owned (12M Apple records)," September 4, 2012) tell the story of how AntiSec claims to have exploited a bug in Java to access a laptop being used by FBI Special Agent Christopher K. Stangl.

Some key details emerge in this excerpt from "FBI finds no evidence that AntiSec hacked its laptop" which, in turn, links to another of the articles listed above:

Stangl was among a group of four dozen or so U.S. and UK law enforcement agents who were recipients of an e-mail that AntiSec members got ahold of related to investigating AntiSec, Anonymous and their affiliates. The e-mail was sent last January to organize a conference call among the agents which the hackers then listened in on. Robert David Graham speculates on his Errata Security blog that the hackers got Stangl's e-mail address off that list and targeted him for compromise with a phishing e-mail.

The @AnonyOps Twitter account responded to the FBI statement, saying "FBI says there was no hack. That means either they're lying or they *gave* the information up to someone in #antisec. It's happened before."

Security Space Rogue, the former editor of Hacker News Network, tweeted: "FBI statement is ambiguously short. States not from an 'FBI' laptop. How about a personal laptop of an FBI agent?" An FBI spokesperson did not immediately respond when asked that question late this afternoon.

So, the question hangs as to whether SA Stangl was using this database on a personal laptop. If so, was he doing his official work on his personal computer? Many people do, though one would expect government agencies dealing with issues requiring security and confidentiality would not permit this.

Or, was non-official work being done with this database?

Apparently, access to SA Stangl's laptop (and possibly to other devices?) was gained by exploiting this Java bug after Anonymous intercepted an email with SA Stangl's email address on it. The email had the addresses of many other law enforcement officials, and was scheduling a conference call for French, British, Europol and FBI personnel to discuss these hacktivists and their activities.

It all makes for a nice package, really.

Facebook gets your information (location, photos) automatically, and shares it based on presumed good faith with the government run by an administration of a President for whom Facebook officers have campaigned and fundraised. The FBI is then targeted by hackers whom the FBI is investigating and who have successfully stolen other personal information from computers used by FBI agents.

If the FBI can't protect itself and its investigation from the group it is investigating, how well will it protect your information? Will it even admit it has your information, and that your information has been compromised?

Why does the Clinton/FBI Filegate scandal come to mind here?

Of course, there is more to this, isn't there?

An alleged Anonymous hacker was arrested because his presumed girlfriend posted a picture of her breasts online, and US authorities supposedly traced this back to the hacker they were looking for by tying in GPS data of where the photo was taken with a statement the hacker had made online about the location of his female friend.

The article, "Breasts lead to arrest of Anonymous hacker," dated April 14, 2012, by Chris Matyszczyk (another of whose articles was mentioned above), concludes thusly:

However, the photograph of the breasts apparently linked authorities to Ochoa -- because, taken with an iPhone, it contained GPS information. The information allegedly suggested she lived in Melbourne, Australia.

Further burrowing led the police to discover a posting on Ochoa's Facebook page that allegedly revealed his girlfriend was Australian.

The claim is that police have managed to match pictures of her that Ochoa allegedly posted on Facebook to the breast image.

To the untrained eye, this might seem curious, as the Facebook pictures allegedly show her face, while the taunting picture does not.

Perhaps the authorities have gone beyond mere facial-recognition technology and are in possession of software that can match other bodily parts with astonishing accuracy.

So, photos get uploaded to Facebook automatically - who knows where they go from there? - and now an expert with a highly reputable computer news magazine speculates that the authorities may have software that can do recognition of other body parts besides faces.

Why do I feel it is not just Hooters girls who need be concerned about this?