At a glance.
- What happened to the UK's centralized contact-tracing technology.
- Tracking a suspect through open-source searches.
- An intersection of marketing and law enforcement.
- Russia and Iran independently move toward an autarkic Internet, with close control of content.
- The EFF's case for keeping Section 230.
NHSX's contact-tracing app: a post mortem.
The UK has decided to shelve the contact-tracing app it developed and piloted, moving instead toward the Apple-Google decentralized contact notification approach. An essay in MIT Technology Review discusses the decisions that in its view led to NHSX's failure to field a satisfactory centralized system. The NHSX app is regarded as having underperformed during its trials on the Isle of Wight, and despite initial hopeful signs, the app was not fielded.
Technology Review argues that there are lessons to be drawn from what its headline characterizes as a "fiasco." Some of those lessons are familiar, almost endemic to any large program conceived and executed in haste: chaotic management and bureaucratic infighting that lead to financial waste and lost time are so familiar as to hardly deserve mention. But one misstep Technology Review calls out is worth considering: "[T]he team focused on the potential upsides of a centralized app and initially disregarded all the extra challenges it involved. Outside concerns, many aired publicly, were ignored." Among the upsides that seem to have captured the team was the tracking potential Bluetooth brought to the project, but due consideration wasn't given to the many impediments to easy Bluetooth sharing that vendors had long put in place to help secure user privacy. And in general there seems to have been a tendency to underestimate the resistance any centralized data repository would arouse, given its inherent potential for post-pandemic abuse.
"Fiasco" may be too strong a word. Give the National Health Service this much credit: it did cut its losses instead of trying to force an unwelcome and arguably kludgy system on a resistant public. To be sure, time and money were spent in ways that didn't pan out, but that's almost inevitable in a crisis.
Law enforcement's use of online data to identify and track suspects.
The United States Attorney for the Eastern District of Pennsylvania has charged one Lore-Elisabeth Blumenthal of Philadelphia "by criminal complaint for the arson of two Philadelphia Police Department (PPD) vehicles." Ms Blumenthal allegedly torched the two police cars during May 30th demonstrations against police brutality as recently manifested in the killing of George Floyd.
Arson is of course not a cybercrime, especially when it's not mediated by anything other than the arsonist's arm flinging burning material into a target. What is interesting, from a cybersecurity point of view, is how Ms Blumenthal was identified and apprehended. An FBI Special Agent watched aerial news footage of apparent arson, and said, in an affidavit submitted in the course of obtaining a warrant, that the video showed "a white female in a blue tee shirt and jeans, wearing a brown/green backpack, grey gloves, multicolored mask, and black boots." He obtained other images from an amateur photographer that provided more detail, including the slogan on the tee shirt ("KEEP THE IMMIGRANTS, DEPORT THE RACISTS") as well as a distinctive tattoo (of a stylized peace sign). Another video of the incident was found on Vimeo by the Department of Homeland Security, which shared it with the Bureau. A further look through Instagram persuaded the Special Agent investigating that he was on the right track, but the challenge of finding the individual shown in the videos remained.
The Special Agent and his colleagues found, in Etsy Store A's public page, a tee shirt for sale with exactly that slogan ("KEEP THE IMMIGRANTS," etc.) and generally consistent with the shirt worn by the woman in the various videos. Naturally, like most e-commerce sites, Etsy offers a space for customer comment. And on March 24 of this year a customer with the screen name "Xx Mv" left a five-star review of that particular shirt, with an appreciative "Fast shipping, thanks very much!" The Etsy profile, also publicly available, for Xx Mv gives a location of Philadelphia, and "the user name from the Etsy url for that profile displays as 'alleycatlore.'"
A search for alleycatlore (the affidavit emphasizes throughout that these are "open source" searches) turned up a Poshmark result with a user going by "lore-elisabeth." So the investigators searched for "Lore Elizabeth" in Philadelphia and found a LinkedIn page matching a Lore Elisabeth who worked for a massage therapy company. The company's website has several massage videos posted, and the massage therapist's right arm visible in some of the videos has the "stylized peace sign" visible in some of the images of the (alleged) arson. That website also listed a phone number for Lore Elizabeth, and that number was associated with Lore Blumenthal, at an address in Philadelphia. A check of Pennsylvania Department of Motor Vehicle records provided more converging information, and that was enough to get a grand jury subpoena for Etsy Store A records, which confirmed that a blue tee shirt with the "KEEP THE IMMIGRANTS" slogan had indeed been shipped to Ms Blumenthal's address. And that was enough for an arrest warrant.
If nothing else, this arrest shows how much information about individuals is freely available online, especially given the distinctively if not exclusively American predilection for indulging the libido ostentandi, the itch to put oneself on display.
The IRS explored the use of marketing data in criminal investigations.
The FBI's investigation depended on little more than some virtual shoe leather, but other law enforcement agencies have twigged to the utility of the large databases market research firms collect and sell. The Wall Street Journal reports that the US Internal Revenue Service (IRS) has answered an inquiry from Senator Ron Wyden (Democrat of Oregon) by acknowledging that it had contracted with Venntel, a Virginia-based contractor that resells marketing data to Government agencies, to provide it with a database it used in “significant money-laundering, cyber, drug and organized-crime cases.” The IRS says it's let its contract with Venntel lapse, but the Journal points out that the use case shows that marketing data can provide an alternative to the cell-phone data recent court decisions have rendered more difficult to obtain.
Both Russia and Iran clamp down on Internet content.
Radio Free Europe | Radio Liberty reports that Tehran has increased pressure on sites that post material inconsistent with the Islamic Republic's preferred narratives. The Intelligence Branch of the Islamic Revolutionary Guard Corps is apparently extending existing controls over broadcast media to social media.
Human Rights Watch notes with concern Russia's progress toward online autarky, which rests, the group says, on "two pillars: control and increasing isolation from the World Wide Web."
The case for keeping Section 230.
The Electronic Frontier Foundation (EFF) makes a case against two recent proposals to reform Section 230 of the US Communications Decency Act, which affords online platforms certain protections against liability for the content they host. The EFF argues that a Justice Department proposal and a bill introduced by Senator Josh Hawley (Republican of Missouri) would both, if enacted, give a kind of heckler's veto in the form of expensive and interminable litigation to people who disliked content that appeared on various online media.