At a glance.
- Privacy advocates sue for disclosure of Federal efforts to obtain Facebook information.
- Spyware in Google Play.
- NSO Group employee used the company's products, off the books.
- Lawful intercept companies offer their tools for contact tracing.
Privacy advocates sue for disclosure of Federal efforts to obtain Facebook information.
The Washington Post, the Electronic Frontier Foundation, and the American Civil Liberties Union are arguing in the US Ninth Circuit that a 2018 decision relevant to the Government's access to encrypted communications should be unsealed, Courthouse News reports. The sealed decision, rendered by Judge Lawrence O’Neill in the US District Court for the Central District of California, denied a Justice Department request that would have required Facebook to reveal the contents of encrypted communications in Facebook Messenger. The issue touches on enforcement of the Wiretap Act. The Washington Post quotes its attorney's argument “The public and other courts need to see and understand the limitations of the government’s police powers under the Wiretap Act,” attorney Duffy Carolan said, adding, “Here the issue being addressed is whether or not the service provider can provide the technical assistance [to the government] with a minimum of interference with its [encrypted] service under the wiretap statute.” The original case involved an investigation into the MS-13 gang, and Judge O'Neill found for Facebook, which was not required to turn the communications over to the Justice Department.
NSO Group employee spied with spyware, off the books.
Motherboard reports that an employee of the NSO Group, makers of the controversial lawful intercept product Pegasus, used the company's software to keep tabs on a love interest, a woman known to the employee. Motherboard's sources at the NSO Group say that the company fired the employee for his activities.
Spyware in Google Play.
A cyberespionage campaign Kaspersky calls "PhantomLance" has been able to infiltrate Google Play, and it appears to be the work of Vietnam's Ocean Lotus group. PhantomLance, whose masters appear interested in collecting both domestic and foreign intelligence, is relatively quiet (it tailors itself to its targets the better to avoid overloading them with noisy and unneeded functionality). It's also relatively selective in its choice of targets: since 2016 roughly three-hundred attempts have been observed, with most of the targets in India, Vietnam, Bangladesh and Indonesia. Algeria, Iran, South Africa, Nepal, Myanmar, and Malaysia also figured on the list.
Contact-tracing apps and lawful intercept.
Vendors of lawful intercept tools ("spyware," in popular jargon, and when misused) are offering their products to governments as a quick approach to scaling COVID-19 contact tracing. Israel-based Cellebrite has, according to Reuters, offered its product to police in India as an aid to tracking people who may have been exposed to infection. Cellebrite is best known for a tool that law enforcement agencies have used to gain access to iPhones in the course of criminal investigations. Cellebrite points out that it's long offered its product to law enforcement, and that it recommends that participation in such contact tracing should be voluntary. The Israeli government is said to be working with NSO Group (whose Pegasus intercept tool has gained notoriety) to develop similar capabilities. Cyprus-based Intellexa and New York-based Verint have also offered their products to governments interested in contact tracing.
Observers suggest that surveillance tools of this kind are too imprecise for contract tracing purposes. For that to be done effectively, it would need to be able to determine proximity within ten meters or less, and ideally to within two meters. Bluetooth-based apps may be able to do that, but the geolocation provided by surveillance tools are generally thought by critics to be too coarse for such purposes.
Governments aren't alone in their desire to obtain a contact-tracing capability. Corporations are, too, as the Washington Post notes. Their motives range from a desire to serve a government market (as in the four companies Reuters mentions), to an interest in employee health and workplace safety, to something indistinguishable from public spirit.
Many of the Bluetooth-based contact tracing apps, like those under development by Apple and Google, are both voluntarily installed and decentralized. Treating mobile devices as proxies for persons is of course imperfect (not everyone has a device, and not everyone who does carries it around with them), but the simplifying assumption that the presence of a phone more-or-less equals the presence of a person should still have considerable utility.
A study conducted at Oxford University estimated that, to stop an epidemic, a population would have to participate at rates of about 60%, although even lower levels of participation could be expected to have a positive effect. The Oxford researchers offer survey data they regard as encouraging: they've collected "feedback from over 6000 potential app users in 5 countries, which suggest that 84.3% of users would definitely or probably install a contact tracing app for coronavirus in the UK after lockdown, and between 67.5% - 85.5% in France, Germany, Italy and the USA."
But that seems excessively optimistic. Even the success stories fall below half the population, and in most cases they're lower than the 40% participation rate a story in the publication the Conversation says authorities in Australia (to take one example) would be happy with. The Washington Post reports that most Americans are either unwilling or unable to use even the relatively nonintrusive, voluntary, and decentralized contact-tracing apps. A Washington Post-University of Maryland poll finds widespread reluctance among Americans to install such an app, and concludes that skepticism about Big Tech's reliability as a steward of personal data forms the principal basis of that reluctance.