Best Infosec-Related Long Reads for the Week, 9/30/23

Google maintains one of the world’s most comprehensive repositories of location information. Drawing from phones’ GPS coordinates, plus connections to Wi-Fi networks and cellular towers, it can often estimate a person’s whereabouts to within several feet. It gathers this information in part to sell advertising, but police routinely dip into the data to further their investigations. The use of search data is less common, but that, too, has made its way into police stations throughout the country.

Police say these warrants can unearth valuable leads when detectives are at a loss. But to get those leads, officers frequently have to rummage through Google data on people who have nothing to do with a crime. And that’s precisely what worries privacy advocates.

Traditionally, American law enforcement obtains a warrant to search the home or belongings of a specific person, in keeping with a constitutional ban on unreasonable searches and seizures. Warrants for Google’s location and search data are, in some ways, the inverse of that process, says Michael Price, the litigation director for the National Association of Criminal Defense Lawyers’ Fourth Amendment Center. Rather than naming a suspect, law enforcement identifies basic parameters—a set of geographic coordinates or search terms—and asks Google to provide hits, essentially generating a list of leads.

At other times, Huawei hastened to help Greek government officials with their personal technology, according to the communications.

In July 2021, Mr. Tamvakidis rushed to find a replacement device for an unnamed immigration official who had contacted him about a broken screen on a Mate X, a foldable smartphone that retailed for more than €2,000. Huawei had given it to him as a “present,” according to the messages.

“He uses it only for making photos with his Huawei laptop we gave him,” Mr. Tamvakidis said in the messages.

Under Greek law, it is illegal for people in the private sector to offer gifts to government officials in exchange for favors. Government ministers, members of Parliament and civil servants also cannot accept gifts that could be considered linked to their official responsibilities, said Stefanos Loukopoulos, director of Vouliwatch, a government watchdog group in Athens.

Ultimately, Troy Hunt may not be the perfect choice to be running such a vital piece of the world’s cybersecurity infrastructure.

But if he wasn’t doing it, who would?

Australia’s privacy laws require companies to self-report data breaches but there’s evidence to suggest that isn’t working so well.

Even if all of the world’s governments got their act together, a patchwork of national systems would be of little use. Data has no trouble crossing international borders.

“We struggle with all forms of global, shared regulatory architecture,” Professor Andrew says. “They’re just incredibly difficult to create.”

“[Troy] is outside of government and corporate status, which gives him an agility to solve a really complex global problem.”

When asked if his database of stolen data could be eventually handed over to the government for safekeeping, Troy fires back: “Which government?”

Earlier this year another victim Matthew (I agreed to not publish his full name) was wearing a brightly patterned shirt and a reflective visor while waving a Pride flag. A social media content creator popular on TikTok and Instagram interviewed Matthew as he pointed a microphone into Matthew’s face. In a video the creator filmed, the two bantered back and forth in the short 26 second clip, including about actor Pedro Pascal.

Matthew never provided the interviewer his full name or any identifiable personal information. It was a fleeting moment that ordinarily would have ended there. But it didn’t.

Shortly after, the facial recognition TikTok account responded to the original video with their own. The video shows the user taking several screenshots of Matthew. Then they opened a website called Pimeyes that lets anyone run facial recognition searches. They uploaded the screenshots, selected Matthew’s face from the photos, and hit search.

Nearly immediately, Pimeyes provided a hit: a photo of Matthew on his employer’s website. The person scrolls down the employer’s website and easily finds Matthew’s full name. They then copy and paste that name into Instagram and find Matthew’s profile. To punctuate their public unmasking of a stranger on the internet, the TikTok creator screenshots Matthew’s Instagram, as if—mission complete. At the time of writing, the TikTok revealing Matthew’s name, employer, and personal social media account has around 676,000 views. The comments are a mix of people making sexual jokes about Matthew, some marveling at the capability of Pimeyes, and others asking whether the practice is even legal.

Matthew, meanwhile, had no idea someone had just taken an otherwise anonymous clip of him and run facial recognition tech against it. At the time, he was on his honeymoon in South Africa, he told me. Some friends had seen the original video and told him they found it funny. But then he started to hear about this second video that unmasked him.

“My Instagram exploded,” Matthew told me. “I think I got about 2000+ follow requests, dozens of DMs asking me things like ‘what is my OnlyFans.’” One person even emailed Matthew’s work email, he said.

Still on his honeymoon, Matthew said he couldn’t relax. He “felt a bit violated really.” He hated the fact the TikTok creator had used his employer’s website to find him. Matthew reported the video to TikTok but received no response, and the video, and the account, remained online.

Because I enjoy living dangerously, I did plug my phone in, unlocked it with my passcode, trusted the “computer” and let the website take me to the App Store, where I downloaded the EZ Cast App, which has a 2.1/5 rating and 878 reviews. Example reviews: “It’s not working.” “Useless and frustrating.” “Why go through all this trouble for a mirroring device?” “I don’t understand why I have to buy an app from a third party company to use what looks to be an apple product in appearance” “SCAM!” “Doesn’t work,” “Don’t fall for this app at a karaoke machine,” “Totally fake … It makes me suspicious of Spyware. This App and the cable = JUNK.” Some of the reviews said they bought the cable from Amazon, another mentions it came from Walmart, another mentions eBay.

After opening the app, I was immediately prompted to give EZ Cast my location and to accept a Privacy Policy from a company called Actions Microelectronics Co., Ltd. that says EZ Cast would be collecting my email address, use tracking cookies, take my location, track my “favorite videos, videos watched, and bookmarks,” as well as “Location Data, Sensor Data, Tracking Cookies Data, Installed Apps Data,” and would be using that data to target ads to me. It also required access to my Local Network, asked for access to my photos, settings, Bluetooth, and camera.