Menu

Timesdelhi.com

June 16, 2019
Category archive

surveillance

Amazon faces greater shareholder pressure to limit sale of facial recognition tech to the government

in aclu/Amazon/American Civil Liberties Union/Cloud/Delhi/facial recognition/Government/India/law enforcement/learning/Politics/privacy/publishing/San Francisco/Security/skills/surveillance/surveillance technologies/United States by

This week could mark a significant setback for Amazon’s facial recognition business if privacy and civil liberties advocates — and some shareholders — get their way.

Months earlier, shareholders tabled a resolution to limit the sale of Amazon’s facial recognition tech giant calls Rekognition to law enforcement and government agencies. It followed accusations of bias and inaccuracies with the technology, which they say can be used to racially discriminate against minorities. Rekognition, which runs image and video analysis of faces, has been sold to two states so far and Amazon has pitched Immigrations & Customs Enforcement. A second resolution will require an independent human and civil rights review of the technology.

Now the ACLU is backing the measures and calling on shareholders to pass the the resolutions.

“Amazon has stayed the course,” said Shankar Narayan, director of the Technology and Liberty Project at the ACLU Washington, in a call Friday. “Amazon has heard repeatedly about the dangers to our democracy and vulnerable communities about this technology but they have refused to acknowledge those dangers let alone address them,” he said.

“Amazon has been so non-responsive to these concerns,” said Narayan, “even Amazon’s own shareholders have been forced to resort to putting these proposals addressing those concerns on the ballot.”

It’s the latest move in a concerted effort by dozens of shareholders and investment firms, tech experts and academics, and privacy and rights groups and organizations who have decried the use of the technology.

Critics say Amazon Rekognition has accuracy and bias issues. (Image: TechCrunch)

In a letter to be presented at Amazon’s annual shareholder meeting Wednesday, the ACLU will accuse Amazon of “failing to act responsibly” by refusing to stop the sale of the technology to the government.

“This technology fundamentally alters the balance of power between government and individuals, arming governments with unprecedented power to track, control, and harm people,” said the letter, shared with TechCrunch. “It would enable police to instantaneously and automatically determine the identities and locations of people going about their daily lives, allowing government agencies to routinely track their own residents. Associated software may even display dangerous and likely inaccurate information to police about a person’s emotions or state of mind.”

“As shown by a long history of other surveillance technologies, face surveillance is certain to be disproportionately aimed at immigrants, religious minorities, people of color, activists, and other vulnerable communities,” the letter added.

“Without shareholder action, Amazon may soon become known more for its role in facilitating pervasive government surveillance than for its consumer retail operations,” it read.

Facial recognition has become one of the most hot button topics in privacy in years. Amazon Rekognition, its cloud-based facial recognition system, remains in its infancy yet one of the most prominent and available systems available. But critics say the technology is flawed. Exactly a year prior to this week’s shareholder meeting, the ALCU first raised “profound” concerns with Rekognition and its installation at airports, public places and by police. Since then, the technology was shown to struggle to detect people of color. In its tests, the system struggled to match 28 congresspeople who were falsely matched in a mugshot database who had been previously arrested.

But there has been pushback — even from government. Several municipalities have rolled out surveillance-curtailing laws and ordnances in the past year. San Francisco last week became the first major U.S. city government to ban the use of facial recognition.

“Amazon leadership has failed to recognize these issues,” said the ACLU’s letter to be presented Wednesday. “This failure will lead to real-life harm.”

The ACLU said shareholders “have the power to protect Amazon from its own failed judgment.”

Amazon has pushed back against the claims by arguing that the technology is accurate — largely by criticizing how the ACLU conducted its tests using Rekognition.

Amazon did not comment when reached prior to publication.

Read more:

Security lapse exposed a Chinese smart city surveillance system

in alibaba/Alibaba Cloud/Artificial Intelligence/Asia/Beijing/China/Delhi/facial recognition/Government/India/Kuala Lumpur/law enforcement/national security/Politics/privacy/Security/skills/surveillance/United Nations/United States/video surveillance by

Smart cities are designed to make life easier for their residents: better traffic management by clearing routes, making sure the public transport is running on time and having cameras keeping a watchful eye from above.

But what happens when that data leaks? One such database was open for weeks for anyone to look inside.

Security researcher John Wethington found a smart city database accessible from a web browser without a password. He passed details of the database to TechCrunch in an effort to get the data secured.

The database was an Elasticsearch database, storing gigabytes of data — including facial recognition scans on hundreds of people over several months. The data was hosted by Chinese tech giant Alibaba. The customer, which Alibaba did not name, tapped into the tech giant’s artificial intelligence-powered cloud platform, known as City Brain.

“This is a database project created by a customer and hosted on the Alibaba Cloud platform,” said an Alibaba spokesperson. “Customers are always advised to protect their data by setting a secure password.”

“We have already informed the customer about this incident so they can immediately address the issue. As a public cloud provider, we do not have the right to access the content in the customer database,” the spokesperson added. The database was pulled offline shortly after TechCrunch reached out to Alibaba.

But while Alibaba may not have visibility into the system, we did.

The location of the smart city’s many cameras in Beijing (Image: supplied)

While artificial intelligence-powered smart city technology provides insights into how a city is operating, the use of facial recognition and surveillance projects have come under heavy scrutiny from civil liberties advocates. Despite privacy concerns, smart city and surveillance systems are slowly making their way into other cities both in China and abroad, like Kuala Lumpur, and soon the West.

“It’s not difficult to imagine the potential for abuse that would exist if a platform like this were brought to the U.S. with no civilian and governmental regulations or oversight,” said Wethington. “While businesses cannot simply plug in to FBI data sets today it would not be hard for them to access other state or local criminal databases and begin to create their own profiles on customers or adversaries.”

We don’t know the customer of this leaky database, but its contents offered a rare insight into how a smart city system works.

The system monitors the residents around at least two small housing communities in eastern Beijing, the largest of which is Liangmaqiao, known as the city’s embassy district. The system is made up of several data collection points, including cameras designed to collect facial recognition data.

The exposed data contains enough information to pinpoint where people went, when and for how long, allowing anyone with access to the data — including police — to build up a picture of a person’s day-to-day life.

A portion of the database containing facial recognition scans (Image: supplied)

Alibaba provides technologies like City Brain to customers to understand the data they collect from various sources, including license plate readers, door access controls, smart things and internet-connected devices and facial recognition.

Using City Brain’s data-crunching back-end, the cameras can process various facial details, such as if a person’s eyes or mouth are open, if they’re wearing sunglasses, or a mask — common during periods of heavy smog — and if a person is smiling or even has a beard.

The database also contained a subject’s approximate age as well as an “attractive” score, according to the database fields.

But the capabilities of the system have a darker side, particularly given the complicated politics of China.

The system also uses its facial recognition systems to detect ethnicities and labels them — such as “汉族” for Han Chinese, the main ethnic group of China — and also “维族” — or Uyghur Muslims, an ethnic minority under persecution by Beijing.

Where ethnicities can help police identify suspects in an area even if they don’t have a name to match, the data can be used for abuse.

The Chinese government has detained more than a million Uyghurs in internment camps in the past year, according to a United Nations human rights committee. It’s part of a massive crackdown by Beijing on the ethnic minority group. Just this week, details emerged of an app used by police to track Uyghur Muslims.

We also found that the customer’s system also pulls in data from the police and uses that information to detect people of interest or criminal suspects, suggesting it may be a government customer.

Facial recognition scans would match against police records in real time (Image: supplied)

Each time a person is detected, the database would trigger a “warning” noting the date, time, location and a corresponding note. Several records seen by TechCrunch include suspects’ names and their national identification card number.

“Key personnel alert by the public security bureau: “[name] [location]” – 177 camera detects key individual(s),” one translated record reads, courtesy of TechCrunch’s Rita Liao. (The named security bureau is China’s federal police department, the Ministry of Public Security.)

In other words, the record shows a camera at a certain point detected a person’s face whose information matched a police watchlist.

Many of the records associated with a watchlist flag would include the reason why, such as if a recognized person was a “drug addict” or “released from prison.”

The system is also programmed to alert the customer in the event of building access control issues, smoke alarms and equipment failures — such as when cameras go offline.

The customer’s system also has the capability to monitor for Wi-Fi-enabled devices, such as phones and computers, using sensors built by Chinese networking tech maker Renzixing and placed around the district. The database collects the dates and times that pass through its wireless network radius. Fields in the Wi-Fi-device logging table suggest the system can collect IMEI and IMSI numbers, used to uniquely identify a cellular user.

Although the customer’s smart city system was on a small scale with only a few dozen sensors, cameras and data collection points, the amount of data it collected in a short space of time was staggering.

In the past week alone, the database had grown in size — suggesting it’s still actively collecting data.

“The weaponization and abuse of A.I. is a very real threat to the privacy and security of every individual,” said Wethington. “We should carefully look at how this technology is already being abused by other countries and businesses before permitting them to be deployed here.”

It’s hard to know if facial recognition systems like this are good or bad. There’s no real line in the sand separating good uses from bad uses. Facial and object recognition systems can spot criminals on the run and detect weapons ahead of mass shootings. But some worry about the repercussions of being watched every day — even jaywalkers don’t get a free pass. The pervasiveness of these systems remain a privacy concern for civil liberties groups.

But as these systems develop and become more powerful and ubiquitous, companies might be better placed to first and foremost make sure its massive data banks don’t inadvertently leak.


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

Alphabet’s Sidewalk Labs is developing visual cues to indicate when their tech is monitoring you

in boston/data management/Delhi/human rights/India/law enforcement/London/national security/New York/Politics/Prevention/privacy/Safety/Security/sidewalk labs/smart city/surveillance/TC/toronto by

Alphabet’s subsidiary focused on urban tech development, Sidewalk Labs, is now trying to reinvent signage for smart cities. These signs aren’t to direct the flow of traffic, or to point the way to urban landmarks — they’re designed to let citizens know when they’re being monitored.

The proposal is part of a push by the company to acclimate people to the technologies that it’s deploying in cities like New York and Toronto.

Globally, competition for contracts to deploy sensors, data management and predictive technologies in cities can run into the tens of millions, if not billions of dollars, and Sidewalk Labs knows this better than most. Because its projects are among the most ambitious deployments of sensing and networking technologies for smart cities, the company has also faced the most public criticism.

So at least partially in an attempt to blunt attacks from critics, the company is proposing to make its surveillance and monitoring efforts more transparent.

“Digital technology is all around us, but often invisible. Consider: on any one urban excursion (your commute, perhaps), you could encounter CCTVs, traffic cameras, transit card readers, bike lane counters, Wi-Fi access points, occupancy sensors that open doors — potentially all on the same block,” writes Jacqueline Lu, whose title is “assistant director of the public realm” at Sidewalk Labs.

Lu notes that while the technologies can be useful, there’s little transparency around the data these technologies are collecting, who the data is being collected by and what the data is collected for.

Cities like Boston and London already indicate when technology is being used in the urban environment, but Sidewalk Labs convened a group of designers and urban planners to come up with a system for signage that would make the technology being used even more public for citizens going about their day.

Image courtesy of Sidewalk Labs

Back in 2013, the U.S. Federal Trade Commission called for the development of these types of indicators when it issued a call for mobile privacy disclosures. But that seems to have resulted in companies just drafting reams of jargon-filled disclosures that obscured more than they revealed.

At Sidewalk, the goal is transparency, say the authors of the company’s suggested plan.

“We strongly believe that people should know how and why data is being collected and used in the public realm, and we also believe that design and technology can meaningfully facilitate this understanding. For these reasons, we embarked on a collaborative project to imagine what digital transparency in the public realm could be like,” writes Lu and her co-authors Principal Designer Patrick Keenan and Legal Associate Chelsey Colbert.

As an example, Sidewalk showed off potential designs for signage that would alert people to the presence of the company’s Numina technology.

That tech monitors traffic patterns by recording, anonymizing and transmitting data from sensors using digital recording and algorithmically enhanced software to track movement in an area. These sensors are installed on light poles and transmit data wirelessly.

At the very least, the technology can’t be any worse than the innocuously intended cameras that are monitoring public spaces already (and can be turned into surveillance tools easily).

The hexagonal designs indicate the purpose of the technology, the company deploying it, the reason for its use, whether or not the tech is collecting sensitive information and a QR code that can be scanned to find out more information.

The issue with experiments like these in the public sphere is that there’s no easy way to opt out of them. Sidewalk Lab’s Toronto project is both an astounding feat of design and the apotheosis of surveillance capitalism.

Once these decisions are made to cede public space to the private sector, or sacrifice privacy for security (or simply better information about a location for the sake of convenience), they’re somewhat difficult to unwind. As with most of the salient issues with technology today, it’s about unintended consequences.

Information about a technology’s deployment isn’t enough if the relevant parties haven’t thought through the ramifications of that technology’s use.

ICE has a huge license plate database targeting immigrants, documents reveal

in california/Delhi/Government/India/law enforcement/mass surveillance/national security/Politics/privacy/Security/surveillance by

Newly released documents reveal Immigration and Customs Enforcement is tracking and targeting immigrants through a massive license plate reader database supplied with data from local police departments — in some cases violating sanctuary laws.

The documents, obtained by a Freedom of Information lawsuit filed by the American Civil Liberties Union and released Tuesday, reveal the vehicle surveillance system collects more than a hundred million license plates a month from some of the largest cities in the U.S., including New York and Los Angeles, both of which are covered under laws limiting police cooperation with immigration agencies.

More than 9,000 ICE agents have access to the database, run by Vigilant Solutions, feeding some six billion vehicle detection records into Thomson Reuters’ investigative platform LEARN, to which police departments can buy access.

“The public has a right to know when a government agency — especially an immoral and rogue agency such as ICE — is exploiting a mass surveillance database that is a threat to the privacy and safety of drivers across the United States,” said Vasudha Talla, staff attorney with the ACLU of Northern California, in an email to TechCrunch.

Talla, who sued ICE to release the documents, said the government “should not have unfettered access to information that reveals where we live, where we work, and our private habits.” Critics have noted several high-profile cases of police misusing and improperly accessing license plate data.

Automatic license plate readers (ALPR) scan and detect license plates, along with the time, date and location from thousands of cameras installed across the country to spot criminals and fugitives with warrants out for their arrest. The ACLU previously called it one of the new and emerging forms of mass surveillance in the United States. Companies like Vigilant feed data collected from ALPR cameras into databases accessible to law enforcement and federal agencies, which the ACLU accused ICE of using to find and deport immigrants.

ICE has a “hot list” of more than 1,100 license plates of suspects, felons or other subjects of interest, according to the documents released. Plates on the hot list trigger an alert to ICE that the vehicle has been spotted, including where and when.

“Hot lists are just one method by which ICE agents can track drivers with this system,” said Talla.

A spokesperson for ICE did not comment by our deadline on how many hot list detections led to deportations or removals from the U.S. Spokespeople for Thomson Reuters and Vigilant Solutions also did not comment.

It’s the third effort by ICE to secure access to the database in the past five years, after earlier attempts in 2014 over privacy concerns and 2015 over price negotiations failed. The agency rushed to secure the contract before a planned hike in cost by Thomson Reuters toward the end of 2017.

ICE spent $6.1 million on its latest contract in February 2018, gaining access to 80 law enforcement agencies covering almost two-thirds of the U.S. population. To allay fears of potential misuse, the agency was required to pass a revised privacy impact assessment explaining how ICE can and cannot use the license plate data. In one released email to an NPR reporter, ICE said agents “can only access data” uploaded by police departments if they elect to share it through the system.

But the ACLU found emails of ICE agents directly contacting local law enforcement officers to ask for license plate search data, circumventing the database.

Correspondence between ICE and a local police detective asking for license plate data outside of the ALPR database (Image: ACLU/supplied)

Over a years-long effort, one ICE agent — whose name was redacted by the government — sent several requests to a La Habra police detective by email asking for license plate data.

La Habra is one of 169 police departments in California, and is one of dozens of departments known to use ALPR. But the city’s police department is not on Vigilant’s list of law enforcement partners that supply license plate data to ICE, the documents show.

We asked La Habra Chief of Police Jerry Price if turning over records to ICE was in violation of California’s sanctuary status, but he would not comment.

“By going to local police informally, ICE is able to access locally collected driver location data without having to ask for formal access to the local system through the LEARN network, which could trigger local oversight or concern,” said Talla.

A list of local U.S. police departments contributing license plate data to the database, to which ICE has access (Image: ACLU/supplied)

Other police departments were named as partners that actively feed data into the ICE-accessible database, like Upland, Merced and Union City — three cities in California, which in 2018 passed state-wide laws that offer sanctuary to immigrants who might be in the country illegally or otherwise subject to deportation by ICE. The laws prohibit law enforcement in the state from sharing of license plate data with federal agencies, said Talla.

When reached, Union City Police Department chief Victor Derting did not comment. Spokespeople for Upland and Merced police departments did not respond to a request for comment.

The ACLU called on the immediate end to the license plate information sharing.

The documents also revealed how ICE initially considered trying to keep the database a secret, arguing that disclosing the capability would “almost immediately diminish its effectiveness as a law enforcement tool.”

Amid a controversial and questionable national emergency declared by the Trump administration, ICE remains a divisive agency more than ever. Last year, 19 of the top ICE investigators that investigate serious criminal cases, like drug smuggling and sex trafficking rings, called on the government to distance their work from ICE’s enforcement and removal operations unit, which investigates immigration violations and handles deportations.

In January, TechCrunch revealed dozens of ALPR cameras are still exposed on the internet — many of which are accessible without a password.

New flaws in 4G, 5G allow attackers to intercept calls and track phone locations

in 5g/Asia/Delhi/Europe/GSM/India/mobile security/Politics/privacy/san diego/Security/spokesperson/surveillance/Technology/telecommunications/torpedo/United States/Verizon by

A group of academics have found three new security flaws in 4G and 5G, which they say can be used to intercept phone calls and track the locations of cell phone users.

The findings are said to be the first time vulnerabilities have affected both 4G and the incoming 5G standard, which promises faster speeds and better security, particularly against law enforcement use of cell site simulators, known as “stingrays.” But the researchers say that their new attacks can defeat newer protections that were believed to make it more difficult to snoop on phone users.

“Any person with a little knowledge of cellular paging protocols can carry out this attack,” said Syed Rafiul Hussain, one of the co-authors of the paper, told TechCrunch in an email.

Hussain, along with Ninghui Li and Elisa Bertino at Purdue University, and Mitziu Echeverria and Omar Chowdhury at the University of Iowa are set to reveal their findings at the Network and Distributed System Security Symposium in San Diego on Tuesday.

“Any person with a little knowledge of cellular paging protocols can carry out this attack… such as phone call interception, location tracking, or targeted phishing attacks.” Syed Rafiul Hussain, Purdue University

The paper, seen by TechCrunch prior to the talk, details the attacks: the first is Torpedo, which exploits a weakness in the paging protocol that carriers use to notify a phone before a call or text message comes through. The researchers found that several phone calls placed and cancelled in a short period can trigger a paging message without alerting the target device to an incoming call, which an attacker can use to track a victim’s location. Knowing the victim’s paging occasion also lets an attacker hijack the paging channel and inject or deny paging messages, by spoofing messages like as Amber alerts or blocking messages altogether, the researchers say.

Torpedo opens the door to two other attacks: Piercer, which the researchers say allows an attacker to determine an international mobile subscriber identity (IMSI) on the 4G network; and the aptly named IMSI-Cracking attack, which can brute force an IMSI number in both 4G and 5G networks, where IMSI numbers are encrypted.

That puts even the newest 5G-capable devices at risk from stingrays, said Hussain, which law enforcement use to identify someone’s real-time location and log all the phones within its range. Some of the more advanced devices are believed to be able to intercept calls and text messages, he said.

According to Hussain, all four major U.S. operators — AT&T, Verizon (which owns TechCrunch), Sprint and T-Mobile — are affected by Torpedo, and the attacks can carried out with radio equipment costing as little as $200. One U.S. network, which he would not name, was also vulnerable to the Piercer attack.

The Torpedo attack — or “TRacking via Paging mEssage DistributiOn. (Image: supplied)

We contacted the big four cell giants, but none provided comment by the time of writing. If that changes, we’ll update.

Given two of the attacks exploit flaws in the 4G and 5G standards, almost all the cell networks outside the U.S. are vulnerable to these attacks, said Hussain.  Several networks in Europe and Asia are also vulnerable.

Given the nature of the attacks, he said, the researchers are not releasing the proof-of-concept code to exploit the flaws.

It’s the latest blow to cellular network security, which has faced intense scrutiny no more so than in the last year for flaws that have allowed the interception of calls and text messages. Vulnerabilities in Signaling System 7, used by cell networks to route calls and messages across networks, are under active exploitation by hackers. While 4G was meant to be more secure, research shows that it’s just as vulnerable as its 3G predecessor. And, 5G was meant to fix many of the intercepting capabilities but European data security authorities warned of similar flaws.

Hussain said the flaws were reported to the GSMA, an industry body that represents mobile operators. GSMA recognized the flaws, but a spokesperson was unable to provide comment when reached. It isn’t known when the flaws will be fixed.

Hussain said the Torpedo and IMSI-Cracking flaws would have to be first fixed by the GSMA, whereas a fix for Piercer depends solely on the carriers. Torpedo remains the priority as it precursors the other flaws, said Hussain.

The paper comes almost exactly a year after Hussain et al revealed ten separate weaknesses in 4G LTE that allowed eavesdropping on phone calls and text messages, and spoofing emergency alerts.

1 2 3 4
Go to Top