Issue 65

Everyone spies on everyone

Delivered on 17 February 2020 by Justin Pyvis. About a 6 min read.

Unless you've been living under a rock for the past decade or think that governments actually have your interests at heart, the 'revelations' last week that again confirmed the US, China and Australia all spy on us should not have come as a shock.

First, Australia. Remember that law that required the retention of people's metadata from just over a year ago (covered in Issue 13)? Yeah, turns out it's being abused to gather up even more data than was intended:

The Parliamentary Joint Committee on Intelligence and Security (PJCIS) is conducting a review of the controversial metadata retention laws that require telecommunication companies to retain records of every single person’s calls, texts, and internet browsing history for at least two years. In hearings last week, the Commonwealth Ombudsman confirmed that law enforcement agencies are receiving URLs as part of the mandatory data retention regime, despite this practice being explicitly banned under the legislation.

“More than ever, this shows what was warned from the start – that the scheme would be abused, and safeguards overstepped. The government should immediately move to repeal this legislation, or at a bare minimum make significant improvements to bring it in line with Australia’s human rights obligations,” says Digital Rights Watch chair Tim Singleton Norton.

Next up, the United States accused China of spying:

US officials say they have evidence that Huawei has backdoor access to mobile-phone networks around the world.

"We have evidence that Huawei has the capability secretly to access sensitive and personal information in systems it maintains and sells around the world," US National Security Adviser Robert O'Brien told the Journal.

The audacity! Finally, China was having none of that and so it responded in kind:

"As evidenced by the Snowden leaks, the United States has been covertly accessing telecom networks worldwide, spying on other countries for quite some time," Huawei said in a six-paragraph statement sent to news organizations. "The report by the Washington Post this week about how the CIA used an encryption company to spy on other countries for decades is yet additional proof."

I'm beginning to sound like a broken record here but if there's one thing you can be certain about it's governments spying on each other and their respective citizens. It's why proper encryption and privacy legislation that enshrines that protection, rather than undermines it as Australia's does, are so important.

Yes, the Chinese government will try to spy on foreign citizens (and its own) by any means possible, and that includes the risk that it has asked Huawei to backdoor its hardware. So will Australia. So will the United States. And so on. I mean, the CIA has literally been using hardware backdoors for decades:

The company, Crypto AG, got its first break with a contract to build code-making machines for U.S. troops during World War II. Flush with cash, it became a dominant maker of encryption devices for decades, navigating waves of technology from mechanical gears to electronic circuits and, finally, silicon chips and software.

The Swiss firm made millions of dollars selling equipment to more than 120 countries well into the 21st century. Its clients included Iran, military juntas in Latin America, nuclear rivals India and Pakistan, and even the Vatican.

But what none of its customers ever knew was that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence. These spy agencies rigged the company’s devices so they could easily break the codes that countries used to send encrypted messages.

That specific case targeted foreign governments, but you're kidding yourself if you don't think the CIA/NSA has backdoors in American-made consumer grade hardware (e.g. here, here, here, here, here, here, here, and here).

I find it's best to assume that whatever you're transmitting will at some stage be intercepted, no matter the country within which you happen to reside. The only way to prevent a malicious actor from getting any value out of it is through end-to-end encryption, and the best way to achieve that is to use software built with it in mind from the get-go, such as Signal Private Messenger, Keybase Chat, or the decentralised use all three).

Enjoy the rest of this week's issue. Cheers,

— Justin

Other bits of interest

If you're not paying for the product... are the product. It's amazing how often that phrase needs to be repeated, yet here we are:

The popular Edison email app, which is in the top 100 productivity apps on the Apple app store, scrapes users' email inboxes and sells products based off that information to clients in the finance, travel, and e-Commerce sectors. The contents of Edison users' inboxes are of particular interest to companies who can buy the data to make better investment decisions, according to a J.P. Morgan document obtained by Motherboard.

You have two choices when using a third-party app. One, pay for it (and please, please read the privacy policy or at least search for comments from other people who have). Two, find an open source equivalent financed by some kind of voluntary contribution or institution. For email, that's FairEmail.

Learn more:

AT&T blocks Tutanota, an encrypted email provider

I have, for a long time, debated and flipped on the issue of whether or not encrypting email is even worth the effort.

While I would love to encrypt my email, the email protocol is (by design) insecure, so unless the people you're communicating with also go out of their way to encrypt their emails, there's not much point. For anything private enough to warrant encrypting you should probably be using a modern protocol such as Signal, not email.

Given that threat model, I've personally settled for an email provider based outside of the '5 eyes', but not one that encrypts everything by default, such as Tutanota and ProtonMail. In other words, I'm opting for usability over the small gains in privacy that an encrypted email provider would offer, given that 99% of my emails are to/from people who do not also use encryption.

Nonetheless, when the NSA asks a major US telco to block access to an encrypted email provider it's a pretty good sign that it's actually private (Russia recently blocked a Tutanota competitor, ProtonMail).

Learn more:

China is embracing blockchain

The People’s Bank of China has filed more than 80 patents related to its secretive plans to launch a digital currency, according to new research that shows the extent of Beijing’s ambitions to digitise the renminbi.

Uncovered by the Chamber of Digital Commerce, their contents shed light on Beijing’s mounting efforts to digitise the renminbi, which has sparked alarm in the west and spurred central bankers around the world to begin exploring similar projects.

“The theme is that China has made massive investments and are taking this very seriously,” said Perianne Boring, president of the chamber. “That is drastically different from the United States’ approach and this just highlights that.”

This remains a very interesting space and it's a front on which China is leading the United States. China's push for currency digitisation comes down to its desire to control its citizens and prevent them from engaging in capital flight. Still, I think the move to digital currencies is inevitable and that with time more secure, less manipulable Swiss franc-type digital currencies will emerge.

Learn more:

How not to stop spying

undermining encryption and spending big dollars on dodgy apps such as Voatz.West Virginia (and other US states) are using a mobile application to facilitate voting. The problem is, the app is a useless piece of ... you know what. If you're concerned about China, you should spend less time worrying about Chinese hardware and more time worrying about your own government

The app, called Voatz, also has problems with how it handles authentication between the voter’s mobile phone and the backend server, allowing an attacker to impersonate a user’s phone. Even more surprising, although the makers of Voatz have touted its use of blockchain technology to secure the transmission and storage of votes, the researchers found that the blockchain isn’t actually used in the way Voatz claims it is, thereby supplying no additional security to the system.

According to Alex Halderman, an election security expert and professor of computer science at the University of Michigan, the most interesting part of the research is that it appears to show that there’s no blockchain technology involved in transferring the vote to Voatz’ server. “That transfer is protected only by an https connection as far as the network connectivity goes,” he told Motherboard. “As a result, there’s nothing more advanced going on in protecting the vote transmission from the app than there would be just with a simple web browser. There’s no ‘there’ there.”

Learn more:

Issue 65: Everyone spies on everyone was compiled by Justin Pyvis and delivered on 17 February 2020.