They Were Waiting for It

Verizon was ready with new spy tech, to force onto people’s phones when it became legal for them to begin tracking and selling customer data. [boingboing]

AppFlash’s privacy policy makes it pretty clear it’s Verizon’s version of Google toolbar:

We collect information about your device and your use of the AppFlash services. This information includes your mobile number, device identifiers, device type and operating system, and information about the AppFlash features and services you use and your interactions with them.  We also access information about the list of apps you have on your device.

With your permission, AppFlash also collects information about your device’s precise location from your device operating system as well as contact information you store on your device.

Ghost Dog sending SMS messages

Ghost Dog sending SMS messages

This doubtless makes the government happy, too: it’s another way of seeing who is using “dark web” services, VPNs, or anything naughty (where “naughty” is defined as “trying to escape ubiquitous surveillance”)  Since it’s commercial data/transactional data, it’s already covered under CALEA and PATRIOT and the FBI can demand access to it. If I was a leaker in the Trump administration, I wouldn’t use a phone. Or the internet at all. Or the mail. I’d have to use a carrier pigeon, like Ghost Dog.

It hardly matters, but the Orwellian “With your permission, AppFlash also collects information” really annoys me. They’re saying “That which is not expressly forbidden is compulsory” and following it with “Thank you for your cooperation.”  Of course, the “With your permission” bit is a fig-leaf: since you’re using a commercial service they buried somewhere, in something you had to ‘agree’ to in service terms, “You can collect any data you want on me.”

The legislation was signed this week, and Verizon’s already got the app ready to go. That means they didn’t just throw it together at the last minute (it’s going to need a pretty substantial data collection architecture on the backend) they’ve known this was coming and they built it months ago. Or maybe this is the backend collection architecture from Verizon’s “super cookies” project, updated with a new front-end.

Remember those? [quartz]

Unlike regular cookies, which are bits of data stored locally on a device after being downloaded from websites, “supercookies” are not cookies at all. The Unique Identifier Headers (UIDH) used by Verizon were injected at the network level when users visited websites over an encrypted connection.

They dump all that TOR usage data into the retro-scope. That’s not for sending targeted advertising, that’s for tracking origin data for encrypted links. Having targets run a locally hosted tracker app is much, much better. I assume this sort of capability is built into Windows 10 (which regurgitates a great deal of information up to Microsoft) and iTunes.

With your permission, we have installed a handy keylogger that will automatically back up copies of your passwords to our cloud service in case you ‘lose’ them!


benjaminsI always had my doubts about the wisdom of letting carriers own the operating system distribution, which is why I stayed the hell away from Android. That, and I assumed that having multiple independent versions of an operating system would dramatically reduce its security because of different patch-levels (I lived through the UNIX Wars of the 80s…) – Apple’s approach was always guaranteed to produce a more reliable product. On the other hand, using Apple’s architecture means that there’s a single place for the FBI to go with a warrant, and you should never, ever, assume for a second that Apple is your friend or cares about your privacy.

I need to emphasize: this is not just Verizon. Look for similar moves from all the providers. If you are doing anything naughty, don’t use the internet.

If you’re thinking that the tracking headers stuff sounds mighty complicated, you need to re-think that a bit. Tracking headers are what those big F5 load balancers in every data center do. It’s how most state-of-the-art denial of service attack blocking is done, too. In those cases it’s mostly being done for ‘good’ instead of ‘evil’ but you shouldn’t ignore the fact that there is a large and vibrant commercial market of devices that exist to have nothing but exactly that capability.