Issue 48

The situation in Hong Kong

Most of you are, by now, aware of the ongoing  turmoil in Hong Kong. While like most I have an opinion on various  aspects of it, I'm not going to get into that here and will instead  focus on the technological side. Specifically, that throughout the drama  there has been an ongoing battle between protesters and police taking  place in the background, with the latter trying - and struggling - to  identify members of the protesters, presumably so that they can be  detained at a later date.

In their latest attempt to "unmask" front-line protesters, the police even added blue dye to their water cannons:

Not  exactly high-tech but potentially effective; the protesters are, after  all, normal people with jobs or classes to which they must attend during  the week. It'll be pretty obvious to everyone what you were up to on  the weekend if you show up looking like a smurf.

But the reason  the police have resorted to such low-tech solutions is because they have  been trying, with limited success, to both discover the identities of  protesters and intercept their communications using more sophisticated  means. Their problem is that almost everyone protesting in Hong Kong  covers their face and wields an umbrella, and even shoot lasers that interfere with the government's facial recognition cameras. They also encrypt their communications using popular messaging apps such as Telegram:

"They  have lots of phones and they're using forums. They have their own  forums and they're using Telegram as a place where they hold a lot of  these discussions. In fact, apologies for yesterday's incident came out  of these forums there — the soul searching, and 'we shouldn't ever let  this happen again' came out of these forums. So I don't really know how  it will play out, but everybody's so digitally adept.
...
Obviously,  the phones are tracked and they're aware of it. Some of them have  multiple phones and some of them turn off their phones. They wear a lot  of masks and [they use] umbrellas to block CCTV when they get off at a  subway station: The first one jumps out and opens umbrellas covering all  the visibly closed circuit CCTVs. And then when they want to make  decisions, they open their umbrellas and huddle under it. It's not fully  protective against surveillance, but just like many other ...  surveilled [people], when I asked them if they were worried about  surveillance, they usually say, "There's so many of us. There's hundreds  of thousands of us in the streets." And that's probably their only real  protection. I don't think they can [remain undetected] even with their  umbrellas and cool tactics. I don't think they can avoid the  surveillance, so they're just counting on the fact that they probably  cannot jail that many of them all at once."

Encryption  has thwarted many an attempt by the Hong Kong police to gather  evidence, to the point that they even resorted to the ol' wrench technique.

Mr.  Cheung, a skinny 29-year-old, was grabbed at a mall around noon on July  18, according to his account. Four plainclothes officers waited for him  to unlock his phone and then jumped on him, trying to pry it out of his  hands.

After the officers tried to use his face to unlock the  phone, they took him to a police station, where, he said, he was roughed  up and interrogated. Later, officers went to his home and used a USB  drive loaded with hacking software to break into his computers,  according to his account of the incident. He said that he had been held  for more than 10 hours and that he was not sure how the police had  identified him.

You can take steps to protect your  data, for example as Mr Cheung did by using a privacy-friendly messaging  app such as Telegram, but ultimately it all comes down to your threat model, and the protesters may have got this one wrong.

While it might help prevent the police gather evidence, whether or not their messages are encrypted is largely irrelevant; they are, after all, using Telegram as a forum/group chat, i.e. for mass communication, something easily intercepted regardless of whether or not it's encrypted (it only takes one 'insider').

What matters is whether or not individuals in those chats can be identified, something that is still possible in Telegram group chats:

"Per reports, an attacker can add tens of thousands of sequential phone numbers to a phone's address book. The attacker then connects to a Telegram channel where protests are being organized and syncs their contacts with the Telegram app.

At this point, the Telegram app will tell the attacker which of the sequential phone numbers has an account active on the protesters' group. A state law enforcement agency, or intelligence service, can then force local mobile telcos to disclose the names of the persons behind those phone numbers. In the case of the Hong Kong protests, Chinese officials could get a list of people who organized or coordinated protests via Telegram."

While Telegram is working on a patch(which might even be geographically restricted to those in China/Hong Kong), there is a chance that the flaw in Telegram at least contributed to both Mr Cheung's identification and last week's arrest of 28 people(according to the police) connected to the protests, including Joshua Wong and Agnes Chow, who led the pro-democracy protests in 2014.

Now I don't know whether the arrests were warranted or not and I'm not going to speculate either way, but the lesson here is just because something is encrypted does not necessarily make it the right tool for the situation.

Enjoy the rest of this week's issue. Cheers,

— Justin


The bits

It would be great...

...if  the US focused more on actual issues, such as China's use of facial  recognition software or its treatment of the Uyghurs, than the opaque  "national security" argument that is so obviously just a cover for  Trump's ridiculous long pre-determined trade dispute (tip: bilateral  trade balances don't matter). How long until Vietnam starts to threaten  the US' "national security"?

Learn more:

The internet's demise starts in Europe

Europe  will have a different, less dynamic, internet to the rest of the world.  Don't get me wrong, Facebook erred, but Europe's response is the wrong  one.

Learn more:


Other bits of interest


Image of the week

Remember when Paris Hilton launched an ICO? Floyd Mayweather? This week's image is the ICO bubble, visualised.

"It's  now obvious that ICOs were a massive bubble that's unlikely to ever see  a recovery. The median ICO return in terms of USD is -87% and  constantly dropping... The ICO failure can very easily be explained by  misaligned incentives between founders and investors. Unlike in VC, the  founders raised money from unsophisticated (mostly retail) investors  with a product in very early stages. ICO investors had no claim on the  project's assets."

If famous people start pushing products they clearly know nothing about, it's time to sell.


This week's data breaches

No commentary from me this week but lots of interesting articles,  especially that iPhones were for a long time being compromised by simply  visiting a website, giving hackers control of the entire device (Google  discovered the flaw).

The breaches:

That's all for now. If you enjoyed this issue, feel free to share it via email


Issue 48: The situation in Hong Kong was compiled by Justin Pyvis and delivered on 03 September 2019. Feel free to send feedback, suggestions for future issues, ideas, insults, or pretty much anything that crosses your mind to their Keybase or Riot.im account.