Issue 65

Everyone spies on everyone

Unless you've been living under a rock for the  past decade or think that governments actually have your interests at  heart, the 'revelations' last week that again confirmed the US, China  and Australia all spy on us should not have come as a shock.

First, Australia. Remember that law that required the retention of people's metadata from just over a year ago (covered in Issue 13)? Yeah, turns out it's being abused to gather up even more data than was intended:

The  Parliamentary Joint Committee on Intelligence and Security (PJCIS) is  conducting a review of the controversial metadata retention laws that  require telecommunication companies to retain records of every single  person’s calls, texts, and internet browsing history for at least two  years. In hearings last week, the Commonwealth Ombudsman confirmed that  law enforcement agencies are receiving URLs as part of the mandatory  data retention regime, despite this practice being explicitly banned  under the legislation.

“More than ever, this shows what was  warned from the start – that the scheme would be abused, and safeguards  overstepped. The government should immediately move to repeal this  legislation, or at a bare minimum make significant improvements to bring  it in line with Australia’s human rights obligations,” says Digital  Rights Watch chair Tim Singleton Norton.

Next up, the United States accused China of spying:

US officials say they have evidence that Huawei has backdoor access to mobile-phone networks around the world.

"We  have evidence that Huawei has the capability secretly to access  sensitive and personal information in systems it maintains and sells  around the world," US National Security Adviser Robert O'Brien told the  Journal.

The audacity! Finally, China was having none of that and so it responded in kind:

"As  evidenced by the Snowden leaks, the United States has been covertly  accessing telecom networks worldwide, spying on other countries for  quite some time," Huawei said in a six-paragraph statement sent to news  organizations. "The report by the Washington Post this week about how  the CIA used an encryption company to spy on other countries for decades  is yet additional proof."

I'm beginning to sound like a broken record  here but if there's one thing you can be certain about it's governments  spying on each other and their respective citizens. It's why proper  encryption and privacy legislation that enshrines that protection,  rather than undermines it as Australia's does, are so important.

Yes, the Chinese government will try to spy on  foreign citizens (and its own) by any means possible, and that includes  the risk that it has asked Huawei to backdoor its hardware. So will  Australia. So will the United States. And so on. I mean, the CIA has  literally been using hardware backdoors for decades:

The  company, Crypto AG, got its first break with a contract to build  code-making machines for U.S. troops during World War II. Flush with  cash, it became a dominant maker of encryption devices for decades,  navigating waves of technology from mechanical gears to electronic  circuits and, finally, silicon chips and software.

The Swiss firm  made millions of dollars selling equipment to more than 120 countries  well into the 21st century. Its clients included Iran, military juntas  in Latin America, nuclear rivals India and Pakistan, and even the  Vatican.

But what none of its customers ever knew was that Crypto  AG was secretly owned by the CIA in a highly classified partnership  with West German intelligence. These spy agencies rigged the company’s  devices so they could easily break the codes that countries used to send  encrypted messages.

That specific case targeted foreign  governments, but you're kidding yourself if you don't think the CIA/NSA  has backdoors in American-made consumer grade hardware (e.g. here, here, here, here, here, here, here, and here).

I find it's best to assume that whatever  you're transmitting will at some stage be intercepted, no matter the  country within which you happen to reside. The only way to prevent a  malicious actor from getting any value out of it is through end-to-end  encryption, and the best way to achieve that is to use software built  with it in mind from the get-go, such as Signal Private Messenger, Keybase Chat, or the decentralised Riot.im (I use all three).

Enjoy the rest of this week's issue. Cheers,

— Justin


Other bits of interest

If you're not paying for the product...

...you are the product. It's amazing how often that phrase needs to be repeated, yet here we are:

The popular Edison email app, which is in the top 100 productivity apps on the Apple app store, scrapes users' email inboxes and sells products based off that information to clients in the finance, travel, and e-Commerce sectors. The contents of Edison users' inboxes are of particular interest to companies who can buy the data to make better investment decisions, according to a J.P. Morgan document obtained by Motherboard.

You have two choices when using a third-party app. One, pay for it (and please, please read the privacy policy or at least search for comments from other people who have). Two, find an open source equivalent financed by some kind of voluntary contribution or institution. For email, that's FairEmail.

Learn more:

AT&T blocks Tutanota, an encrypted email provider

I have, for a long time, debated and flipped on the issue of whether or not encrypting email is even worth the effort.

While I would love to encrypt my email, the email protocol is (by design) insecure, so unless the people you're communicating with also go out of their way to encrypt their emails, there's not much point. For anything private enough to warrant encrypting you should probably be using a modern protocol such as Signal, not email.

Given that threat model, I've personally settled for an email provider based outside of the '5 eyes', but not one that encrypts everything by default, such as Tutanota and ProtonMail. In other words, I'm opting for usability over the small gains in privacy that an encrypted email provider would offer, given that 99% of my emails are to/from people who do not also use encryption.

Nonetheless, when the NSA asks a major US telco to block access to an encrypted email provider it's a pretty good sign that it's actually private (Russia recently blocked a Tutanota competitor, ProtonMail).

Learn more:

China is embracing blockchain

The People’s Bank of China has filed more than 80 patents related to its secretive plans to launch a digital currency, according to new research that shows the extent of Beijing’s ambitions to digitise the renminbi.

Uncovered by the Chamber of Digital Commerce, their contents shed light on Beijing’s mounting efforts to digitise the renminbi, which has sparked alarm in the west and spurred central bankers around the world to begin exploring similar projects.

“The theme is that China has made massive investments and are taking this very seriously,” said Perianne Boring, president of the chamber. “That is drastically different from the United States’ approach and this just highlights that.”

This remains a very interesting space and it's a front on which China is leading the United States. China's push for currency digitisation comes down to its desire to control its citizens and prevent them from engaging in capital flight. Still, I think the move to digital currencies is inevitable and that with time more secure, less manipulable Swiss franc-type digital currencies will emerge.

Learn more:

How not to stop spying

undermining encryption and spending big dollars on dodgy apps such as Voatz.West Virginia (and other US states) are using a mobile application to facilitate voting. The problem is, the app is a useless piece of ... you know what. If you're concerned about China, you should spend less time worrying about Chinese hardware and more time worrying about your own government

The app, called Voatz, also has problems with how it handles authentication between the voter’s mobile phone and the backend server, allowing an attacker to impersonate a user’s phone. Even more surprising, although the makers of Voatz have touted its use of blockchain technology to secure the transmission and storage of votes, the researchers found that the blockchain isn’t actually used in the way Voatz claims it is, thereby supplying no additional security to the system.

According to Alex Halderman, an election security expert and professor of computer science at the University of Michigan, the most interesting part of the research is that it appears to show that there’s no blockchain technology involved in transferring the vote to Voatz’ server. “That transfer is protected only by an https connection as far as the network connectivity goes,” he told Motherboard. “As a result, there’s nothing more advanced going on in protecting the vote transmission from the app than there would be just with a simple web browser. There’s no ‘there’ there.”

Learn more:

That's all for now. If you enjoyed this issue, feel free to share it via email


Issue 65: Everyone spies on everyone was compiled by Justin Pyvis and delivered on 17 February 2020. Feel free to send feedback, suggestions for future issues, ideas, insults, or pretty much anything that crosses your mind to their Keybase or Riot.im account.