Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Privacy Security

NSO Used Real People's Location Data To Pitch Its Contact-Tracing Tech, Researchers Say (techcrunch.com) 19

Spyware maker NSO Group used real phone location data on thousands of unsuspecting people when it demonstrated its new COVID-19 contact-tracing system to governments and journalists, researchers have concluded. From a report: NSO, a private intelligence company best known for developing and selling governments access to its Pegasus spyware, went on the charm offensive earlier this year to pitch its contact-tracing system, dubbed Fleming, aimed at helping governments track the spread of COVID-19. Fleming is designed to allow governments to feed location data from cell phone companies to visualize and track the spread of the virus. NSO gave several news outlets each a demo of Fleming, which NSO says helps governments make public health decisions "without compromising individual privacy." But in May, a security researcher told TechCrunch that he found an exposed database storing thousands of location data points used by NSO to demonstrate how Fleming works -- the same demo seen by reporters weeks earlier. TechCrunch reported the apparent security lapse to NSO, which quickly secured the database, but said that the location data was "not based on real and genuine data." NSO's claim that the location data wasn't real differed from reports in Israeli media, which said NSO had used phone location data obtained from advertising platforms, known as data brokers, to "train" the system. Academic and privacy expert Tehilla Shwartz Altshuler, who was also given a demo of Fleming, said NSO told her that the data was obtained from data brokers, which sell access to vast troves of aggregate location data collected from the apps installed on millions of phones.
This discussion has been archived. No new comments can be posted.

NSO Used Real People's Location Data To Pitch Its Contact-Tracing Tech, Researchers Say

Comments Filter:
  • That is why (Score:4, Interesting)

    by Rosco P. Coltrane ( 209368 ) on Wednesday December 30, 2020 @01:23PM (#60879548)

    I've never installed any COVID tracking app, and I never will. Maybe the app is innocuous, maybe it's spyware. But you can't tell because the government contacts private companies to do that sort of job, and don't bother to check on what they do afterwards. It's so sloppy that spyware makers feel they have a chance to bid for the contract.

    I'll take my chances with masks and social distancing thank you very much. No tracking app for me.

    • Re:That is why (Score:5, Insightful)

      by cayenne8 ( 626475 ) on Wednesday December 30, 2020 @02:05PM (#60879718) Homepage Journal

      I've never installed any COVID tracking app, and I never will. Maybe the app is innocuous, maybe it's spyware. But you can't tell because the government contacts private companies to do that sort of job, and don't bother to check on what they do afterwards. It's so sloppy that spyware makers feel they have a chance to bid for the contract.

      I'll take my chances with masks and social distancing thank you very much. No tracking app for me.

      It appears they were buying location data from many different 3rd party apps directly and data integrators....

      So, to try to thwart that at least a little bit, you need to leave your cell phone at home at times, or at least in your car when you leave to go into stores, restaurants, etc....

      If you don't have it they can't track you....

      Although, you will likely need to ditch the smart watch and/or fitness tracker too.

      Sad....1984 was supposed to be a fictional novel....not a blueprint for the future government and corporate entities.

    • I went through the source of the UK one. The app itself is innocuous.

      If anything nefarious is to happen, it will happen in the backend.

      It is happening there already: ANPR, credit card, travel card, face recog, mobile location data, streams of location data from advertisers purchased "legally" by the government, streams of location data from Google and Co given to "friendly governments" to butter the relationship and ensure they do not get nailed on competition law, etc. A COVID tracking app would add ve

    • Re: That is why (Score:5, Insightful)

      by BAReFO0t ( 6240524 ) on Wednesday December 30, 2020 @03:49PM (#60880016)

      Exactly. If it had been a simple open source app, experts could have combed through it and it'd become trustworthy enough to use in a matter of days.

      But come in! I'm not installing *literally* a centralized people tracing app that won't even tell me what it's doing!

    • Re:That is why (Score:4, Informative)

      by holloway ( 46404 ) on Wednesday December 30, 2020 @04:41PM (#60880148) Homepage
      New Zealand's covid tracer app is open source, as are many others https://github.com/minhealthnz... [github.com] They do not report location data back to a server, instead they keep a log of your QR Code scan locations on the device, and the server pushes all outbreak locations to the device, and so the device checks whether you were there. So it has a lot of privacy built in. App Store code doesn't necessarily align with source code, but (1) neither necessarily would a website, and (2) some governments are doing a good job of managing privacy and covid tracing.
    • by DrYak ( 748999 ) on Wednesday December 30, 2020 @04:45PM (#60880166) Homepage

      Maybe the app is innocuous, maybe it's spyware. But you can't tell because the government contacts private companies to do that sort of job, and don't bother to check on what they do afterwards.

      Open source

      In some countries, the the protocol is clearly documented and the source of the actual app is open (e.g.: Swiss variation) [github.com].
      This has enabled fuflly opensource reimplementations by independent hackers (example with the German variation [flypig.co.uk]).

      The procol itself is rather sound [ncase.me] and offers quite good balance of privacy, actually even better than good old in-person detective work. (That doesn't stop some people from protesting about possible attacks [onyxbits.de] which, in my opinion, aren't actually worse than what is possible with old-school tracing already).

      The trouble

      The problem isn't the app itself. The problem stems from the fact that this type of app would require to run continuously in the background (to be able to ping the bluetooth) and is at risk of getting forcibly closed by the app manager of your smartphone (e.g.: on Andoird, the window-cards are actually only the view component of the software. Whether the software itself runs or not is left entirely at the discretion of your Android. You might software that has no open windows but runs in the background, you might have an open windows that is just a picture of the interface and the software got killed to save battery.

      Thus such software is at risk of being killed at the most important time. So to avoid this risk, Google and Apple have came up with GAEN - Google/Apple Exposure Notification [wikipedia.org] which is basically the same thing as DP-3T, except that instead of having the tracing being done inside an opensource app whose code can be checked by anyone, now the same protocol is handled as part of a proprietary blob that comes with the system itself. With Apple that's inside iOS itslef, with Google that's the "Google Play Service" that is require by a large number of apps and comes pre-installed with a large amount of western phone (but is banned in China). The app is now merely a glorified interface to talk to the server (for pushing exposure alert to the network and fetching list of potential exposers).

      Reportedly, according to Google and Apple: as that runs inside the system there's no risk if the app gets killed, the service's system daemon keep registering exposure.

      The trouble according to some is that this system component is a blob that can't be checked, because both Android's Google Play server and iOS are delivered as proprietary blob, and can't be rebuild from source.

      Note that at least on the Google side of things, there are opensource reimplementations of the same interface as those inside Google Play Service blob [microg.org] (and that opensource version at least covers the exposure notification suffessfully. Meaning that again you have a solution to have a verifiable opensource implementation of the contact tracing - if you accept to replace the whole google proprietary shebang with opensource reimplementations that aren't 100% compatible yet.

      But...

      Actual troubles

      By this point, you should realize that if worried about the contact tracing being at the hand of Google and Apple and proprietary blobs, you're completely missing the point. It's Google and Apple. They are already running extremely large swathes of proprietary blocs. (The whole OS in the case of Apple, and and a giant monolith that is "Basically anything which isn't AOSP itself").

      It's already well-known that they are continuously syphonning ginormous amount of private data anyway [e.foundation]. Why to you think that they wou

  • They believe the data is real, but they have no proof. Sounds familiar, doesn't it? They believe it violates the privacy of 32,000 people, but they don't know who they are ... That's about the same bullshit as Trump telling us he won, but the dog ate the proof.

    Please, come with proof. Until then is the privacy of these people effectively safe.

    • You have no proof of your existence. You're only telling us.

      I think I made you up. So I will stop making you up ... now.
      *poof*

      • So I will stop making you up ... now.
        *poof*

        Hey! It worked!!

        No, wait... and more on topic, NSO is being accused of using data of actual COVID19 patients, and so far is there not even proof that it's data from people, unrelated to COVID19 or not, or if it's just a good fake data set or an old, anonymised data set from a legit broker.

        All they need to do is to find one person to which they can link the data. Just saying it looks real is no proof at all. Especially since we started using AI technology does it only get harder to tell the differences betwe

  • invites the entire NSO staff over ... and then arrests them and throws them in prison for spying ... will gain my citizenship.

  • Spyware maker NSO Group used real phone location data on thousands of unsuspecting people when it demonstrated its new COVID-19 contact-tracing system to governments

    I call them "Privacy Rapists", instead of malware/spyware makers.

  • Comment removed based on user account deletion
  • There is always tension between an individual's rights and the public good. It's a story as old as organized society and will never have a clear-cut answer. Situational ethics tries to address this by positing circumstances dictate response. That's a somewhat flawed line of reasoning, but, so are all the alternative arguments, includng all the privacy-first and public good first quotes listed by other posters. Human beings are complicated, and human social interaction is messy. Looking for absolute rule

Do you suffer painful hallucination? -- Don Juan, cited by Carlos Casteneda

Working...