Byron Tau’s “Means of Control” is our recommended summer read
If you thought you knew everything about online privacy, prepare to be seriously shocked.
“Means of Control” is such an overwhelming, educational, and entertaining book that this bald man was in tears when he finished it just yesterday.
You need to read this one.
It examines the dismal state of surveillance we are subjected to in our daily lives (apps, cookies, data flows for ad personalization, automobiles, connected devices, smartwatches)…
…but not from the standpoint of “private privacy” or the much-discussed rampant noncompliance with regulations by large corporations.
No: the book details the purchase, use, and abuse of these same data by the State: police, intelligence agencies, the military, and private military contractors.
The perspective is staggering.
In keeping with one of the golden rules—ending on a high note—the author includes a couple of depth charges that, read today, seem prophetic:
“Or in other words, the consequences of persistent tracking had largely fallen on other people for decades: terrorism suspects, unauthorized immigrants, criminals, and people living outside the United States. The suspicious patterns of life, or signatures, that the most powerful agencies in the U.S. government have been scanning for in huge piles of data have generally been ones that do not affect many middle-class Americans. But the Dobbs decision made data collection suddenly feel personal to hundreds of millions who had never felt vulnerable before.”
[The Dobbs decision was the U.S. Supreme Court ruling that granted each state the freedom to criminalize or not criminalize abortion.]
“Today, what separates the United States from China is a thin membrane of laws, norms, social capital, and—perhaps most of all—a lingering culture of discomfort among both government officials and ordinary citizens about too much power and too much information in the hands of the state. It’s a deeply American distrust of centralized power and of government authority. But much of that hangs in the balance: the United States is at a critical moment for deciding its technological future. We have functioning courts and checks and balances. We have freedom of speech and fair elections.”
You're reading ZERO PARTY DATA, a newsletter about AI, tech, and data protection by Jorge García Herrero and Darío López Rincón. Each week, we recommend reads as good as this one—just shorter.
Remember—we don’t get a single damn cent for recommending what we recommend.
We only share the same good shit we consume ourselves.
Things you didn’t know about Grindr…
“As Yeagley showed, all that information was available for sale, for cheap. And it wasn’t just Grindr, but rather any app that had access to a user’s precise location—other dating apps, weather apps, games. Yeagley chose Grindr because it happened to generate a particularly rich set of data and its user base might be uniquely vulnerable.”
… metadata (e.g., WhatsApp)…
“A 2016 Stanford study that collected the phone metadata of volunteers willing to be surveilled in the name of science gave examples of what inferences one could draw from the telephone records of participants. Participant B, for example, “received a long phone call from the cardiology group at a regional medical center, talked briefly with a medical laboratory, answered several short calls from a local drugstore, and made brief calls to a self-reporting hotline for a cardiac arrhythmia monitoring device.” Participant D “placed calls to a hardware outlet, locksmiths, a hydroponics store, and a head shop in under 3 weeks.” And participant E “made a lengthy phone call to her sister early one morning. Then, 2 days later, she called a nearby Planned Parenthood clinic several times. Two weeks later, she placed brief additional calls to Planned Parenthood, and she placed another short call 1 month after.” It’s safe to assume that participant B recently had a heart attack, that participant D was preparing to grow marijuana, and that participant E was seeking an abortion. All of that could be inferred without ever tapping their telephone lines and listening to the content of their calls. Metadata can tell you a lot. The former director of both the CIA and the NSA, Michael Hayden, put it even more bluntly in 2014: “We kill people based on metadata.”
… OSINT…
“While intelligence community analysts had been warning for years about the potential for civil unrest, as well as the instability and corruption of governments in North Africa and the Middle East, few had forecast a once-in-a-generation event that would sweep across nearly every country in the region in some form or another, toppling numerous governments and sparking multiple civil wars. “We had become too accustomed to stealing secrets and were not paying enough attention to important information that was streaming on Twitter for the world to see,” the deputy CIA director Michael Morell conceded in his memoir after his retirement from government service.”
… FBI… (this is not even news, actually)
“Most infamously, Church’s probe would reveal that the FBI had engaged in intense surveillance and harassment of the Reverend Martin Luther King, even once sending him a letter and a tape recording that the late civil rights leader believed was an attempt to drive him to suicide.”
… Twitter…
“Twitter often attracted a large number of users tweeting under semi-anonymous pseudonyms. That gave them the illusion of privacy and anonymity. But those pseudonyms were not as private as people believed, and real insights into their identities and personalities were embedded in the data in their photos, the information in their tweets, the people or the topics that they followed, or just the sheer volume of tiny clues about their identity they left behind online. When the FBI director, James Comey, let slip once he was lurking on Twitter under a pseudonymous account, the Gizmodo writer Ashley Feinberg identified his supposedly private account after only four hours of digging. If the director of the FBI can’t keep a low profile using a pseudonym, what hope is there for the rest of us?”
“After Musk’s acquisition, Twitter stopped replying to journalists. The email account that reporters used to ask the company for comment now replies with a poop emoji.”
…how they located (and killed) the lunatics who joined ISIS…
“They were joining an international terrorist group that was being hunted by a multinational coalition made up of some of the most capable and sophisticated military powers on the planet. But they were so used to sharing their lives with strangers that it didn’t occur to many that the GPS coordinates in their tweets, the mountains in the backgrounds of their photos, the faces of their fellow jihadis, and dozens of other digital breadcrumbs were all like homing beacons that the U.S.-led anti-ISIS coalition could use to target them. An untold many paid for those operational security errors with their lives.”
… and from those lunatics, they moved on to… other things:
“what led to Reed’s arrest and indictment was the fact that he inadvertently added an “undercover” Facebook account controlled by the Page police officer Christopher Seamster to his private Facebook group with a handful of friends. And so for dozens of pages of messages over the course of a few days, a space that Reed and some of his friends and neighbors perceived as private was being monitored by authorities in real time. By 2020, these undercover accounts had become the favorite tool of police departments of all sizes—from big-city police departments like the LAPD to the tiny twenty-three-officer force that is responsible for public safety in Page, Arizona, population of about seventy-five hundred. A tactic once used to keep ISIS terrorists in place while a fighter plane locked on target had trickled down to all levels of domestic law enforcement.”
… the f*cking wheels of your car…
“Ever wondered how your car’s computer knows the pressure of each tire? Well, those aren’t hardwired sensors. There is a tiny wireless tire pressure monitoring sensor, or TPMS, device inside each tire. And it is constantly broadcasting something like “I’m Acura tire k192e3bc and my tire pressure is 42 psi.” The message is meant for the central computer of your own car, but anybody with an antenna can listen in. Car manufacturers have never bothered to secure the transmission with encryption or any other kind of privacy mechanism. In 2020, a Finnish programmer named Tero Mononen placed a digital radio near his window that was programmed to capture transmissions in a certain frequency for seventy-five days—just to see what he might get back. The answer was 1.5 million rows of data, mostly from devices in his own home like car keys and smoke detectors. But to his surprise, he was able to capture 75,000 readings from 10,000 unique tires from passing cars. He concluded in a blog post that “TPMS data capture could be utilized by researchers, spies and people who are being followed.”
He was right.”
… Burner phones…
“In 2013, The New York Times revealed that the Drug Enforcement Administration could seemingly detect “burner” phones using big data. Similar reports surfaced that the NSA has the same capability. In general, if one phone is being switched off at the same time and general location that another phone is being switched on, they could potentially be associated.”
… the Senate Intelligence Committee…
“In March 2013, the then director of national intelligence, James Clapper, appeared in front of the Senate Intelligence Committee. “Does the NSA collect any type of data at all on millions, or hundreds of millions, of Americans?” Wyden asked. “No, sir,” replied Clapper. “It does not?” Wyden said, eyebrows arched, in a surprised tone bordering on incredulous. “Not wittingly,” Clapper said. This entire scene was Kabuki theater.”
“The internet would never be the same. In response to the Snowden disclosures, tech companies made major changes.”
… geolocation on your mobile phone…
“I’m here to tell you if you’ve ever been on a dating app that wanted your location or if you ever granted a weather app permission to know where you are 24/7, there is a good chance a detailed log of your precise movement patterns has been vacuumed up and saved in some data bank somewhere that tens of thousands of total strangers have access to. That includes intelligence agencies. It includes foreign governments. It includes private investigators. It even includes nosy journalists.
If you cheated on your spouse in the last few years and you were careless about your location data settings, there is a good chance there is evidence of that in data that is available for purchase. If you checked yourself into a mental hospital or inpatient drug rehab, that data is probably sitting in a data bank somewhere. Are you being treated for erectile dysfunction at a sexual health clinic? That data is obtainable by strangers. If you told your boss you took a sick day and went to the beach or interviewed at a rival company, that could be in there. If you visited a divorce lawyer’s office but then decided not to go through with it and reconciled with your spouse, your visit might nevertheless be logged. If you frequent gay bars or boutique sex shops and aren’t open about your habits or lifestyle, someone could figure it all out. If you let emotion get the best of you and threw a brick through a storefront window during the George Floyd protests, well, your cell phone might link you to that bit of vandalism. And if you once had a few pints before causing a car crash and drove off without calling the police, data telling that story likely still exists somewhere.”
“The company’s thesis was that “where you go is who you are,” White would say in interviews. “We felt the most powerful signal of who we are as individuals was not the websites we visit, but the places we visit in the events we attend.”
“In short, the adtech data that Venntel and Babel were brokering was a gold mine for law enforcement. For one, it freed law enforcement from having to do pesky paperwork to get a subpoena or a warrant approved by a judge. There was also little public awareness that this kind of data was even for sale, so few people were opting out. Like me, most people had no idea about the “Limit Ad Tracking” menu on their iPhones or the AAID that Google had given even Android devices. Many still don’t.”
“No mobile app privacy policy that I’ve ever found discloses that a government intelligence agency or security service may be buying the data. Many do acknowledge they might have to turn over user data in response to a warrant, but in general privacy policies around data sales and sharing make two claims: first, that user data is anonymized if it’s transferred and no personally identifiable information is shared; second, the purpose of that data is for analytics or advertising or commerce. Neither is true.”
The “highest bidder” isn’t always the USA: sometimes it’s also Russia or North Korea.
“Over beers one night in Washington, D.C., a former government insider pushed his phone across the table to me. On it was a list of all of the advertising exchanges that America’s intelligence agencies had access to in one way or another (…)
Somehow, the U.S. government through a maze of contractors, shell companies, or proxies was able to collect data from all the major ad exchanges. Or they could serve ads or malware using those networks. It’s probably no exaggeration to say that every smartphone, tablet, and computer on earth is passing data back to these exchanges in some way. Worse, the source told me that China, Russia, North Korea—all these nations—were sitting on the same networks. They were using shells and cutouts like nContext to obtain data on Americans by the petabyte. And nobody wanted to talk about it because America does the same thing.”
“The success lies in the secrecy.”
…Al-Moazin…
It was a popular Android app that helped Muslims pray: based on GPS location, it notified users of the exact prayer times (which depend on the time of year and the sun's position) and the precise direction of Mecca from their location.
“Beyond collecting the usual GPS location, the app could collect an exceedingly large amount of data about its users’ phones and send it off to an unknown third party. First, when a user connected to a Wi-Fi network, Al-Moazin could collect information about every other device running on the network. It could see every other phone, tablet, router, smart TV, and smart speaker connected to that Wi-Fi and the special unique digital identifiers belonging to those devices. This could enable whoever was receiving the data to map out the social network of the phones’ owners—by seeing what other phones’ devices were in proximity at a given time. Second, it could also copy the material on the phone’s clipboard—which often included sensitive information like passwords—and the email address of the owner of the phone as well as the phone number assigned to the phone. This was new. Data received by companies like Gravy Analytics and X-Mode contained no explicit personal information like an email address or a phone number. With some basic tradecraft or some additional commercial data, a name can usually be inferred. But the software code running inside Al-Moazin could directly map a person’s identity to their movements through the world. Most bizarrely, it had the capability to scan the WhatsApp downloads folder of any phone it was installed on. It couldn’t necessarily read the contents of the files, but it seemed to take an inventory of the file names stored there. This could be a remarkably valuable intelligence-gathering tool. WhatsApp is a popular chat app owned by Facebook that is used around the world as an alternative to standard text messages. And unlike standard texts, its messages are encrypted, meaning that governments have great difficulty intercepting them. This software in Al-Moazin could circumvent some of that and see what kinds of files users were trading on WhatsApp—whether cat memes, pornography, state secrets, or terrorist propaganda.”
… TikTok…
“National security officials remain so concerned about TikTok because the United States engages in the same practice: collecting data through apps at scale to project national power.”
“TikTok offers numerous ways for an adversary like China to cause trouble. For one, through a social network like TikTok, China can collect immense amounts of behavioral data on Americans. It can understand their likes, dislikes, preferences, habits, and routines. The friend networks and social circles of Americans can also be collected through TikTok by mapping out who follows whom and who interacts with whom. Finally, Americans are uploading a great deal of biometric information—their faces, for example—to these services. American law enforcement and intelligence pull facial data from social media sites, so it’s hard to imagine that China would not use its unprecedented access to all data that flows through its country to do the same. Finally, TikTok has a tremendous influence on global public opinion and online discourse.”
Have a great week.
Jorge García Herrero
Data Protection Officer