False Friends of Digital Privacy

Source: The American Conservative

“Everyone sees what you appear to be, few really know what you are, and those few dare not oppose themselves to the opinion of the many.”

Nicolo Machiavelli, The Prince

The period following May 2013 witnessed a slew of disclosures about mass surveillance. There were jaw-dropping revelations about National Security Agency programs, software, and spy gear. Someone leaked an entire catalog of malware developed by the Central Intelligence Agency. And let’s not forget all the juicy reports about companies secretly cooperating with the intelligence community to install backdoors, establish data-stream backchannels, and provide early access to information on vulnerabilities. Despite the bad publicity, it’s extremely unlikely that these covert programs and relationships abruptly ground to a halt. On the contrary, if the intelligence budget is any indication, the associated skullduggery has proliferated such that sophisticated cyberattacks are no longer the sole purview of three-letter agencies. This state of affairs has unsettling implications that Big Tech would prefer to sweep under the rug.

Advertisement

After being caught in bed with spies, the C-suites knew they would have to contrive ways to regain trust. To this end, they engaged in conspicuous displays of resistance, lauded strong encryption as a panacea, and shoveled cash to trade magazines. Opportunities for redemption conveniently appeared. For example, in early 2016, Apple was involved in a legal dispute with the Federal Bureau of Investigation over access to an iPhone 5C linked to the mass shooting in San Bernardino, Calif. The device in question was finally unlocked by a mercenary firm whose engineers used a carefully crafted sequence of instructions (known in the business as an “exploit chain”) to gain access to the iPhone 5C by leveraging unpatched bugs. 

The unlocking was mostly an afterthought, however. What really generated headlines was the fight between Apple and the United States government. Members of the press announced that Apple was working on a new unhackable iPhone while the company’s CEO was depicted as a defender of digital privacy. The result of this hyperbolic coverage was the impression that Apple was the vendor of choice for people who entrusted their lives with tech (e.g. journalists, political activists). Once the confetti settled from the media frenzy, developers at an Israeli outfit known as the NSO Group proved just how wrong this notion was. Team NSO built an enterprise-class product that could get into virtually any iPhone on demand, without any interaction by the targeted user—a devastating “zero-click” attack platform. Eat your heart out, Tim Cook.   

Fast forward to July 2022 and the executives at Apple are once again eager to reassure users. There’s a shiny new feature called “Lockdown Mode.” Sounds impressive, right? That’s the idea. And once again, tech publications are drinking the Kool-Aid (e.g., it’s the “coolest security idea ever”), reinforcing the dubious presumption that, somehow, things will be different this time. 

The media’s talking points are an indicator of sorts. Think about it: what better way to collect sensitive information than corralling users into the same parcel of digital real estate by convincing them to adopt a technology ostensibly designed to protect their privacy? The prospect of security attracts users in droves, though. At the same time, the resulting popularity of an allegedly secure venue attracts people who devote their lives to compromising said security. Just like watering holes bring together gazelles and lions, one side is drawn in by secrecy and the other by secrets.  

The crime-phone vendor Anom accomplished this feat by hiring “influencers,” known figures in the underground who could wield their credibility by offering endorsements for Anom’s phones. It worked like a charm and Anom sold over 12,000 phones. What customers, as well as influencers, didn’t realize was that Anom was actually a massive honeypot in disguise being controlled behind the scenes by the feds. Suffice it to say that Operation Trojan Shield resulted in hundreds of arrests as authorities conducted a wave of raids.  

Advertisement

So perhaps the constellation of celebrities orbiting around the encrypted messaging app called Signal is to be expected: everyone from former spies such as Ed Snowden (“I use it every day and I’m not dead”), to award-winning journalists such as Seymour Hersh (“You better get Signal”), to tech luminaries such as Bruce Schneier (“Use Signal whenever you can”), to billionaires such as Elon Musk (“Use Signal”). The big names are unanimously giving Signal two thumbs up. 

These testimonies are likely of little comfort to Stewart Rhodes, the leader of the Oath Keepers, who was caught transmitting some pretty strong words via Signal, all of which are now trial evidence. It may not be surprising, then, that Proud Boys leader Henry “Enrique” Tarrio is in the same boat. His encrypted chats are likewise being used against him by prosecutors. Listen carefully and you can almost hear surveillance experts chuckling, reminding us that “current security efforts suffer from the flawed assumption that adequate security can be provided in applications with the existing security mechanisms of mainstream operating systems.” Once more, in rare fits of honesty spies will concede that iPhone users are zombies who pay for their own surveillance. 

Can users be blamed for wanting to believe in silver bullets? Given the onslaught of data breaches and mass surveillance they have valid reasons to flock to something — anything — that might provide a semblance of relief. 

Sadly, there won’t be any relief. As Morgan Freeman would quip, “John Doe has the upper hand.” 

Offensive developments underscore that the privacy technology commonly promoted by very serious people is likely nothing more than a speed bump to the black hats. If intruders really want your secrets, they’ll get them. For instance, researchers have recently unearthed malware out in the wild that literally hides inside computer hardware. Staking out a foothold in chip firmware that’s invisible to the operating system while achieving unfettered access to data, the malware dubbed CosmicStrand has been lurking around the Internet largely unseen since 2016. In other words, none of the common prescriptions (e.g., USB-bootable operating systems, encrypted messaging apps, onion routing) fit the bill with regard to confidentiality. 

If anything, tools like TAILS, Signal, and Tor create a false sense of security that loosens lips, which is what watchers are hoping for. This is similar to how British intelligence elicited secrets from captured German officers in World War II; they treated prisoners with dignity, placed them in comfortable surroundings, and made sure drinks were readily available. Then, when the German officers finally felt safe, they started to talk.   

Proponents, in an effort to downplay this threat, will reflexively note that only an organization like the NSA could pull such a thing off. And they would be wrong. This isn’t the sort of technology that’s limited to apex intelligence collectors. Circa 2009, your author was present for a talk given by a trio of researchers from Poland who successfully implemented a firmware-level rootkit on a shoestring budget. Now imagine what an organized group with a couple million in funding can accomplish. And yes, there are plenty of commercial entities that fit that description. Your author has had some exposure to this scene and it’s pretty active. Please keep in mind that hardware subversion has had well over a decade to mature and advance. Firmware rootkits are now mainstream, available to anyone with a budget and a list of intelligence objectives.

Honestly, you’d think that people would muster a bit more skepticism. The public record is chock full of instances where high-end security tech failed spectacularly. Consider, for instance, the case of crime-phone vendor Encrochat, which supported a sprawling network of some 60,000 users worldwide, charging thousands of dollars per year for each subscriber line. In what became known as Operation Venetic, authorities in Europe found a way to hack the company’s phones, thereby sidestepping encryption safeguards; in the summer of 2020, police made close to 800 arrests across Britain alone. And which messaging protocol was deployed on Encrochat? The very same one used by Signal.

In 1984, the creator of UNIX, Ken Thompson, presciently warned that “you can’t trust code that you did not totally create yourself.” Now, an entire industry exists that acquires access to data by manipulating bugs in sloppy code. Some of these bugs are accidents, and some of them aren’t. Spies claim to be amused by the fact that it’s hard to tell the difference. Faced with pervasive hacking and stealthy backdoors Silicon Valley have tendered its response: more. More technology, more connectivity, more bandwidth, more user data, more aggregation, more societal footprint, more money, and ultimately more power. It’s the pretty lie of Big Tech: “You can protect your privacy with this one neat app.” But anything that emits a signal can and will be tracked. The convenience of mobile devices has shown itself to be a lure and the belief that they’ll protect individual privacy is a tenuous leap of faith. If history shows anything, it’s that this faith is misplaced, particularly when it matters the most. The great reset is afoot, dear reader, and technology that was originally introduced as a means of liberation has proven itself to be far more effective as a means of indoctrination and social control. This leaves a stark choice to anyone concerned about their civil liberties: freedom or the trendy widgets of Silicon Valley?