A Shadow of a Monster
Technologies of AI surveillance are developed and deployed locally, but they can spread beyond their initial playgrounds
Happy Friday, Control Spy, Delete readers! Your weekly dose of digital surveillance and censorship news is here.
This week offered a chance to look at government approaches to surveillance in some very different parts of the world. While businesses, activists and politicians dispute the boundaries of the government’s power to track citizens in the U.S., Canada, and Europe, China is quietly spreading practices of unbridled, unchecked state surveillance in Asia and Africa.
But in a global world, technology naturally spreads across borders and spheres of influence. In the future, we may see countries use Western-made AI technology for systems based on the Chinese approach.
Companies may refuse to export their products to certain nations, but technology can be leaked, stolen, or reverse-engineered, not to mention trickling through neutral nations that are trying to take the best from the two worlds.
In the end, when it comes to AI-powered surveillance, everyone around the world involved with such technologies is building the same, world-sized monster, which, once it’s ready, won’t be limited by policies or embargoes.
Whatever is being built now will ultimately become available beyond the scope of its original purpose – just as the malware originally developed by the National Security Agency was stolen and used by hackers in 2017 in one of the worst global ransomware campaigns (WannaCry).
That’s something to keep in mind for everyone working on AI systems today – and for the rest of us, a reminder that no story or pattern we hear from the other side of the world is too far-fetched to impact our own reality one day.
That’s why I’m trying to bring you stories from all around the world – and without further ado, let’s get into it!
Share this newsletter with privacy-minded friends to spread awareness.
Biometrics briefing
The U.S. Department of Homeland Security will pay $25 million for more than 1,500 iris scanning devices to equip ICE officers. – NPR
Facebook, YouTube and Venmo sent cease-and-desist letters to Clearview AI, a leading facial recognition startup that builds its database by scraping the web for face images. – Mashable
Erie County in New York State has passed a law against private businesses collecting, storing and selling customers’ biometric data. – WIVB
Chinese police in the city of Tianjin are using smart glasses with facial recognition. – China Daily
Sierra Leone has launched mandatory biometric verification for foreign nationals. – Biometric Update
Ghana is rolling out biometric digital visas for visitors. – Biometric Update
This school bus is watching you
BusPatrol, a company installing cameras on school buses, is going to turn those cameras into automated license plate readers, 404 Media learned. The company has its cameras on more than 40,000 buses across 24 states. BusPatrol is also planning to partner with Axon, a major provider of tech devices and software to police.
The license plate reader plan will effectively turn all school buses with BusPatrol cameras into a surveillance fleet recording every car that passes by, along with its location, regardless of whether it violated any traffic rules. Normally, the cameras’ purpose is to register when drivers don’t respect the stop signs and illegally pass a bus letting school kids in or out.
Automated license plate readers (ALPRs) have become controversial in the U.S. recently, due to the most popular one, Flock, being used by ICE to look up the movements of immigrants the agency is targeting.
Some cities cancelled contracts with Flock after learning that local traffic data could be shared with federal agencies with no oversight. Police departments can look up locations of vehicles through ALPRs with no warrant, nationwide, and immigration authorities have been reportedly using the police access.
Adding school buses to the network of ALPRs will make this surveillance network even more powerful.
Bossware at the New York Times
The trade union of the New York Times’ technology staff is not fond of new AI surveillance inside the company, The Verge reports. The Tech Guild represents hundreds of software engineers, designers, product and project managers, and data analysts who work for the newspaper.
The NYT has recently deployed several AI productivity management tools that track the tech staff’s output and efficiency. The results of that tracking are used to evaluate each worker’s productivity, but the metrics used miss a lot of nuance and do not reflect the actual quality of work, software engineer Ben Harnett told The Verge.
The Tech Guild and the Times Guild (representing the NYT editorial staff) filed unfair labor practice charges against the company, saying the NYT did not give clear answers about its use of the workplace tracking tools. The moment is sensitive: the Times Guild is currently bargaining for a new contract, which includes guardrails around AI use.
Journalists have recently found themselves at the forefront of the big AI overhaul as companies, including media corporations, are trying to use AI as much as they can to maximize efficiency and profit. Conflicts like the one around the NYT will show whether the media industry will choose an AI-for-humans or a humans-for-AI approach – The Reuters Institute for the Study of Journalism wrote a great analysis on this if you’re curious.
Inside peek into Beijing’s surveillance machine
This week has brought some new insights into the Chinese surveillance apparatus, offering a glimpse of what a modern surveillance state may look like when no political or social institutions are keeping it in check.
The Financial Times gained access to procurement documents from 12 government tenders, showing how the Chinese law enforcement is building predictive policing protocols on a new generation of AI-powered surveillance cameras.
According to the documents, the latest products by Hikvision and Huawei allow analyzing video directly on the device that captured it, thanks to newer, more powerful chips. Such cameras allow identifying and predicting behaviour patterns while interpreting video feeds in real time, FT writes. They also allow the police to search for pieces of footage by entering text descriptions, so that officers don’t have to manually review the footage.
The systems are trained to predict behaviors like erratic driving, trespassing, crowd forming, and suicidal behaviour. Some Hikvision cameras can identify the gender, posture and clothing of people on the footage.
According to the FT sources, these kinds of cameras have already been deployed in some densely populated city neighborhoods, as well as areas around military facilities and government buildings.
Another sneak peek into China’s surveillance apparatus this week came as a result of poor cybersecurity at some governmental quarters. A pseudonymous cybersecurity researcher going by NetAskari stumbled upon an unprotected database of foreign nationals monitored by the Chinese government, Deutsche Welle reports. NetAskari found a demo version of an electronic tracking system designed for the 2022 Winter Olympics in Beijing.
The product was a test version but based on real datasets, DW writes, which included passport photos, cellphone numbers, visa details and dates of birth of almost every foreign journalist based in Beijing around 2021.
The system combines data from the network of CCTV cameras, mobile payments systems, social networks, face-scanning gates at the Zhangjiakou ski resort, the train ticketing system and other sources. It can track an individual via a range of various parameters, including gas consumption and regular shopping locations.
This system allows authorities not only to track people in real time but also to predict their moves, DW writes – and in the case of foreign journalists, anticipate which locations they are going to visit, what they are potentially investigating and with whom they are planning to talk. And with such insights, the authorities can do a lot to prevent reporters from seeing and hearing what they are not supposed to – by intimidating sources, for example.
China has been known for its pervasive digital surveillance, being something of the world’s model surveillance state. But systems and tools it is using are not unique – cameras with facial recognition, electronic payments and online shopping systems, tools for gathering cellphone location data – these are things any government can use.
And some already see China as a great example to follow – read this feature by the New York Times about China’s surveillance practices’ expansion to countries in Southeast Asia, Africa, and Central Asia. “It allows China to portray their system as a public safety success rather than a human rights failure,” says Sheena Chestnut Greitens, a political scientist at the University of Texas.
Many countries are already on their way to adopting this “public safety success.”
A fight for privacy in Canada
The Canadian government is dealing with a massive pushback against its attempt to give law enforcement broader digital surveillance powers. The country’s parliament is in the process of passing new legislation, Bill C-22, also known as the Lawful Access Act, which offers new rules for digital service providers when police request their users’ data.
The part of the bill that caused outrage requires a broad range of tech companies to create and implement “capabilities related to extracting and organizing information that is authorized to be accessed,” as well as manage “equipment or other thing that may enable an authorized person to access information.”
Major tech companies, messaging apps and VPN providers are sounding the alarm that these requirements will effectively allow the government to demand backdoors in encrypted communications protocols, destroying Canadians’ privacy.
The government denies that, and the bill itself has a provision saying that providers don’t have to comply with the requests that would require them to introduce “a systemic vulnerability.” However, legal experts argue that this provision is not strong enough and can be circumvented.
Law professor Michael Geist writes that the “systemic vulnerability” is not defined clearly enough, allowing the government to defang the provision by issuing a narrow definition of encryption and vulnerability. Canada’s Business Software Alliance also points to the weakness of the “systemic vulnerability” exception and its inconsistency with the rest of the bill. In written comments to the bill, the group also noted that it would allow warrantless searches of data centers.
A number of tech companies have already signaled their readiness to pull out of Canada if the bill becomes a law, including Signal messenger app, VPN provider Windscribe and others. Google, Meta and Apple also criticized the bill and called for its overhaul.
“This legislation could allow the Canadian government to force companies to break encryption by inserting backdoors into their products – something Apple will never do,” Apple said in a statement.
Bill C-22, which is a revamped version of last year’s failed Bill C-2 (it suggested even broader surveillance powers for Canadian law enforcement), offers an interesting case study into how a fairly liberal government can maintain the balance between privacy and surveillance – and what the public can do about it.
Let’s see how it goes.
IP map for shutdowns
Some news on internet censorship and surveillance from Russia: the country’s internet censorship agency, Roskomnadzor, started punishing the country’s telcos for failing to provide users’ IP addresses, according to the Moscow-based news outlets Izvestia and RBK.
Last spring, the agency issued an order obliging internet operators to tell Roskomnadzor about all IP addresses their customers are using, along with their geography and filtering devices processing traffic from those addresses – the devices sit on operators’ web infrastructure and help Roskomnadzor analyze web traffic and block prohibited websites. The agency reportedly has issued fines to 85 operators that failed to provide the lists of IP addresses.
Russian cybersecurity firm Positive Technologies explains in a blog post that the data allows Roskomnadzor to map IP address usage and see when users change addresses while using virtual private network services (VPNs) to circumvent restrictions and access blocked websites.
VPNs have become a crucial tool for Russians to keep using the World Wide Web as during the past several years, Russia has drastically increased internet censorship, blocked major messenger apps like WhatsApp, Telegram and Signal, and put entire regions on indefinite internet shutdowns. So the VPNs themselves have naturally become a target for Roskomnadzor.
Who will win: a government agency with unlimited recourses or a population that learned to use VPNs? The battle goes on.
Tips and Tricks: Does your phone have spyware?
Canadian news website Inside Halton offers some instructions for checking your phone for symptoms of spyware. Spyware programs are usually deployed by governments to get into the phones of journalists, activists and other people deemed worth watching – if you think you might be in the risk group, here are some signs:
inexplicable increase in battery usage;
unusual and intrusive pop-up ads;
unusual icons indicating microphone or camera access, especially when you’re not using them;
new apps you didn’t download;
changes to settings you didn’t make;
low hard drive space.
In many cases, spyware programs don’t reveal themselves at all, but if you notice suspicious things it might be a sign to check your phone with professionals – for example, The Citizen Lab helps journalists, activists and human rights advocates check their devices for spyware. And read the Inside Halton article and this explainer by Bitdefender for more details.
***
That is all from me for this week, guys!
Stay vigilant.
Anna