Notices by Wolfie Christl (wchr@mastodon.social)

Volkswagen left an unprotected database with up to two years of sensitive personal data on 800k networked VW, Seat, Audi and Skoda cars accessible online, including names, user IDs, sensor and geolocation data.

CCC talk by @fluepke and @michaelkreil (in German):
https://streaming.media.ccc.de/38c3/relive/598

Spiegel article:
https://www.spiegel.de/netzwelt/web/volkswagen-konzern-datenleck-wir-wissen-wo-dein-auto-steht-a-e12d33d0-97bc-493c-96d1-aa5892861027

The network technology giant Cisco offers to turn Wi-Fi access points installed in offices and other buildings into a system that tracks the location of employees, customers, smartphones, laptops and other devices for a wide range of purposes #workersurveillance

I took a deep dive ⬇️ [thread]

The system uses 'behavioral risk models' to assess whether employees are in financial distress, show 'decreased productivity' or intend to leave the job, how they communicate with colleagues and whether they access 'obscene' content or show 'negative sentiment' in their communications.

Here's a list of built-in risk models, see p. 16 in my report:
https://crackedlabs.org/dl/CrackedLabs_Christl_SecurityRiskProfiling.pdf

Based on behavioral profiling, Forcepoint's technology continuously calculates risk scores for employees, singles out those who are assessed as suspicious, ranks them by risk and raises alerts.

To identify 'anomalous' behavior, it can analyze behavioral data on many or all employees, which is recommended by Forcepoint.

Forcepoint's systems can analyze:

- data from employee computers/devices, e.g. file, web, app, clipboard, keyboard, screen activity
- employee communication contents, e.g. email, chat, voice calls
- networking data, e.g. firewall, proxy
- performance reviews from HR systems
- data on physical access to buildings and rooms via badging systems
- activity log data from many other software systems, e.g. Microsoft, Salesforce, SAP, Cisco
- external data, e.g. criminal history, financial distress

First, the report investigates insider risk and behavioral monitoring technology offered by Forcepoint, a major US cybersecurity vendor that is affiliated with the defense/intelligence sector.

Forcepoint promises to help organizations identify cyberattacks and employees who are considered a risk, whether by carelessness, negligence or intention.

Potential threats include “disgruntled employees” who had a “huge fight with the boss” and “internal activists” who leak information to journalists.

The report is part of a larger project which examines how employers (mis)use worker data, funded by Austrian Arbeiterkammer:
https://crackedlabs.org/en/data-work

To illustrate wider practices, the report investigates software for cybersecurity and risk profiling from two major vendors including Microsoft. While employers can use these systems for legitimate purposes, the report focuses on potential implications for employees.

The Register's @thomasclaburn wrote about my research:
https://www.theregister.com/2024/08/27/microsoft_workplace_surveillance/

Forcepoint was until recently owned by defense giant Raytheon. Its behavioral surveillance tech was initially funded by the CIA's venture capital firm In-Q-Tel.

A co-founder of RedOwl which later became Forcepoint Behavioral Analytics is a former US army intelligence and NSA officer who was previously the CEO of Berico, which was involved in a large-scale plan to discredit labor unions in the US.

Overall, Forcepoint claims to analyze 5 billion activity records per day from 900 million devices.

I published a new report that shows how today's cybersecurity and risk profiling systems are turning into employee mass surveillance and predictive policing tools.

Based on log, device and network data,
they let companies monitor almost everything employees do or say.

We need a serious debate about what is necessary and proportionate for what purpose and about safeguards that prevent misuse.

My 76-page report focusing on software from Forcepoint/Everfox and Microsoft:
https://crackedlabs.org/en/data-work/publications/securityriskprofiling

"A data broker is offering sensitive passport data of thousands of people for sale – and publishing some of it openly online. Our investigation leads to an airline as a possible source. Data protection authorities are alarmed"

"netzpolitik.org was able to identify several people on the list. They live in Bavaria or Lower Saxony and confirm that their data and ID numbers are genuine. Some were shocked to learn their data was public"

Passport numbers for sale in the EU: https://netzpolitik.org/2024/european-data-broker-sensitive-passport-data-of-germans-published-online/

LiveRamp, formerly known as Acxiom, sits at the core of much of today's opaque personal data sharing for marketing purposes and maintains comprehensive identity records about everyone in many countries, including in Europe and the UK.

We examined LiveRamp's identity surveillance system, which facilitates digital tracking and profiling across many companies.

New 60-page report published today:
https://crackedlabs.org/en/identity-surveillance

"Each Facebook user is monitored by thousands of companies ... Using a panel of 709 volunteers who shared archives of their Facebook data, Consumer Reports found that a total of 186,892 companies sent data about them to the social network. On average, each participant in the study had their data sent to Facebook by 2,230 companies"
https://themarkup.org/privacy/2024/01/17/each-facebook-user-is-monitored-by-thousands-of-companies-study-indicates

The video includes a demo of the Patternz system. An archived version should be soon available here:
https://web.archive.org/web/20231122160629/https://www.youtube.com/watch?v=P6EZF0vdzYw

The video seems to be a sales pitch to a Peruvian cybersecurity firm and the government of Peru for covid tracking purposes, but it also explains that Patternz was originally 'designed and built' as a 'homeland security platform', for 'anti-riots and protesting'.

Weird that this is publicly available. Uploaded in January 2023, but it might actually be older, 2020/21/22?

Xandr/Microsoft also lists Nuviad as a "partner which may receive Platform Data":
https://docs.xandr.com/bundle/service-policies/page/third-party-providers.html

Here's Nuviad boasting about '2.5 billion user profiles' and 'analyzing over 700k ad opportunities every second'. From an Amazon AWS event in 2018:
https://de.slideshare.net/AmazonWebServices/success-has-many-query-engines-tel-aviv-summit-2018

The commercial data industry is complicit. Google, the IAB, adtech firms, data brokers, publishers and advertisers are complicit.

Whenever someone visits a website or uses a mobile app that displays digital ads, profile data is broadcasted to dozens or hundreds of companies and other entities in uncontrolled ways.

This occurs billions and billions of times a day. Billions of people are affected globally, hundreds of millions in Europe.

(see our report: https://www.iccl.ie/wp-content/uploads/2023/11/Europes-hidden-security-crisis.pdf)

Although we cannot verify their claims, the docs and web sources suggest that Patternz turns the intrusive global surveillance infrastructure that has been built for digital advertising into a system for mass and targeted surveillance for national security agencies, and perhaps also other actors.

It's now the best-documented example of how personal data that is routinely processed to provide consumer services and digital advertising can be exploited for completely unrelated purposes at scale.

To my knowledge, this 2020 Forbes article provided evidence for the first time that a firm who sells surveillance tech to governments was running its own DSP to harvest personal data from RTB bid requests in digital advertising. There was not a lot of detail, but it has been a known issue for years:
https://www.forbes.com/sites/thomasbrewster/2020/12/11/exclusive-israeli-surveillance-companies-are-siphoning-masses-of-location-data-from-smartphone-apps/

Of course, it's ridiculous to believe that only 'Western' state actors would access RTB bidstream data. I'm sure several state and malicious actors do.

It was a deliberate decision to create the RTB advertising system in this bad way, and even worse, the data industry has since then been fighting hard to keep it running, for years, at any cost, from lobbying policymakers to trying to delay GDPR enforcement.

Anyway, thousands of adtech firms and a much larger number of publishers and advertisers have NO CONTROL over who they share personal data with.

Which means they cannot have a legal basis to do so under the GDPR. Which means it's illegal.

RTB undermines the privacy and data rights of billions of people, and it undermines trust into digital technology at large.

RTB is also a national security threat, because of course the data sharing doesn't stop for political leaders, sensitive personnel, military staff and their families.

In our report published today we call for the European Commission, ENISA and EEAS to take action:
https://www.iccl.ie/wp-content/uploads/2023/11/Europes-hidden-security-crisis.pdf

We also call for the US FTC and Congress to take action:
https://www.iccl.ie/wp-content/uploads/2023/11/Americas-hidden-security-crisis.pdf

As such, the digital advertising industry systemically enables the worst possible kind of decontextualized misuse of everyone's personal information.

In Europe, GDPR enforcement has failed. Otherwise, uncontrolled personal data sharing via the RTB bidstream would have been shut down years ago. GDPR regulators must take action now, start a high-priority investigation, mandate processing bans.