False Friends of Digital Privacy

“Everyone sees what you appear to be, few really know what you are, and those few dare not oppose themselves to the opinion of the many.”

Nicolo Machiavelli, The Prince

The period following May 2013 witnessed a slew of disclosures about mass surveillance. There were jaw-dropping revelations about National Security Agency programs, software, and spy gear. Someone leaked an entire catalog of malware developed by the Central Intelligence Agency. And let’s not forget all the juicy reports about companies secretly cooperating with the intelligence community to install backdoors, establish data-stream backchannels, and provide early access to information on vulnerabilities. It’s unlikely, despite the negative publicity, that these secret programs and relationships suddenly stopped. On the contrary, if the intelligence budget is any indication, the associated skullduggery has proliferated such that sophisticated cyberattacks are no longer the sole purview of three-letter agencies. Big Tech prefers to ignore the disturbing implications of this situation.

After being caught with spy spies the C-suites realized they had to find ways to win back trust. They engaged in conspicuous resistance and praised strong encryption as the panacea. There were many opportunities for redemption. For example, in early 2016, Apple was involved in a legal dispute with the Federal Bureau of Investigation over access to an iPhone 5C linked to the mass shooting in San Bernardino, Calif. The device in question was finally unlocked by a mercenary firm whose engineers used a carefully crafted sequence of instructions (known in the business as an “exploit chain”) to gain access to the iPhone 5C by leveraging unpatched bugs.

Unlocking was a secondary concern. The fight between Apple, the United States government was what really made headlines. Members of the press announced that Apple was working on a new unhackable iPhone while the company’s CEO was depicted as a defender of digital privacy. This hyperbolic coverage gave the impression that Apple is the preferred vendor for those who trust their lives to tech (e.g. Journalists, activists. After the media frenzy had subsided, the NSO Group Israeli developers proved that this idea was false. Team NSO built an enterprise-class product that could get into virtually any iPhone on demand, without any interaction by the targeted user–a devastating “zero-click” attack platform. Tim Cook, take a deep breath.

Fast forward to July 2022 and the executives at Apple are once again eager to reassure users. There’s a shiny new feature called “Lockdown Mode.” Sounds impressive, right? This is the concept. And once again, tech publications are drinking the Kool-Aid (e.g., it’s the “coolest security idea ever“), reinforcing the dubious presumption that, somehow, things will be different this time.

The media’s talk points can be used as a guide. It’s easy to see how the media is interpreting these talking points. The prospect of security attracts users in droves, though. People who are willing to compromise security for the sake of a secure space attract many users. Like watering holes bringing together gazelles or lions. One side is attracted in by secrecy, the other is attracted by secrets.

The crime-phone vendor Anom accomplished this feat by hiring “influencers,” known figures in the underground who could wield their credibility by offering endorsements for Anom’s phones. It worked like a charm and Anom sold over 12,000 phones. Customers and influencers didn’t know that Anom was actually an enormous honeypot disguised as a government-controlled operation. Suffice it to say that Operation Trojan Shield resulted in hundreds of arrests as authorities conducted a wave of raids.

So perhaps the constellation of celebrities orbiting around the encrypted messaging app called Signal is to be expected: everyone from former spies such as Ed Snowden (“I use it every day and I’m not dead”), to award-winning journalists such as Seymour Hersh (“You better get Signal”), to tech luminaries such as Bruce Schneier (“Use Signal whenever you can”), to billionaires such as Elon Musk (“Use Signal”). Signal is getting two thumbs up from the big stars.

These testimonies are likely of little comfort to Stewart Rhodes, the leader of the Oath Keepers, who was caught transmitting some pretty strong words via Signal, all of which are now trial evidence. So it may come as no surprise that Henry Tarrio, the leader of Proud Boys, is also in this boat. His encrypted chats are likewise being used against him by prosecutors. Listen carefully and you can almost hear surveillance experts chuckling, reminding us that “current security efforts suffer from the flawed assumption that adequate security can be provided in applications with the existing security mechanisms of mainstream operating systems.” Once more, in rare fits of honesty spies will concede that iPhone users are zombies who pay for their own surveillance.

Can users be blamed if they believe there are silver bullets to solve their problems? Users have good reasons to believe in silver bullets, given the growing number of data breaches and mass surveillance.

Unfortunately, there will not be relief.

Unfortunately, there won’t be any relief.

Offensive developments underscore that the privacy technology commonly promoted by very serious people is likely nothing more than a speed bump to the black hats. Intruders will get your secrets if they really do want them. For instance, researchers have recently unearthed malware out in the wild that literally hides inside computer hardware. Staking out a foothold in chip firmware that’s invisible to the operating system while achieving unfettered access to data, the malware dubbed CosmicStrand has been lurking around the Internet largely unseen since 2016. The malware, also known as CosmicStrand, has been lurking around the Internet largely unseen since 11.

Tools like Signal and TAILS create an illusion of security, which loosens the lips. This is exactly what watchers want. This is similar to how British intelligence elicited secrets from captured German officers in World War II; they treated prisoners with dignity, placed them in comfortable surroundings, and made sure drinks were readily available. After the German officers felt secure, they began to speak.

Subscribe Today

Get weekly emails in your inbox

Proponents will try to minimize this threat by pointing out that it is impossible for an organization such as the NSA to pull off such a feat. They would be mistaken. These are not the kind of technologies that is restricted to intelligence gatherers at high levels. Circa 2009, your author was present for a talk given by a trio of researchers from Poland who successfully implemented a firmware-level rootkit on a shoestring budget. Imagine what an organized group can do with just a few million dollars. Yes, many commercial entities fit this description. Your author has had some exposure to this scene and it’s pretty active. Please keep in mind that hardware subversion has had well over a decade to mature and advance. Now, firmware rootkits are mainstream and available to everyone with an intelligence objective list.

You’d expect people to be more skeptical. There are many instances in which high-end security technology has failed catastrophically. Consider, for instance, the case of crime-phone vendor Encrochat, which supported a sprawling network of some 60,000 users worldwide, charging thousands of dollars per year for each subscriber line. In what became known as Operation Venetic, authorities in Europe found a way to hack the company’s phones, thereby sidestepping encryption safeguards; in the summer of 2020, police made close to 800 arrests across Britain alone. And which messaging protocol was deployed on Encrochat? Signal used the exact same protocol.

In 1984, the creator of UNIX, Ken Thompson, presciently warned that “you can’t trust code that you did not totally create yourself.” Now, an entire industry exists that acquires access to data by manipulating bugs in sloppy code. There are some bugs that are accidental, while others are not. The fact that the distinction is hard to make makes spy spies laugh. Silicon Valley has responded to pervasive hacking with stealthy backdoors by offering more. Silicon Valley has responded with more technology and more connections, bandwidth, user data, money and power. It’s the pretty lie of Big Tech: “You can protect your privacy with this one neat app.” But anything that emits a signal can and will be tracked. Mobile devices have proven to be attractive and the idea that they will protect privacy has been questioned. If history shows anything, it’s that this faith is misplaced, particularly when it matters the most. Dear reader, the great reset is underway and technology originally created as a way to liberate people has proved itself far more efficient as an instrument of social control and indoctrination. Anyone concerned about civil liberties has a clear choice: Freedom or Silicon Valley’s trendy widgets.