CountryWatch – Rural Surveillance

Eighteen months or so ago, looking for a bite to eat in advance of going to catch a flight, we stumbled across a village somewhere, with a village green… and a surveillance camera.

Over the weekend, in rural Devon, down a steep, single track road, leading to an out of the way beach, and a coastal walk: a car park.

A pay on exit car park.

A pay on exit car park with ANPR.

A pay on exit car park with ANPR and car registration autocomplete as part of the payment machine UI.

I hate modern technology.

PS Meanwhile, in Downderry, Devon, some villagers at least seem to be of the mind that “the arrival of the [ANPR] cameras [in the local pub car park] was ‘an offence in a village setting’”.


Ad-Tech – A Great Way in To OSINT

Open Source Intelligence – OSINT – is intelligence that can be collected from public sources. That is to say, OSINT is the sort of intelligence that you should be able to collect using a browser and a public or academic library that also provides access to public subscription content. (For an intro to OSINT, see for example Sailing the Sea of OSINT in the Information Age; for example context, Threat Intelligence: Collecting, Analysing, Evaluating). OSINT can be used as much by corporates as by the security services. It’s also up for grabs by journalists, civil society activists and stalkers…

Looking at the syllabus for an OSINT beginners’ course, such as IMSL’s Basic Open Source (OSINT) Research & Analysis Tradecraft, turns up the sorts of thing you might also expect to see as part of one of Phil Bradley or Karen Blakeman’s ILI search workshops:

  • Appreciation of the OS environment
    • Opportunities, Challenges and Threats
  • Legal and Ethical Guidance
  • Search Tradecraft
    • Optimising Search
    • Advanced Search Techniques
  • Profile Management and Risk Reduction
    • Technical Anonymity/Low Attribution
    • Security Tradecraft
  • Social Media exploitation
    • Orientation around the most commonly used platforms Twitter, Facebook, LinkedIn etc.
    • Identifying influence
    • Event monitoring
    • Situational Awareness
    • Emerging social media platforms
  • Source Evaluation
    • Verifying User Generated Content on Social Media

And as security consultant Bruce Schneier beautifully observed in 2014, [s]urveillance is the business model of the Internet.

What may be surprising, or what may help explain in part their dominance, is that a large part of the surveillance capability the webcos have developed is something they’re happy to share with the rest of us. Things like social media exploitation, for example, allow you to easily identify social relationships, and pick up personal information along the way (“Happy Birthday, sis..”). You can also identify whereabouts (“Photo of me by the Eiffel Tower earlier today”), captioned or not – Facebook and Google will both happily tag your photos for you to make them, and the information, or intelligence, they contain more discoverable.

Part of the reason that the web companies have managed to grow so large is that they operate very successful two-sided markets. As the FT Lexicon defines it, these are markets that provide “a meeting place for two sets of agents who interact through an intermediary or platform”. In the case of the web cos, “social users” who gain social benefit from interacting with each other through the platform, and the advertisers who pay the platform to advertise to the social users (Some Notes on Churnalism and a Question About Two Sided Markets).

A naive sort of social media intelligence would focus, I think, on what can be learned simply through the publicly available activity on the social user side of the platform, albeit activity that may be enriched through automatic tagging by the platform itself.

But there is the other side of the platform to consider too. And the tools on that side of the platform, the tools developed for the business users, are out and out designed to provide the business users – the advertisers – with intelligence about the social users.

Which is all to say that if surveillance is your thing, then ADINT – Adtech Intelligence – could be a good OSINT way in, as a recent paper from the Paul G. Allen School of Computer Science & Engineering, University of Washington describes: ADINT: Using Targeted Advertising for Personal Surveillance (read the full paper; Wired also picked up the story: It Takes Just $1,000 to Track Someone’s Location With Mobile Ads). Here’s the paper abstract:

Targeted advertising is at the heart of the largest technology companies today, and is becoming increasingly precise. Simultaneously, users generate more and more personal data that is shared with advertisers as more and more of daily life becomes intertwined with networked technology. There are many studies about how users are tracked and what kinds of data are gathered. The sheer scale and precision of individual data that is collected can be concerning. However, in the broader public debate about these practices this concern is often tempered by the understanding that all this potentially sensitive data is only accessed by large corporations; these corporations are profit-motivated and could be held to account for misusing the personal data they have collected. In this work we examine the capability of a different actor — an individual with a modest budget — to access the data collected by the advertising ecosystem. Specifically, we find that an individual can use the targeted advertising system to conduct physical and digital surveillance on targets that use smartphone apps with ads.

The attack is predicated in part on knowing the Mobile Advertising ID (MAID) of a user you want to track, and several strategies are described for obtaining that.

I haven’t looked at adservers for a long time (or Google Analytics for that matter), so I thought I’d have a quick look at what the UIs support. So for example, Google AdWords seems to offer quite a simple range of tools, that presumably let me target based on various things, like demographics:

or location:

or time:

It also looks like I can target ads based on apps a user uses:

or websites they visit:

though it’s not clear to me if I need to be the owner of those apps or webpages?

If I know someone’s email address, it also looks like I can use that to vector an ad towards them? Which means Google cookies presumably associate with an email address?

This email vectoring is actually part of Google’s “Customer Match” offering, which “lets you show ads to your customers based on data about those customers that you share with Google”.

So how about Facebook? As you might expect, there’s a range of audience targeting categories that draw heavily on the information users provide to the system:

(You’ve probably heard the slogan “if you aren’t paying for the product, you are the product” and thought nothing of it. Are you starting to feel bought and sold, yet?)

Remember that fit of anger, or joy, when you changed your relationship, maybe also flagging a life event (= valuable to advertisers)?

Or maybe when you bought that thing (is there a Facebook Pay app yet, to make this easier for Facebook to track?):

And of course, there’s location:

If you fancy exploring some more, the ADINT paper has a handy table summarising what’s offered by various other adtech providers:

On the other hand, if you want to buy readymade audiences from a data aggregator, try the Oracle Data Marketplace. It looks as if they’ll happily resell you audiences derived from Experian data, for example:

So I’m wondering, what other sorts of intelligence operation could be mounted against a targeted individual using adtech more generally? And what sorts of target identification can be achieved through a creative application of adtech, and maybe some simple phishing to entice a particular user onto a web page you control and which you can use to grab some preliminary tracking information from targeted users you entice there?

Presumably, once you can get your hooks into a user, maybe by enticing them to a web page that you have set up to show your ad so that the adserver can spear the user, you can also use ad retargeting or remarketing (that follows users around the web, in the sense of continuing to show them ads from a particular campaign) to keep a tail on them?

[This post was inspired by an item on Mike Caulfield’s must read Traces weekly email newsletter. Subscribe to his blog – Hapgood – for a regular dose of digital infoskills updating. You might also enjoy his online book Web Literacy for Student Fact-Checkers.]

UK Ministry of Justice GPS Tagging Trial

A couple of days ago, NOMS (the National Offender Management Service) and the Ministry of Justice put out a toolkit for a pilot GPS tagging programme, or as they call it, an Electronic Monitoring Global Positioning System.

According to the toolkit documentation, tags can be used as a condition of bail:

The Bail Act 1976 is the legislation governing court-imposed bail. This allows the use of electronic monitoring but only to ensure compliance with another bail condition (e.g. curfew, geographical exclusion): s6ZAB. To note there is no power to impose Electronic Monitoring as a stand-alone bail condition but only to monitor another pre-existing bail condition. … Where the court does impose electronic monitoring of a pre-existing bail condition then a person must be made responsible for the monitoring. That person can only be someone named by the Secretary of State in secondary legislation. (s.3AC).

If you’re looking for key phrases throughout bits of legislation relating to court orders that can be used to justify tagging as a condition, “electronic monitoring requirement” looks to be a good one. I assume there is also a corresponding “electronic monitoring equipment” phrase defined somewhere, in which case it would be good to know how tightly that is defined or how broadly it can be interpreted…

More generally, the toolkit states that:

“Electronic monitoring” is a generic term, which encompasses different technologies, it is generally used to support punitive requirements, however in principle EM can also be seen as a preventative measure if, for example, an exclusion zone prevents the offender from approaching a specific person or location. It is important to note that EM with location monitoring should only be proposed where it provides a particular identifiable value in protecting the public or specific victims, or in deterring the offender from crime.

The system looks like it provides a range of geo-fencing services, going by some of the instructions given to offenders wearing the tag, who must:

  • stay at their approved address (usually their home) during your curfew;
  • not enter any exclusion zones included in the order, bail or licence conditions;
  • not leave any inclusion zones included in the order, bail or licence conditions.

This is backed up by case study examples:

[Image: Annex A – case studies (PDF) excerpt]

I’m not sure if an exclusion zone can be dynamic? For example, two offenders, both wearing tags, not allowed to be within 50m of each other – can one be the centre of an exclusion zone defined for another? (Also, I’m not sure what the resolution of the devices is?)

According to the toolkit, an inclusion or exclusion zone:

… must be unambiguous. Ideally it should be marked on a map so that the monitoring centre can clearly see what the judge or magistrate intended. If the monitoring centre cannot interpret an exclusion or inclusion zone they may request clarification if the requirement is unclear. … [O]ther conditions that might be supported by a GPS tag, such as attendance at work or at a programme. Again, the purpose must be clear, and where applicable timings should be included. 

That said, the pilot seems to be a bit hacky…

GPS tags used for the pilot cannot easily monitor a curfew without a manual workaround so for the purposes of the pilot we have excluded GPS tagging alongside an electronically monitored curfew.

Oh good…

Also, how do they track location when the offender is indoors or otherwise out of line of sight of the GPS satellites? (Does it use cell tower triangulation as an assist?) How do the devices report back to the control centre (via the mobile phone network?)? According to the product documentation for the tag that appears to be being used in the pilot:

The 3M Electronic Monitoring units store rules in the device, allowing autonomous tracking and monitoring capability without dependence on wireless signal availability. Offenders are immediately alerted in the event of a rule violation. These alerts notify the offender that corrective action is required and serve to help modify the offender’s behavior.

So maybe there are two alerts – one local on the offender, and one when the device phones home. Presumably, an alert is raised if the tag doesn’t phone home within a specified period? But what if that’s because the offender doesn’t fully appreciate the USP of The Faraday Cage Cafe where they go for coffee and doughnuts?

The toolkit document further suggests that the pilot is not appropriate for:

  • Offenders of no fixed abode – electronic monitoring is reliant on a fixed supply to charge.
  • Offenders with serious identified mental health or learning disabilities – there may be particular difficulties with an offender’s ability to understand the device (i.e. need to charge, purpose behind GPS), which could make GPS unsuitable.
  • Subjects under 18 years of age
  • Anyone subject to an electronically monitored curfew should not be given a condition monitored through a GPS tag.

Wider concerns are also touched upon in the toolkit document. For example, when making a recommendation to enter an offender into the pilot:

Authors [of pre-sentence reports] must take account of the balance between a right to a private family life and public protection. Application of the requirement should be proportionate to the risks identified and clearly evidenced to ensure that there is no unintentional bias impacting the proposal and subsequently impacting the individual’s liberty.

The device itself is a rather clunky wearable, as shown in the GPS Tagging Handbook:

[Image: ankle tag, from the GPS Tagging Handbook]

(By the by, I wonder if that tattoo is personally identifying…?)

I’m guessing this product was developed for the US, by the plug on the charger?

[Image: tag charger]

Looking at the 3M product page, this seems to be their One Piece GPS Tracking System; they also have a Two Piece GPS Tracking System.

A guidance leaflet suggests the data may be used in various ways…

Relevant information gathered will be used to monitor your compliance with your licence conditions. If you fail to meet any of the conditions you may be recalled to prison custody. Where justified, the information gathered, including your location data, may be shared with Criminal Justice Agencies, including the Police for other purposes such as the prevention and detection of crime.

The fair processing notice covers this in legalese:

In the event you have been fitted with a GPS tag as part of the Ministry of Justice’s pilot scheme and in order to give effect to a Court order or condition on your prison licence, your whereabouts will be captured by the system 24 hours a day for the duration of the Order or licence condition. Your personal data, including your location data may be shared with other organisations for example (but not limited to) contractors, probation providers and the Police to give effect to the Order/licence, manage your compliance and enforce the requirements or conditions imposed.

Where it is justified, necessary and proportionate to do so, your data, may be shared with others including Criminal Justice agencies (e.g. the Police), for purposes such as (but not limited to) crime prevention, detection, investigation or to facilitate an arrest. Your data may also be shared with other government departments where necessary, such as in the case of legal proceedings.

When undertaking all of these tasks the Ministry of Justice will comply with the provisions of the Data Protection Act 1998. This will include:
– keeping the personal data up to date;
– storing and destroying them securely;
– protecting personal data from loss, misuse, unauthorised access and disclosure;
– ensuring that appropriate technical measures are in place to protect the personal data processed in line with Her Majesty’s Government standards;

All data captured during this pilot shall be retained securely by the Ministry of Justice for a period of at least six years from the end of the analysis of the pilot. Data that has been shared with stakeholders will be held by them in accordance with their data retention policies which must accord with the Data Protection Act 1998.

You have the right to request your personal data (including certain details about them) processed as part of the pilot by contacting the pilot monitoring team (details are at the end of this notice).

Please note that a payment of £10 will be required if you wish to obtain a copy of your data. Each request will be considered carefully in line with the Data Protection Act 1998. Some data may be covered by an exemption within the Act or other legislation which may prevent it being disclosed to you.

The toolkit documentation sets the scene for the (desired) chilling effect that the tag is presumably expected to exert on the offender wearing it. I wonder why consumer tagging devices (phones, Fitbits, wearables, etc.) aren’t also seen as subject to the same chilling effect?

The pilots will seek to test how the use of a GPS tag might impact upon the behaviour of offenders and decision makers in the Criminal Justice System and how it might help to improve rehabilitative outcomes. They may also allow us to see what other benefits GPS tagging may bring and identify any potential barriers to wider implementation.

Location monitoring is live and alerts to the monitoring centre in the event of a potential breach are immediate. The monitoring centre will look into the circumstances and where a breach is confirmed the responsible officer will be notified of a breach.

High risk cases can be flagged on the monitoring system and prioritised for an emergency response. This may act as a deterrent against non-compliance for some offenders. An assessment should be made in relevant cases whether this form of monitoring is likely to deter in the particular case.

The monitoring centre will respond immediately to a breach. When a breach occurs it is flagged on the system. The monitoring centre staff will open up the record and investigate the breach. They are able to look at data 30 minutes before the breach and data post breach.

Here, then, are a couple of reasons why we need to keep tabs on things like the Investigatory Powers Bill on the one hand, and the data collected by service operators who have access to geolocation information on the other: firstly, to try to make sense of the extent to which information collected by those services can be accessed using a warrant; secondly, the extent to which the data could be used, by comparing it to how data specifically collected for the purpose of regulating behaviour (using things like tags) can be used.

The document that perhaps requires the closest reading is the Code of Practice – Electronic Monitoring Data, which opens with a description of where the pilot will run:

[Image: Annex J – Code of Practice (PDF) excerpt describing where the pilot will run]

To a certain extent, the pilot seems to be a fishing expedition:

4. The pilot will test a range of factors including:

  • how GPS tagging might impact on the behaviour of offenders released from prison on licence, suspects on bail and offenders sentenced by the Courts;
  • how Courts, probation staff, Parole Board members, and prison governors respond when given the option of imposing a location monitoring requirement as part of a Court Order or condition as part of a prison licence;
  • what other benefits GPS tagging might confer; and
  • how GPS might best be implemented in practice, and the challenges of operating GPS tagging.

Note the last two…

11. For the purposes of the pilot the data that will be gathered and processed will be that which is required to:

  • identify and tag suspects and offenders who fall within scope for the pilot and who have been made the subject of an electronic monitoring requirement by way of either a Court Order or prison licence;
  • monitor compliance with and enforce the requirements of such orders;
  • minimise the risk to staff involved in the tagging process e.g. any threatening or violent behaviour by the subject or others at the premises;
  • where justified and only in accordance with legislative provisions, the data captured may be shared with Criminal Justice Agencies and other Government Departments to assist with criminal enquiries or to seek advice/representation. The circumstances in which such data will be shared are set out in the body of this document;
  • assist in the evaluation of the pilot and to inform future policy formation and implementation.

The code seems a bit weaselly to me (my emphasis):

12. Personal and sensitive personal data will be collected and, where required and as permitted by legislation, shared for the purposes of meeting the requirements set out above. The electronic monitoring technical solution will capture the subject’s location 24 hours a day. In some cases (e.g. where location monitoring is only imposed to monitor an exclusion/inclusion zone) some of the location data captured at times of compliance will be extraneous to the purposes of monitoring the terms of the order. The technology available for the pilot does not allow for the monitoring of an exclusion zone in another way that would prevent this data being captured. This will be explained to the subject as part of a Fair Processing Notice (see paragraph 35). However, monitoring staff will only monitor the subject’s compliance with the requirements of the order and will not access the extraneous data unless there is a lawful reason to do so. So, if the order imposes an exclusion zone, the subject’s whereabouts will be monitored if they approach and breach that zone. It will not be actively monitored at other times (see paragraphs 35-47 for further details of how data will be shared).

So they haven’t taken the opportunity to design in a certain amount of privacy by not collecting the extraneous data. (The toolkit mentions being able to look at data in the period before a breach; so if the extraneous information is location data outside an exclusion zone, and the wearer breaches by entering the exclusion zone, does the location data outside that area then become “traneous”? To what extent are safeguards in place to prevent access to data unless “there is a lawful reason to do so”? NB This is covered in the Code of Practice – see below.)

I wonder to what extent the data from several subjects can be merged? For example, are there screens that show the co-location of two people wearing tags?

Regarding datasharing, the Code seems to try to lock it down, but then opens it up again? For example:

Private prisons will provide notifications of an electronic monitoring requirement of those individuals released from their custody on a prison licence. They will not need access to the monitoring data. However, should the subject be recalled and end up back in their custody, information regarding the reasons for the recall will be shared with them via another source (NOMS Public Protection Casework Section). Once electronic monitoring data has been passed to a private prison they will become Data Controllers of the information in their possession.

Why would they need the monitoring data and how extensive will that data be? Data will also be shared outside the police in other ways:

22. The Data Processors of electronic monitoring information will be:

  • The third party contractor appointed to provide the tags and monitoring system;
  • The third party contractor employed to evaluate the outcomes of the pilot; and
  • The Bail Accommodation and Support Services (BASS) contractor [eg as described in this Commons Library Research Briefing: The Bail Accommodation and Support Service], as it is required to encourage compliance of individuals held in their premises with the provisions of relevant orders and report any breaches or concerns to the appropriate body.

I’m not sure who the respective third party contractors are?

The data collected includes personal data and sensitive personal data, as defined by the Data Protection Act, and as such subject to it – though maybe with wriggle room:

31. Furthermore, section 29 of the DPA, provides an exemption from a sub set of the DPA requirements in processing of personal data, if it is for prevention or detection of crime purposes. This is not a blanket exemption and so whether this exemption applies or not, will be considered on a case by case basis. In any event, a Schedule 2 condition and for sensitive personal data, a Schedule 3 condition, will still need to be satisfied.

32. Moreover the processing of personal and sensitive personal information engages Article 8 of the European Convention of Human Rights (i.e. the right to respect for private and family life). However, Article 8 is not an absolute right and public authorities are permitted to interfere with it if it is in accordance with the law, necessary in a democratic society for a legitimate aim and proportionate to do so. Therefore, any proposals for data sharing must be both justifiable and proportionate with the appropriate safeguards in place to ensure that personal data is not arbitrarily disclosed.

I’m not sure if Chinese Walls also apply to separate concerns:

The Police will have routine access to the following data for the specified reasons:

In their capacity as the Monitoring Team

i) All data captured as part of the pilot, to discharge its function as the monitoring body for the pilot project.
ii) All data on a single electronic monitoring requirement order imposed as part of a community order or suspended sentence order, and HDC cases, to meet the obligations bestowed upon them as part of this pilot for such orders (see paragraphs 23-26 above).

In their capacity as the Police

iii) Data on Court ordered bail subjects, as they act as the Responsible Officers in such cases.
iv) Data necessary to assist with managing compliance of other subjects such as MAPPA cases and prolific offenders;
v) Any data necessary to assist in the apprehension of subjects who have breached their Court Order / prison licence and are required to be returned to Court or to prison custody.

On the matter of the extraneous data:

33. The system will capture some extraneous location data as mentioned in paragraph 12 above. Those that are tagged will be informed that the tag will capture their whereabouts 24 hours a day as part of the Fair Processing Notice that will be provided to them on induction. Relevant stakeholders will only be provided with location data that is relevant to monitoring compliance with the conditions of the order. Access to the extraneous data will be restricted as set out in paragraph 43 below.

41. Relevant location tracking data i.e. the location data gathered for the purposes of monitoring compliance with Court Order /licence conditions, will be provided to relevant stakeholders via secure email. Where location tracking is in place solely to monitor exclusion/inclusion zones, the data that will be provided to stakeholders by the monitoring team will usually be restricted to the duration of the non-compliance and 30 minutes either side of it. Allowing a window of 30 minute either side of the non-compliance is considered to be relevant data which is necessary for stakeholders to contextualise any breach and for risk assessment purposes.
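To make the zone rules and the “30 minutes either side” sharing window concrete, here is an added example (my own illustration, not code from the MoJ, NOMS or 3M). It evaluates inclusion and exclusion zones over a constructed GPS track, then applies the Code of Practice’s rule that stakeholders only see fixes within 30 minutes of a breach, withholding the rest as extraneous; it goes a little beyond the text by also checking the hypothetical dynamic case raised earlier, two tagged subjects within 50m of each other. All coordinates, timestamps, zone names and radii are constructed sample values.

```python
"""Geo-fence evaluation and data-minimisation filter for a GPS tag pilot.

Illustrative example only: zone names, coordinates, timestamps and radii
below are constructed sample data, not pilot data or vendor code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, time
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class Fix:
    tag_id: str
    at: datetime
    lat: float
    lon: float


@dataclass(frozen=True)
class Zone:
    name: str
    lat: float
    lon: float
    radius_m: float
    kind: str  # "inclusion" (must stay inside) or "exclusion" (must stay outside)


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dp, dl = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def breaches_zone(fix, zone):
    """True when the fix violates the zone's rule."""
    d = haversine_m(fix.lat, fix.lon, zone.lat, zone.lon)
    if zone.kind == "exclusion":
        return d <= zone.radius_m
    if zone.kind == "inclusion":
        return d > zone.radius_m
    raise ValueError(f"unknown zone kind: {zone.kind}")


def find_breaches(track, zones):
    """All (fix, zone name) pairs where a fix breaks a zone rule."""
    return [(f, z.name) for f in track for z in zones if breaches_zone(f, z)]


def shareable_fixes(track, breaches, margin=timedelta(minutes=30)):
    """Fixes within `margin` of any breach: the subset the Code of Practice
    says is passed to stakeholders. Everything else is 'extraneous'."""
    breach_times = [f.at for f, _ in breaches]
    return [f for f in track
            if any(abs(f.at - t) <= margin for t in breach_times)]


def colocated_times(track_a, track_b, max_m=50.0):
    """Timestamps at which two tags report fixes within max_m of each other
    (a hypothetical 'dynamic exclusion zone' between two subjects)."""
    by_time = {f.at: f for f in track_b}
    return [f.at for f in track_a
            if f.at in by_time
            and haversine_m(f.lat, f.lon, by_time[f.at].lat, by_time[f.at].lon) <= max_m]


# ---- constructed sample data -------------------------------------------
START = datetime(2016, 10, 1, 9, 0)
EXCLUSION = Zone("victim-address", 50.3500, -4.3500, 200.0, "exclusion")
INCLUSION = Zone("approved-area", 50.3600, -4.3500, 500.0, "inclusion")


def sample_track(tag_id, lon_offset=0.0):
    """19 fixes at 10-minute intervals, 09:00-12:00. Tag A dips into the
    exclusion zone at 10:30 and 10:40; tag B stays put about 21 m east of A."""
    fixes = []
    for i in range(19):
        at = START + timedelta(minutes=10 * i)
        inside = tag_id == "A" and at.time() in (time(10, 30), time(10, 40))
        lat = 50.3505 if inside else 50.3600
        fixes.append(Fix(tag_id, at, lat, -4.3500 + lon_offset))
    return fixes


TRACK_A = sample_track("A")
TRACK_B = sample_track("B", lon_offset=-0.0003)

if __name__ == "__main__":
    found = find_breaches(TRACK_A, [EXCLUSION, INCLUSION])
    for fix, name in found:
        print(fix.at.time(), name)
    shared = shareable_fixes(TRACK_A, found)
    print(f"{len(shared)} of {len(TRACK_A)} fixes shareable; "
          f"{len(TRACK_A) - len(shared)} withheld as extraneous")
    print("co-located at", len(colocated_times(TRACK_A, TRACK_B)), "timestamps")
```

Run as a script it reports two fixes breaching both the exclusion and inclusion zone, 8 of the 19 fixes falling inside the 30-minute window (the other 11 being the extraneous data the Code says is withheld), and 17 timestamps at which the two sample tags are within 50m of each other. The point of the `shareable_fixes` filter is that the minimisation the author asks about can be enforced in software at the monitoring centre, regardless of the tag itself capturing location 24 hours a day.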

And as far as wider sharing goes:

43. During the course of the pilot, should public authorities require access to data for other reasons or other data, including access to extraneous location data, they will need to submit an External Agency Request (EAR) to the monitoring team. The request must explain why access to the information is required and failure to provide sufficient and appropriate justification will lead to it being rejected. By way of example, should access to data for the purposes of detection or prevention of a particular crime, the requestor will need to set out the reasons why they believe that the specific suspect(s) are likely to be, or were likely to have been, involved in the criminal behaviour that is under investigation. The monitoring team will handle the more straightforward requests using guidance issued by the MoJ. Any further requests, including those that seek access to the extraneous location data will be escalated to the Ministry of Justice to consider. However, if a request is urgent, arrives out of working hours, and the data is needed to manage a significant risk to the public, then, provided the request is justified as set out above, the monitoring team will release the necessary information and the MoJ will conduct a retrospective check.

Presumably, as part of the pilot is to see what other benefits GPS tagging might confer, external requests may well be looked on favourably as part of that?

As far as the operation of the tags goes:

48. Data transferred from GPS tags to the monitoring centre will be via mobile networks and will be encrypted. All data shared with stakeholders will be via secure email.

So the question arises: what about users who are out of signal range? (Are the devices set up for roaming, and capable of phoning home using all mobile operator networks? Or are the tags limited to using a single network?)

It should also be noted that by connecting to the mobile phone network the mobile operators will be able to track the devices in the same way they track mobile phones. If the operator can identify the tag as a tag, offenders’ identities could well be disclosed to the network if they carry a mobile phone around with them all the time that is persistently co-located with the tag device.

As hinted at above, I think this pilot is interesting for several reasons:

  • it is explicitly about using GPS monitoring information to track – and potentially influence the behaviour of the tracked user because they are aware they’re being tracked (panopticon style);
  • there are practical technical issues associated with the technology (GPS, mobile phone network connectivity and tracking);
  • there are issues around data collection and sharing;

More generally, in terms of system design, I see no reason why third party tracking data (collected from other devices, such as mobile phones or beacons) couldn’t be used as a source of location data, which means the pilot gives us an insight into what the police might be able to use this sort of data for as part of a 24 hour surveillance regime.

Of course, if you’ve done nothing wrong, there’s no chilling effect to be afraid of…