Citizen Continues Its Push To Become Cops-For-Hire By Leaking Sensitive Data... Twice

from the another-confidence-boosting-PR-debacle dept

The bad news keeps coming for Citizen, the app that really wants to be a cop.

Not only is its desire to become some sort of private party/law enforcement hybrid generating it some bad press, but its prior incarnation as "Vigilante" suggests it has always wanted to be in the business of taking down bad guys, with or without the requisite lawfulness.

The former "Vigilante" proved true to its past moniker following a wildfire in California, promising a $30,000 bounty to any user or employee who took down the bad guy identified by Citizen. Well… misidentified. After calls from CEO Andrew Frame to "GET THE FUCKER," Citizen had to offer up a bunch of apologies for turning an innocent person into a prime suspect.

Coming on the heels of all of this bad news is even more bad news. First off, as Joseph Cox reported late last week, Citizen leaked a bunch of users' COVID-related data following its expansion into contact tracing late year under the name "SafePass."

Crime and neighborhood watch app Citizen, which also launched a COVID-19 contact-tracing feature and broader citywide COVID surveillance program, exposed users' COVID-related data to the public internet, allowing anyone to view specific users' recent self-reported symptoms, test results, and whether their device had recorded any close contacts with other people using the feature. The information is directly linked to a person's username, which often is the person's full name.

Hacker collective Anonymous was able to access the data and pointed Motherboard in its direction. The exposure of this data runs contrary to Citizen's security claims.

The feature's privacy policy says that "We have specific systems to control data access, and all access is logged and regularly audited." The SafePass website says "Data is private and encrypted" and that contact tracing data is deleted after 30 days (some of the data in the exposed cache dates from earlier than 30 days ago).

Citizen fixed its leak shortly thereafter, claiming the exposure only affected a limited number of users. But that set the stage for a larger breach and another successful hacking of Citizen's databases.

A hacktivist has scraped a wealth of data from the crime and neighborhood watch app Citizen and posted it on a dark web site, Motherboard has learned. The data includes a huge amount of data related to 1.7 million "incidents"—events that Citizen informs users about concerning crime or perceived crime in their area—such as the GPS coordinates of where the incident took place, its update history, a clip of the police radio that the incident relates to, and associated images.

Posted with the accompanying slogan of "Fuck snitches, fuck Citizen, fuck Andrew Frame and remember, kids: Cops are not your friends.", the data appears to contain plenty of what's already publicly-available through Citizen's online portal. The difference here is it's all in one place, which makes it much easier for researchers and journalists to parse the data for patterns and analyze user behavior.

And there's also some stuff Citizen doesn't make available to users and site visitors in this data dump.

The list appears to include videos that have been marked for removal from public consumption on the app by Citizen's content moderation team, with some including the tag "Moderator Blocked Stream," according to the hacker and Motherboard's viewing of the files. These videos are still accessible if visited with the direct link included in the scrape.

Not exactly a confidence booster, especially when the app's founder wants Citizen to become a crucial part of the law enforcement experience, if not actually law enforcement itself. But a combination of PR blunders and data breaches sounds about par for the (government) course, so maybe this is just Citizen inadvertently laying the groundwork for its move into the public sector.

Filed Under: data breach, leaks, private law enforcement, snitching, vigilante
Companies: citizen

Private Security Company Thinks It Should Be Able To Take People To Jail Just Like Real Cops

from the Uber-but-for-vigilantes dept

A snitch app called Citizen is angling for the position of Local Law Enforcement®. Going a step further than hotbeds of bigotry like Ring's Neighbors or Facebook-but-for-racism Nextdoor, Citizen is actually trying to create a private law enforcement agency that provides "security" and other services for app users.

A marauding cop-like patrol vehicle emblazoned with the Citizen logo (and some branding for another private security company) was spotted roaming Los Angeles last week. The desire to create a private cutout in public law enforcement space was confirmed by current and former Citizen employees, as well as documents shared with Motherboard and Joseph Cox.

It's not just theoretical. It appears some employees of this private company really want to convert Citizen into a law enforcement agency. (Supporters of this move may also contain members of the Los Angeles Police Department, which called Citizen's move towards patrolling the streets a "game changer.") Then there's this new twist, which indicates Citizen's partner in patrolling -- Los Angeles Professional Security Services -- really would prefer to be an actual law enforcement agency, rather than the private security company it actually is.

In a self-described “documentary” on the Los Angeles Professional Security YouTube, the company's CEO and founder James Caspari explains after detaining two tresspassers that the company wants the power to make arrests and take people to jail.

“We’re going to waste police resources because we can’t drive them to the police station,” he said. “The security guard manual says we have to wait and a peace officer has to take them. That’s just a waste. If we’ve already cleared it... why can’t we just take ‘em to jail?”

Flow my tears, the fake policeman said. Why? WHY?? Because you're a goddamn rent-a-cop. You're not the real thing. You don't get to start depriving people of freedom just because you're dressed in black cop-adjacent garb and employed by a private security firm. No one has granted you the right to arrest people because that's limited to publicly-funded government agencies that are (in theory) more accountable to taxpayers than a private company that only answers to paying customers.

"Private security has zero authority on a public space," he later laments.

Go be a cop then. If it's killing you that you can't violate rights as a private citizen, go get an actual cop job where you can violate rights on the taxpayers' dime. Sure, this seems a bit backwards but that's how it works. The government gets to do certain things with the implicit consent of the governed. Los Angeles citizens have not agreed to allowing private citizens to start throwing other private citizens into faux cop cars in order to take them to jail. What standard is LAPS applying to itself when it affects an arrest? There are rules in place, backed by the Constitution. And, while these rules may be violated with alarming frequency by government agencies, they're still rules. Private companies don't have to adhere to the Constitution. And that's why they shouldn't be getting into the business of violating the rights of others. (And, before certain commenters start trying to turn this statement into something about social media, no one's rights are violated when a company refuses to provide you a platform for expressing yourself.)

Going from bad to arguably worse, the CEO of a private security firm actually believes it's capable of responding to mental health calls with its staff of people who apparently couldn't cut it as real cops or first responders.

Caspari explains in the video that LAPS believes it can remove trespassers and respond to mental health calls. “We are in a position to respond in force to effectively anywhere in the city to remove any negative element that a client of ours is threatened with,” Caspari said in the video.

And even in its own video, which it had the chance to edit before publishing it, the private security company's employees are given the "what even the fuck" treatment by the partners Citizen and LAPS really want to have on board: the Los Angeles Police Department.

After searching an abandoned building, LAPS employees cuff the two people they find there and wait for the LAPD to arrive. Caspari explains this is all cool and legal: a "private person arrest" supported by California law. After lamenting the "waste of time" that is waiting for actual law enforcement to show up, he's greeted with LAPD officers wondering why the private security firm is patrolling abandoned buildings that appear to be outside of its contractual obligations with its customers.

At one point, the LAPD does turn up. A seemingly surprised LAPD officer asks Caspari, "Is that your normal protocol, you guys just go search the building?"

"On your own, or? Just curious, I've never dealt with you guys before," the LAPD officer continues.

It's a legitimate question. If the private security company wasn't asked by the owners (and "abandoned" suggests no real owner exits) to patrol the building, why the hell are they entering it? At that point, the security personnel are just as guilty of trespassing as the people they detained.

Since there are no good answers to that question, the CEO moves on to complain the LAPD doesn't have enough resources to harass the homeless, leaving people "pushing two shopping carts down the road" free to annoy Caspari.

If nothing else, Caspari has the right mindset for law enforcement. The people who should be rounded up first are hanging out in abandoned buildings or irritating the locals with their homelessness. Nothing in the video suggests the security firm is stumbling across serious or violent criminal activity that's not being handled by the LAPD. Instead, the CEO complains his company has its hands tied, unable to remove homeless people, trespassers, and the mentally ill from the street without having to bring the LAPD into it.

If the LAPD has to use its resources to handle more serious crime and leave this sort of "crime" unaddressed, good. But that's not an invitation for private companies to fill this perceived void. Providing security for paying clients is fine, but wanting to be a cop just so you can round up a bunch of non-threatening, non-violent people makes you worse than the actual cops. This is just a bunch of people cosplaying and wishing their cardboard props were real. And it's going to do serious damage to Los Angeles residents if companies like this continue to believe they should have the right to violate the rights of others.

Filed Under: arrests, law enforcement, private cops, snitching, vigilante
Companies: citizen, la professional security services

Ohio Government Asks Companies To Snitch On Employees, Gets Hit With Auto-Generated Bogus 'Tips' Instead

from the defeating-a-fraud-portal-with-fraudulent-submissions dept

Asking citizens to snitch on other citizens never seems to work out very well. The federal government has been doing it for years, maintaining "See Something, Say Something" hotlines that have mostly collected tips from people concerned about what their browner neighbors are doing. The same thing happens in the private sector. Ring's proprietary app -- Neighbors -- collects the same sort of garbage, empowering bigots to feel like they're acting on behalf of the common good.

With lockdown orders in effect and social distancing rules in place in several cities and states around the country, local governments are asking residents to pitch in with enforcement efforts by reporting those who are breaking the rules. New York City opened a tip line for reports of social distancing violators and collected a bunch of Hitler-related memes, videos of the mayor going to the gym, extended middle fingers, and dick pics instead.

The state of Ohio is asking for the same trouble. Its unemployment fraud portal is supposed to collect reports from businesses about employees of theirs that are collecting unemployment rather than coming into work. Some employees are opting out of potential infection when employers haven't shown the willingness to protect them by enforcing social distancing rules and/or providing them with personal protective equipment.

The state is now going to have to sift through a whole lot of algorithmically-generated crap to find genuine reports of work shirkers, thanks to the efforts of one anonymous coder.

The script, which began circulating on social media earlier this week, automatically fills out a “fraud reporting” form on the state of Ohio’s unemployment insurance website. State officials created the form to encourage companies to snitch on workers who are refusing to work under unsafe conditions, drawing outrage from workers and labor rights advocates. The script’s creator says the goal is to overwhelm the site with a flood of fake submissions, making it harder to process claims and thus deny people their benefits.

Flooding government websites with garbage data isn't the ideal solution but this will possibly make it more difficult for businesses to punish employees they're putting in harm's way by refusing to protect them from potential infection. The downside is this may also delay processing of legitimate claims from people who've been laid off. But if claims continue to be paid while investigations are still ongoing, it's probably a net win for employees who'd rather not roll the dice on dying while the pandemic runs its course.

The state is now aware of the scripted submissions and has deployed a new CAPTCHA that's a bit more difficult to defeat with a script. But the coder is already working on a way to bypass it so the flooding should resume momentarily. Unfortunately, there's no way to personalize submissions with dick pics or Hitler memes, but it should at least slow the roll of vindictive employers who'd rather see their employees punished than protected.

Filed Under: covid-19, lockdown, ohio, pandemic, safety, snitching, tipline, unemployment, workers

GCHQ Follows NSA Into Paranoia -- Just As Julian Assange Predicted

from the cognitive-decline dept

One of the knock-on effects of Snowden's leaks is that the NSA is terrified there might be more whistleblowers, and has taken extreme action in an attempt to reduce the risk of that happening by stripping 100,000 people of their security clearances. In other words, it no longer trusts huge swathes of the people it works with -- hardly a healthy situation. Now it seems that GCHQ has succumbed to a similar paranoia about its employees:

GCHQ is sponsoring ways of identifying disgruntled employees and those who might go on to be a security threat through their use of language in things like office emails.

The article in the Gloucestershire Echo -- the English county where GCHQ is located -- explains how potential whistleblowers will be identified:

"research will investigate the use of techniques from the field of natural language processing to detect the early indicators of an insider’s threat."

That means changes in the way a person communicates can give a clue that they are unhappy and perhaps prepared to do something to harm the organisation.

Of course, what this also means is that people working at GCHQ will become more self-conscious, start to watch their words, and probably think much more carefully about how they share their insights and analyses. That will inevitably lead to a loss of spontaneity, and of efficiency; the more GCHQ starts hunting down potential whistleblowers, the more it is likely to diminish its own effectiveness.

What's interesting about this development on both sides of the Atlantic is that it was predicted as far back as 2006:

The more secretive or unjust an organization is, the more leaks induce fear and paranoia in its leadership and planning coterie. This must result in minimization of efficient internal communications mechanisms (an increase in cognitive "secrecy tax") and consequent system-wide cognitive decline resulting in decreased ability to hold onto power as the environment demands adaption.

Those words were written by a certain Julian Assange before he became (in)famous. Say what you will about him, you have to given him credit for being spot-on here -- and well ahead of his time.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: gchq, julian assange, nsa, paranoia, snitching