EFF Offers an Introduction To Traitorware
theodp writes "The EFF's Eva Galperin offers a brief primer on Traitorware, devices that act behind your back to betray your privacy. 'Your digital camera may embed metadata into photographs with the camera's serial number or your location,' writes Galperin. 'Your printer may be incorporating a secret code on every page it prints which could be used to identify the printer and potentially the person who used it. If Apple puts a particularly creepy patent it has recently applied for into use, you can look forward to a day when your iPhone may record your voice, take a picture of your location, record your heartbeat, and send that information back to the mothership.' She concludes: 'EFF will be there to fight it [Traitorware]. We believe that your software and devices should not be a tool for gathering your personal data without your explicit consent.'"
THERE IS NO GREATER POWER in the world today than that wielded by the manipulators of public opinion in America. No king or pope of old, no conquering general or high priest ever disposed of a power even remotely approaching that of the few dozen men who control America’s mass media of news and entertainment. Their power is not distant and impersonal; it reaches into every home in America, and it works its will during nearly every waking hour. It is the power that shapes and molds the mind of virtually every citizen, young or old, rich or poor, simple or sophisticated.
The mass media form for us our image of the world and then tell us what to think about that image. Essentially everything we know—or think we know—about events outside our own neighborhood or circle of acquaintances comes to us via our daily newspaper, our weekly news magazine, our radio, or our television.
It is not just the heavy-handed suppression of certain news stories from our newspapers or the blatant propagandizing of history-distorting TV “docudramas” that characterizes the opinion-manipulating techniques of the media masters. They exercise both subtlety and thoroughness in their management of the news and the entertainment that they present to us.
For example, the way in which the news is covered: which items are emphasized and which are played down; the reporter’s choice of words, tone of voice, and facial expressions; the wording of headlines; the choice of illustrations—all of these things subliminally and yet profoundly affect the way in which we interpret what we see or hear.
On top of this, of course, the columnists and editors remove any remaining doubt from our minds as to just what we are to think about it all. Employing carefully developed psychological techniques, they guide our thought and opinion so that we can be in tune with the “in” crowd, the “beautiful people,” the “smart money.” They let us know exactly what our attitudes should be toward various types of people and behavior by placing those people or that behavior in the context of a TV drama or situation comedy and having the other TV characters react in the Politically Correct way.
Most of us use these devices for completely mundane purposes. If a company is able to aggregate this information and transform it into something that benefits my experiences using the wisdom of crowds, for example, more power to them.
People want to be able to do what they want with devices they purchase. Isn't it inconsistent to deny this freedom to the companies that sell us these devices?
Traitorware (TM), Pat. Pending. Pay up sucker! FTW!
What one fool can do, another can. (Ancient Simian Proverb)
Right, but most of the conspiracy dudes I met were just trying to ease their own lives over the paranoia they spread.
Don't you think that Betrayalware would be a better term? Anyway, I feel safer already.
To protect yourself, put some tape over the camera and microphone and leave the phone at home.
For justice, we must go to Don Corleone
Even well-intentioned software can backfire: Greek designer who issued “Anonymous” press release caught by metadata
This is typically done by commercial colour laser printers, such as those made by Xerox, Konica Minolta, Ricoh, and so on. The code's printed in yellow toner - which isn't normally noticeable but becomes infuriatingly visible if you use these machines to print light coloured backgrounds - for example, a business card with a silver/light grey background tone. I don't know about Konica and Ricoh, but with the Xerox machines the code can lead right back to you pretty easily.
That said, the Xerox machines do some other interesting things as well - for example, they'll refuse to copy UK banknotes from the glass (presumably they identify the UV markers in the notes? amongst others). I assume this is either to reduce their liability if their machines were used that way, or due to a legal statute in one of their markets? Either way, interesting behaviour.
without your explicit consent
Yup, there's the real issue. They can bury a one-sentence fragment within 52 pages of EULA that gives them "explicit consent." Someone will notice, it'll get a story posted on Slashdot, but still, only maybe one or two out of every several thousand will resist purchasing the next iPhone 5GSXT Pro-Air.
The root of the issue is the backtalk and walls of text used to placate users into 'agreeing' without understanding what rights they're sundering.
There's a spot in User Info for World of Warcraft account names? Really?
If your heart rate is elevated or your palms are sweating, and you're close to an airport/school/gov office building/whatever, you might be planning an attack, why not just be on the safe side and have you come down with the nice men in black down to the local station for questioning?
Turn yourself in, before your own personal (not private) polygraph does!
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
EFFing A!
No, no sig. Really.
ThePromenader
not that our devices embed information; but how that information is used. For example, having a geo location and serial number on every picture can aid in searching for images as well automating workflow (based on specific sensor characteristics). For me, that is good. Sending that info to the "mothership"" (sic), without my knowledge or permission, is bad because they have no reason to need that data; other than to sell it or use it for marketing.
I'd like to see companies that collect data require a more informed consent than burying it in a 50 page TOS agreement; and perhaps notification the first time the data is sent.
I'm a consultant - I convert gibberish into cash-flow.
Is there a list of this kind of products? When I buy a camera or a printer I'd like to know which ones hide serial numbers or the like in the images they produce. EFF should maintain such a list, I think.
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
How Much Information Does Your GPS Store About Where You Have Been? So, is Max Speed on your GPS a bug or a feature?
but with ATT low download cap / high data costs $10 a GIG will apple force that?
what about over seas up to $100 or more in data fees per location?
Don't attribute to malice what can be adequately explained by stupidity. Sometimes a software can be well intentioned, see a place where a lot of maybe useful information could be placed and not look further on that, putting that in. Sometimes in some context that added information could be useful and intended, sometimes not, and you have not enough flexibility to decide by yourself when enable or disable that action.
Could the smtp protocol (and so every software that implements it) be considered traitorware? If you want to send an anonymous message it adds from which IP was sent, how different would be that from cameras that automatically adds gps coordinates in photos?
In the last term, a line between malice in this and what is not should be drawn, and will be very broad with a lot of things in the gray area, but would be good to have a list of what clearly is in the wrong side of it. And if well couldn't call traitorware all that is in the field of what sends somehow away information that could hurt your privacy, awareness of what they send and what exactly implies in that topic to use them, sometimes even in the manuals they warn which private information could be disclosed, well, that it be even the ones that don't disclose that.
http://www.cbsnews.com/stories/2010/04/19/eveningnews/main6412439.shtml
I don't care. Life is better with data. I would actually pay for a phone that records my heartbeat and location and communicates it to a trusted 3rd party. You know what, it might save my life.
"EFF will be there to fight it [Traitorware]. We believe that your software and devices should not be a tool for gathering your personal data without your explicit consent.'"
This sounds a lot like spyware. Why do we need a new word?
Apple's iPhones know where you are when you use the maps and Apple can gather that data and use it to launch missiles at you! Adobe Photoshop can use the GPS data encoded into your photos and send that info to the CIA who will visit those places and scrawl lewd graffiti about your sexuality in all the nearby bathrooms, thus ruining your reputation in the locality and preventing you from being elected to political office!
This would be a lot more of a story if they actually cited some real misuse of data instead of just making claims about the evils that could hypothetically be committed using data that is otherwise kinda useful for the end user. I mean, seriously, it can collect biometric data for identification and store it if it fails as a way to identify who tried to use a device? How is that not something I want my devices to do to identify thieves and people trying to break the security of my systems? No, I don't want some company collecting biometric info on me and using it to track me for advertising or policing purposes, but unless there's actual evidence of such abuse, well it's not much of a story.
It is very hard to commit a crime without leaving some kind of trace. If you use a phone or email or a credit card or you buy bomb making materials somewhere with security video, you will be caught eventually.
An example of the extremes you have to go to, to get away with serious crime over the long term would be the Unabomber. The FBI worked on his case over many years:
"This team made every possible forensic examination of recovered components of the explosives and studied the lives of victims in minute detail. These efforts proved of little use in identifying the suspect, who built his bombs essentially from "scrap" materials available almost anywhere."
http://en.wikipedia.org/wiki/Ted_Kaczynski
Eventually the thing that tripped him up was that his family recognized him because of the way his manifesto was written.
The lesson is that unless you hide in the back woods and refrain from buying anything at all, you will eventually leave traces. Also, don't write a manifesto ;-)
I read the article, and see nothing in the so-called "traitorware" that is objectionable.
I *like* cameras that incorporate metadata. This protects me from lawsuits and proves that the picture is mine and can be used however I want and as often I want. Because I can prove that the photo is mine through the metadata I have an easy way to defend myself in copyright and infringement lawsuits. For me the metadata is a selling feature and a benefit.
Printers that include tags on the paper that can be traced back to the person doing the printing I can also understand. People misuse printers to print out pedophilia (you are scum, and hope you are caught), counterfeiting (I like being able to use money, and hope you are caught), and threatening letters (my sister got several, and I hope you are caught). I just can't get that excited about anyone being able to trace what I print back to me. I can't think of a situation where I would care.
I don't own an IPhone (Droid), but I *like* the idea that it can send my location and heartbeat back to Apple. I'd have liked this on my laptop that had gotten stolen. I'd just call the police, and send Apple the police report. It would make tracking the device actually feasible, and maybe get some of these thieves to be arrested. Cars to some degree have this (called OnStar) and it's a big selling point. I refuse to get concerned about Apple wanting to listen to my heartbeat. Now if they would be so kind to implant the phone, monitor continuously, and notify medical help (and tell them where I am) if the heartbeat becomes arrhythmic and/or stops I would really appreciate that (heart problems is the leading cause of death).
How is this so-called "traitorware" an issue?
Who decides what is right and wrong? In your world it certainly isn't you :)
That's the problem.
You won't be given the choice. You either buy it and accept their right to take your data, or you don't get to buy the product.
Market forces won't solve the problem because business knows the value of the data to them. The company which allows you the clear option not to have your data taken from you will be at a competitive disadvantage and will not last long.
This has to be sorted out in legislation which requires companies to offer the option.
Most politicians couldn't care less about your privacy so it won't happen unless you threaten them with loss of office. Let them know what you think.
Bad thing #1: Locking down devices. Right now, people like the Dev Team jailbreak stuff within a month or two of release. However, eventually hardware chips will get added that are as hard if not harder than baseband modules to crack. Perhaps chips that "supervise" the OS, and if it runs something out of some strict parameters, the device gets shut down until taken to a $AUTHORIZED_STORE and fixed there.
Neutral thing #2: Phones do a lot. They acquire a lot of knowledge about the carrier.
Bad thing #3: Info by #2 is sent back home to carriers.
Bad thing #4: A combined push by LEOs and our *IAAs to find more info about people to start criminal or civil proceedings with ease. Remember, it wasn't that long ago that suing users in the thousands for having a song available, or snarfing a video clip was not thought of.
Bad thing #5: Ad providers being such a strong force. They don't just show disinterest in stopping malware payloads from being delivered through their networks, they want to add new vectors for infection using Phorm-like injectors. They will happily sell any information they get to all and sundry who have the cash.
Bad thing #6: The "piracy" bugaboo. This is a major excuse used for device lockdown.
Bad thing #7: No interest in anti-monopoly regulation.
Bad thing #8: Blacklists are in common use in the industry. For example, if someone gets banned from one casino in Las Vegas, they get banned from all of them.
Now, the day of convergence happens. All this stuff winds up merging. Joe User now buys a smartphone after all these converge:
Day 1: Joe goes out on a date with a co-worker to discuss business. His device notices that it is near other devices, transmits the GPS info to an ad agency. Joe's wife has a search tool that uses info gleaned from ad agencies to monitor where Joe is 24/7 even though his stuff isn't connected. She gives him a tongue lashing when he gets home.
Day 2: Joe visits a MMA place to see about casual sparring. The phone transmits the location, and insurance companies pick it up. They kick Joe off the health insurance because he is engaging in too risky pursuits.
Day 3: Joe posts a private rant on his favorite social network of choice about his job from his home computer. The social network has a top notch privacy policy and has no advertisers at all. However, Joe's phone has an app that quietly slurps up his posts, even though they are posted by another device and sends them to an ad agency. His work subscribes to an employee monitoring system which sends relevant posts if they have the company mentioned. His boss gets handed the rant, and Joe gets fired.
Day 4: Joe decides to go buy a dime bag because he has no job, an estranged wife, and no health insurance. He drives to a part of town that isn't too bad, but where the "upper" level distributors hang out. On the way back, Joe gets pulled over, his car searched and seized, and he ends up in jail. The local PD uses the ad agencies which keep track of all GPS settings of cars in the area, and has pattern matching. Any traffic pattern that is suspect gets an automatic traffic stop and the dog brought out.
Day 5: Joe's wife decides to file a divorce because she wants to move to someone who is making money. She gets someone to check the phone ad agencies and give her the goods on Joe. She serves him divorce papers via E-mail, and because the ad providers know when someone received the message, the E-mail stands up in court as a proper service, just as a visit from the constable.
Day 6: Joe is afraid of monitoring, so tries to flash a ROM without the 24/7/365 monitoring. The device auto-bricks, and he has to take it into an authorized store, pay $300 for them to flash a replacement ROM onto it. Essentially do a fancy version of RSD-Lite. Joe then uses a better utility that prevents the phone from bricking. However because it downloads a utility like su or Cydia, the cellular provider notices the communication between
You are indeed being ripped off in the USA for your data charges.
I pay £15.00 (approx $23) per month for 15Gbytes here in the UK.
IMHO, everyone is being ripped off on International Roaming.
You have no idea where the collected data goes and what inferences will be made from it. Since corporations don't care about your freedoms of speech, assembly, and other freedoms, there's no good reason to assume that the collected data won't eventually serve malevolent ends. Furthermore, the data is often collected without explicit announcement that it is being collected. The data is often distributed to others without explicitly getting consent on a case-by-case basis so the end user has an opportunity to decide that they trust one party but not another. It's very easy to let those who promote convenience and flashy presentation take away your freedoms; it's hard to regain your freedom after you've lost it. The solution, therefore, is to not lose your freedoms in the first place.
Digital Citizen
Let's see.....tweaking my cardio-enabled phone to....wait for it.....
WAIT FOR IT.....
"BWWWEEEEEEEEE......BWWWWEEEEEEE....BWWWWWEEEEEEEEE...."
Got it! Spock's heart rate while lying on McCoy's magical medical bed in the original Star Trek.
Take THAT you (red) blood-sucking corporate parasites!!!
Good for aesthetics... ...apparently also good for preventing you from quickly disabling the phone once stolen...
It might take an unpracticed hand well over 5 mins of prying to get into the case before the battery can be pulled (assuming you did not want to destroy the device in the process)... you can upload a lot of data on a high speed network in that time... Apple will spin this as a feature which enables preservation of your important data prior to a remote wipe, of course it also has other uses...
'Your printer may be incorporating a secret code on every page it prints which could be used to identify the printer and potentially the person who used it.'
Which is precisely the audit trail your boss is looking for.
The same guy who buys the high end color printer that can produce a plausible counterfeit bill.
Most research shows that people can't read more than a 10-point list shown on a single page. That is the size those documents should be for maximum protection of the consumer.
I wanted a personal colour laser printer for myself, nothing flash, but better than 600x600, but I decided against as I had read in a few places that the colour lasers imprint somehow on the page to identify the printer. I think we're fairly safe with monochrome personal laser printers - so far. Don't suggest inkjets, they are horrendously bad value for money.
Take Nobody's Word For It.
Last month was my last check to the EFF. It appears they are firmly entrenched in the world of paranoid conspiracy theory now.
LTR Patent FTW..
At least the missiles they'll fire at you won't be made using itunes. Since it's against the license agreement.
No need to demonstrate the latest research
No, not really. It's invasive and wrong.
---- Booth was a patriot ----
In the state I live in, for example, oral sex is a felony even between man and wife (old law meant to prosecute gays in parks, but they didn't make the distinction in law) and anyone on the street without $200 CASH (no, your plastic doesn't count) and ID (only certain things count) is at least a misdemeanor. They obviously don't enforce these much, it's a handy catch-all for a cop who is sure there's something wrong and needs to arrest you to find out what else he can get on you. In fact, there is an endless list of such laws.
Now imagine a government afraid that their country will overthrow them, or merely riot in the streets, as in Greece or France, when the people figure out what a screwing they've gotten, and who wants to remain in power at any cost.
Bingo -- perfect answer, your device makes you guilty of just about any of these trash laws, on demand, and we simply jail you for that before any demonstration or "movement" can get to critical mass.....
This will not only be allowed, at some point it will be mandated, watch and see. Lucky, no one really needs these fancy bits of tech, they are just candy for anyone who grew up before anyone had them, and most people using them instead of having a life just look silly to us. So get off my lawn.
Why guess when you can know? Measure!
Record your location? Sure, if it's a smartphone with GPS. For standalone cameras, GPS is not exactly a common feature. There are about two models of pocket digital camera on the market that have GPS, and not very many SLRs with it either ... go look. Those that have it make no secret of it; it's actually a big marketing point for people who want to record where they've been taking pictures.
As for smartphone models, I don't know about the Apple or Windows offerings, but Android's camera app exposes it as an option right on the main screen, next to the flash and focus settings ... and I'm pretty sure it defaults to off. People turn this on because they actively want it.
Rather than scaring people about what their devices might be recording, it would be a lot more useful to tell people how to find out what tags are on their photos. For instance, the Linux command line program "exiftags" will tell you this kind of stuff: (Picked from a random image file I had lying around on my laptop.)
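What such a tag dump is reading, as an added example that is not part of the original comment: a standard-library Python parser that pulls the identifying EXIF fields (camera make, body serial number, GPS position) out of a JPEG. The sample image, its values and all function names are constructed for illustration.

```python
import struct

# Tag ids from the TIFF/EXIF specifications; only privacy-relevant ones are listed.
NAMES = {"ifd0": {0x010F: "Make", 0x0110: "Model"},
         "exif": {0x9003: "DateTimeOriginal", 0xA431: "BodySerialNumber"},
         "gps": {1: "LatRef", 2: "Lat", 3: "LonRef", 4: "Lon"}}
POINTERS = {0x8769: "exif", 0x8825: "gps"}  # IFD0 entries pointing at sub-IFDs
TYPE_SIZE = {2: 1, 4: 4, 5: 8}              # bytes per item: ASCII, LONG, RATIONAL

def find_exif(jpeg):
    """Return the TIFF block inside the APP1 'Exif' segment, or None if absent."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):  # image data or end of file: headers are over
            break
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        pos += 2 + seglen
    return None

def read_ifd(tiff, offset, e):
    """Decode one IFD into {tag: value}; every read is bounds-checked."""
    out = {}
    count = struct.unpack_from(e + "H", tiff, offset)[0] if offset + 2 <= len(tiff) else 0
    # Stop before any 12-byte entry that would run past the end of the block.
    for base in range(offset + 2, min(offset + 2 + 12 * count, len(tiff) - 11), 12):
        tag, typ, n = struct.unpack_from(e + "HHI", tiff, base)
        size = TYPE_SIZE.get(typ, 0) * n
        start = base + 8 if size <= 4 else struct.unpack_from(e + "I", tiff, base + 8)[0]
        raw = tiff[start:start + size]
        if size == 0 or len(raw) < size:
            continue  # unsupported type, or the value runs past the end of the block
        if typ == 2:
            out[tag] = raw.split(b"\x00")[0].decode("ascii", "replace")
        elif typ == 4:
            out[tag] = struct.unpack(e + "I", raw[:4])[0]
        else:  # RATIONAL: pairs of numerator/denominator
            nums = struct.unpack(e + "II" * n, raw)
            out[tag] = [a / b if b else 0.0 for a, b in zip(nums[::2], nums[1::2])]
    return out

def audit(jpeg):
    """Return the identifying EXIF fields in a JPEG, with GPS as decimal degrees."""
    tiff = find_exif(jpeg)
    if tiff is None or len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return {}
    e = "<" if tiff[:2] == b"II" else ">"
    ifds = {"ifd0": read_ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)}
    for tag, key in POINTERS.items():
        if isinstance(ifds["ifd0"].get(tag), int):
            ifds[key] = read_ifd(tiff, ifds["ifd0"][tag], e)
    found = {NAMES[k][t]: v for k, ifd in ifds.items() for t, v in ifd.items() if t in NAMES[k]}
    lat, lon = found.get("Lat"), found.get("Lon")
    if all(isinstance(v, list) and len(v) == 3 for v in (lat, lon)):
        # degrees/minutes/seconds -> signed decimal degrees (south and west are negative)
        deg = lambda d, ref: (d[0] + d[1] / 60 + d[2] / 3600) * (-1 if ref in ("S", "W") else 1)
        found["GPSPosition"] = (deg(lat, found.get("LatRef")), deg(lon, found.get("LonRef")))
    return found

def _ifd(entries, at):
    """Serialise a little-endian IFD that will sit at TIFF offset `at` (demo helper)."""
    data_at, body, data = at + 2 + 12 * len(entries) + 4, b"", b""
    for tag, typ, n, payload in entries:
        field = payload.ljust(4, b"\x00")
        if len(payload) > 4:  # values over 4 bytes live after the entry table
            field, data = struct.pack("<I", data_at + len(data)), data + payload
        body += struct.pack("<HHI", tag, typ, n) + field
    return struct.pack("<H", len(entries)) + body + b"\x00" * 4 + data

def build_sample():
    """Constructed JPEG (no pixels) carrying made-up EXIF values for the demo."""
    make, serial = b"ExampleCam\x00", b"SN-CONSTRUCTED-0001\x00"
    rat = lambda *v: b"".join(struct.pack("<II", x, 1) for x in v)
    exif_at = 8 + 2 + 12 * 3 + 4 + len(make)  # first byte after IFD0 and its data
    exif = _ifd([(0xA431, 2, len(serial), serial)], exif_at)
    gps_at = exif_at + len(exif)
    gps = _ifd([(1, 2, 2, b"N\x00"), (2, 5, 3, rat(51, 30, 0)),
                (3, 2, 2, b"W\x00"), (4, 5, 3, rat(0, 7, 30))], gps_at)
    ifd0 = _ifd([(0x010F, 2, len(make), make), (0x8769, 4, 1, struct.pack("<I", exif_at)),
                 (0x8825, 4, 1, struct.pack("<I", gps_at))], 8)
    app1 = b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8) + ifd0 + exif + gps
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

if __name__ == "__main__":
    for name, value in audit(build_sample()).items():
        print(f"{name}: {value}")
```

To check a real photo, pass `open(path, "rb").read()` to `audit()`; an empty result means the file carries none of the listed fields.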
Don't forget the Black Box recording in modern cars that rat you out to police, insurance companies, and the car companies themselves on items that are none of their business such as how fast you drive, and how long before the collision it was that you braked. You certainly didn't knowingly agree to this in buying your last car, yet it's common for your opponents to be able to get this data after an accident, insurance claim, even a vehicle warranty issue. THIS SHOULD NOT BE ALLOWED WITHOUT YOUR EXPLICIT CONSENT.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Sure you may have this pile of data about me but you don't know me. Until you respect me enough to ask for my information and give me something in return you can go pound sand. Google is a perfect example of giving something in return. They give you a bunch of free stuff (Gmail, Earth, docs etc) in return for "targeted advertising". I'm sure they are collecting a fair amount of data about me but I don't care because they are giving something back. If you're just gonna surreptitiously spy on me and steal my data without giving something in return then screw you. There is no marketable "service" here. It's just spying and I'm not buying it. The sad thing is, Steve Jobs doesn't care. He knows that most people don't care about privacy much less recognize it as a profitable commodity. I currently have an iPhone and was impressed that you can turn location services on or off for any applications that use it. I guess I'm going low tech on my next phone.
"We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
...you can look forward to a day when your iPhone may record your voice, take a picture of your location, record your heartbeat, and send that information back to the mothership...
Look forward?
I thought it was able to do these things already, and they were marketed as features.
Does a GPS work on a jet? Is it allowable (I believe they only receive, not send). If so, you could probably get some pretty ridiculous max speeds on those.
For those reasons as well, I doubt it would be usable as evidence unless you've also got a log of a recent clear-time, and a clear chain of possession since that time (who says you had the GPS the whole time, and for that matter that it was functioning properly).
I propose Finkware. "Traitorware" has too damned many syllables.
-kgj
or rather, parents trying to explain to kids why signing up to $SOCIALNETWORKINGSITE (just like all their friends are doing) is a Bad Idea?
Whichever EFF drone came up with this name needs a serious sit down with the dictionary. Whichever EFF muckamuck approved this press release most likely needed either a little more or a little less attention from mommy & daddy.
"We believe that your software and devices should not be a tool for gathering your personal data without your explicit consent.'"
Uh, they already have your "explicit" consent. It's buried in line 4,724 of the EULA that you never read. Don't feel bad, nobody reads those damn things anyway...
Can you say Acxiom? I knew you could.
C'mon dude it is Christmas, don't kill my buzz yet.
Woe be on to them, all who rise against poor people, shall perish in a the end. Buju Banton
If you are worried about your freedom of speech, assembly, etc., you have a problem with the government, not companies. After all, if there is a legal way to censor speech, government will find a way to do it one way or another, be it with the help of businesses or something else. Instead of hunting down companies that facilitate government abuses, I would say it is better to ensure government can't abuse you in the first place.
Has anybody positive proof that this kind of hidden software is NOT already running in every (non - tampered with) iPhone?
Not only that, it is being preserved for a later date when something can be squeezed from all that "useless" and "trivial" information.
Just because you can't think of how it could be used against you now, doesn't mean 20 years from now the collection will still be meaningless.
Nineteen_Eighty-Four was only a mere shadow of where we are going as far as privacy is concerned.
I recall a science fiction story written in the 1940s or 1950s (sorry, don't recall the title, couldn't find online) about a device that prefigured the modern calendar/reminder application, based on a wire recorder (the predecessor of the tape recorder), that gradually was improved to become an electronic adviser (prefiguring the modern smartphone), and was given the name 'poo-bah' after the character "Poo-bah, the Lord High Everything Else" in the Gilbert and Sullivan play The Mikado.
The Poo-bah was a big hit in society, and soon everyone had one. It started out as a voice interface, but eventually was improved to have a neural implant. Then the devices were given wireless networking capabilities and artificial intelligence. Soon the Poo-bahs were communicating automatically with each other, and gradually began taking over everyone's minds and creating a Hive Mind. Considering the story was written before tape recorders had even become well known (else, I presume, they would have been used in the story instead of wire recorders), it's amazing how much of the smart phone's capabilities were prefigured in this story.
I wish I could recall the name of the story, but in any case, we're on our way. :)
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
embedding the exif data with serial numbers is kind of a good thing - for one if your camera is stolen or lost you would be able to hopefully search for the exif profile online to see if anyone used and posted it - sometimes things go too far, that is you should be able to kill any functions outside of metadata embeds (for legal reasons more than anything, as someone who works in the legal field, removing of metadata actually puts you more at risk than scrubbing it) like location and time sending or usage stats.