soloActivist

joined 1 year ago
[–] [email protected] 0 points 6 days ago* (last edited 6 days ago)

There are many stakeholders with much to gain from the mass collection of data

Right but they need our permission because they want to hold on to power. This is what Snowden covers when he talks about cover for action w.r.t. surveillance programs. They need the anti-terror excuse. They rely on it. Where does that excuse come from? This article covers it well.

It’s not that long of a read. But I thought this was a gem worth quoting here:

One of the senators, Russ Feingold, said during the debate preceding the vote on this law [US Patriot Act]:

"There's no doubt that if we lived in a police state, it would be easier to catch terrorists. If we lived in a country where the police were allowed to search your home at any time and for any reason, if we lived in a country where the government had the right to open your mail, listen to your phone conversations or intercept your e-mail communications... the government would probably discover and arrest more terrorists, or would-be terrorists, than in the past. But it would not be a country we would want to live in."

He was not listened to by his colleagues, and was the only senator not to vote for the PATRIOT Act.

I should also mention he was a Democrat (not relevant to the point, but noteworthy nonetheless).

This is not to dismiss what you’ve said. But the “unthinking masses uncritically accepting the convenience” will be under the influence of the idea that anti-terror justifies it. A forced-banking policy will acquire the 55-65% you mention under that premise. The convenience of electronic payment is just the lubrication that will demotivate resistance. In fact I suspect we already have a majority believing the anti-terror narrative both as justification and the effectiveness of it.

 

The unwarranted surveillance policies that get enshrined into law and all the illegal snooping by the gov seem to trace to anti-terror legislation and anti-terror backroom initiatives. I have to wonder, is this all attributed to Israel? If the US and other Israel allies had quit supporting Israel during their oppression of Palestinians, would there be a notable terror threat that could then be the cause for action (for unwarranted snooping) under the anti-terror façade? Would bankers have been converted into police had it not been for Israel’s oppression of Palestine?

Is this why we will lose cash in the future?

Have any privacy orgs calculated how many terror incidents stem from a consequence of supporting Israel? This could even count the white supremacist nutters who attack mosques in retaliation.

What would be a more effective anti-terror policy?:

  • Snoop on everyone in every possible way. Wiretaps, forced banking, making bankers into cops, video surveillance everywhere with facial recognition.. etc.

or

  • Stop supporting Israel.
[–] [email protected] 2 points 3 weeks ago (4 children)

I was trying to recall where I read about that. Search is terrible. Took some digging but found it here:

https://mander.xyz/post/18090719

[–] [email protected] 1 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

There is no public ledger for cash. There is no attack surface on the devices of yourself or the other party by which your cash transaction can be compromised. There are no electronic records to exfiltrate unless one party proactively deliberately records a transaction. And if they do, there is no non-repudiation. There is no risk that any cryptanalytic advances can later expose the whole history of all cash transactions or even a chain of cash transactions. Cash transactions leave no trace unless you do them under surveillance.

[–] [email protected] 1 points 3 weeks ago

This is the thread covering it:

https://links.hackliberty.org/post/2983664

Apparently the hospital eventually agreed to the patient not using the app but demanded the patient agree to an indemnity that the hospital would not be liable if they fail to reach him quickly.

[–] [email protected] 1 points 3 weeks ago* (last edited 3 weeks ago)

No issue there.. I cross-posted it today to the human rights community (which I did not know about at the time I wrote the post), since my question still stands.

[–] [email protected] 2 points 3 weeks ago* (last edited 3 weeks ago) (2 children)

I don’t quite recall the context I had in mind when I wrote that post 1 year ago, but Belgium (for example) has enacted a law that all suppliers must accept electronic payment. It’s not just shops or b2b situations. It’s all-encompassing, including self-employed freelancers. Even someone who rents part of their home out must give the tenant the option to pay electronically.

Also in Belgium: employees and contractors can only accept cash payment if they happen to work in an industry where that is common. So if you’re not (e.g.) a domestic worker, receiving cash wages is generally banned. At the same time, no matter what the situation is, a cash transaction can never exceed €3k. Buying a house cannot involve 1 euro of cash, which is strictly banned from all real estate transactions.

Many water and utility companies refuse cash. So if you consider the right to housing to include a right to water and power, then those consumers are being forced to use a bank. But that’s not apparently government force.

[–] [email protected] 3 points 3 weeks ago* (last edited 3 weeks ago) (4 children)

Where is this? I think if he is in China or Europe he would already be excluded from society to some extent. But I don’t believe it would be a problem in the US (of course neglecting obscure cases like that of the Georgia attorney general).

There are so few of us without smartphones that are updated Google/Apple attached and subscribed that we should be collecting the stories of exclusion somewhere.

(edit) I take back what I said about the US. I just remembered a patient who was denied medical care in the US because he did not go to the Google Playstore to install the app of the hospital.

[–] [email protected] 4 points 3 weeks ago* (last edited 3 weeks ago)

That link is unreachable from secure networks (tor). I can’t quite work out if you’re talking about a digital national passport, or a COVID “passport”. I suspect you mean the former.

I see no problem with border control forcing people to present a passport (or particular form thereof) if they have one. But a citizen is (or should be) absolutely entitled to enter their country, full stop. If they have no documentation at all, it would be an abuse of their rights to deny them entry on that basis. We might expect a citizen without docs to face a long inconvenient process to verify their citizenship, but it’d be a perverse injustice to deny them entry. IMO a passport should be a convenience, not a requirement.

I recall either Australia or NZ was refusing entry of their own well documented citizens if either they had COVID or were unvaccinated (I forgot which). Regardless of their COVID situation there is no good reason for denying a citizen entry. It dilutes the purpose and meaning of citizenship. Anyway, this is why I cannot be sure what passport you’re talking about.

[–] [email protected] 6 points 3 weeks ago

I think the common term for “internet-izing” is #digitalTransformation. That’s the language used in the EU as they enact policy that ultimately cattle-herds people into a forced digital transformation. The quasi antithesis of that which wiser people support would be:

  • right to be offline
  • right to be analog
  • right to unplug

I kind of favor right to be analog because it also somewhat implies a right to cash and to be unbanked.

[–] [email protected] 16 points 3 weeks ago* (last edited 3 weeks ago) (3 children)

Indeed in Netherlands I already encountered an e-receipt-only fiasco at a cafe. They forced me to order and pay by app as a cloud order (no cash.. no paper menu either). I had a degoogled phone so I could not do Playstore and their captive portal did not work on my phone anyway. So a staff member had to lend me their phone just to be able to order. Then the order was trapped in their account. The receipt becomes more important when paying by card so I can check it against the bank statement later. They had no printer. Only e-receipts. And their app could not handle entering another email address than what the staff member already entered for their own account -- assuming I were even willing to give them a (disposable) address as I oppose feeding Google on general principle and their email provider was Google. They could not handle pulling out a notebook and writing out a receipt.

Throughout the whole fiasco the staff must have been wondering “what’s wrong with this person? How can someone be walking around in public without a recent smartphone and all the Google services?” Probably wondered if I was part of an organised crime gang.

I’m also excluded from my public library’s Wi-Fi for not carrying a subscribed SMS-capable phone to get past the captive portal. So WTF, to get wi-fi service (financed with public money) you must already be equipped with tools that are generally redundant with wi-fi to begin with. They seem to be excluding the people who would need wi-fi the most from wi-fi service.

 

All links for this story are shit -- Cloudflare or paywalls. So I linked the archive and will dump the text below. Note the difference between my title and the original. I think mine is more accurate. The AG seems to view feature phones as a tool for criminals. But also says having no phone is suspect as well, so the original title is also correct.


Georgia AG claims not having a phone makes you a criminal

That’s dangerous for constitutional rights
SAMANTHA HAMILTON
FEBRUARY 12, 2024 6:52 PM

The ubiquity of smartphones is causing some to pine for simpler times, when we didn’t have the entire history of humankind’s knowledge at our fingertips on devices that tracked our every move. There’s a growing trend, particularly among young people, to use non-smartphones, or “basic phones.” The reasons range from aesthetic to financial to concern for mental health. But according to Georgia Attorney General Chris Carr, having a basic phone, or a phone with no data on it, or no phone at all in the year 2024, is evidence of criminal intent. The AG’s position poses grave dangers for all Georgians’ constitutional rights.

Last month, Deputy Attorney General John Fowler argued in state court that mere possession of a basic cellphone indicates criminal intent to commit conspiracy under Georgia’s racketeer influenced and corrupt organizations statute, better known as RICO.

His accusation was directed at 19-year-old Ayla King, one of 61 people indicted last summer on RICO charges linked to protests in the South River Forest where the $109 million Atlanta Public Safety Training Center, nicknamed “Cop City” by its opponents, is slated to be built. The RICO charges against King and the 60 other RICO defendants have been widely criticized as a political prosecution running contrary to the First Amendment. King is the first of these defendants to stand trial.

During the Jan. 8 hearing in Fulton County Superior Court, Fowler argued that a cellphone in King’s possession on the day of their arrest, which he characterized as a “burner phone,” should be admissible as evidence of wrongdoing, even though it contained no data. He went even further to suggest that not possessing a cellphone at all also indicates criminal intent. Judge Kimberly Adams agreed to admit evidence of King’s cellphone.

Civil liberty groups are decrying the AG’s argument and court’s action as violations of constitutional rights under the First Amendment and Fourth Amendment. In an open letter to Attorney General Carr, the groups wrote, “It is alarming that prosecutors sworn to uphold the Constitution would even make such arguments—let alone that a sitting judge would seriously entertain them, and allow a phone to be searched and potentially admitted into evidence without any indication that it was used for illegal purposes.”

The Supreme Court recognized in the 2014 case Riley v. California that cellphones carry enough personal information—photos, text messages, calendar entries, internet history, and more—to reconstruct a person’s life using smartphone data alone. “Prior to the digital age, people did not typically carry a cache of sensitive personal information with them as they went about their day,” the Court noted. “Now it is the person who is not carrying a cellphone, with all that it contains, who is the exception.”

On the dark side of smartphones’ interconnectivity is their susceptibility to surveillance. In 2022, it was reported that the U.S. Department of Justice had purchased for testing a version of the Phantom spyware from NSO Group, an Israeli firm which sold its surveillance technology to governments like Mexico and Saudi Arabia to spy on journalists and political dissidents. Phantom could be used to hack into the encrypted data of any smartphone located anywhere in the world, without the hacker ever touching the phone and without the phone’s user ever knowing. The U.S. federal government denied using Phantom in any criminal investigation, but concerns about surveillance in the U.S. have led some folks to obtain basic phones.

Flip phones have made a comeback, and the potential for invasion of privacy is one of the reasons why. I’m not talking about the recent wave of smartphones that flip open. I’m talking about early 2000s-era basic phones, whose smartest feature was the game Snake or, if you were lucky, the ability to set your favorite song as your ringtone.

Folks are returning to basic phones—or in the case of Gen Z, turning for the first time—out of recognition that doom scrolling on a smartphone for hours each day is not good for mental health. For some older adults, basic phones, which offer few features beyond calling and texting, are preferable to smartphones for their simplicity. There are lots of reasons why someone might have a basic phone—not to mention they’re cheaper and more durable than a lot of smartphones.

Using simple phones that have little data on them is a legitimate, and common, practice for journalists, whistleblowers, human rights activists, and other people seeking to protect their identities or those of others from surveillance by the government or malicious actors. The Committee to Protect Journalists recommends that journalists cycle through “low-cost burner phones every few months” to maintain their safety and that of their sources. Even athletes competing in the 2022 Beijing Olympics were advised to use burner phones in light of the overreaching state surveillance in China.

Using a burner phone is not evidence of criminal intent—it’s a reasonable response to the threat of surveillance and government overreach. While burner phones are not immune from location tracking via cell towers, the fact that they contain much less data than a smartphone can make them a more secure form of communication.

How deeply invasive of privacy rights will the AG’s logic extend? Will the prosecution argue that using a virtual private network (VPN) is evidence of criminal intent? What about communicating via encrypted messaging apps, like Signal? The First Amendment protects the right to anonymous speech, and the use of privacy protection measures like VPNs and Signal has become commonplace in today’s world. The AG has already asserted in the RICO indictment that anonymous speech communicated online constitutes a conspiracy, but if the AG argues that using VPNs and Signal is evidence of criminal intent, he would be going even further by claiming that the very tools which make people feel safe to communicate online are themselves evidence of criminal intent, thereby assuming criminality before the speech has even taken place.

The position the AG has taken in Ayla King’s case has the potential to make all of us suspects. If you have a smartphone with data on it, the information on the phone can be used as evidence against you. And if you have a phone with no data on it or no phone at all, that can be used as evidence against you.

The state’s use of the absence of evidence as affirmative evidence is an unsettling development, and one that seems desperate. Is it—and perhaps the RICO charges themselves—a sign of prosecutorial weakness in a case intended to silence criticism and criminalize First Amendment expression?


(update) possible awareness campaign action: Would it be worthwhile for people who do not carry a smartphone to write to the Georgia AG to say they don’t carry a smartphone? The idea being to improve the awareness of the AG.

take action

[–] [email protected] 0 points 3 weeks ago* (last edited 3 weeks ago) (3 children)

Not sure what your point is. Monero is far more traceable than cash. Any self-respecting privacy advocate would fight against the war on cash first and foremost. Anything else is less important to fight for because it’s less private. When cash is gone, gold coins will probably be more private than Monero.

[–] [email protected] 1 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

If you try bringing 100k in cash to buy a car/house, there is a good chance it’ll get seized by police.

In the US debtors are /entitled/ to pay their debts using legal tender, and mortgages are not excluded AFAIK. In the UK, you can legally pay your mortgage with legal tender.

if you use a cell phone they know what store you went into. That can be combined with other metadata to know exactly what you’re doing. Carrying cash does not fix this.

You need not carry a mobile phone. I don’t. Cash is part of that equation. If I walk into an unsurveilled shop with cash, no phone, and no loyalty card to buy liquor, how does that get pinned on me?

It could become criminal in the future to not carry a smartphone (with the direction things are going in), but that’s not yet the case in most of the world.

 

cross-posted from: https://links.hackliberty.org/post/2667522

Apparently some company I do business with shared my data with another corp without me knowing, then that corp who I did not know had my data was breached.

WTF?

Then the breached corp who could not competently secure the data in the first place offers victims a gratis credit monitoring service (read: offers to let yet another dodgy corp also have people’s sensitive info thus creating yet another breach point). Then the service they hired as a “benefit” to victims outsources to another corp and breach point: Cloudflare.

WTF?

So to be clear, the biggest privacy abuser on the web is being used to MitM a sensitive channel between a breach victim and a credit monitoring service who uses a configuration that blocks tor (thus neglecting data minimization and forcing data breach victims to reveal even more sensitive info to two more corporate actors, one of whom has proven to be untrustworthy with private info).

I am now waiting for someone to say “smile for the camera, you’ve been punk’d!”.

(update)
Then the lawyers representing data breach victims want you to give them your e-mail address so they can put Microsoft Outlook in the loop. WTF? The shit show of incompetence has no limit.

 

The link is Cloudflare-free, popup-free and reachable to Tor users.

(edit) Some interesting factors--

from the article:

For a period of over 2 years, Uber transferred those data to Uber's headquarters in the US, without using transfer tools. Because of this, the protection of personal data was not sufficient. The Court of Justice of the EU invalidated the EU-US Privacy Shield in 2020.

Yes but strangely & sadly the US benefits from an adequacy decision, which IIRC happened after 2020. This means the US is officially construed as having privacy protections on par with Europe. As perverse as that sounds, no doubt Uber’s lawyers will argue that point.

The Dutch DPA started the investigation on Uber after more than 170 French drivers complained to the French human rights interest group the Ligue des droits de l’Homme (LDH), which subsequently submitted a complaint to the French DPA.

Wow! I wonder what triggered so many drivers to consult a human rights group. I mean, consider that Uber users and drivers are all happy to run a closed-source Google-gated app.. this is not a demographic who cares about privacy. So what triggered 170 complaints? I wonder if the Dutch DPA would have taken any action had there not been 170 cross-border complainants.

The French DPA gives some interesting insight. Info to attempt to satisfy access requests was in English, not French, which breaks the accessibility rule. The French article gives more of a feeling of not 170 proactive complaints, but maybe the human rights org complained on behalf of 170 drivers. I am quite curious from an activist point of view if 170 drivers proactively initiated a complaint.

The fourth breach is interesting:

by not explicitly mentioning the right to data portability in their privacy statement.

Is data portability even useful for Uber drivers in France? I’ve never used Uber (fuck Google), but I imagine drivers have feedback about how well they perform and maybe they want to port that data to an Uber competitor.. but there is no Uber competitor in France, is there? Is Lyft in France?

 

I normally grab a #youtube video via #invidious onion instances this way:

yt-dlp --proxy http://127.0.0.1:8118 -f 18 "http://ng27owmagn5amdm7l5s3rsqxwscl5ynppnis5dqcasogkyxcfqn7psid.onion/watch?v=$videoID"

Now it leads to:

ERROR: [youtube] $videoID: Sign in to confirm you’re not a bot. This helps protect our community. Learn more

There used to be a huge number of Invidious instances. Now the official list is down to like ½ dozen.

 

This email provider gives onion email addresses:

pflujznptk5lmuf6xwadfqy6nffykdvahfbljh7liljailjbxrgvhfid.onion

Take care when creating the username to pull down the domain list and choose the onion domain. That address you get can then be used to receive messages. Unlike other onion email providers, this is possibly the only provider who offers addresses with no clearnet variations. So if a recipient figures out the clearnet domain it apparently cannot be used to reach you. This forces Google and MS out of the loop.

It’s narrowly useful for some situations where you are forced to provide an email address against your will (which is increasingly a problem with European governments). Though of course there are situations where it will not work, such as if it’s a part of a procedure that requires confirmation codes.

Warning: be wary of the fact that this ESP’s clearnet site is on Cloudflare. Just don’t use the clearnet site and keep CF out of the loop.

2
submitted 2 months ago* (last edited 2 months ago) by [email protected] to c/[email protected]
 

I have lots of whistles to blow. Things where if I expose them then the report itself will be instantly attributable to me by insiders who can correlate details. That’s often worth the risks if the corporate baddy who can ID the whistle blower is in a GDPR region (they have to keep it to themselves.. cannot doxx in the EU, Brazil, or California, IIUC).

But risk heightens when many such reports are attributable under the same handle. Defensive corps can learn more about their adversary (me) through reports against other shitty corps due to the aggregation under one handle.

So each report should really be under a unique one-time-use handle (or no handle at all). Lemmy nodes have made it increasingly painful to create burner accounts (CAPTCHA, interviews, fussy email domain criteria, waiting for approval followed by denial). It’s understandable that unpaid charitable admins need to resist abusers.

Couldn’t this be solved by allowing anonymous posts? The anonymous post would be untrusted and hidden from normal view. Something like Spamassassin could score it. If the score is favorable enough it could go to a moderation queue where a registered account (not just mods) could vote it up or down if the voting account has a certain reputation level, so that an anonymous msg could then possibly reach a stage of general publication.

It could even be someone up voting their own msg. E.g. if soloActivist has established a history of civil conduct and thus has a reputation fit for voting, soloActivist could rightfully vote on their own anonymous posts that were submitted when logged-out. The (pseudo)anonymous posts would only be attributable to soloActivist by the admin (I think).

A spammer blasting their firehose of sewage could be mitigated by a tar pit -- one msg at a time policy, so you cannot submit an anonymous msg until SA finishes scoring the previous msg. SA could be artificially slowed down as volume increases.

As it stands, I just don’t report a lot of things because it’s not worth the effort that the current design imposes.
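The anonymous-post pipeline sketched in the post above, written out as an added toy example (this is not Lemmy code and not code from the original post): a small heuristic stands in for the SpamAssassin score, a one-message-at-a-time tar pit refuses a new anonymous submission while the previous one is still being scored, a delay function grows with volume, and only accounts above a reputation threshold may vote a queued message toward publication (including the author voting on their own logged-out submission). All names, thresholds and the scoring heuristic are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set

# Assumed thresholds; a real instance would tune these.
SPAM_THRESHOLD = 0.2          # spam score above this is rejected outright
PUBLISH_VOTES = 2             # net up-votes needed to reach general publication
VOTER_MIN_REPUTATION = 10     # reputation an account needs before it may vote on anonymous posts


class State(Enum):
    SCORING = "scoring"       # submitted, spam score not yet computed
    REJECTED = "rejected"     # spam score too unfavorable, never shown
    QUEUED = "queued"         # hidden from normal view, awaiting reputation-gated votes
    PUBLISHED = "published"   # reached general publication


@dataclass
class AnonPost:
    post_id: int
    body: str
    state: State = State.SCORING
    score: Optional[float] = None
    votes: int = 0
    voters: Set[str] = field(default_factory=set)


def spam_score(body: str) -> float:
    """Stand-in for SpamAssassin (assumed heuristic): higher is more spam-like.
    Counts URLs per word and adds a penalty for all-caps shouting."""
    words = body.split()
    links = sum(1 for w in words if w.startswith(("http://", "https://")))
    shouting = sum(1 for w in words if len(w) > 3 and w.isupper())
    return links / max(len(words), 1) + 0.1 * shouting


def tarpit_delay(recent_submissions: int) -> float:
    """Seconds to hold a message before scoring; doubles with volume, so a
    firehose of submissions is throttled while a lone report waits a second."""
    return min(600.0, 1.0 * 2 ** recent_submissions)


class AnonQueue:
    def __init__(self) -> None:
        self.posts: Dict[int, AnonPost] = {}
        self.reputation: Dict[str, int] = {}   # account -> reputation level
        self._next_id = 1
        self._pending: Optional[int] = None    # id of the post still being scored

    def submit(self, body: str) -> Optional[int]:
        """One-message-at-a-time tar pit: refuse a new anonymous message
        while the previous one is still being scored."""
        if self._pending is not None:
            return None
        post = AnonPost(self._next_id, body)
        self._next_id += 1
        self.posts[post.post_id] = post
        self._pending = post.post_id
        return post.post_id

    def run_scoring(self) -> None:
        """Score the pending message (the slow step) and release the tar pit."""
        if self._pending is None:
            return
        post = self.posts[self._pending]
        post.score = spam_score(post.body)
        post.state = State.REJECTED if post.score > SPAM_THRESHOLD else State.QUEUED
        self._pending = None

    def vote(self, account: str, post_id: int, up: bool) -> bool:
        """Only sufficiently reputable accounts may vote, once per post."""
        post = self.posts[post_id]
        if self.reputation.get(account, 0) < VOTER_MIN_REPUTATION:
            return False
        if post.state is not State.QUEUED or account in post.voters:
            return False
        post.voters.add(account)
        post.votes += 1 if up else -1
        if post.votes >= PUBLISH_VOTES:
            post.state = State.PUBLISHED
        return True


if __name__ == "__main__":
    # Constructed walk-through: one report, one tar-pitted retry, one vote by each account.
    q = AnonQueue()
    q.reputation.update({"soloActivist": 25, "newcomer": 1})   # constructed accounts
    pid = q.submit("Corp X shares customer data with a broker without consent.")
    print("tar pit blocked second submit:", q.submit("another one") is None)
    q.run_scoring()
    print("state after scoring:", q.posts[pid].state)
    print("newcomer may vote:", q.vote("newcomer", pid, True))
    print("author may vote on own post:", q.vote("soloActivist", pid, True))
```

The queue keeps anonymous messages invisible until two independent checks have passed, so an admin is the only party who can tie a queued message to the account that later votes on it, which matches the attribution the post is willing to accept.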

 

(cross-posting is broken on links.hackliberty.org, so the following is manually copied from the original post)


When your bank/CU/brokerage demands that you login to their portal to update KYC info
soloActivist to [email protected]

In the past I have only seen PayPal spontaneously demand at arbitrary/unexpected moments that I jump through their hoops -- to login and give them more info about me. I reluctantly did what they wanted, and they kept my account frozen and kept my money anyway.

So I’ve been boycotting PayPal ever since. Not worth it to work hard to find out why they kept my account frozen and to work hard to twist their arm so that I can give them my business.

Now an actual financial institution is trying something similar. They are not as hostile as PayPal was (they did not pre-emptively freeze my account until I dance for them), but they sent an email demanding that I login and update my employment information (even though it has not changed). Presumably they will eventually freeze my account if I do not dance for them to satisfy their spontaneous demand.

I just wonder how many FIs are pulling this shit. And what are people doing about it? Normally I would walk.. pull my money out and go elsewhere. But the FI that is pushing KYC harassment has a lot of power because they offer some features I need that I cannot get elsewhere, and I have some stocks through them, which makes it costly/non-trivial to bounce.

I feel like we should be keeping a public database on FIs who pull this shit, so new customers can be made aware of who to avoid.

 

cross-posted from: https://links.hackliberty.org/post/125466

My credit card issuer apparently never gets to know what I purchased at stores, cafes, & restaurants -- and rightfully so. The statement just shows the shop name, location, and amount.

Exceptionally, if I purchase airfare the bank statement reveals disclosures:

  • airline who sold the ticket
  • carrier
  • passenger name
  • ticket number
  • city pairs

So that’s a disturbing over-share. In some cases the airline is a European flag carrier, so IIUC the GDPR applies, correct? Doesn’t this violate the data minimization principle?

Airlines no longer accept cash, which is also quite disturbing (and illegal in jurisdictions where legal tender must be accepted when presented for PoS transactions).

Has anyone switched to using a travel agent just to be able to pay cash for airfare?

UPDATE

A relatively convincing theory has been suggested in this other cross-posted community:

https://links.hackliberty.org/comment/414338

Apparently it’s because credit cards offer travel insurance & airlines have incentive to have another insurer involved. Would be useful if this were documented somewhere in a less refutable form.

90
submitted 10 months ago* (last edited 10 months ago) by [email protected] to c/[email protected]
 

There is a common theme pushed by fanatics of capitalism that never dies: that a profit-driven commercial project ensures higher quality products than products under non-profit projects. Some hard-right people I know never miss the chance to use the phrase “good enough for government work” to convey this idea.

I’m not looking to preach to the choir here, but rather to establish a thread of scenarios that correspond to quality for the purpose of countering inaccurate narratives. This is the thread to share your stories.

In my day job I’m paid to write code. Then I go home and write code I was not paid for. My best work is done without pay.

Commercial software development

When I have to satisfy an employer, they don’t want quality code. They want fast code. They want band-aid fixes. The corporate structure is too myopic to optimize for quality.

Anti-gold-plating: I was once back-roomed by a manager and lectured for “gold plating”. That means I was producing code that was higher quality than what management perceives as economically optimal.

Bug fixes hindered: I was caught fixing some bugs conveniently as I spotted them when I happened to have a piece of code checked out in Clearcase. I was told I was “cheating the company out of profits” because they prefer if the bugs each go through a documentation procedure so the customer can ultimately be made to pay separately for the bug fix. Never mind the fact that my time was already charged anyway (but they can get more money if there’s a bigger paper trail involving more staff). This contrasts with the “you get what you pay for” narrative since money is diverted to busy work (IOW: working hard, not smart).

Bugs added for “consistent quality”: One employer was so insistent on “consistent quality” that when one module was higher quality than another, they insisted on lowering the quality of the better module because improving the style or design pattern of the lower quality piece would be “gold plating”. This meant injecting bugs to achieve consistency. The bugs were non-serious varieties; more along the lines of needless complexity, reduced performance, coding standard non-compliances, etc, but nonetheless something that could potentially be charged to the customer to fix.

Syntactic dumbing-down: When making full use of the language constructs (as intended by the language designers), I am often forced by an employer to use a more basic subset of constructs. Employers are concerned that junior engineers or early senior engineers who might have to maintain my code will encounter language constructs that are less common and it will slow them down to have to look up the syntax they encounter. Managers assume that future devs will not fully know the language they are working in. IMO employers under-estimate the value of developers learning on the job. So I am often forced to avoid using the more advanced constructs to accommodate some subset of perceived lowest common denominator. E.g. if I were to use an array in bash, an employer might object because some bash maintainers may not be familiar with an array.

Non-commercial software development

Free software developers have zero schedule pressure. They are not forced to haphazardly rush some sloppy work into an integration in order to meet a deadline that was promised to a customer by a manager who was pressured to give an overly optimistic timeline due to a competitive bidding process. #FOSS devs are free to gold-plate all they want. And because it’s a labor of love and not labor for a paycheck, FOSS devs naturally take more pride in their work.

I’m often not proud of the commercial software I was forced to write by a corporation fixated on the bottom line. When I’m consistently pressured to write poor quality code for a profit-driven project, I hit a breaking point and leave the company. I’ve left 3 employers for this reason.

Commercial software from a user PoV

Whenever I encounter a bug in commercial software there is almost never a publicly accessible bug tracker and it’s rare that the vendor has the slightest interest in passing along my bug report to the devs. The devs are unreachable by design (cost!). I’m just one user so my UX is unimportant. Obviously when I cannot even communicate a bug to a commercial vendor, I am wholly at the mercy of their testers eventually rediscovering the same bug I found, which is unlikely in complex circumstances.

Non-commercial software from a user PoV

Almost every FOSS app has a bug tracker, forum, or IRC channel where bugs can be reported and treated. I once wrote a feature request whereby the unpaid FOSS developer implemented my feature request and sent me a patch the same day I reported it. It was the best service I ever encountered and certainly impossible in the COTS software world for anyone who is not a multi-millionaire.

 

cross-posted from: https://links.hackliberty.org/post/285435

When a private sector company blocks Tor, I simply boycott. No private entity is so important that I cannot live well enough without them. But when a public service blocks Tor, that’s a problem because we are increasingly forced to use the online services of the public sector who have gone down the path of assuming offline people do not exist.

They simply block Tor without discussion. It’s not even clear who at what level makes these decisions.. could even be an IT admin at the bottom of the org chart. They don’t even say they’re blocking Tor. They don’t even give Tor users a block message that admits that they block Tor. They don’t disclose in their privacy policies that they exclude Tor.

Just a 403 error. That’s all we get. As if it needs no justification. Why is the Tor community so readily willing to play the pushover? Even the Tor project itself will not stand up for their own supporters.

The lack of justification is damaging because it essentially sends the message: “you Tor-using privacy seekers are such scum we don’t even have to explain why you are outcast. We don’t even have to ask permission to exclude you from participating in society.” This reinforces the myth that Tor users are criminals and encourages non-criminal Tor users to abandon Tor, thus shrinking the Tor userbase. The civilized world has evolved to a point of realizing the injustice of #collectivePunishment. At best this is a case of punishing many because of a few. I say “at best” because I’m skeptical that a bad actor provokes the arbitrary denial of service.

When the question is publicly asked “why did service X start blocking Tor” answers always come as speculation from people who don’t really know, who say they were probably attacked.

 

cross-posted from: https://links.hackliberty.org/post/303031

These are the steps I take against companies who block Tor (e.g. a grocery store, bank, DNS provider.. whoever you do business with who have started using Cloudflare):

  1. GDPR art.17 request to delete my email address & any other electronic means to reach me, but nothing else.
  2. Wait 30 days for them to comply.
  3. GDPR art.13 & 14 request to disclose all entities personal data was shared with + art.15 request for all my data (if I am interested) + art.17 request to erase all records. These requests are sent together along with criticisms for their lack of respect for privacy and human rights and shaming for treating humans like robots (if that’s the case).

The reason for step 1 & 2 is to neuter the data controller’s option to respond electronically so they are forced to pay postage. It’s a good idea as well because they would otherwise likely use Microsoft for email and you obviously don’t want to feed MS. It may be feasible to skip steps 1 & 2 by withdrawing consent to use the email address (untested).

A few people doing this won’t make a dent but there is a threshold by which a critical mass of requests would offset their (likely uncalculated) cost savings by arbitrarily marginalizing the Tor community. It’s a way to send a message that cannot be ignored.
