Always On Microphones are Always On

Reader Steve T. sent me a link to story confirming my decision to not own smart speakers. A woman going by the name my.data.not.yours on TikTok (I guess this is the new hip surveillance social media network) sent a request to Amazon for all of the data the company had on her. The result? Exactly what you would expect (I sanitize the TikTok link embedded in the source so I’ll apologize here if it doesn’t work):

TikToker my.data.not.yours explained: “I requested all the data Amazon has on me and here’s what I found.”

She revealed that she has three Amazon smart speakers.

Two are Amazon Dot speakers and one is an Echo device.

Her home also contains smart bulbs.

She said: “When I downloaded the ZIP file these are all the folders it came with.”

The TikToker then clicked on the audio file and revealed thousands of short voice clips that she claims Amazon has collected from her smart speakers.

Smart speakers like the ones provided by Amazon have an always on microphone to listen for voice commands. The problem isn’t necessarily the always on microphone but the fact that most smart speakers don’t perform on-site audio analysis (or only perform very limited on-site analysis). Instead they record audio and send it to an off-site server for processing. Why is the audio moved off-site? Ostensibly it’s because an embedded device like a smart speaker doesn’t have the same processing power as a data center full of computers. Though I suspect that gaining access to valuable information like household conversations has more to do with the data being moved off-site than the accuracy of the audio analysis.

The next question one might ask is, why is the data being stored? This is why I suspect moving the data off-site has more to do with gaining access to valuable information. Once the audio has been analyzed and the commands to be executed transmitted back to the smart speaker, the audio recording could be deleted. my.data.not.yours discovered that the audio isn’t deleted or at least not all of the audio is deleted. But even if Amazon promised to delete all of the audio sent to its servers, there would be no way for you as an end user to verify whether the company actually followed through. Once the data leaves your network, you lose control over it.

The problem with Amazon’s smart speakers is exacerbated by their proprietary nature. While Amazon provides the source code necessary to comply with the licenses of the open source components it uses, much of the stack involved with its smart speakers is proprietary. This means you have no insight into what your Amazon smart speaker is actually doing. You have a black box and promises from Amazon that it isn’t doing any shady shit. That’s not much of a guarantee. Especially when dealing with a device that is designed to listen to everything you say.

Gun Control Continues to Fail

I’ve stated many times on this blog that gun control is futile because it’s impossible to control the production of simple mechanical devices. Guns aren’t like semiconductors. Today (however, this will change in the future) manufacturing semiconductors requires highly specialized equipment and knowledge. Guns on the other hand require only the simplest tools and materials to build. The knowledge isn’t specialized either. Books on the topic of gunsmithing are readily available and the information is easily accessible online.

Whenever I brought up these points advocates for gun control (and even some opponents of gun control) claimed that I was full of shit. To them I submit the following:

The proliferation of homemade “ghost guns” has skyrocketed in Los Angeles, contributing to more than 100 violent crimes this year, the Los Angeles Police Department said in a report released Friday.

Detectives have linked the untraceable weapons to 24 killings, eight attempted homicides and dozens of assaults and armed robberies since January, according to the report.

And police expect the problem to get worse, the report said.

During the first half of this year, the department confiscated 863 ghost guns, a nearly 300% increase over the 217 it seized during the same period last year, according to the report. Since 2017, the report said, the department has seen a 400% increase in seizures. That sharp jump suggests the number of ghost guns on the streets and such seizures “will continue to grow exponentially,” the authors of the report wrote.

This is nothing new. Just ask Brazil. But this is a good story to show that gun control can’t even succeed in a city with extremely restrictive gun control laws located in a state that also has extremely restrictive gun control laws. If people in Los Angeles can’t be stopped from manufacturing firearms, there’s no hope of any government entity controlling it elsewhere.

Nothing I said here is specific to firearms. Anytime a government attempts to outlaw a technology it only leads to the creation of a black market. The only difference between a legal and illegal technology is that manufacturing, selling, and buying an illegal technology carries additional risks. These risks are reflected in the higher prices charged by manufacturers and the amount of effort put into hiding them from authorities (whereas little if any effort is ever put into hiding legal technologies from authorities so it’s actually easier for authorities to track them). I’m sure law enforcement agencies and the mainstream media will make this into a big issue over the next few years. Their efforts will be wasted though because there’s nothing government can do to stop this.

One VPN Provider to Rule Them All

When somebody first develops an interest in privacy, the first piece of advice they usually come across is to use a virtual private network (VPN). Because their interest in privacy is newly developed, they usually have little knowledge beyond that they “need a VPN.” So they do a Google (again, their interest in privacy is new) search for VPN and find a number of review sites and providers. Being a smart consumer they read the review sites and choose a provider that consistently receives good reviews. What the poor bastard doesn’t know is that many of those review sites and providers are owned by the same company (a company, I will add, that is shady as fuck):

Kape Technologies, a former malware distributor that operates in Israel, has now acquired four different VPN services and a collection of VPN “review” websites that rank Kape’s VPN holdings at the top of their recommendations. This report examines the controversial history of Kape Technologies and its rapid expansion into the VPN industry.

If you’re not familiar with Kape Technologies, the linked report provides a good overview. If you want a TL;DR, Kape Technologies has a history of distributing malware and now owns ExpressVPN, CyberGhost, Private Internet Access, and Zenmate. Because of Kape Technologies’ history, I would advise against using one of its VPN providers. It’s not impossible for a company to turn over a new leaf, but with other options available (at least until Kape buys them all), why take chances?

If you’re a person with a newfound interest in privacy and looking for recommendations, I unfortunately don’t have any good recommendations for review sites. The handful of review sites that I used to trust have either disappeared or been bought by VPN providers (which by itself doesn’t necessary make a review site untrustworthy, but I’m always wary of such conflicts of interest).

As far as VPN providers go, I use Mullvad and I like it. It supports WireGuard (my preferred VPN protocol), doesn’t ask for any personally identifiable information when signing up for an account, accepts anonymous forms of payment (including straight cash mailed in an envelope), and seems determined to remain independent (at least for now).

It’s a Tracking Device, Not a Smartphone

I like to refer smartphones as voluntary tracking devices. Cellular technology provides your location to the network provide as a side effect. Smartphones can also leak your location through other means. But location isn’t the only type of information collected by smartphones. Android has a sordid reputation when it comes to data collection. Part of this is because Google’s primary business is collecting information to sell to advertisers. Another part is that handset manufacturers can bake additional data collection into their Android devices. Another part is that Android lacked granular application permissions until more recent versions, which allowed application developers to collect more information.

Apple on the other hand has enjoyed a much better reputation. Part of this is because Apple’s primary business model was selling hardware (now its primary business model is selling services). But Apple also invested a lot in securing its platform. iOS provided users more granular control over what applications could access earlier than Android. It also included a lot of privacy enhancements. However, Apple’s reputation isn’t as deserved as one might think. Research shows that iOS collects a lot of information:

“Both iOS and Google Android share data with Apple/Google on average every 4.5 [minutes],” a research paper published last week by Trinity College in Dublin says. “The ‘essential’ data collection is extensive, and likely at odds with reasonable user expectations.”

Much of this data collection takes place after the phone is first turned on, before the user logs into an Apple or Google account, and even when all optional data-sharing settings are disabled.

“Both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this,” the paper adds. “However, Google collects a notably larger volume of handset data than Apple.”

I can’t say that this surprises me. Apple is a publicly traded company, which means its executives are beholden to share holders interested almost exclusively in increasing the price of their shares. That means Apple’s executives needs to constantly increase the company’s revenue. User information is incredibly valuable. Mark Zuckerberg made a multi-billion dollar company out of collective user information. So it was unrealistic to expect Apple to leave that kind of potential revenue on the table. Even if Apple isn’t currently selling the information, it can start at any time. Moreover, if it has the information, it can be obtained by state agents via a warrant.

This brings up an obvious question. What smartphone should individuals concerned about privacy get? Unfortunately, Android and iOS are the two biggest players in the smartphone market. They are also the only two players readily available to consumers who aren’t tech savvy. GrapheneOS is an example of an Android version that offers better privacy than the stock versions found on most devices. But using it requires buying a supported Pixel and flashing GrapheneOS to it yourself. There are also phones that run mainline Linux such as the PinePhone and Librem 5. The problem with those devices is the state of the available software. Mainline Linux distributions designed for those phones are still in development and likely won’t meet the needs of most consumers.

Right now the market looks grim if you want a smartphone, are concerned about privacy, and aren’t tech savvy enough to flash third-party firmware to your phone.