I Spy With My Digital Eye

Transcript

Veronica B. : Okay Google, tell me a secret.

Google: Here’s a secret, I’m not actually a person. Shh.

Veronica B. : Alexa, what is spying?

Alexa: Espionage is the obtaining of information considered secret or confidential without the permission of the holder of the information.

Veronica B. : Okay Google, are you spying on me?

Google: Me? I don’t know.

Veronica B. : Alexa, I don’t feel comfortable.

Alexa: Hmm, sorry. I don’t know that one.

Veronica B. : In a world where we face unknown risks of having our conversations heard and captured by corporations or government or other like-minded spies, how can I be assured that what I tell you and what you hear isn’t going to inevitably erode my privacy and make me a target of surveillance whether or not I’m even remotely guilty of anything.

Google: I heard you like spies.

Veronica B. : It used to be hard to spy on someone. Spies had to wear disguises, follow people, steal top secret files and go-go-Gadget their way out of trouble.

Alexa: I only send audio back to Amazon when I hear you say the wake word.

Veronica B. : But the gadgets, they’re in our homes now, and the spies? They’re following the trail we leave behind online. They’re looking at us through our laptop cameras. They’re even watching us in the streets of our smart cities, so you’ve got to wonder, how does that change the spy game? I’m Belmont. Veronica Belmont, and this is IRL. Online life is real life, an original podcast from Mozilla. In earlier episodes of IRL, I talked about hacking, security and data privacy. If you missed those, go check them out. In this episode, I’m going to keep us moving along this theme. We’re going to try to understand the risks of surveillance and learn how complicit we may be in creating that risk, because your right to privacy is essential. It’s the backbone of a free democracy. Where should we start?

Alexa: Our next guest is Cindy Blackstock .

Veronica B. : When we think of surveillance, we naturally think of government or law enforcement spying on suspects. Surveillance has prevented or solved countless crimes and terrorist attacks. When it works, it works, but there’s also the dark side of government spying, like when innocent citizens become suspects simply because they have unpopular opinions or reveal something that embarrasses the government, like Dr. Cindy Blackstock . She suspected the Canadian government discriminated against indigenous children by underfunding their social services. She filed a complaint with the Canadian Human Rights Tribunal and that turned into a nine year legal battle. During that time, government officials began a secret surveillance campaign. She only grew suspicious after being denied a meeting at a government office.

Cindy B. : I was one of the last to enter the meeting room and he said “Who are you?” I said, “I’m Cindy Blackstock ” and he said, “We’ll meet with you at another time.” I was stunned and shocked. I was the only person in that room that was left behind in a waiting area and I looked across from me and there was a security guard with his arms crossed, facing me and guarding me as I was reading the newspaper, and I thought, “What is it about me, a social worker who doesn’t even have a criminal record, let alone a parking ticket, why do I get that response from Canada?”

Veronica B. : As she sat there, alone, she started wondering what else might be going on and it occurred to her that, thanks to a federal privacy act, she could try and figure it out.

Cindy B. : I filed for any documents the department would have about me, and a year and a half later, that DBD arrives in the mail and I thought it’d be a quick view, and I saw one document after another document. Email exchanges, copies of my emails. There was pictures off of my Facebook page. They had screenshots, but they were also following my personal movements. Not only was there copies of different types of talks I was at. There was notes of a talk I did in the middle of the desert of Australia and they weren’t just following me. They were following other people in my circle, and so your natural instinct is to want to kind of restrain yourself, to become silent, and I absolutely rejected that.

Veronica B. : Once again, Cindy found herself in another legal battle against the federal government. She believed the surveillance violated her privacy rights. Fortunately for Cindy, the Human Rights Tribunal who heard her case agreed.

Cindy B. : The privacy commissioner found Canada’s collection of information about me, my personal information, to be a breach of the privacy act. Government of Canada never got a warrant in this case.

Veronica B. : Now, if you’re thinking this might be an isolated case, I’m a stop you right there.

Mailyn Fidler : I think sadly, as somebody who studies surveillance, it’s not a surprising story. This case of Cindy is pretty typical in terms of who governments tend to surveil.

Veronica B. : That’s Mailyn Fidler . She’s a fellow at the Berkman Klein Center for Internet and Society at Harvard.

Mailyn Fidler : A lot of people assume that those who are under surveillance are quite deserving of that surveillance. That is not true.

Veronica B. : Traditionally we think of surveillance as something an intelligence agency or a police officer does. How has the internet changed that?

Mailyn Fidler : It’s opened up a whole world for a wider range of actors, so one of the key examples was during the Dakota access pipeline protest, the company running the pipeline, energy transfer partners, actually employed a surveillance firm to surveil the protestors. With the government, you have freedom of information access law. With companies, the only way that we found out about this was through an internal leaker from the surveillance firm who gave these documents to a journalist.

Veronica B. : What bugs you most about all of this?

Mailyn Fidler : The growing complacency I sense from folks, and one of the places that we really see this is with young kids and teenagers who are used to having parents monitor their phones or their schools monitor their phones, and so when they move into the adult world, many of them are used to this kind of surveillance from benign actors, but that means they’re much less likely to challenge it when it’s coming from someone it probably shouldn’t come from, and that really worries me.

Veronica B. : Great point. When I was a kid, my parents let me run around all summer long. They had no idea where I was. I could only imagine what that’s like now. Actually, British kids might be the ones developing a strange tolerance for surveillance. Parents, too, because everyone seems caught up in the UK spynet. The British security industry association figures there are nearly six million CCTV cameras in the UK. That’s one camera for every 11 people.

Olivia C. : I think everyone’s become slightly accustomed to the fact that there’s a camera on every street corner, and it’s always been necessary in order to keep our country safe.

Veronica B. : Olivia Cappuccini lives in London. She made a documentary called The Haystack, and it’s about a sweeping new surveillance law that passed in 2016. Officially it’s called the Investigatory Powers Act. Some people call it “the snooper’s charter.” The stated goal is to prevent terrorism, of course, but the result is that it leads to the bulk collection of personal data of potentially all British citizens.

Olivia C. : What’s changed quite dramatically is that the data that is collected, and by that, I mean people’s conversations, their emails and obviously all of the stuff that you provide to corporations who work directly with government agencies, they’re able to hold that for now up to a year. It allows more time, from their point of view, to retroactively go back and try and fight crime or from a civil liberties [inaudible 00:08:33] activist point of view, it allows more time for abuse.

Veronica B. : That’s terrifying, especially in light of all the connected devices we have in our homes these days. Are people in the UK thinking about that?

Olivia C. : No. I mean, I have to say one of the main reasons we made the documentary is because no one of my generation, younger generation as well, who are obviously on multiple devices for hours and hours a day, acknowledge how their information is stored, or if they do, the story is that apparently it’s necessary and all of it’s disregarded. It’s only used to fight against terrorism.

Veronica B. : How much do you notice those cameras pointing at you?

Olivia C. : A lot. In fact I’ve put stickers on my laptop, on my desktop screen, just because now that I’ve explored this in some depth, you never know if someone’s watching. That sounds really bad.

Veronica B. : The biggest whistleblower of them all, Edward Snowden, describes the snooper’s charter as the “most extreme surveillance in the history of Western democracy.” This is IRL, an original podcast from Mozilla, because all my life is real life. I’m Veronica Belmont. I don’t know, thinking through all this surveillance stuff, does it make you yearn to go back to when we were young and just wanted to play with toys? Accept now even our playthings could be watching us. In July, the United States Federal Bureau of Investigation released a warning about internet connected toys. They say they are a risk to your family’s privacy and safety. I wanted to know more so I asked IRL producer David Swanson to look into it, and that’s how David, team player that he is, ended up playing with dolls all week.

David Swanson: Yeah, sort of. I definitely attended an imaginary birthday party, but I’d like to think of it more as an investigation, because it would seem that our toys are actually spying on us.

Veronica B. : That sounds like something out of a science fiction novel that Cory Doctorow would write.

David Swanson: Yeah, totally, right? But the creepy fact is, is that because toys are now connected to the internet, it’s actually absolutely possible for this to happen. I brought some friends into the studio today to help show you what I mean. First, there’s this little fellow here. I named him Terrence.

Terrence: Hello, Veronica. How are you today?

Veronica B. : Hello, Terrence. Aren’t you just the cutest little spy I ever did see?

David Swanson: For people listening, Terrence is a fluffy little white unicorn with pink hooves and purple hair and a little yellow horn on top of his head.

Terrence: The horn is for making wishes.

David Swanson: He’s what’s called the Cloud Pet. Cloud Pets come with a built in microphone, a speaker and a bluetooth chip.

Terrence: So, when you install an app on your phone, you can record a message, and I’ll play it for your kid.

David Swanson: Yep, that’s right, Terrence, so with your app, which you could protect with a password as short as one single character.

Veronica B. : What, like your password could just be the letter “A?”

David Swanson: Which is basically useless, but then your recorded audio, it goes to a server in the cloud on the internet.

Veronica B. : Ah, and then I assume a password protects you on the web as well?

David Swanson: Well, that’s the thing.

Troy Hunt: The entire database of the customers and all of the interactions they have and all of the references to the recordings themselves were left in a database that had no password on it and was facing the internet.

David Swanson: This is Troy Hunt, by the way. He’s a cybersecurity expert. A real person, definitely not a cloud pet.

Veronica B. : Okay, so if I follow Troy, the Cloud Pet database, the one in the cloud with all the files, it had no master password. It was just sitting out there in the open.

David Swanson: Yeah, and sure enough, the hackers, they found it, and the database actually contained the personal info of well over half a million users, so email addresses, passwords, profile photos, you name it. Troy says something like 2.2 million audio recordings from kids and parents were in the database too.

Veronica B. : Oh man, yeah, that’s a huge problem.

David Swanson: The problem’s not just the database. Security experts, they went one step further and they experimented with the Cloud Pets themselves.

Troy Hunt: One of the things that the researchers found that you could do is that once you had proximity to the toy, you could remotely trigger the recording functionality, connect to it from your own phone and turn the device literally into a listening device, and if I was sort of sitting here thinking people all over the world had access to listen to the voice messages that my kids had left me while speaking to a teddy bear, I’d feel kind of violated.

Veronica B. : Yeah, and rightfully so. I mean, just the thought of this makes me feel absolutely sick to my stomach.

David Swanson: Yeah, it’s super invasive, but Cloud Pets, they’re not the only toys that are a potential surveillance nightmare.

Terrence: We’re not?

Veronica B. : Oh no, who else did you bring with you?

David Swanson: I want you to say hello to my friend Cayla.

Cayla: My name is Cayla. I’m so happy to meet you.

David Swanson: Cayla’s this little blond haired, blue eyed doll. At least the model that I have anyway. She’s about 18 inches tall. You ask her questions. She answers them and she can ask you stuff too.

Cayla: I’m happy because my sister helped me with my homework today. I think we should play.

Veronica B. : My dolls definitely could not do that, but that doesn’t really explain to me how Cayla is a spy.

Troy Hunt: Well, if we look at the simple mechanics of the doll, it has a microphone in it. It is instantly connected. It has all the components that you would need to turn it into a listening device and there’s always the potential that it could actually be used in ways that it wasn’t designed to.

Veronica B. : What are families supposed to do with these toys?

Troy Hunt: Well, for Terrence and the Cloud Pets, the company wiped the customer info from the affected database. They also said that the voice recordings weren’t actually affected by the breach.

Terrence: They also sent users a link to create a new and more secure password.

David Swanson: You got that right, my little unicorn buddy. Maybe people don’t actually need to do anything. It depends on how comfortable they are using a Cloud Pet after hearing about the breach.

Veronica B. : And how about Cayla?

David Swanson: If you have a Cayla doll, the best advice is to keep her turned off if you’re not playing with it, unless you’re in Germany. Under German law, Cayla’s considered a concealed surveillance device, and that violates their privacy regulations, so technically it is against the law to own one and could actually lead to a $25,000 fine.

Veronica B. : That’s extreme.

David Swanson: The company that distributes the doll in Germany, they think so too, and they’re challenging the ban, but I should be clear, while the German government really does think that Cayla is a problem, they did say that they’re not actually going to fine people for having one. They just want the dolls gone.

Veronica B. : What if parents want to keep the doll?

David Swanson: They can keep the doll so long as they somehow disable the bluetooth chip. I’m not sure how you would actually do that, or they destroy the doll completely, so if you want a broken, useless Cayla doll for some reason, you could actually do that.

Veronica B. : It makes sense that the internet of toys shares the same security problems as the internet of things. Who thought jacking kids toy into it would be a good idea?

Troy Hunt: It’s sort of the manifestation of one of our fears with the internet of things, and what this is showing us is that every time we add internet to things, we sort of need to try and look at a worst case scenario and then ask ourselves how much sense it actually makes to have these devices in our home.

Veronica B. : Alright David, thank you very much for playing with creepy dolls for me.

David Swanson: Okay, fine, fine, I was playing with dolls, but you know what? It was fun.

Veronica B. : At this point, I should say that I’m not anti-internet of things. I have a few IOT devices in my own home, so just because a couple of toys can be hacked and turned into spy gadgets, that doesn’t mean the future of IOT isn’t promising.

Scott Heiferman: I find it very interesting that just as my kids are learning to talk, computers are learning to listen.

Veronica B. : Scott Heiferman’s been thinking about how home assistants change the way we live with technology. He’s the founder and CEO of Meetup. He likes having an Alexa device because it reduces the time he spends on his phone around his kids. What he’s less keen on, though, is how his kids have come to adopt Alexa into their lives.

Scott Heiferman: My three year old boy, he’s like half-joking. He’s trying to learn how to dress himself, so he’ll be all tangled in a shirt and then he’ll walk over and say, “Alexa, how do you put a shirt on?” But I think that they really are trying to process, what is this thing that is talking to them that answers their questions and is listening to them. If the most important part of being human is to be heard, here’s this technology that hears them and is responding to them. I’ll go out of my way sometimes to remind them, “Alexa doesn’t love you.” My kids love their stuffed animals, but I don’t want them to love Alexa.

Veronica B. : Like Scott points out, it may be that as we get more and more used to having these devices around, we get used to having devices watching and listening to everything we do. It’s something that gets under Cory Doctorow’s skin. Alexa, who is Cory Doctorow?

Alexa: Cory Efram Doctorow is a Canadian British blogger, journalist and science fiction author who serves as co-editor of the blog “Boing Boing.”

Veronica B. : That’s right. Cory also thinks a lot about surveillance and tech, and no, Cory does not have a Google home or Amazon Echo.

Cory Doctorow: A home assistant gives me the creeps for a couple of reasons. One is that information security is hard to do. The other is that we’ve stacked the deck against good engineering practice in designing those home assistants. The companies that make those systems, they have almost no liability in the event that you get harmed by a breach from them.

Veronica B. : What’s an example of something happening to a regular, everyday person that showcases how our surveillance culture is far more, I guess, real than we may realize?

Cory Doctorow: I mean, I guess a pretty egregious one is Cassidy Wolf who was a Miss Teen USA and her browser had a defect in it and that defect allowed someone who had installed what’s called drive by malware on a website and this guy, he got incidental nude images of Cassidy Wolf, who was a minor child at the time, and he said, “I now have your social media passwords and I have these pictures of you naked, standing in front of your computer, when you were getting dressed in the morning. I’m going to dump them all onto your social media unless you perform live sex acts on camera,” and they caught this guy. He had over a hundred victims all over the world including other minor children that he’d been sexually blackmailing.

Veronica B. : That is appalling.

Cory Doctorow: Yeah, and this is the thing, is I think a lot of the times, when we try to threat model privacy, we say, like, “Who would try to investigate me and get into my personal business?” We do so on the assumption that people who attack us are like ninjas who are looking for specific high value targets, and the reality is that these cyber weapons are often in the hands of dumb dumbs who are looking for targets of opportunity.

Veronica B. : Dumb dumbs aside, it’s like you said, the repercussions of something going bad are so minimal, the companies making these devices can’t be bothered to bolster our security and privacy against unwanted snooping.

Cory Doctorow: That’s what’s happening with privacy. We have outsourced costs, we have privatized gains, and then to make things even worse, states depend on private actors doing surveillance so that they can raid that data in order to spy on all of us, something that they’ve decided is just normal, natural, proportional and indeed essential to the preservation of the modern state.

Veronica B. : If that’s the case, then, how long before we realize we should or can do something about it?

Cory Doctorow: That’s the 50 bazillion dollar question. I like to think of this idea of peak indifference. That’s not the moment at which the problem reaches its peak, it’s when the number of people who know that there’s a problem only starts going up from then on. Once you hit peak indifference, the job that you get is really to convince all those people who’ve just had their lives ruined by the problem, that that problem was not the natural, unforeseeable consequence of normal activities, that it reflects a depraved indifference by named individuals who have profited handsomely from your misery, and here are their phone numbers and here is their address and here are some pitchforks and here are some torches, right? That’s a totally different job, and it’s the job I think we’re getting up to now. That’s why with every one of these breaches, with every election of a strongman government, we see more and more people downloading privacy tools, switching to private modes in browsers and taking more steps to preserve and protect their privacy, and more and more people are aware of the idea that allowing the good guys to spy on you is not a good idea because eventually they’ll be replaced by or impersonated by the bad guys.

Veronica B. : Peak indifference. Are you there yet? Well, if you do count yourself among the ones who do want to do something about this, there’s a few things you can do right away. First, the most obvious one, destroy all the things. Remember how Germany suggested owners of the My Friend Cayla dolls should disable or destroy their toy? Well, we took them up on it.

Derek: We’re just at the maker labs here in downtown Vancouver.

Veronica B. : Derek is the founder and lead fabricator there, and with his help …

Speaker 14: We should put on some safety equipment first.

Veronica B. : We got Cayla to meet her maker.

Derek: Yeah, let’s definitely put on some eyewear.

Veronica B. : This is a ridiculous thing that we did. First, we put the toy doll under an industrial press. Next, we ran My Friend Cayla doll through a table saw. Like I said, ridiculous. This is not how you fix things.

Speaker 14: We could definitely take a sledge hammer.

Derek: Nothing in there. It looks like that we very adequately destroyed this doll. I don’t think that she is a surveillance issue any longer, what do you think?

Speaker 14: Definitely not.

Veronica B. : Goodbye, Cayla. I hardly knew you. Look, I’m not saying all these toys and gadgets are built with a spy switch that just needs to be flicked on. What I am saying, though, is that as we get used to things that can listen and can watch, we need to remember that it doesn’t take much to turn a safe gadget into an unsafe one. If you want one, go ahead and get a smart device at home. The best ones can be incredibly useful. Apple devices have a super high bar for security and both Google and Amazon’s privacy policies confirm that they will not share your info with anyone. Just decide if that assurance is enough for you, or ask, okay Google, are you spying on America?

Google: Your security comes first in everything Google does. It’s important Google keeps your data private and safe and puts you in control.

Veronica B. : It’s also okay to think that bulk surveillance for national security is necessary. We can have faith in our institutions, but once your information is out there, the chances it will be abused go way up, especially if you try to challenge the status quo. Like Cindy Blackstock , the Dakota pipeline protesters, Black Lives Matter, anti-fracking protesters in the UK and anti-coal protesters in Australia, in our interconnected internet world, it’s easier to become targets of unwarranted surveillance. Pragmatically, there are some simple things you can do to protect yourself from prying eyes. Cory Doctorow recommends the surveillance self defense kit put out by the Electronic Frontier Foundation. It includes tips like how to encrypt your online footprint. Oh, and put tape over your laptop camera. Olivia London does it. Facebook’s Mark Zuckerberg does it. So does former FBI director James Comey, and frankly so do I after talking to Cory. In fact, Mozilla has these clever little plastic covers that you can use for this. Want one? We’ll send them to the first 50 peeps to share this podcast on Twitter. Just use the hashtag “IRL podcast” so we know how to find you. You’ll find the self defense guide and more in the show notes to this episode on our website, IRLpodcast.org. IRL is an original podcast from Mozilla, the nonprofit behind the Firefox browser. I’m Veronica Belmont. I’ll see you online until we catch up again IRL. Okay Google, say something funny.

Google: This might make you life. Why do fish live in saltwater? Because pepper water makes them sneeze.

Veronica B. : Oh, that was so bad and so funny. This is right up my alley. This is exactly the humor I like.