How Can Technical Solutions Expose Mass Surveillance?
An Anonymous Coward writes:
There's an incredible amount of surveillance across much of the USA. Many governments and some businesses are paying tens of thousands of dollars each year for license plate readers. Those records are sent to a centralized database and often shared nationally with police. Flock is the most well known camera vendor, but there are plenty of others like Motorola Solutions. It makes headlines when a city council decides they no longer want Flock cameras, but the vast majority of local governments seem to want and defend the surveillance. They all insist the abuse happens elsewhere, but it would never be tolerated in their own police force. Yeah, right.
We also install our own mass surveillance like Ring and Nest video doorbells and even indoor cameras. I walked a couple of miles through a suburban residential area a few days ago and wouldn't be surprised if I was recorded by over 100 doorbell cameras. One even had an automated female voice tell me that I was being recorded because I was on the sidewalk in front of their house. I was initially taken aback by that creepy voice, but now I think it might be less insidious than the other cameras that didn't announce their presence. Although doorbell cameras are easy to spot, I wonder how many other cameras were lurking in the shadows and also recording me on the sidewalk. And how many of the cameras used facial recognition that could be used to track me?
One of the most common defenses of the cameras is that if you're not doing anything wrong, you've nothing to hide. The irony is the same people parroting this fallacious BS often try very hard to hide their surveillance. What's good for the geese ought to be good for the Flock of ganders. If you're not doing anything nefarious with your cameras, then why do you feel the need to hide them and be secretive about how you're using them?
Let's talk about how to expose the surveillance. I see three obvious ways: 1) document misuse of Flock camera searches, 2) create a reliable and searchable database of Flock and similar cameras, and 3) make it easier for people to know when they're being recorded by other cameras like Ring and Nest doorbells.
Flock Searches
Sites like haveibeenflocked.com aggregate data from public record requests for Flock searches by cops. Although the database is incomplete and should be used with caution, it's very useful. You can easily download a JSON file of Flock searches and analyze them. The catch is that governments often redact data in public record requests, do so inconsistently, and this often leads to there being multiple records in the database for the same search.
Because other fields are redacted inconsistently, I've generally treated the combination of the searching agency and the timestamp of the search as a de facto primary key. If that's identical between two records, then they should be merged into one. I suspect it's extremely rare for any police agency to perform two Flock searches at exactly the same time down to the second, so I believe the chance of me missing searches because of this is negligible. This is in addition to the aggregation already done by haveibeenflocked.com. If there are better ideas for this, I'd like to hear them.
If you're going to confront a city council about abuse, you probably want it to be obvious and incontrovertible. Some police departments routinely use vague reasons for a search like "investigation" or "invest", but they don't say what type of investigation. It could be a murder investigation, but they could just as easily be investigating No Kings protesters. There are also many instances where Flock cameras are used to investigate low-level offenses.
Some police agencies also have a high usage of one or two characters as the reason for searches. If a cop enters "a" as the reason for a search, that seems to be an abuse. But I've also seen where the same cop conducts numerous searches that have the same license plate hash, and they'll enter something like "stolen" as the reason for some of the searches and "a" as the reason for other nearly identical searches. Now, "stolen" is also vague because you don't know if it's about stolen vehicle, other stolen property, or even stolen money. But a cop might say that it's too tedious to even type "stolen" for each search, so they get lazy and just type a single letter. This is an abuse, but is it indisputable enough to change the minds in a city council that ardently defends the surveillance?
I'm looking for ideas about how to better analyze the data and identify abuses that are so blatant that even the most stubborn city council can't deny that there's a problem.
Detecting the Flock
Flock cameras used to be detectable because they advertised themselves over Wi-Fi and BLE with names like "Flock-1234567890" or "Penguin-1234567890", but they started removing the "Flock-" and "Penguin-" prefixes. However, the data fragments being advertised still gave away that it was a Flock camera. Specifically, the 0xFF fragment began with 0xC809, and 09C8 is the manufacturer ID for Xuntong. Because this is almost exclusively associated with Flock, that's pretty much a giveaway. In my experience, this is detectable as a pedestrian at a range of 20-30 meters. However, within the past couple of weeks, only one of the four Flock cameras I've walked up to actually announces itself over BLE. Flock seems to be turning off the BLE advertisements to better conceal their cameras.
I believe BLE was used for maintenance, but this is now being done with Wi-Fi signals. My understanding is that Flock cameras now transmit probe requests that can still reveal their presence, and this is functionally for the same purpose. It's easy to put a card into promiscuous mode and listen for probe requests. However, lots of devices send probe requests. How can someone determine that the requests came from a Flock camera instead of someone's phone or computer searching for Wi-Fi networks? There are vendor-specific payloads and lots of other data in the frame headers, so might any of this be useful to show that it's a Flock camera doing the probing? For now, detection seems to be mostly based on the organizationally unique identifier (the first three octets) of the Wi-Fi MAC address that is present in the Wi-Fi probe requests.
Although Flock cameras seem to get the most attention, there are other vendors like Motorola Solutions, and they're no less a threat to liberty and privacy. Are there any similar ways to detect their cameras using BLE or Wi-Fi signals? This matters, especially because maps on sites like deflock rely on crowdsourced data that is incomplete and can be poisoned by bad actors.
Detecting Ring and Nest Surveillance
If a building owner is going to record me walking on a public sidewalk, I'd like to be able to detect their surveillance and know I'm being recorded. If they're going to watch me, it's only fair that I watch their surveillance.
There won't be BLE advertisements, but there are side channel vulnerabilities that could alert a person they're being recorded. If motion is detected, this triggers a burst of packets [.PDF] that can be detected by analyzing the traffic. This should cease once the person moves beyond the camera's field of view for a few seconds. If you walk past the camera a few times and find that one spot consistently triggers a bunch of packets, it's probably the edge of the camera's field of view.
If you're just out for a walk and don't like being watched, it seems like the sudden burst of packets from a MAC address that's used in Amazon or Google devices might be a good indicator that you're being recorded. But other devices might have similar MAC addresses such as a Fire TV Stick or a Kindle Fire tablet. Are there other ways to distinguish that the particular device is likely to be a camera? Again, is there anything in the frame headers that might be useful here?
As for mapping out the edges of the surveillance, this exposes why most of these consumer-grade cameras are security theater. I obviously disagree with trespassing to map out someone's security cameras on their own property, especially if you're doing this with the goal of committing another crime besides trespassing. But a skilled criminal could sit in a car and watch you doing yard work or kids playing on your lawn, mapping out what locations trigger your cameras. Wi-Fi traffic patterns could even allow an intruder to infer if you're at home or not so they know when to break in. Unlike Wi-Fi jamming and deauth attacks, this is completely passive. It could be mitigated by sending a consistent amount of traffic regardless of whether the camera is recording or not, but cheap consumer-grade cameras don't do this, and it's usually to conserve battery life. It's security theater, invading the privacy of law-abiding pedestrians and likely the camera system's owner while remaining highly vulnerable to actual intruders. It provides a false sense of security and harms innocent pedestrians while being highly vulnerable to side channel attacks and perhaps even increasing the risk of crime.
Disclaimer: I strongly oppose implementing any of the ideas I've described to assist in criminal activity. Don't do this. But I also believe that government use of mass surveillance or things like facial recognition in consumer-grade cameras is illegal.
Read more of this story at SoylentNews.
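The submitter asks how to merge inconsistently redacted Flock search records and how to surface reasons that are blatantly vague. The Python below is an added example, not the submitter's code and not anything published by haveibeenflocked.com: it treats (agency, timestamp) as the primary key, fills each field from whichever duplicate copy was left unredacted, buckets search reasons into redacted / one-or-two-character / vague / specific, and lists plate hashes that one agency searched under more than one reason class (the "stolen" versus "a" pattern). The field names, the redaction markers, the vague-word list and every record in SAMPLE_JSON are assumptions constructed for the example, not real export data.

```python
"""Merge and triage Flock search records from a public-records JSON export.

Added example; field names, redaction markers and the 'vague' word list are
assumptions, and SAMPLE_JSON is constructed, not real export data.
"""
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of an export: one row per search, with the
# same search appearing twice because one copy was redacted differently.
SAMPLE_JSON = json.dumps([
    {"agency": "Example PD", "timestamp": "2025-03-01T14:02:11", "reason": "stolen", "plate_hash": "h1"},
    {"agency": "Example PD", "timestamp": "2025-03-01T14:02:11", "reason": "REDACTED", "plate_hash": "h1"},
    {"agency": "Example PD", "timestamp": "2025-03-01T14:05:40", "reason": "a", "plate_hash": "h1"},
    {"agency": "Example PD", "timestamp": "2025-03-01T14:06:02", "reason": "a", "plate_hash": "h1"},
    {"agency": "Example PD", "timestamp": "2025-03-02T09:15:00", "reason": "investigation", "plate_hash": ""},
    {"agency": "Other SO", "timestamp": "2025-03-02T09:15:00", "reason": "homicide case 25-0042", "plate_hash": "h2"},
    {"agency": "Other SO", "timestamp": "2025-03-03T11:00:00", "reason": "", "plate_hash": "h3"},
])

REDACTION_MARKERS = {"", "redacted", "[redacted]", "n/a"}  # assumed; adjust to your export
VAGUE_REASONS = {"investigation", "invest", "inv", "investigate", "case", "search"}  # assumed

def is_redacted(value) -> bool:
    return value is None or str(value).strip().lower() in REDACTION_MARKERS

def merge_records(records):
    """Collapse rows sharing (agency, timestamp) into one row, filling each
    field from whichever copy was not redacted."""
    merged = {}
    for row in records:
        key = (row["agency"], row["timestamp"])
        current = merged.setdefault(key, dict(row))
        for field, value in row.items():
            if is_redacted(current.get(field)) and not is_redacted(value):
                current[field] = value
    return list(merged.values())

def classify_reason(reason) -> str:
    text = (reason or "").strip().lower()
    if is_redacted(text):
        return "redacted"
    if len(text) <= 2:
        return "one_or_two_chars"
    if text in VAGUE_REASONS:
        return "vague"
    return "specific"

def triage(records):
    """Return (per-agency reason-class counts, plates one agency searched
    under more than one reason class)."""
    by_agency = defaultdict(Counter)
    plate_classes = defaultdict(set)
    for row in records:
        cls = classify_reason(row.get("reason"))
        by_agency[row["agency"]][cls] += 1
        if not is_redacted(row.get("plate_hash")):
            plate_classes[(row["agency"], row["plate_hash"])].add(cls)
    inconsistent = sorted(k for k, v in plate_classes.items() if len(v) > 1)
    return {a: dict(c) for a, c in by_agency.items()}, inconsistent

def analyze(json_text):
    """Load an export, merge duplicates, triage. Returns (unique_count, stats, inconsistent)."""
    records = merge_records(json.loads(json_text))
    stats, inconsistent = triage(records)
    return len(records), stats, inconsistent

if __name__ == "__main__":
    n, stats, inconsistent = analyze(SAMPLE_JSON)
    print(f"{n} unique searches")
    for agency, counts in stats.items():
        print(agency, counts)
    print("plates searched under inconsistent reasons:", inconsistent)
```

The merge step keeps the (agency, timestamp) key the submitter already uses; the only addition is that a redacted field in one duplicate is back-filled from the other, so a redacted "reason" does not hide a one-letter reason that survived in the second copy. The inconsistent-reasons list is the shape of evidence that is hardest to explain away, because it shows the same officer treating the same plate as both a specific case and a throwaway keystroke.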
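For the "Detecting the Flock" section, this added example (mine, not the submitter's and not anything from Flock) parses a raw BLE advertising payload into its AD structures and reports the two indicators the post describes: a device name starting with "Flock-" or "Penguin-", and a manufacturer-specific (0xFF) structure whose 16-bit company identifier is 0x09C8. The company identifier is transmitted little-endian, which is why the post sees the bytes C8 09 at the start of the 0xFF fragment. All three payloads are constructed for the example, not captured from real hardware.

```python
"""Fingerprint BLE advertisements by name prefix or manufacturer company ID.

Added example; the payloads below are constructed, not captured from devices.
"""
COMPANY_ID_FLOCK = 0x09C8        # the manufacturer ID the post associates with Flock (Xuntong)
NAME_PREFIXES = ("Flock-", "Penguin-")
AD_FLAGS, AD_SHORT_NAME, AD_COMPLETE_NAME, AD_MANUFACTURER = 0x01, 0x08, 0x09, 0xFF

def ad(ad_type: int, data: bytes) -> bytes:
    """Encode one AD structure: [length][type][data], length counting the type byte."""
    return bytes([len(data) + 1, ad_type]) + data

def parse_ad_structures(payload: bytes):
    """Split an advertising payload into (type, data) pairs; raise on truncation."""
    structures, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                       # zero-length structure marks padding
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure")
        structures.append((payload[i + 1], bytes(payload[i + 2:i + 1 + length])))
        i += 1 + length
    return structures

def is_well_formed(payload: bytes) -> bool:
    try:
        parse_ad_structures(payload)
    except ValueError:
        return False
    return True

def flock_evidence(payload: bytes):
    """List the indicators found: a 'Flock-'/'Penguin-' name and/or company ID 0x09C8.
    The 16-bit company ID is little-endian on the air, so 0x09C8 appears as bytes C8 09."""
    evidence = []
    for ad_type, data in parse_ad_structures(payload):
        if ad_type in (AD_SHORT_NAME, AD_COMPLETE_NAME):
            name = data.decode("utf-8", "replace")
            if name.startswith(NAME_PREFIXES):
                evidence.append("name:" + name)
        elif ad_type == AD_MANUFACTURER and len(data) >= 2:
            company = int.from_bytes(data[:2], "little")
            if company == COMPANY_ID_FLOCK:
                evidence.append(f"company_id:0x{company:04X}")
    return evidence

# Constructed payloads: old naming, new naming with only the manufacturer fragment,
# and an unrelated device with some other company ID.
OLD_STYLE = ad(AD_FLAGS, b"\x06") + ad(AD_COMPLETE_NAME, b"Flock-1234567890")
NEW_STYLE = (ad(AD_FLAGS, b"\x06") + ad(AD_COMPLETE_NAME, b"1234567890")
             + ad(AD_MANUFACTURER, b"\xC8\x09\x01\x02\x03"))
OTHER = ad(AD_FLAGS, b"\x1a") + ad(AD_MANUFACTURER, b"\x4c\x00\x10\x02")

if __name__ == "__main__":
    for label, payload in (("old", OLD_STYLE), ("new", NEW_STYLE), ("other", OTHER)):
        print(label, payload.hex(), flock_evidence(payload))
```

A scanner that only matched on the name prefix stopped working when the prefix was dropped; matching on the company identifier survives that change but, as the post notes, not a device that stops advertising altogether. The truncation check matters when feeding this from a live scan, where a clipped payload should be discarded rather than misparsed into a false company ID.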
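On the Wi-Fi side the post says detection currently rests on the OUI of the source MAC in probe requests and asks whether vendor-specific payloads or header fields help. This added example (not the submitter's code, and the post gives no actual OUI, so WATCHLIST_OUIS holds a fictional placeholder) parses a raw 802.11 management frame, checks that it is a probe request, and pulls out the source address, its OUI, the locally-administered bit, the SSID and the OUIs carried in any vendor-specific information elements (tag 221). The locally-administered bit is the practical caveat: phones randomize the MAC they probe with, and a randomized MAC has no meaningful OUI. Both frames are constructed here.

```python
"""Attribute 802.11 probe requests to a vendor by source OUI and vendor-specific IEs.

Added example. WATCHLIST_OUIS is a placeholder: the post says detection relies on
the OUI of the camera's Wi-Fi MAC but does not give it, so the value here is
fictional, as are the frames below.
"""
WATCHLIST_OUIS = {"A8:BB:CC"}             # placeholder; load your own list

MGMT_HEADER_LEN = 24                      # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)
IE_SSID, IE_VENDOR = 0x00, 0xDD

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)

def build_probe_request(sa: bytes, ssid: bytes, vendor_ies=()) -> bytes:
    """Construct a minimal probe request (type 0, subtype 4); addr1/addr3 are broadcast."""
    frame_control = bytes([0x40, 0x00])   # version 0, type management, subtype 4
    header = frame_control + b"\x00\x00" + b"\xff" * 6 + sa + b"\xff" * 6 + b"\x00\x00"
    body = bytes([IE_SSID, len(ssid)]) + ssid + bytes([0x01, 0x01, 0x02])  # one supported rate
    for oui, oui_type, data in vendor_ies:
        payload = oui + bytes([oui_type]) + data
        body += bytes([IE_VENDOR, len(payload)]) + payload
    return header + body

def parse_probe_request(frame: bytes):
    """Return SA, its OUI, the locally-administered bit, the SSID and vendor-IE OUIs,
    or None if the frame is not a probe request."""
    if len(frame) < MGMT_HEADER_LEN:
        raise ValueError("frame shorter than management header")
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) != 4:
        return None
    sa = frame[10:16]
    info = {"sa": mac_str(sa), "oui": mac_str(sa[:3]),
            "locally_administered": bool(sa[0] & 0x02), "ssid": None, "vendor_ouis": []}
    i = MGMT_HEADER_LEN
    while i + 2 <= len(frame):
        tag, length = frame[i], frame[i + 1]
        value = frame[i + 2:i + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        if tag == IE_SSID:
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag == IE_VENDOR and length >= 3:
            info["vendor_ouis"].append(mac_str(value[:3]))
        i += 2 + length
    return info

def assess(frame: bytes) -> str:
    """'watchlist' if the SA OUI or a vendor-IE OUI is listed; 'randomized' if the SA is
    locally administered (phones randomize probe MACs, so the OUI means nothing);
    else 'no_match'."""
    info = parse_probe_request(frame)
    if info is None:
        return "not_probe_request"
    if info["oui"] in WATCHLIST_OUIS or any(o in WATCHLIST_OUIS for o in info["vendor_ouis"]):
        return "watchlist"
    if info["locally_administered"]:
        return "randomized"
    return "no_match"

# Constructed frames: a device probing with a burned-in MAC and a vendor IE,
# and a phone probing with a randomized (locally administered) MAC.
CAMERA_FRAME = build_probe_request(bytes.fromhex("a8bbcc000001"), b"",
                                   [(bytes.fromhex("a8bbcc"), 0x01, b"\x00\x01")])
PHONE_FRAME = build_probe_request(bytes.fromhex("0a1b2c3d4e5f"), b"HomeWiFi")

if __name__ == "__main__":
    for label, frame in (("camera", CAMERA_FRAME), ("phone", PHONE_FRAME)):
        print(label, assess(frame), parse_probe_request(frame))
```

Raw frames of this shape are what a capture tool hands you from an interface in monitor mode. The vendor-IE OUI is a second, independent handle: a device can be given a random source MAC, but any vendor-specific element it includes still names its OUI, so a match on either field is worth recording along with the SSID it asked for.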
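The Ring/Nest section describes a passive side channel: a motion event produces a burst of uplink packets that stops once the person leaves the field of view. This added example (mine, not the submitter's) shows the detection logic run over a constructed stream of (timestamp, source MAC, frame length) records: it bins bytes per source per second, takes each device's own median rate as its baseline, and reports runs of consecutive seconds that exceed a multiple of that baseline. The sample also includes a steady streaming device to show why per-device baselining is needed and why a camera that pads to a constant rate, the mitigation the post mentions, would not be flagged. The two MAC addresses are placeholders and nothing here is captured traffic.

```python
"""Detect upload bursts from a single Wi-Fi MAC, the motion-triggered side channel.

Added example; the frame records are constructed (timestamp, source MAC, frame
length), not captured traffic, and the camera/stick MACs are placeholders.
"""
from collections import defaultdict
from statistics import median

CAMERA = "AA:BB:CC:00:00:01"   # placeholder MACs
TV_STICK = "AA:BB:CC:00:00:02"

def make_sample(duration_s=20, motion=range(10, 15)):
    """A camera that idles at one small keepalive per second and pushes ~11 KB/s while
    it thinks it sees motion, next to a streaming stick running a flat ~5.6 KB/s."""
    frames = []
    for t in range(duration_s):
        frames.append((t + 0.1, CAMERA, 200))
        if t in motion:
            frames += [(t + 0.2 + k * 0.1, CAMERA, 1400) for k in range(8)]
        frames += [(t + 0.05 + k * 0.2, TV_STICK, 1400) for k in range(4)]
    return frames

def bytes_per_bin(frames, mac, bin_s=1.0):
    """Sum frame lengths from `mac` into bins of `bin_s` seconds."""
    bins = defaultdict(int)
    for ts, src, length in frames:
        if src == mac:
            bins[int(ts // bin_s)] += length
    return bins

def find_bursts(frames, mac, factor=5.0, min_bins=2, bin_s=1.0):
    """Return [(start_bin, end_bin)] where per-bin bytes from `mac` exceed `factor` times
    the device's own median rate for at least `min_bins` consecutive bins."""
    bins = bytes_per_bin(frames, mac, bin_s)
    if not bins:
        return []
    first, last = min(bins), max(bins)
    series = [bins.get(b, 0) for b in range(first, last + 1)]
    threshold = factor * max(median(series), 1)   # baseline is the device's own median
    hot = [first + i for i, v in enumerate(series) if v > threshold]
    bursts, start, prev = [], None, None
    for b in hot:
        if start is None:
            start = prev = b
        elif b == prev + 1:
            prev = b
        else:
            if prev - start + 1 >= min_bins:
                bursts.append((start, prev))
            start = prev = b
    if start is not None and prev - start + 1 >= min_bins:
        bursts.append((start, prev))
    return bursts

if __name__ == "__main__":
    sample = make_sample()
    print("camera bursts:", find_bursts(sample, CAMERA))   # [(10, 14)]
    print("stick bursts:", find_bursts(sample, TV_STICK))  # []
```

Paired with your own position log, the start of a burst is the moment you crossed into the field of view and its end is a few seconds after you left it, which is how the edges the post describes get mapped. The stick is never flagged because its rate is flat, which is exactly the property a camera would need to defeat this: constant-rate padding, not just a different MAC, removes the signal.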