‘Erosion of Our Privacy’: Giving Biometric Data to Tech Firms Can’t Enhance Security
CC BY 2.0 / Mehmet Pinarci / DNA strand
A number of incidents of technology companies getting worrisome control over the biometric data of users, such as photo IDs and even DNA, have hit US headlines in recent days.
Two experts told Sputnik that while they’re often sold as ways to enhance security, surrendering such data actually makes us less safe.
Police Browse Ancestry Research Database
In one US media report, it was revealed that GEDmatch, a database for a DNA-based ancestry research company, had been sharing its data with law enforcement agencies even when the users had checked a box opting out of their data being accessible by police.
Software engineer and technology and security analyst Patricia Gorki told Radio Sputnik on Wednesday it was a “criminal breach of privacy” and of contract for the company to do so, pointing out that even though it has led to the apprehension of criminals like the Golden State Killer, this trend represents a worrisome erosion of Americans’ right to privacy under the Fourth Amendment.
“So this case of the police using the GEDmatch database is a violation of the terms of service. And this is not a civil offense or a criminal offense, it's really a breach of contract,” she said. “Which brings up these interesting questions of: here we have millions of people uploading the most sensitive data that they have possible - their own DNA - into the database of a private company who's created an entire portal and system for law enforcement and for police. And it's not just local police or state police, but also the FBI and other government agencies. And the changes that they made, the reason why they're even able to search specifically for people who've opted out - it's called a ‘loophole’, but in some ways, this really should be a criminal breach of privacy.”
“When we upload our information into a system, we anticipate being able to use it for research, for learning more about ourselves, learning more about the world. But what this is really doing is creating a police database that cops all over the country can use to search and really violate our rights.”
“We shouldn't” be celebrating the ability of law enforcement to cast such a wide net as these DNA databases allow them to, Gorki said.
“For every individual case that's highlighted as a triumph of some criminal going behind bars, what's really not being exposed is just that: the violation of [the rights of] how-many-millions of people in this country and around the world. And in a lot of ways there's a parallel here to the mass surveillance by the US government that was revealed 10-or-so years ago when Snowden came out with the documents that he leaked showing how the US government spies on entire populations, pulling up all of our email data, all of our phone call data. People know instinctively that this is wrong, but when it's under the guise of a private company, suddenly there is more of a disconnect where it's harder to see the damages. But this is a very real invasion of privacy,” Gorki explained.
“It's hard to say exactly just how DNA data could be used in these different ways, but in terms of drawing connections, finding relationships between people and families or the ultimate base of networks, and as the US government in particular, through its different efforts to build up networks of people and identify the social networks, which is something that Facebook* does quite well, then you're really able to understand who are people around, what are their characteristics, what are the families that are there. But this is really paving the way for the continued normalization of the erosion of our privacy. And especially when we think about the fact that at the moment, our phone calls can be handed over to the US government, our emails.”
“And not just handed over, these companies actually have built-in backdoors to the government - Facebook. Google. And we know from recent memory how one woman in Texas is being prosecuted - her and her daughter - for seeking an abortion, for the right to have direction over her life. And that was pulled out from her Facebook Messenger account. And so we can be sure that this DNA data to draw connections with other people will be looped in with other data as well.”
When asked about the potential for new legislation or regulation to rein in the potential for abuse of users’ data by private companies, Gorki pointed out that “regulation depends on the regulators.”
“We know that those who are the ones who are writing the laws have passed such laws as the Patriot Act. Our entire web browsing history - that was a recent addition in 2020 - can be viewed and words subpoenaed by the US government. There are many different ways that this kind of access could be limited. In a responsible society, where we actually had a Justice Department that really worked for the people, then yes, there could be ways to make sure that every single request was monitored and reviewed and approved,” she said.
“But instead, what we have is actually this carte blanche access to all of our data by the same police officers that brutalize Black people in the streets, by the same security agencies that target Muslim people.”
“And so the regulations themselves, you know - it's important to push, of course, for privacy laws, many of which are actually on the books, and those could be enforced and should be enforced. And if anything, what should happen is that people should go to jail for exposing this level of sensitive information. But that's not going to happen now, while we have the likes of anti-privacy hawks like Biden and others in the government.”
Another story in the media has been the revelation that X, formerly known as Twitter, reportedly plans to require some users to submit a photo ID alongside a selfie photo to have their identity verified by an artificial intelligence program. The data will reportedly be handled by a company connected to Israel’s security apparatus.
X Might Use Israeli AI to Verify Photo IDs
Technologist Chris Garaffa, who is also co-host of the Covert Action Bulletin podcast, told Radio Sputnik that in addition to handing over user data to a company connected to a notorious security agency, the Shin Bet, X’s purported verification plan also contains the potential for massive identity theft by malicious actors.
“We don't know if this is going to be a feature. What we do know is that a researcher named Nima Owji found this by poking around the Twitter app,” Garaffa explained. “There are a lot of researchers out there who do this: they download the app, they poke around it. You know, you're just trying to find things in the app, or they go through technical processes to find pictures, or strings of text. They're looking to find, you know, what are the cool new features coming out or what are the terrifying new ones that are being tested. And this is one of those terrifying potential new features.”
“What it would mean is that if you're on Twitter or X and you want to verify your account, you may be required to post a selfie and a photo of your ID to the service. Now, it wouldn't be posted publicly on your feed of course, but instead it would actually be sent to a third party company,” they said. “This company is AU10TIX. I believe they're going for ‘authentics’ or something like that in how they are spelling their name, but they call themselves an ‘identity verification company.’ And we should understand who this company is: they were formerly part of a company called ICTS International. ICTS is a Dutch company that was founded in 1982. It was actually founded by members of Shin Bet, which is the Israeli security agency, and also security staff at El-Al Airlines - of course, El-Al being an Israeli airline. They started AU10TIX as a subsidiary, they then moved on and it’s now kind of its own company, but still very closely tied, of course, to the Israeli defense industry and surveillance industry.”
“So what you would have to do to verify yourself is upload a selfie along with a photo that contains your ID in it. And this company based in Israel gets that photo. They have AI technology, they call it ‘cutting-edge AI and machine learning technology’, and they say that they can verify your ID in four to eight seconds, but they also would have human fallbacks if needed, which of course would probably take a little bit longer. So the idea of needing to upload your ID to a private company in the US that then sends that photo of your ID to another company that's tied to the Israeli surveillance industry - which will then hold your image, by the way, for 30 days. They say that they will delete the images that they're sent after 30 days. Really should actually be very scary to anyone.”
“From what we know, this would be potentially optional for Blue users, so, subscribers to Twitter. That's what a Community Note that's currently on a tweet says. But again, we've had no confirmation from Elon Musk or Linda Yaccarino, the CEO of Twitter, of what actually this is about,” Garaffa told Sputnik.
“There's a history, though, that we should talk about, about the idea of having social media sites force people to verify their identity. Facebook at one point played around with it, and even today, if your Facebook account gets taken over or they think you're committing suspicious activity, you may be asked to upload your ID to Facebook in order to verify and unlock your account. Unfortunately, this could be very, very dangerous for many people in particular, you know, human rights workers who rely on social media, activists, sex workers are often, you know, targets of state repression or private repression by corporations or whoever, you know, it is they're working to expose. And so the idea of forcing any kind of identity verification on social media sites right now like this should really be chilling for anyone who's looking at it.”
Garaffa noted it was also “a really huge opportunity for scammers” because of the already-well-known experience of users being locked out of their accounts by Meta*, being required to submit an ID to the company to regain access, and never hearing back.
“I mean, go on Twitter or even Instagram and just say, ‘Oh, my Facebook account got hacked,’ and you know, within minutes at the most you will have responses and direct messages saying, ‘oh, contact this person, they helped me unlock my account.’ Those are all scams. No third party, random Instagram user with 500 followers - that they probably paid for - is going to be able to unlock your Facebook account if Facebook isn't doing it for you. But, they can ask you for money, they can ask you for personal details. They can ask you for a photo of your ID. And if you believe that X or Twitter or whatever or Facebook are, you know, that this is a legitimate part of their process, then people can be tricked into believing that, yeah, I should go send this random person on Instagram with ‘Facebook Community Support’ misspelled in their username - And I've seen this happen, you know - I'll send them a photo of my ID, which then leads to identity theft. So all around [they’re] really not thinking about how this is going to negatively impact people.”
*Meta and its subsidiaries Facebook and Instagram have been banned in Russia for extremist activities