Transatlantic Cable podcast, episode 104

Jeff and Dave discuss Five Eyes looking to weaken encryption, possible social media changes, Amazon Rings used for surveillance, and more.

Kaspersky Lab podcast: Five Eyes for weak encryption, possible changes to social media, Amazon Ring working for government, Equifax breach

Welcome to the 104th installment of the Kaspersky Transatlantic Cable podcast. This week, we take a look at some important stories that you may have missed.

We start with a meeting of the Five Eyes nations. While there, the government representatives pushed for more back doors in encryption — because of criminals. Is this a good thing or a bad thing?

Following that story, we head to the US, where a law proposed to Congress would ban such addictive properties of social networks as infinite feeds and autoplaying videos. Sticking with the law, we look at challenges from privacy groups about Amazon’s Ring doorbell and its role in surveillance — that is, surveillance performed by law enforcement. We close out the week’s podcast looking at the latest in the Equifax breach.

If you enjoy the podcast, consider subscribing and sharing with your friends who need more regular updates on security. For the full text of the stories, please visit the links below:

Jeff: So this first story this week is really interesting, because it’s the first one in a while, I feel like, that we’ve had the Five Eyes group together and talking about one of the government’s favorite things, and that’s building back doors in encrypted applications.

Dave: Yeah, we have spoken about this a couple of times in the past, you know, I sometimes feel we have quite a few sort of jokey stories on the podcast, and then we get hit by something like this. This is quite a serious story. So the Five Eyes group, which is, I believe, Australia, Canada, New Zealand, the United Kingdom, and the United States. So a group of countries which share information, kind of spy intelligence stuff, I’m no expert on the whole thing. They are basically saying that companies that use encryption, so that’s pretty much every company, should build specific back doors into messenger apps and specific tools so that they can listen in.

Jeff: The third paragraph of this story really just bothers me a lot. It says, “The Five Eyes are united that tech firms should not develop their systems and services, including end-to-end encryption, in ways that empower criminals to put vulnerable people at risk.” Now, and this is from Priti Patel from the UK. And I think when you look at this, you know, this quote, I know got a lot of negative connotations to it in the press. But to me, when you read this, the definition of the word criminal is the part that I feel governments abuse the most, in mass surveillance. And that’s what the problem is with trying to put a back door in encryption, which at the end of the day really isn’t encryption at all if you start to put that in there, right?

Dave: Yeah, well, it’s not just criminals, it’s criminals and terrorists. If you say criminals or terrorists, you can basically just —

Jeff: That’s where you start to get up on that MAGA bandwagon. Yeah, get there. But you know, I think the South Park thing. “They’re taking our jobs!” Like, you think about those type of things, that that’s where it comes up to you like, you almost feel like this is set in a South Park episode, like this is something that would come out of Eric Cartman’s mouth.

Dave: Yeah, definitely. And the thing that frustrates me a little bit is we hear this rhetoric every few months, I’m pretty sure we spoke about this similar sort of story — either Five Eyes or the US or the UK minister saying pretty much the same thing that we need to build back doors. In fact, it might have been the story we were talking about where the UK had built a way of becoming ghost participants inside WhatsApp chats.

Jeff: We’ve talked about that on this podcast, yes.

Dave: And we hear the same thing coming through. I understand the position, you know, that criminals do use these tools. But at the same time, maths is maths. There’s not a kind of middle ground.

Jeff: Math is hard.

Dave: Yeah. It works or it doesn’t. So that’s the whole point of encryption, if it’s broke, if there’s a backdoor encryption for it, it’s no longer encrypted.

Jeff: I think the problem with this is, and I understand the government wanting certain things, and I see in the story where it talks about things like pedophilia being something that’s marked by the companies and something that they’re willing to kind of talk about, because nobody likes that stuff. And if you are one of those people, you’re sick. There, I said it. I said it for both of us, Dave, but I think when you look at these types of things, this whole story just gives me the heebie-jeebies looking at it, because you know, living in the US, the government has abused their surveillance program, there are no ifs, ands, or buts about it in terms of the way that they’ve listened to US citizens on things. It’s been abuse. And I think you’ve seen that it’s not just a personal opinion of mine, you’ve seen it in actual court cases against the groups and the government actually telling the NSA, you have to pull back your spying program on US citizens. So, what’s to say that this wouldn’t happen again? And to be honest with you, I think, looking at this type of thing, I would feel horrible using any type of application that we rely on for end-to-end encryption that agreed to this type of back door.

Dave: Yeah, I think a lot of ministers and countries that are trying to lobby for this sort of breaking of encryption don’t understand a lot of the time what they mean when they’re talking about it, you know, that they say that they need to build back doors. Like it’s a simple thing, right? Like, oh, you just need to press a button and we can get in through the side — it’s not how it works. And I think there’s a fundamental gap where, you know, not just tech companies, but cybersecurity specialists, and all these different people and groups are trying to explain what encryption is. And why it’s important.

Jeff: Government people didn’t always get elected to have their biggest tech smarts. They’re usually career politicians whose biggest asset is their mouth, talking about things and getting policies passed, and their politics, if you will. And you know, I think with all this another thing to say about this, too, and I think this has been an argument against the back doors in the past is, you know, outside of abuse of these type of things, getting aside from the math because, listen, Dave, we both went to school for literature and language. We didn’t go to school for math. It’s —

Dave: I’ll tell you something, Jeff, I failed math twice.

Jeff: Me too. I got a D in college. Because I brought the guy a 12-pack at my final, and because you couldn’t fail, because if you showed up to every class you got enough to get a D. So even though I was gonna fail, I showed up. Hat tip to Seton Hall University. The reason that we work so closely with Svetlana, you know, our analyst, is she’s good at math. But I think, you know, when you start looking at these things, I think the other problem is, it’s not just that of the abuse. But when you come to this type of thing. Let’s be honest here. How good have some countries been with their known exploits of things like Windows? Okay, yeah. So if you can’t keep your exploits to yourself, and get them leaked out, how can you be trusted with the back door that people are using, which I think WhatsApp is the most popular messaging app out there. And then you add Facebook Messenger on top of that, which is just WhatsApp and Facebook, pretty much minus some of the encryption, you start to have a giant customer base that now can be surveilled. And let’s not forget here, at the same time that the UK and the US are kind of pointing fingers at places, they also have Facebook and Cambridge Analytica in their crosshairs of political discourse. So when you start looking at that, on one hand, you want to vilify a company that doesn’t work around it, but at the same time, you want your own workaround, so —

Dave: Yeah, they want a cake and eat it, basically.

Jeff: I’m glad you said that one. Because I was thinking about the Fig Newton commercial.

Dave: I don’t know that one.

Jeff: I’ll send you a link later. But it’s a US thing they use the queen of England’s kind of with the whole have “your cake and eat it too,” and it shows now you can have your cake and eat it too. And this is like a commercial from the 80s, so I’m definitely dating myself. But I think with this one, I think we can agree on this one. This is bad for business. And, you know, these countries saying it, too, like, you start to look at it like the groups in here. Every one of these five countries has protected classes of people, and they do have people like journalists or victims of domestic abuse, they really want to have things that are hidden conversations. And they don’t want people snooping in because it is for safety reasons, right?

Dave: Yeah, I mean, we all have something to hide. Yeah, one doesn’t have to be illegal activity.

Jeff: My real question is, would all these politicians want people to be able to read what’s in their messages?

Dave: Yeah, this is this is the argument, isn’t it? And the answer will be no, but …

Jeff: I bet you there’s some dick pics in there.

Dave: [laughs] Let’s keep it PG. Let’s keep it PG. Let’s jump over to the next story because we are fast running out of time, actually, Jeff. The next story is, well, still talking about governments and the US government in particular, something about the US could ban social media apps from using psychological tricks like infinite scrolling and autoplay. I like this story. The problem is I don’t think it’s gonna go anywhere.

Jeff: On one hand, I see the point that they’re making from it, and that a Republican representative is making this makes it even more interesting, given that they’ve been more pro to some of these things. But I think especially they’re pro-business, and the problem here is a lot of these things. They’re talking about battling social media addiction, which we do know is, you know, a categorized issue now with people. But I think when you look at some of these things, the problem I see with this is you’re fundamentally changing the way some of these platforms work. So even with this bill going through, you’re probably talking about 10 years before anything happens, because this is going to get caught up in courts, because think about this one. Autoplay, what does Facebook use to make its money on videos? Autoplay. Then you start to go through here. Now you look at another one, infinite scroll or autorefill. How does YouTube get people to listen to it? Like, for example, I use YouTube instead of using something like Spotify.

Dave: Yeah, I suppose I do like where he’s coming from. And it’s good that, you know, we’re having this discussion and it is being talked about in government. The problem is, and probably the closest example I can compare it to is TV, right. There’s no regulation. No, there’s no regulation around TV.

Jeff: Commercials.

Dave: I mean, that’s regulated to a sense. But …

Jeff: … it’s also part of the government to in type of regulation. Like in the US, we got the FTC, the FCC, look at all these types of things.

Dave: Yeah. But what I’m alluding to is the fact that you can just binge-watch TV all day, there’s no like, feature stopping you from watching TV all day, which means you’d be, you know, exposed to hundreds of ads all day, and there’s nothing, there’s no rules to stop you doing that. Whereas he’s proposing that basically, that would stop,

Jeff: On one level, I’m wondering

Dave: how social media works.

Jeff: I’m also wondering on some level, if some of these companies have been briefed on this before this going out there? Because like, look at Facebook now. It’s testing taking away the likes and like the hearts and some of the markers on Instagram. Because then it doesn’t do the social proof. It does. Is it a badging system, it isn’t something that can start to add to the way that people look. So, let’s see. Let’s see what happens with that. I don’t see this ever coming into law. It’s a good conversation. But will it become law? Probably not. And, you know, keeping on the laws and government surveillance and types of things, this next story is really interesting, because it’s talking about police getting criticized by antisurveillance campaigns based upon Amazon’s Ring.

Dave: Yeah, this is a disturbing story, but it depends which side of the fence you’re on already. So, Ring has partnered with something like 200 police forces in the States. As far as I’m aware, this isn’t happening over in the UK at all. But over in the States.

Jeff: What do you guys need extra surveillance for?

Dave: Oh, we’ve got CCTV everywhere, right? Yeah, we don’t need that sort of stuff. So over in the States, the police access people’s Ring video surveillance, and I think they can kind of go back in time and see what’s going on. They don’t need a warrant. This is the thing which has concerned a lot of people: they don’t need a warrant. All they need is agreement from the owner of that particular Ring doorbell for them to be able to get on and look at the video footage.

Jeff: Let me guess, it’s hidden in the EULA.

Dave: Yes, it is. So on the one hand, we’re talking about the two different sides of the fence. On the one hand, is this a good way for police forces to have extra evidence in bringing people to justice? Any sort of things like that? Or is it a kind of under-the-floor way of getting a surveillance state? How you see that depends on sort of how you approach this sort of topic. If you are very privacy conscious, you will probably see this as being a bad thing. Right?

Jeff: Yeah, I think when you look at this, it’s really one of those things that, who would have ever thought that we would have brought the police state on ourselves. You know, everybody talks about like 1984, The Village, video surveillance around the clock and believing it’s the government, you look at something like Singapore, you look at something like London, but now in the States, you got people adding them to their front doors.

Dave: Yeah, willingly.

Jeff: I think it’s — again, not only is IoT an issue for security, but now you’re looking at something where you’re giving up your privacy. And I think, you know, you start to look at this stuff. And you know, on one hand, you’ve got Amazon listening to your recordings on Alexa. Now you’ve got an Amazon-based doorbell viewing people that might be committing crimes. Keyword there is might be. And what is the government going to do with these, again? How long is this until it’s an abuse of power? And how long until something like, say, you know, a neighborhood has 20 cameras around the neighborhood? Do the police use this as something instead of doing a routine patrol? Again, it’s just hypotheticals getting along the — I took the side of the super privacy people there, but also, you know, add to the part that this is kind of creepy when you think about it to an extent of where are we going as a society?

Dave: Yeah, I mean, it’s a question of, are police forces using technology as a way to get away from, you know, just real policing, having boots on the ground, so to speak, and having police officers driving around and making sure everyone’s okay. That’s the argument. Should we be policing ourselves, which, in a sense, Ring caught the ring? The Ring app is a way for video surveillance en masse? I’m sort of on the fence. I do sort of understand police weren’t trying to be creepy about it. They genuinely want to just stop criminals. Yeah, they’re not here to perv on people or anything weird.

Jeff: But now you’re saying it’s good to have a back door?

Dave: Yeah, that’s where you stumped me. And that’s where I come undone with this argument.

Jeff: I know. It’s too extreme.

Dave: What? Yeah, it is. But I think that’s the problem that police forces and governments around the world are having to grapple with.

Jeff: The laws haven’t kept up with technology is what the problem is.

Dave: Yeah, yeah. And I don’t know what’s going to happen, the end result. But honestly, if the governments win and add back doors, that is not good for anybody.

Jeff: And this is kind of a back door, guessing, if you think about it, in another way. And I know that this, I think their argument is probably these are like bank ATMs and things like that when people try to catch somebody through a dragnet and see where somebody’s been to. The only problem is, instead of it being, you know, a business that has something that could be pointing at a public space, you’re talking about a private home, so not only does this capture people going into a business, which is a public place, now you’re going into a private residence, which, do you really want that?

Dave: Yeah. And also on the story as well, I know, I know, we’re going to jump over to the next story. And the story is where they just talk about the fact that Ring is also quietly testing face recognition, object recognition, and it’s all being done, through the Ring,

Jeff: Why wouldn’t you? Their boxes are getting there on time with QR codes on the side of them. Oh, did I say that out loud? So, the next story is something that we talked about last week, US folks, Equifax, back in the news, not in a good way. Because I know everybody’s been seeing the spot, where you can get 125 bucks, if you were put into there. Don’t click on that. Because the thing is, this all goes up to a maximum they would have to pay out if people didn’t want the service. And you might not get the $125 at all, you might get a much lower payout, because so many people have started to subscribe to this, and what the trade-off is of that $125 is you’re giving away the credit monitoring for a 10-year period.

Dave: Yeah, it’s like a big pool, right?

Jeff: Yeah, it’s a big pool with this dumpster fire of a breach Equifax continues to be burning in their level of incompetence.

Dave: Yeah. But I think the thing is that the FTC and also Equifax weren’t expecting as many people to claim, so they’ve had this inundation of people claiming —

Jeff: — No. That is such a BS perspective.

Dave: I know. I’m just copying what the thing —

Jeff: — is. I know. Listen, next thing you know, they take security very seriously. So we can all read through PR BS when it comes through, sorry PR colleagues, but you know, at the same time, they have really crapped the bed this whole time. There’s — I’m really trying to keep PG words here — but it’s such an infuriating thing seeing it is that you know, a lot of people jump on this area and say, Hey, I got 125 bucks easy. Like these are people who were like, Well, what does my credit monitoring matter? I don’t get much anyway. I have no money, blah, blah, get the 125 bucks for free? Yes, not really for free. And also like these terms and conditions are like a EULA. Any type of these things. You’re not looking at the big picture. And, you know, people looking to get that quick cash grab aren’t looking at the end result of “Hey, this really isn’t what it seems.” And that’s what I feel bad about. Because like the problem is, Equifax made the settlement, but in a sense, it’s a settlement that isn’t there to protect the end consumer, it’s there to protect their financial bottom line.

Dave: Yeah, exactly. And, you know, at the end of the day, they’re not looking out for you. No, the telling thing is because it’s a pool of money, the more people who jump into the pool, the less they get. At the end of the article, he actually says that if the maximum amount of people jumped into this big pool of money and took everything out, you could get $1.

Jeff: Listen, the last time I was in something that messed up, like for a class action lawsuit, was with Red Bull, and I got a 12-pack of Red Bull for it. Like that’s much better than $1. Oh, yeah. And that’s because somebody sued them because it said Red Bull really doesn’t give you wings and like that, like, that’s stupid in comparison to people’s PII being breached at a giant level, from a company who’s supposed to be a credit monitoring firm. That’s one of the people that’s tied to the US government in ways, so sorry, not sorry, you guys really just did a sleazy type of setup.

Dave: Yeah, they did. So I think the best thing here for people is there is actually more money becoming available. And the only thing I would say is, hold your horses claiming. If you do want to claim the money, if you want to claim for the free credit monitoring thing, then you know, go for it. There’s nothing stopping you. But there is more money being made available. So I would say that probably the best thing to do is just hold your horses and wait and then at a later date claim the cash. So that’s probably the best thing to do at the moment.

Jeff: Yeah, I think, you know, let’s see what happens with it. I’m sure we’ll talk about this. Just, you know, it’s like the Billy Joel song. [sings “We Didn’t Start the Fire” …] So guys, on that note, you leave with my angelic voice singing a rendition of Billy Joel’s “We Didn’t Start the Fire.” And this week’s edition of the Kaspersky Transatlantic Cable podcast has come to a close. If you like what you heard, and it’s your first time here, please subscribe. If you’ve been with us a while, thanks again for subscribing. Feel free to leave us a positive review on your favorite podcast network. And if you think we got something wrong, or there’s a story that we should cover, hit us up @Kaspersky on Twitter. And also see you guys next week and keep your safety in mind.

[Automated transcription lightly edited]