Hatemail 2020-09-17: Cambridge Analytica-Style Data Collection

In April, our team started investigating Phunware, a company that provides “mobile application, location tracking, and advertising software.” Our interest in Phunware stemmed from reporting from The Intercept that the company was collecting voter data on behalf of the Trump campaign. We began researching the company, wondering if it was this election’s iteration of Cambridge Analytica-style data collection.

Our reverse engineering of the Phunware software development kit (called SDK) revealed that Phunware is conducting an extreme amount of device-level data collection on behalf of their customers, who range from politically-aligned organizations to major American hospital networks. You may view a list of Android apps we identified as having the SDK embedded at this link.

We are concerned by anyone — company or campaign — possessing such intimate data, like the name of your home wifi, and making decisions that will exploit such knowledge. Our findings will be further detailed in a major publication this week.

In the snippet below, an example of the data observed in a network traffic capture of an HTTP POST request to https://analytics-api.phunware.com/v1.0/events:

{
	"schemaVersion": "1.2",
	"type": "MAAS_CORE",
	"action": "SESSION_START",
	"sessionId": "ec7de3b1-5b56-4dcc-8769-de761e85c532",
	"timezone": "PST",
	"app": {
		"applicationId": "324",
		"ver": "2.5"
	},
	"device": {
		"userAgent": "Dalvik\/2.1.0 (Linux; U; Android 6.0; Android SDK built for x86 Build\/MASTER)",
		"id": "f03df07e4f0f3f47",
		"lang": "English",
		"macAddress": "02:00:00:00:00:00",
		"make": "unknown",
		"model": "Android SDK built for x86",
		"os": "android",
		"osv": "6.0",
		"osApiLevel": "23",
		"ipAddress": "10.0.2.15",
		"carrier": "Android",
		"connection": "MOBILE",
		"SSID": {
			"SSID": "<unknown ssid>",
			"SSIDDATA": ""
		}
	},
	"custom": {
		"appVersionCode": 301,
		"appAccessKey": "f0fa71c438244d90b353be85c5dfe46f5872e422",
		"screenSize": "1440px X 2392px",
		"screenDensity": "",
		"screenDpi": "560.0",
		"openGLVersion": "196608",
		"sensors": ["Goldfish 3-axis Accelerometer", "Goldfish 3-axis Magnetic field sensor", "Goldfish Orientation sensor", "Goldfish Temperature sensor", "Goldfish Proximity sensor", "Goldfish Light sensor", "Goldfish Pressure sensor", "Goldfish Humidity sensor"]
	},
	"timestamp": "2020-04-27T02:03:46Z"
}

Wednesday, Oct 7, 2020, and Wednesday, October 14, 2020

NYS Permanent Commission on Access to Justice, in partnership with Cornell Tech and NYSTech, is running a conference that brings together leaders and technologists from legal aid providers, private law firms, law schools, corporations, and the Judiciary. [RSVP on Eventbrite]

Databases, Data Collection, and Stalkerware

• [The New Yorker] The Trump Campaign’s 2020 mobile app, developed by the software company Phunware, is collecting an enormous amount of user data reminiscent of Cambridge Analytica’s activities during the 2016 election. The MIT Technology Review called the app “a voter surveillance tool of extraordinary power.”
• [CNET] [TechCrunch] Yesterday, Google announced a new policy intended to limit the misuse of stalkerware apps (which are increasingly being used in domestic abuse cases but are often presented as child-monitoring apps) on the Google Play store. In July, Google rolled out a policy meant to crack down on spyware advertisements on its platform, though an investigation by TechCrunch in August revealed several stalkerware apps were still advertising on Google.
• [ArsTechnica] [Market Watch] In the U.K. Google is facing a $3.2 billion lawsuit brought on by tech advocacy group Foxglove and privacy advocate Duncan McCann on behalf of more than five million British children under 13 and their parents. The lawsuit alleges that YouTube knowingly violated children’s privacy laws.
• [The Register] A U.S. academic at Fulbright University Vietnam published a paper over the weekend that claims a Chinese company named Shenzhen Zhenhua compiled information on 2.4 million people for a database containing intel on influential people outside China.

Data, content, and the risks of disclosure

• [Human Rights Watch] Last week, Human Rights Watch released a 42-page report on how social media content removal policies can actually impede investigations into war crimes by erasing critical evidence. The report acknowledges the importance of promptly removing hateful content, but notes that social media companies “are not currently archiving this material in a manner that is accessible for investigators and researchers to help hold perpetrators to account.”
• [Yahoo] [CNBC] Chinese officials would prefer to see the popular app TikTok shut down rather than force ByteDance (the app’s Chinese parent company) to sell, according to reporting by Yahoo. Earlier this week, ByteDance reached a deal with Oracle in which it would maintain majority ownership. The deal has been met with political opposition.
• [Mango.pdf.zone] This blog by Alex Hope (@mangopdf) captures an incredible first-hand experience in finding a unique security vulnerability and responsibly disclosing it to those who it affects, and with hilarious consequences. Takeaway: never post a picture of your boarding pass...

On Our Radar…

• [Texas Tribune] [The Intercept] Following the bombshell report and whistleblower complaint that medical staff at a Georgia ICE detention camp were over performing hysterectomies on detainees, additional information has since emerged about a separate complaint that alleges ICE officers were sexually assaulting detainees in camera blind spots. A key witness in the latter case has since been deported by ICE.
• [USA Today] Two Malaysian citizens and five Chinese citizens were recently charged by the Justice Department for targeting more than 100 entities in a global hacking campaign. The two Malaysian defendants were arrested on Sunday in Malaysia, while the five Chinese defendants remain at large and are believed to be currently located in China.
• [NJ.com] [Logically] A large QAnon conspiracy theory website shut down after the owner’s identity (New Jersey resident Jason Gelinas) was revealed in a report published last week by the technology company and fact-checking site Logically.

Hate speech website: Stormfront

Who hosts: Cloudflare, Limestone Networks Inc

One of the internet’s oldest hate sites is stormfront[.]org. Boasting hundreds of thousands of members, it has long been examined by groups like SPLC and ADL as having a direct influence on inspiring violent hate crimes. While Stormfront uses Cloudflare to protect their site and hide their true infrastructure, we have observed at least part of their hosting infrastructure to be run by Limestone Network on IP 192.169.81[.]69.