Sunday, October 14, 2018

"It is a threat to the privacy of every American."

Thomas Brewster writes in Forbes,

On a June day last year, a skinny, dreadlocked 29-year-old rapper known as Tony Da Boss lay in bed in a redbrick apartment on a tree-lined street in Charlotte, North Carolina. It was not the kind of place you’d associate with a million-dollar criminal conspiracy. But Da Boss (real name Damonte Withers) was a leader of the FreeBandz Gang, an amateur hip-hop crew of twentysomethings who were into much more nefarious activities than laying down tracks.

There were warning signs that things were going to get real. Alerts on Da Boss’ iPhone warned that his Google Nest surveillance cameras with views into and outside the apartment had picked up movement. Outside, a full cast of law enforcement personnel from the Secret Service, the U.S. Postal Inspection Service and the local police department were primed to swoop in.

Inside, they found piles of marijuana and multiple firearms. More intriguing, there were bundles of cash alongside fake-ID-card printers, 36 credit card blanks and reams of printouts containing American citizens’ personal data. Investigators spotted the Nest cameras and would soon make the first publicly known federal government demand for customer information and surveillance footage from Google’s smart home division.

From January to June 2018, seven members of Da Boss’ gang pleaded guilty to various identity theft charges. In total they had caused about $1.2 million in damage, using stolen identities to buy luxury cars and iPhones and to lease apartments in Charlotte. Both they and their crimes would have been quickly forgotten as garden variety larceny were it not for the way they stole those identities.

Cops alleged Da Boss and his co-conspirators had access to the Holy Grail for any Internet-age scam artist: a surveillance technology that police and debt collectors use to track most of the United States’ 325 million inhabitants via their Social Security numbers, license plates, address histories, names and dates of birth. The mass-monitoring tech, called TLO, is a product of the Chicago-based credit reporting giant TransUnion, which last year had revenues of nearly $1.9 billion. One brochure for the service promises access to a startling amount of personal data drawn from myriad sources: more than 350 million Social Security numbers of dead and living Americans, 225 million employment histories and four billion address records. Add to that billions of vehicle registrations and call records and you have one of the largest commercial surveillance databases in existence.

It’s used not just by cops but also by debt collectors and private companies carrying out background checks. Private investigators use it to track cheating spouses. But in the wrong hands it can be used to steal the identity of almost anyone in America. And Da Boss and his crew got access to it.

Writing in support of the court order to use the Nest camera footage in its investigation, U.S. Postal Service investigator Randall Berkland said TLO allowed users to research virtually anyone in the United States. Berkland would know: He’d used the tool extensively to investigate several crimes. And, he added, “Users would have unlimited access and resources to commit identity theft and fraud.”

...It’s unclear if their Nest cameras were bought with illicit funds. But the purchase backfired. Just as the crooks turned the turbo-powered TLO software on its head, cops used the Nests against their owners. In June last year, Postal Service investigator Berkland obtained a warrant ordering Google to hand over all the data related to those cameras. The company complied, shipping surveillance footage back, along with personal details of its owners. It’s the first known case in the United States in which a federal law enforcement agency has demanded information from a Nest provider, and it has obvious implications for anyone who has purchased a smart home appliance that contains a camera or a microphone. The DOJ declined to comment.

...The various members of Da Boss’ gang pleaded guilty in July and are awaiting sentencing. It’s the first publicly known fraudulent use of TLO, but it has happened before. TransUnion says that while breaches like the one perpetrated by the FreeBandz Gang members are rare, it wasn’t the first time criminals have gained access to its databases. TransUnion declined to provide any specific detail on other incidents.

Average citizens have little recourse. There’s no easy way to have their information removed from TLO. “As long as such a database exists,” says the EFF’s Quintin, “it is a threat to the privacy of every American.”
Read more here.

No comments: