this post was submitted on 15 Oct 2024
132 points (95.2% liked)

News

23301 readers
3695 users here now

Welcome to the News community!

Rules:

1. Be civil


Attack the argument, not the person. No racism/sexism/bigotry. Good faith argumentation only. This includes accusing another user of being a bot or paid actor. Trolling is uncivil and is grounds for removal and/or a community ban. Do not respond to rule-breaking content; report it and move on.


2. All posts should contain a source (url) that is as reliable and unbiased as possible and must only contain one link.


Obvious right or left wing sources will be removed at the mods discretion. We have an actively updated blocklist, which you can see here: https://lemmy.world/post/2246130 if you feel like any website is missing, contact the mods. Supporting links can be added in comments or posted seperately but not to the post body.


3. No bots, spam or self-promotion.


Only approved bots, which follow the guidelines for bots set by the instance, are allowed.


4. Post titles should be the same as the article used as source.


Posts which titles don’t match the source won’t be removed, but the autoMod will notify you, and if your title misrepresents the original article, the post will be deleted. If the site changed their headline, the bot might still contact you, just ignore it, we won’t delete your post.


5. Only recent news is allowed.


Posts must be news from the most recent 30 days.


6. All posts must be news articles.


No opinion pieces, Listicles, editorials or celebrity gossip is allowed. All posts will be judged on a case-by-case basis.


7. No duplicate posts.


If a source you used was already posted by someone else, the autoMod will leave a message. Please remove your post if the autoMod is correct. If the post that matches your post is very old, we refer you to rule 5.


8. Misinformation is prohibited.


Misinformation / propaganda is strictly prohibited. Any comment or post containing or linking to misinformation will be removed. If you feel that your post has been removed in error, credible sources must be provided.


9. No link shorteners.


The auto mod will contact you if a link shortener is detected, please delete your post if they are right.


10. Don't copy entire article in your post body


For copyright reasons, you are not allowed to copy an entire article into your post body. This is an instance wide rule, that is strictly enforced in this community.

founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] FreshLight@sh.itjust.works 18 points 1 month ago* (last edited 1 month ago) (8 children)

Here's part 1 of the article

Just after 9 pm on an August night in 2020, Kimberly Thompson and Brian James pulled the car into a driveway in Akron, Ohio, and stepped out into a barrage of gunfire. They were shot in the legs, rushed to a hospital, and survived. But Thompson’s 20-month-old grandson, Tyree Halsell, who was still sitting in the car, was shot in the head and mortally wounded.

In the aftermath, Akron police collected video footage from the neighborhood and asked for the public’s help with identifying two men who’d been seen approaching the victims, firing, then fleeing in a truck. Within months, detectives narrowed in on a suspect, Phillip Mendoza, and obtained a search warrant for his cell phone location data from Sprint, according to court records. They also served a geofence warrant on Google, seeking information on devices whose GPS, Wi-Fi, or Bluetooth records placed them near the scene of the shooting. Neither warrant turned up any evidence locating Mendoza or his devices on the 1200 block of Fifth Avenue, where the shooting occurred, that night.

The investigation stalled until August 2022, when Akron police received a three-page report containing the evidence they’d been seeking. It came from a little-known Canadian company called Global Intelligence, which for the past several years has been selling an extraordinary service to police departments across the United States.

Global Intelligence claims that, using only open source data—public information that doesn’t require a warrant—and a suite of more than 700 algorithms, its Cybercheck system allegedly can geolocate an individual in real time or at a specific time in the past by detecting the wireless networks and access points the person’s “cyber profile” has interacted with. The company’s founder, Adam Mosher, has testified under oath that the process is entirely automated, requiring no human intervention from the time an investigator enters basic details about a case into the Cybercheck portal until the time the system produces a report identifying a suspect and their location.

If the technology works as advertised, then Global Intelligence is selling police departments previously unknown surveillance capabilities for as little as $309 a case that rival the open source tools used by national spy agencies. But a WIRED review of investigations involving Cybercheck from California to New York, based on hundreds of pages of court filings, testimony, interviews, and police records, suggests Cybercheck is a much less effective tool—one that has provided evidence in high-profile cases that was either demonstrably incorrect or couldn’t be verified by any other means.

Open source intelligence experts allege to WIRED that much of the information Cybercheck provides in its reports to law enforcement would be impossible to obtain using only open source data. Indeed, over the past several months, Global Intelligence’s work in Ohio has faded away, with prosecutors ultimately deciding not to use Cybercheck reports as evidence in several murder cases, including Mendoza’s.

“Either they’re somehow doing the Minority Report now, or somehow it’s just BS,” says Stephen Coulthart, director of the Open Source Intelligence Laboratory at the State University of New York at Albany, who reviewed Cybercheck reports and transcripts of Mosher’s testimony at WIRED’s request. Cases Pending

During a November 2022 trial, Mosher testified that 345 different law enforcement agencies had used Cybercheck to conduct approximately 24,000 searches since 2017. WIRED identified more than a dozen cases involving Cybercheck, including 13 in which prosecutors intended to use Cybercheck reports as evidence at trial.

Two of the cases in which courts allowed Cybercheck reports to be admitted as trial evidence resulted in murder convictions.

The agencies we found using Cybercheck ranged from small suburban police departments to county sheriffs and state police. The alleged crimes ranged from those related to child sexual abuse material to drive-by shootings, as well as cold cases that have haunted communities for decades. Last year, for example, the New York State Police arrested a man for murder after receiving evidence from Cybercheck that allegedly placed his cell phone at key locations on the night of the homicide, roughly 20 years ago, according to the indictment. The case is scheduled to go to trial in 2025.

While Mosher has testified on numerous occasions about Cybercheck, his explanations of what data sources the algorithms draw on and how they reach their conclusions do not fully explain Cybercheck’s ability to produce its reports. Global Intelligence did not answer WIRED’s questions about who designed Cybercheck’s algorithms or what data the company used to train them. When asked how the tool could determine that a person’s cyber profile had pinged a particular wireless network—oftentimes years after the incident occurred—an unnamed Global Intelligence employee wrote in an email: “There is no specific single source of information with regard to wireless network interactions.” Accuracy Ratings

In 2022, more than two years after Halsell was shot and killed in Akron, Cybercheck produced a report for police that claimed Mendoza’s cyber profile had pinged two wireless internet devices located near 1228 Fifth Avenue after 9 pm. A cyber profile, from what Mosher has testified, is the amalgamation of names, aliases, emails, phone numbers, IP addresses, Google IDs, and other online identifiers that combine to create a person’s unique digital fingerprint.

Summit County prosecutors charged Mendoza with murder. But when Mendoza’s defense attorney, Donald Malarcik, dug into the Cybercheck report, he found a problem. The police department employee who entered the information into Cybercheck’s system had allegedly made a mistake: They had asked the system whether it could locate Mendoza at the scene on August 20, 2020. The shooting occurred on August 2. Cybercheck had nonetheless claimed to locate Mendoza at 1228 Fifth Avenue with 93.13 percent accuracy, even though it was on the wrong day. Stranger still to Malarcik, at some point after delivering the first report, Cybercheck produced another report. It was identical in all respects to the first report—from the MAC addresses, which are unique IDs assigned to networked devices, to the time of day when Mendoza’s cyber profile allegedly pinged them, and the accuracy rating—except it had the correct date of the shooting.

The warrants served to Sprint and Google hadn’t produced any evidence that Mendoza’s devices or accounts were at the scene. But according to Cybercheck's entirely automated algorithms, Mendoza’s cyber profile had not only been at 1228 Fifth Avenue at the time of the shooting, it had also been at the exact same location, at the exact same time of day, for the same amount of time, pinging the same wireless networks, 18 days later.

The unnamed Cybercheck employee who responded to WIRED’s questions says the company stands by the accuracy of both reports in the Mendoza case. “It is not uncommon to have the same cyber profile with the same device at a location on a different date,” they wrote.

[–] FreshLight@sh.itjust.works 15 points 1 month ago (7 children)

Here's part 2

Malarcik filed a motion where he asked the prosecutor to provide Cybercheck’s software in another case for which a report had been generated. He also subpoenaed Mosher, and hired a digital forensics expert in an attempt to review the code and the two Cybercheck reports about Mendoza. He tells WIRED that all that experts in a separate case allegedly saw were a couple hundred lines of code that created a program for searching public websites for information about a subject—nothing like the 1 million lines of code and more than 700 algorithms Mosher has testified about in pre-trial hearings.

“It was the equivalent of what you would do on a Google search,” Malarcik alleges. “What we didn’t see is the secret sauce, which [Mosher] claims is the machine learning that takes these data points and turns it into intelligence that takes a cyber profile and says it was at this location. That’s what he’s never disclosed to us.”

Mosher and Global Intelligence did not respond to WIRED’s questions about Malarcik’s claims.

Malarcik requested the court hold what is known as a Daubert hearing to determine whether Mosher’s testimony about Cybercheck’s findings was credible enough to be admitted as evidence in Mendoza’s trial. Two days before the hearing date, Summit County prosecutors decided to not use Cybercheck as evidence. Since then, the prosecutor’s office has withdrawn Cybercheck reports in three other cases, involving four men accused of murder, in which they potentially could have been presented as evidence, according to Malarcik and court records. In early August, Mendoza pleaded guilty and was sentenced to serve at least 15 years of a 15-to-20.5-year sentence.

“In the cases we had with Cybercheck that went to trial, there were those aspects that Cybercheck found that the boots-on-the-ground detectives also found,” Brad Gessner, the Summit County prosecutor’s chief counsel, tells WIRED. “Those things matched.”

In total, the office has used, or intended to use, Cybercheck reports in 10 cases brought to them by the Akron Police Department, Gessner said. The Akron Beacon Journal and NBC News were the first to report about the county’s use of the tool.

The Summit County Sheriff’s Office confirmed to the Akron Beacon Journal this month that it is investigating whether Mosher lied under oath but provided no other details.

In other cases—murder trials for Salah Mahdi and Adarus Black—defense attorneys didn’t challenge the use of Cybercheck and the trials resulted in convictions. Both convictions were upheld by an appeals court.

Since then, judges overseeing the murder trials of Javion Rankin, Deair Wray, Demonte Carr, and Demetrius Carr have ruled that Cybercheck cannot be admitted as evidence unless Global Intelligence grants the defendants access to its source code. However, the Summit County Prosecutor’s Office appealed several of those rulings, and in September an Ohio appeals court ruled that the trial court erred in excluding the Cybercheck reports as evidence for reasons unrelated to the technology’s effectiveness.

In other jurisdictions, WIRED found, prosecutors have also decided not to use Cybercheck reports, or have dropped charges against defendants after defense attorneys scrutinized the findings and Mosher’s testimony.

In 2021, Midland County, Texas sheriff’s deputies were investigating the murder of a woman whose burned body had been found in a roadside field. Deputies had arrested the woman’s ex-boyfriend, Sergio Cerna, on unrelated charges.

When they searched his phone, according to an affidavit, they found text messages in which he threatened the victim, including texts that read, “Your car is going to be burned down then you will be next.” But they couldn’t find evidence that placed Cerna near the scene of the crime.

The sheriff’s office asked Cybercheck for help and received a report claiming that the algorithms had determined, with 97.25 percent accuracy, that Cerna’s cyber profile had pinged a wireless LaserJet printer near the crime scene the day the victim’s body was found. Prosecutors wanted to use the report as evidence at Cerna’s trial, but his defense requested a Daubert hearing. Halfway through the hearing and before the defense could cross-examine Mosher, assistant district attorney Lisa Borden decided not to use Mosher’s testimony or the Cybercheck report at trial.

“We would have needed to be able to authenticate that data,” she tells WIRED, but by the time of the Daubert hearing, the printer that Cybercheck had identified in its report couldn’t be located. That was the first, and only, Daubert hearing that Cybercheck has been subjected to in the country, according to court records and Global Intelligence.

A Midland County jury convicted Cerna in March and sentenced him to life in prison. Cerna’s attorney said he would appeal the conviction.

[–] Baleine@jlai.lu 9 points 1 month ago (1 children)

Since when do phones ping printers ?? Why is it "public information"

[–] Monument@lemmy.sdf.org 9 points 1 month ago* (last edited 1 month ago) (1 children)

Info dump incoming!

Basically, your phone is a big ol’ slut.

I’m not as well versed with WiFi, but phones are set up to be very friendly with Bluetooth. Every Bluetooth device your phone sees, it says hello to. Most phones these days don’t really disable Bluetooth (they just limit its active use), or they disable it for a limited time period.

This is ostensibly fine, since Bluetooth supposedly identifies itself with a MAC address that isn’t necessarily tied to your identity. Unless you connect to something with Bluetooth that knows your identity, like a smart speaker, or have given Bluetooth permissions to any apps you’re logged into.

BLE positioning with sensors utilizes BLE-enabled sensors that are deployed in fixed positions throughout an indoor space. These sensors passively detect and locate transmissions from BLE smartphones, asset tracking tags, beacons, personnel badges, wearables and other Bluetooth devices based on the received signal strength of the transmitting device. This location data is then sent to the central indoor positioning system (IPS) or real-time location system (RTLS). The location engine analyzes the data and uses multilateration algorithms to determine the location of the transmitting device. Those coordinates can be used to visualize the location of a device or asset on an indoor map of your space or leveraged for other uses depending on the specific location-aware application.
Some random website - inpixon.com

That’s not to say that every place you go is deploying BLE beacons to know you spent 20 minutes looking at candy when you were supposed to be making a quick run to get milk, but it’s possible that is occurring. And if it is occurring, it’s likely they’re working with some sort of data broker to deanonymize your data. Or at the very least, making their own inferences - using that loyalty card and a BLE beacon to know that the loyalty info put into a register corresponds to your MAC address.
What’s not likely, however, is that this data is public. Your data has value, so they don’t want to let it go for free, plus if the general public knew they could be tracked almost anywhere, there might be enough outcry for lawmakers to adopt better consumer privacy laws.

Editing to add: Even if you aren’t being precisely tracked within a retail location, a single ping on a Bluetooth device is enough to establish that your phone was within 30-50 feet of the device, which is apparently all the police need to send you to jail for 20 years.

I hope you’ve enjoyed your tour of this info dump. Tin foil hats are on sale at the gift shop!

[–] Baleine@jlai.lu 3 points 1 month ago (1 children)

Thanks for the clarification, does this also work with wifi ?

[–] Monument@lemmy.sdf.org 5 points 1 month ago (1 children)

~~That’s where I know I don’t know enough to respond.~~

Well, crap. I just looked it up. Looks like phones will send out your MAC address when looking for WiFi networks to connect to, and they more or less always search for WiFi, unless currently connected to WiFi.

So - yeah. Same issues with Bluetooth.

And some newer consumer routers do all sorts of funky things under the hood in the name of security, which includes sending information about traffic back to their corporate home base. That could easily also include MAC addresses of passing devices. (Or telling the manufacturer every site you visit. Very fun now that the latest trend in routers is to require cloud connections and accounts, so your identity with them is ‘known’.)

[–] theterrasque@infosec.pub 3 points 1 month ago* (last edited 1 month ago)

Most phones these days use randomized MACs

https://www.guidingtech.com/what-is-mac-randomization-and-how-to-use-it-on-your-devices/

Not sure if that is for BT too, but looks like there is some support for it in the standards

https://novelbits.io/how-to-protect-the-privacy-of-your-bluetooth-low-energy-device/

https://novelbits.io/bluetooth-address-privacy-ble/

The recommendation per the Bluetooth specification is to have it change every 15 minutes (this is evident in all iOS devices).

So seems like it is implemented on some phones at least

https://www.bluetooth.com/blog/bluetooth-technology-protecting-your-privacy/

From 2015. So this seems to be a solved problem for a decade now

load more comments (5 replies)
load more comments (5 replies)