The Australian Federal Police (AFP) has revealed it was able to decrypt messages sent on a supposedly secure messaging app that was seeded into the organised crime community and promoted as providing snoop-proof comms.
The app was secretly built by the FBI, allowing law enforcement authorities to tune into conversations between about 9,000 users scattered around Earth.
Results in Australia alone have included over 500 warrants executed, 200-plus arrests, the seizure of AU$45m and 3.7 tonnes of drugs, and the prevention of a credible threat to murder a family of five. Over 4,000 AFP officers were involved in raids overnight, Australian time. Europol and the FBI will detail their use of the app in the coming hours.
The existence of the app — part of Operation Ironside — was revealed at a press conference in Australia today, where AFP commissioner Reece Kershaw detailed that informal beer-based meetings between members of the AFP and the FBI cooked up the idea of creating a backdoored app. The idea built on previous such efforts such as the Phantom Secure platform.
The app, called AN0M, was seeded into the organised crime community. The app could only run on mobile phones that could not make calls or send emails and could only communicate with other AN0M-equipped phones. The app required payment of a monthly fee.
“We were able to see every handset that was handed out and attribute it to individuals,” Kershaw said.
“Criminals needed to know a criminal to get a device,” said the AFP’s announcement of the operation. “The devices organically circulated and grew in popularity among criminals, who were confident of the legitimacy of the app because high-profile organised crime figures vouched for its integrity.”
But the software had a backdoor. Commissioner Kershaw said the organisation he leads “provided a technical capability to decrypt the messages,” and that as a result the force, the FBI, and Europol were able to observe communications among criminals in plain text.
“All they talk about is drugs and violence,” Kershaw said. “There was no attempt to hide behind any kind of codified information.” Intercepts included comments about planned murders and information about where and when speedboats would appear to shift contraband.
Kershaw said the surveillance enabled by the app is legal under the terms of Australia’s Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018. Law enforcement agencies in other jurisdictions also had legal cover for their use of the software.
However, some of those authorities were set to expire. That, and an operational decision to end the operation due to the opportunity to act on intelligence gathered using AN0M, led to today’s disclosures.
AN0M gave us insights we never had before
“The use of encrypted apps represents significant challenges,” Kershaw said. “AN0M gave us insights we never had before.”
The commissioner acknowledged that criminals will now adjust their behaviour as a result of this news, but suggested the AFP is working to develop similar capabilities. “This was a small platform. We know there are bigger ones. We will ensure we have the technology to disrupt criminals.”
FBI International Operations Division legal attaché for Australia, Anthony Russo, offered similar comments, saying “Criminals should be on notice that law enforcement are resolute to continue to evolve our capabilities.”
Kershaw somewhat smugly suggested that organised crime will take a while to bounce back from this operation, as intercepts of AN0M messages and conversations suggest that arrests made before the app was revealed have sparked internecine warfare and revenge plots. ®
Google’s effort to build a “Privacy Sandbox” – a set of technologies for delivering personalized ads online without the tracking problems presented by cookie-based advertising – continues to struggle with its promise of privacy.
The Privacy Sandbox consists of a set of web technology proposals with bird-themed names intended to aim interest-based ads at groups rather than individuals.
Much of this ad-related data processing is intended to occur within the browsers of internet users, to keep personal information from being spirited away to remote servers where it might be misused.
So, simply put, the aim is to ensure decisions made on which ads you’ll see, based on your interests, take place in your browser rather than in some backend systems processing your data.
Google launched the initiative in 2019 after competing browser makers began blocking third-party cookies – the traditional way to deliver targeted ads and track internet users – and government regulators around the globe began tightening privacy rules.
The ad biz initially hoped that it would be able to develop a replacement for cookie-based ad targeting by the end of 2021.
Last month Google concluded the trial of its flawed FLoC – Federated Learning of Cohorts – sent the spec back for further refinement, and pushed back its timeline for replacing third-party cookies with Privacy Sandbox specs. Now it acknowledges that its purportedly privacy-protective remarketing proposal FLEDGE – First Locally-Executed Decision over Groups Experiment – also needs a tweak to prevent the technology from being used to track people online.
On Wednesday, John Mooring, senior software engineer at Microsoft, opened an issue in the GitHub repository for Turtledove (now known as FLEDGE) to describe a conceptual attack that would allow someone to craft code on webpages to use FLEDGE to track people across different websites.
That runs contrary to its very purpose. FLEDGE is supposed to enable remarketing – for example, a web store using a visitor’s interest in a book to present an ad for that book on a third-party website – without tracking the visitor through a personal identifier.
Michael Kleber, the Google mathematician overseeing the construction of Privacy Sandbox specs, acknowledged that the sample code could be abused to create an identifier in situations where there’s no ad competition.
“This is indeed the natural fingerprinting concern associated with the one-bit leak, which FLEDGE will need to protect against in some way,” he said, suggesting technical interventions and abuse detection as possible paths to resolve the privacy leak. “We certainly need some approach to this problem before the removal of third-party cookies in Chrome.”
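The mechanism behind the "one-bit leak" is easy to miss in the abstract: a single uncontested auction reveals only whether the visitor belongs to one interest group, but a page that runs many such auctions can read out one bit per auction and reassemble an identifier that was planted on another site. The following is an added illustration, not code from the FLEDGE proposal, from Mooring's GitHub issue, or from Google. It does not call the real FLEDGE API and models the browser's interest-group storage with a tiny stand-in class; the group names (`trk-bit-N`), the `Browser` class, and the 32-bit identifier are hypothetical.

```javascript
// Conceptual model of the FLEDGE one-bit leak (added example, hypothetical
// names). The real API (navigator.joinAdInterestGroup/runAdAuction), group
// ownership, bidding logic and fenced-frame rendering are deliberately
// omitted; only the information-flow argument is kept.

const ID_BITS = 32;

// Stand-in for the browser's interest-group storage. Membership is keyed by
// group name. `competitorPresent` models whether another buyer also bids in
// every auction.
class Browser {
  constructor() {
    this.groups = new Set();
    this.competitorPresent = false;
  }

  joinAdInterestGroup(name) {
    this.groups.add(name);
  }

  // One auction in which exactly one group is eligible to bid. With no
  // competing bidder, "was an ad rendered at all?" depends solely on whether
  // the visitor is in that group: that yes/no answer is the leaked bit.
  // With a competing bidder the slot fills either way, so the render
  // outcome no longer carries the membership bit.
  runAdAuction(eligibleGroup) {
    if (this.competitorPresent) return true;
    return this.groups.has(eligibleGroup);
  }
}

// Site A (first party) picks a visitor id and encodes each set bit as
// membership in a separate interest group. Joining a group is legitimate
// FLEDGE behaviour; the abuse is in what the group names encode.
function encodeIdAsGroups(browser, visitorId) {
  for (let i = 0; i < ID_BITS; i++) {
    if ((visitorId >>> i) & 1) browser.joinAdInterestGroup(`trk-bit-${i}`);
  }
}

// Site B (an unrelated origin running the same ad-tech script) runs one
// uncontested auction per bit and rebuilds the identifier from the outcomes,
// which is exactly the cross-site tracking FLEDGE is meant to prevent.
function recoverIdFromAuctions(browser) {
  let id = 0;
  for (let i = 0; i < ID_BITS; i++) {
    if (browser.runAdAuction(`trk-bit-${i}`)) id |= (1 << i);
  }
  return id >>> 0; // unsigned 32-bit result
}

// Stand-alone demo: plant an id on "site A", read it back on "site B".
const demo = new Browser();
encodeIdAsGroups(demo, 0xdeadbeef);
console.log(recoverIdFromAuctions(demo).toString(16)); // deadbeef
demo.competitorPresent = true;
console.log(recoverIdFromAuctions(demo).toString(16)); // ffffffff (bits masked)
```

The cost to the tracker is one auction per identifier bit, which is why Kleber frames the concern as fingerprinting rather than a one-off leak, and why the qualification "in situations where there's no ad competition" matters: once a competing bidder can win the slot, the render outcome stops reflecting membership, as the second run shows. The page names technical interventions and abuse detection as candidate fixes; this model does not implement either.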
In an email to The Register, Dr Lukasz Olejnik, independent privacy researcher and consultant, emphasized the need to ensure that the Privacy Sandbox does not leak from the outset.
It will all be futile if the candidates for replacements are not having an adequate privacy level on their own
“Among the goals of Privacy Sandbox is to make advertising more civilized, specifically privacy-proofed,” said Olejnik. “To achieve this overarching goal, plenty of changes must be introduced. But it will all be futile if the candidates for replacements are not having an adequate privacy level on their own. This is why the APIs would need to be really well designed, and specifications crystal-clear, considering broad privacy threat models.”
The problem as Olejnik sees it is that the privacy characteristics of the technology being proposed are not yet well understood. And given the timeline for this technology and revenue that depends on it – the global digital ad spend this year is expected to reach $455bn – he argues data privacy leaks need to be identified in advance so they can be adequately dealt with.
“This particular risk – the so-called one-bit leak issue – has been known since 2020,” Olejnik said. “I expect that a solution to this problem will be found in the fusion of API design (i.e. Turtledove and Fenced Frames), implementation level, and the auditing manner – active search for potential misuses.
“But this particular issue indeed looks serious – a new and claimed privacy-friendly solution should not be introduced while being aware of such a design issue. In this sense, it’s a show-stopper, but one that is hopefully possible to duly address in time.” ®
The Government and Enterprise Ireland are providing two funds to regional Irish businesses in a bid to help them transition to a greener, digital economy.
The Government has today (29 July) announced it will provide €10m in funding through Enterprise Ireland to projects supporting digitalisation and the transition to a green economy.
The Regional Enterprise Transition Scheme, worth €9.5m, will provide grant funding to regional and community-based projects focused on helping enterprises to adapt to the changing economic landscape due to Covid-19 and Brexit.
Leo Clancy, CEO, Enterprise Ireland said: “The Regional Enterprise Transition Scheme is aimed at supporting regional development and the regional business eco-system, helping to create and sustain jobs in the regions impacted by Covid-19.”
Grants of up to €1.8m or 80pc of project cost are available to businesses. The projects should aim to address the impact of Covid-19 and improve the capability and competitiveness of regional enterprises.
The call for the Regional Enterprise Transition Scheme will close on 8 September 2021. The successful projects will be announced in October and all funding will be provided to the successful applicants before the end of the year.
A separate funding scheme, the €500,000 Feasibility Study fund, will provide financial support to early-stage regional enterprise development projects.
Launching the funding schemes, Minister of State for Trade Promotion, Digital and Company Regulation, Robert Troy TD said the funds would “help stimulate transformational regional projects to support enterprises embrace the opportunities of digitalisation, the green economy as well as navigate the changed landscape arising from Covid-19.”
Minister of State for Business, Employment and Retail, Damien English TD commented at the launch that the funds would help “build Covid-19 and Brexit resilience and enable applicants to support enterprises and SMEs to respond to recent economic and market challenges which also includes the transition to a low carbon economy, digital transformation and smart specialisation.”
The Feasibility Fund is open to new projects, with grants available of up to €50,000 or 50pc of project cost and will allow promoters to test their project concept and deliver virtual or site-based solutions to their target audience.
Applications for the Feasibility Fund close on 1st October 2021.
For more information and details on how to apply for the funds, see here and here.
Chief executives are being warned to “think twice before they tweet” after the boss of takeaway company Just Eat Takeaway was told his Twitter spat with Uber threatened to undermine the firm’s reputation.
Jitse Groen this week became the latest in a growing list of chief executives to be rebuked by customers, investors and even regulators over ill-judged tweets.
Cat Rock Capital Management, an activist investor which has a 4.7% stake in Just Eat, highlighted Groen’s Twitter battle with Uber boss Dara Khosrowshahi as an example of outbursts that damaged the brand. The investor said Groen’s tweets had partly led to the firm being “deeply undervalued and vulnerable to takeover bids at far below its intrinsic value”.
Earlier this year Groen had a rant at financial analysts on Twitter, claiming that “some can’t even do basic maths”. He tweeted that he was “amazed how bad these analysts have become … All of them mix up definitions. It’s unbelievable.”
Brand and marketing expert Mark Borkowski said Groen’s case highlighted the difficulty executives face when trying to engage with customers on the platform.
“Everyone sees Twitter as a huge marketing opportunity that can drive a business forward, and it really can,” Borkowski said. “But these bosses must stop and think twice before they tweet, as just one misjudged tweet can send their share price plunging.”
Possibly the most expensive tweets ever sent were posted by Elon Musk, the maverick boss of electric car company Tesla, in 2018. The US Securities and Exchange Commission fined Musk and Tesla $20m each after he tweeted that he had “funding secured” to take the company private at $420 a share. The regulator said the tweet, which sent Tesla’s share price up by as much as 13%, violated securities law. As part of the settlement, Musk was ordered to step down as Tesla’s chairman.
Musk’s tweets continued to anger some investors. Pirc, an influential adviser to shareholders including the UK’s local authority pension funds, last year recommended that investors voted against Musk’s re-election to the Tesla board because his tweets posed “a serious risk of reputational harm to the company and its shareholders”.
“Twitter is all about personality,” Borkowski said. “While Musk’s tweets can be very controversial, they fit with his brand. Twitter is perfect for renegades, mavericks and disruptor brands. It’s much harder for well-established brands with solid reputations, if something goes wrong for them they risk damage to their hard-earned brand.
“People now think that to run a successful business, you have to be on social media and every brand has to have a Twitter account,” he said. “The chief executives see that the bosses of their rivals have a Twitter profile, and they feel they have to have one too.”
Borkowski said some bosses have been very successful at building a presence and personality on Twitter, and using their platforms to promote social issues such as LGBTQ+ rights and the Black Lives Matter movement (as well as promote their brand and products).
James Timpson, the chief executive of cobbler Timpson, this week celebrated passing 100,000 followers on his account on which he weaves photos of his colleagues working in shops with posts tackling tax avoidance and prisoner reform.
This week, he responded to Boris Johnson’s proposal to create “fluorescent-jacketed chain gangs” of people found guilty of antisocial behaviour with a tweet suggesting offenders should be helped into work instead.
Tim Cook, the chief executive of Apple, has won praise for using Twitter to successfully pressure the governor of Indiana into revising proposed legislation that had threatened to allow discrimination against gay people on religious grounds.
Researchers at Harvard Business School and Duke University said Cook “effectively framed the debate using social media at a time when opinions were being formed and the impact went beyond the political”.
Borkowski suggested that before chief executives tweet they should “consider whether they have the personality and temperament to get the tone right each time”.
“There is nothing more inelegant than a chief executive going after rivals publicly on Twitter,” he said.
It was exactly that sort of behaviour that Cat Rock had accused Groen of undertaking. When Uber Eats announced earlier this year that it would take on Just Eat in Germany, Groen lashed out in a tweet directed at Khosrowshahi, accusing him of “trying to depress our share price”.
Khosrowshahi replied that perhaps Groen should “pay a little less attention to your short term stock price and more attention to your Tech and Ops”. That sparked Groen to reply “thank you for the advice, and then if I may .. Start paying taxes, minimum wage and social security premiums before giving a founder advice on how he should run his business”.
Alex Captain, Cat Rock’s founder, said: “The response should not happen on Twitter. It should happen on a credible forum with the facts, data, and analysis that the company has at its disposal.”
A Just Eat spokesperson said: “Just Eat Takeaway.com has a regular dialogue with all its shareholders and we take all their views very seriously.”