
Hackers Claim Massive Breach of Location Data Giant, Threaten to Leak Data


Hackers claim to have compromised Gravy Analytics, the parent company of Venntel, which has sold masses of smartphone location data to the U.S. government. The hackers say they have stolen a large amount of data, including customer lists, information on the broader industry, and location data harvested from smartphones that shows people's precise movements, and they are threatening to publish it.

The news is a crystallizing moment for the location data industry. For years, companies have harvested location information from smartphones, either through ordinary apps or the advertising ecosystem, and then built products on that data or sold it to others. In many cases those customers include the U.S. government, with arms of the military, DHS, the IRS, and the FBI using it for various purposes. But a company that aggregates that data is also an attractive target for hackers.

“A location data broker like Gravy Analytics getting hacked is the nightmare scenario all privacy advocates have feared and warned about. The potential harms for individuals are haunting, and if all the bulk location data of Americans ends up being sold on underground markets, this will create countless deanonymization risks and tracking concerns for high risk individuals and organizations,” Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, who has followed the location data industry closely, told 404 Media. “This may be the first major breach of a bulk location data provider, but it won't be the last.”

In a message posted to two Gravy websites, the hackers wrote that “Personal data of millions users is affected,” according to screenshots posted on Russian cybercrime forum XSS. The forum is typically not publicly accessible but a source with access provided 404 Media with the screenshots and sample data posted by the hackers. “Company have 24h to answer or we will start to publish data,” the message continues.

A screenshot posted by the hackers.

The samples of data posted by the hackers include the apparent historical location of smartphones. The files contain precise latitude and longitude coordinates of the phone, and the time at which the phone was there. Some screenshots indicate what country the data has been collected from. One alphabetically ordered list mentions Mexico, Morocco, Netherlands, North Korea, Pakistan, and “Palestinian State (proposed).” That is only a snapshot of where Gravy sourced data from; one file includes location data relating to phones in Russia, and U.S. agencies have previously used such data as part of immigration operations on the country's border. (Gravy provides some of its data to subsidiary Venntel, which then works directly with those and other agencies).

Another screenshot shows classifiers that Gravy has added to collected data, such as “LIKELY_DRIVING.”
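The deanonymization risk Edwards describes follows directly from the record shape just described: an identifier, a latitude, a longitude and a timestamp. The script below is an added example, not code from the article or from Gravy, Venntel or anyone quoted in it. The pings are constructed, the address table is hypothetical, and the identifier being a per-device advertising ID and the timestamps being local time are both assumptions. It buckets each device's overnight pings into roughly block-sized grid cells, takes the modal cell as a home estimate, and joins that cell to an address, which is the step that turns an "anonymous" identifier into a household.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records, NOT data from the Gravy leak. Field layout follows the
# article's description (identifier, latitude, longitude, timestamp); treating the
# identifier as a per-device advertising ID is an assumption.
SAMPLE_PINGS = [
    ("ad-id-1", 38.8977, -77.0365, "2024-11-04T13:05:00Z"),  # weekday, downtown
    ("ad-id-1", 38.8978, -77.0366, "2024-11-04T15:40:00Z"),
    ("ad-id-1", 38.9211, -77.0721, "2024-11-04T23:10:00Z"),  # night, residential street
    ("ad-id-1", 38.9212, -77.0722, "2024-11-05T02:30:00Z"),
    ("ad-id-1", 38.9211, -77.0723, "2024-11-05T05:15:00Z"),
    ("ad-id-1", 38.8977, -77.0365, "2024-11-05T12:00:00Z"),
    ("ad-id-2", 38.8050, -77.0470, "2024-11-04T23:45:00Z"),
    ("ad-id-2", 38.8051, -77.0471, "2024-11-05T01:20:00Z"),
    ("ad-id-2", 38.8500, -77.0500, "2024-11-05T09:00:00Z"),
]

# Hypothetical reverse-geocoding table keyed by grid cell. In practice this join is
# done against a real address database or a second leaked dataset.
ADDRESS_BOOK = {
    (38.921, -77.072): "residential block A (constructed)",
    (38.805, -77.047): "residential block B (constructed)",
}

GRID = 3  # decimal places kept: ~110 m of latitude per cell, roughly one city block


def _parse(ts):
    # Timestamps are assumed to be in local time; "Z" is accepted for convenience.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _cell(lat, lon):
    return (round(lat, GRID), round(lon, GRID))


def is_night(ts, night_start=22, night_end=6):
    """True if the ping falls inside the overnight window [night_start, night_end)."""
    h = _parse(ts).hour
    return h >= night_start or h < night_end


def infer_home(pings, min_nights=2):
    """For each device, the grid cell it most often sits in overnight.

    Returns {device_id: {"cell": (lat, lon), "night_pings": n, "nights": d, "share": f}}
    for devices seen in that cell on at least `min_nights` distinct calendar dates.
    A single night is not enough: a hotel stay would look the same."""
    cells = defaultdict(Counter)
    nights = defaultdict(lambda: defaultdict(set))
    for dev, lat, lon, ts in pings:
        if not is_night(ts):
            continue
        c = _cell(lat, lon)
        cells[dev][c] += 1
        # A 02:30 ping belongs to the night that began the previous evening; for this
        # demonstration the ping's own calendar date is used.
        nights[dev][c].add(_parse(ts).date())
    out = {}
    for dev, counter in cells.items():
        cell, n = counter.most_common(1)[0]
        if len(nights[dev][cell]) < min_nights:
            continue
        out[dev] = {
            "cell": cell,
            "night_pings": n,
            "nights": len(nights[dev][cell]),
            "share": n / sum(counter.values()),  # how concentrated the nights are
        }
    return out


def deanonymize(pings, address_book=ADDRESS_BOOK):
    """Join each inferred home cell against the address table."""
    return {dev: address_book.get(info["cell"], "unknown")
            for dev, info in infer_home(pings).items()}


if __name__ == "__main__":
    for dev, info in infer_home(SAMPLE_PINGS).items():
        print(dev, info)
    print(deanonymize(SAMPLE_PINGS))
```

The same pass with the window moved to working hours yields a workplace estimate, and the two cells together are usually enough to single out one person, which is why "no names or phone numbers" in a location dataset is not a meaningful privacy guarantee.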

A file called “users” included in a sample of data posted by the hackers includes multiple well known companies such as Gannett, Uber, Comcast, Apple, LexisNexis, Equifax, and many more. It also specifically mentions Babel Street, which is another U.S. government contractor. This corroborates 404 Media’s earlier reporting on where Babel Street sourced its location data from, at least in part. 404 Media and a group of other outlets previously showed how Babel Street’s Locate X tool can be used to track visitors to out-of-state abortion clinics.

A screenshot posted by the hackers.

Demonstrating the depth of the alleged compromise, other screenshots posted by the hackers indicate access into Gravy’s infrastructure, including root access on a Gravy-associated Ubuntu server, control over Gravy’s domains, and access to Amazon S3 buckets which are often used to store massive amounts of data. In another posted message, the hackers claimed to have access since 2018.

At the time of writing, Gravy’s website is down. Usually that website redirects to Unacast, which acquired Gravy in 2023. Unacast executives did not respond to multiple requests for comment.

“For years, this data has been sold to corporate and government interests but it's never been widely available to all the threat actors targeting Western users. This type of data has been used to track visits to abortion clinics, sensitive government locations, and locations which could identify sensitive protected qualities of people like their sexual orientation,” Edwards continued. “This data could tell a threat actor where you take your kids to school, where you work, and where you spend leisure time. It's long overdue for Congress to pass a comprehensive federal privacy bill that puts safeguards on the collection of this type of sensitive data.”

In December, the FTC announced sweeping action against Gravy and Venntel, saying in a proposed order they will be banned from selling, disclosing, or using sensitive location data, except in “limited circumstances” involving national security or law enforcement. The FTC also demanded the companies delete all historic location data. The agency alleged that Gravy and Venntel violated the FTC Act by “unfairly selling sensitive consumer location data, and by collecting and using consumers’ location data without obtaining verifiable user consent for commercial and government uses.”

This piece has been updated to include a paragraph about the FTC's recent actions against Gravy and Venntel.



freeAgent
5 minutes ago
Los Angeles, CA

Facebook Deletes Internal Employee Criticism of New Board Member Dana White


Meta’s HR team is deleting internal employee criticism of new board member, UFC president and CEO Dana White, at the same time that CEO Mark Zuckerberg announced to the world that Meta will “get back to our roots around free expression,” 404 Media has learned. Some employee posts questioning why criticism of White is being deleted are also being deleted. 

On Monday, Zuckerberg made a post on Workplace, a platform for Meta employees, announcing that Meta is adding Dana White, John Elkann, and Charlie Songhurst to the company’s board of directors (Zuckerberg’s Workplace post was identical to his public announcement). Employee response was mixed, according to screenshots of the thread obtained by 404 Media. Some posted positive or joking comments: “Major W,” one employee posted. “We hire Connor [McGregor] next for after work sparring?,” another said. “Joe Rogan may be next,” a third said. A fourth simply said “LOL.”

But other employees criticized the decision and raised the point that there is video of White slapping his wife in a nightclub; White was not arrested and was not suspended from UFC for the domestic violence incident. McGregor, one of the most famous UFC fighters of all time, was held liable for sexual assault and was ordered by a civil court to pay $260,000 to a woman who accused him of raping her in 2018. McGregor is appealing the decision.

“Kind of disheartening to see people in the comments celebrating a man who is on video assaulting his wife and another who was recently convicted of rape,” one employee commented, referring to White and McGregor. “I can kind of excuse individuals for being unaware, but Meta surely did their due diligence on White and concluded that what he did is fine. I feel like I’m on another planet,” another employee commented. “We have completely lost the plot,” a third said. 

Several posts critical of White were deleted by Meta’s “Internal Community Relations team” as violating a set of rules called the “Community Engagement Expectations,” which govern internal employee communications. In the thread, the Internal Community Relations team member explained why they were deleting content: “I’m posting a comment here with a reminder about the CEE, as multiple comments have been flagged by the community for review. It’s important that we maintain a respectful work environment where people can do their best work. We need to keep in mind that the CEE applies to how we communicate with and about members of our community—including members of our Board. Insulting, criticizing, or antagonizing our colleagues or Board members is not aligned with the CEE.” In 2022, Meta banned employees from discussing “very disruptive” topics.

One employee posted “Why do critical comments of this announcement keep getting deleted?” 

“LOL my comment got CEE’d too. Good stuff,” a second posted. A third said “I think it’s particularly fascinating that none of the comments I have seen disappear contained any specifically prohibited content under the CEE and must have fallen under ‘disruptive content’ - and if any criticism of company decisions falls under the ‘disruptive content’ bucket, the future of the company is looking bleak.” 

Tracy Clayton, a Meta spokesperson, told 404 Media that no changes to the CEE have been made and stressed that some criticism has been left up. “There are also several comments that have expressed criticism that didn’t violate the CEE that remain up,” Clayton said. “Our CEE is very nuanced and it’s not a one-size-fits-all.”

The hypersensitive moderation of employees internally criticizing major public figures is particularly notable given that Tuesday morning, Mark Zuckerberg announced that Meta would get rid of many of its content moderation rules on its platforms. “It’s time to get back to our roots around free expression and giving people voice on our platforms. Here’s what we’re going to do,” Zuckerberg posted. “Replace fact-checkers with Community Notes, starting in the US. Simplify our content policies and remove restrictions on topics like immigration and gender that are out of touch with mainstream discourse.” Joel Kaplan, Meta’s new President of Global Affairs and the former Republican political operative who served in the George W. Bush administration, posted about the changes internally on Workplace, saying the policies were intended to foster “more speech and fewer mistakes.” 

One employee brought up this apparent disparity: “Given Zuck’s message this morning on decreasing content moderation on our platforms, is that also going to apply internally?” 

The rules for employees, the internal content moderator responded, are different than the rules for the public: “The CEE, which is focused on mitigating the potential for disruption and allowing us the space to work, ensuring a respectful work environment, and protecting company information, is different from our external content policies.”

“Curious to know if we can expect a similar shift to ‘more speech’ in internal Workplace posts/groups,” another employee asked. “CEE is quite chilling,” another said. “Basically any large scope critical post I make gets at least one message from ICR [Internal Community Relations].”

In a comment that has not yet been deleted, an employee posted “since my other comment was taken down, I’m just gonna let everyone know that I for one love my wife and daughter, and to top it off I also respect other people.”

“Our CEE has nothing to do with the announcements made today, internal and external moderation are separate, and I’ll repeat that it would be inaccurate to report that we’re loosening restrictions externally, while tightening internally,” Tracy Clayton, a Meta spokesperson, told 404 Media. “It’s important to note here that these comments were, as you see there, ‘flagged by the community for review.’ Further background: our CEE is designed to help minimize disruption, so employees can focus and remain productive.”



freeAgent
8 minutes ago
Zuckerberg and Meta's board knew about how problematic White was/would be before they hired him. They did it anyway.
Los Angeles, CA

Researcher Turns Insecure License Plate Cameras Into Open Source Surveillance Tool


Some Motorola automated license plate reader surveillance cameras are live-streaming video and car data to the unsecured internet where anyone can watch and scrape them, a security researcher has found. In a proof-of-concept, a privacy advocate then developed a tool that automatically scans the exposed footage for license plates, and dumps that information into a spreadsheet, allowing someone to track the movements of others in real time.

Matt Brown of Brown Fine Security made a series of YouTube videos showing vulnerabilities in a Motorola Reaper HD ALPR that he bought on eBay. As we have reported previously, these ALPRs are deployed all over the United States by cities and police departments. Brown initially found that it is possible to view the video and data that these cameras are collecting if you join the private networks that they are operating on. But then he found that many of them are misconfigured to stream to the open internet rather than a private network.

“My initial videos were showing that if you’re on the same network, you can access the video stream without authentication,” Brown told 404 Media in a video chat. “But then I asked the question: What if somebody misconfigured this and instead of it being on a private network, some of these found their way onto the public internet?” 

In his most recent video, Brown shows that many of these cameras are indeed misconfigured to stream both video and the data they collect to the open internet, and that their IP addresses can be found using the Internet of Things search engine Censys. The streams can be watched without any sort of login.

In many cases, they are streaming color video as well as infrared black-and-white video of the streets they are surveilling, and are broadcasting that data, including license plate information, onto the internet in real time. 


Will Freeman, the creator of DeFlock, an open-source map of ALPRs in the United States, said that people in the DeFlock community have found many ALPRs that are streaming to the open internet. Freeman built a proof of concept script that takes data from unencrypted Motorola ALPR streams, decodes that data, and adds timestamped information about specific car movements into a spreadsheet. A spreadsheet he sent me shows a car’s make, model, color, and license plate number associated with the specific time that they drove past an unencrypted ALPR near Chicago. So far, roughly 170 unencrypted ALPR streams have been found.

“Let’s say 10 of them are in a city at strategic locations. If you connect to all 10 of them, you’d be able to track regular movements of people,” Freeman said. 
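What Freeman describes is two steps: get reads into a spreadsheet, then correlate them across cameras. The script below is an added example of the second step and is not Freeman's script, DeFlock code, or anything from Motorola. The reads are constructed; the article does not show the wire format of the real stream and none is assumed here, so the input is already-decoded rows (time, camera, plate, make, model, colour, the same columns the article says the spreadsheet held). It writes the CSV, finds each plate's recurring daily route, and flags plates that repeatedly pass the same camera within seconds of each other, which is how a handful of cameras at "strategic locations" becomes a movement profile.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime
from itertools import combinations

# Constructed reads, NOT captured from any camera. Camera IDs, plates and vehicles
# are invented; times are naive local timestamps.
SAMPLE_READS = [
    # day 1: ABC1234 drives C1 -> C2 -> C3; XYZ9876 passes C2 and C3 a minute later
    ("2025-01-06T07:50:00", "C1", "ABC1234", "Toyota", "Camry", "silver"),
    ("2025-01-06T08:05:00", "C2", "ABC1234", "Toyota", "Camry", "silver"),
    ("2025-01-06T08:06:00", "C2", "XYZ9876", "Ford", "F-150", "black"),
    ("2025-01-06T08:20:00", "C3", "ABC1234", "Toyota", "Camry", "silver"),
    ("2025-01-06T08:21:00", "C3", "XYZ9876", "Ford", "F-150", "black"),
    # day 2: same commute; XYZ9876 seen only in the evening
    ("2025-01-07T07:52:00", "C1", "ABC1234", "Toyota", "Camry", "silver"),
    ("2025-01-07T08:04:00", "C2", "ABC1234", "Toyota", "Camry", "silver"),
    ("2025-01-07T08:19:00", "C3", "ABC1234", "Toyota", "Camry", "silver"),
    ("2025-01-07T17:00:00", "C3", "XYZ9876", "Ford", "F-150", "black"),
    # day 3: same commute again
    ("2025-01-08T07:55:00", "C1", "ABC1234", "Toyota", "Camry", "silver"),
    ("2025-01-08T08:10:00", "C2", "ABC1234", "Toyota", "Camry", "silver"),
    ("2025-01-08T08:30:00", "C3", "ABC1234", "Toyota", "Camry", "silver"),
]

FIELDS = ("time", "camera", "plate", "make", "model", "colour")


def parse_reads(rows):
    """Turn raw tuples into dicts with a datetime, sorted by time."""
    reads = [dict(zip(FIELDS, r)) for r in rows]
    for r in reads:
        r["time"] = datetime.fromisoformat(r["time"])
    return sorted(reads, key=lambda r: r["time"])


def to_csv(reads):
    """The 'spreadsheet': one row per read, ISO timestamps, returned as a string."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(FIELDS)
    for r in reads:
        w.writerow([r["time"].isoformat()] + [r[f] for f in FIELDS[1:]])
    return buf.getvalue()


def daily_routes(reads):
    """{plate: {date: [camera, camera, ...]}} in the order the plate was seen."""
    routes = defaultdict(lambda: defaultdict(list))
    for r in reads:
        routes[r["plate"]][r["time"].date()].append(r["camera"])
    return routes


def recurring_route(reads, plate):
    """Most frequent camera sequence for a plate, and on how many days it recurred."""
    days = daily_routes(reads).get(plate, {})
    if not days:
        return None, 0
    seq, n = Counter(tuple(c) for c in days.values()).most_common(1)[0]
    return seq, n


def co_travellers(reads, window_s=90):
    """Plate pairs read by the same camera within `window_s` seconds of each other,
    counted once per encounter. Repeated hits suggest a shared route or convoy."""
    by_camera = defaultdict(list)
    for r in reads:
        by_camera[r["camera"]].append(r)
    pairs = Counter()
    for cam_reads in by_camera.values():
        for a, b in combinations(cam_reads, 2):
            gap = abs((a["time"] - b["time"]).total_seconds())
            if a["plate"] != b["plate"] and gap <= window_s:
                pairs[frozenset((a["plate"], b["plate"]))] += 1
    return pairs


if __name__ == "__main__":
    reads = parse_reads(SAMPLE_READS)
    print(to_csv(reads))
    print("ABC1234 routine:", recurring_route(reads, "ABC1234"))
    print("co-travellers:", co_travellers(reads))
```

Three days of reads from three cameras are enough to give ABC1234 a fixed morning route and to tie it to a second vehicle; the camera locations from a map like DeFlock turn those camera IDs into streets, which is the tracking Freeman is warning about.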


Freeman told 404 Media that this fact is more evidence that the proliferation of ALPRs around the United States and the world represents a significant privacy risk, and Freeman has been a strong advocate against the widespread adoption of ALPRs. 

“I’ve always thought these things were concerning, but this just goes to show that law enforcement agencies and the companies that provide ALPRs are no different than any other data company and can’t be trusted with this information,” Freeman told 404 Media. “So when a police department says there’s nothing to worry about unless you’re a criminal, there definitely is. Here’s evidence of a ton of cameras operated by law enforcement freely streaming sensitive data they’re collecting on us. My hometown is mostly Motorola [ALPRs], so someone could simply write a script that maps vehicles to times and precise locations.”

A Motorola Solutions spokesperson told 404 Media that the company is working on a firmware update that “will introduce additional security hardening.”

“Motorola Solutions designs, develops and deploys our products to prioritize data security and protect the confidentiality, integrity and availability of data,” the spokesperson said. “The ReaperHD camera is a legacy device, sales of which were discontinued in June 2022. Findings in the recent YouTube videos do not pose a risk to customers using their devices in accordance with our recommended configurations. Some customer-modified network configurations potentially exposed certain IP addresses. We are working directly with these customers to restore their system configurations consistent with our recommendations and industry best practices. Our next firmware update will introduce additional security hardening.”

This is not the first time that ALPRs have been found to be streaming directly to the unsecured internet. In 2015, the Electronic Frontier Foundation and researchers at the University of Arizona found hundreds of exposed ALPR streams. In 2019, an ALPR vendor for the Department of Homeland Security was hacked and license plates and images of travelers were leaked onto the dark web. Last year, the U.S. government’s Cybersecurity and Infrastructure Security Agency put out a warning saying that Motorola’s Vigilant ALPR cameras were remotely exploitable. 

Brown said that, although not all Motorola ALPRs are streaming to the internet, the security problems he found are deeply concerning and it’s not likely that ALPR security is something that’s going to suddenly be fixed.

“Let’s say the police or Motorola were like ‘Oh crap, we shouldn’t have put those on the public internet.’ They can clean that up,” he said. “But you still have a super vulnerable device that if you gain access to their network you can see the data. When you deploy the technology into the field, attacks always get easier, they don’t get harder.”



freeAgent
9 minutes ago
Los Angeles, CA

More on Birthright Citizenship and Undocumented Immigrants


The incoming Trump administration plans to deprive children of undocumented immigrants of birthright citizenship. As I explained in a recent article in Just Security, this would be a blatant violation of the Citizenship Clause of the Fourteenth Amendment, which grants citizenship to anyone "born … in the United States and subject to the jurisdiction thereof." There is no exception for children of illegal migrants. Legal scholars Amanda Frost (Univ. of Virginia) and Paul Gowder (Northwestern), have recently published excellent articles on the same topic: Frost in the Atlantic (there is a paywall), and Gowder in the UnPopulist. They effectively refute the various specious rationales offered for claims that children of undocumented immigrants aren't entitled to birthright citizenship because they are not "subject to the jurisdiction" of the US.

Among other things, they poke holes in the idea that these children aren't entitled to citizenship because their parents' entry into the US did not have "consent." I would add that nothing in the Citizenship Clause requires "consent," and that no real-world government genuinely enjoys the consent of the people it rules. Moreover, to the extent we care about consent, depriving children who have no other home of the right to live in the US would itself be an egregious nonconsensual exercise of government power.

In my Just Security article, I pointed out that denying birthright citizenship to the undocumented would in various ways go against the central objective of the Citizenship Clause, which was to secure citizenship for Black Americans after the Supreme Court's ruling in the notorious Dred Scott case denied it to them. Frost highlights another way in which this would be true:

In a recent law-review article, the legal scholars Gabriel Chin and Paul Finkelman explained that for decades, Africans were illegally brought to the United States as slaves even after Congress outlawed the international slave trade in 1808, making them the "illegal aliens" of their day. The nation was well aware of that problem. Government efforts to shut down the slave trade and deport illegally imported enslaved people were widely reported throughout the years leading up to the Civil War. Yet no one credible, then or now, would argue that the children of those slaves were to be excluded from the citizenship clause—a constitutional provision intended to overrule Dred Scott v. Sandford by giving U.S. citizenship to the 4.5 million Black people then living in the United States.

If children of people who entered the US illegally are not entitled to birthright citizenship, that logic would have applied to the children of illegally transported slaves.

There are many more good points in both articles. People interested in this issue should read both.

The post More on Birthright Citizenship and Undocumented Immigrants appeared first on Reason.com.

freeAgent
1 hour ago
One thing that perhaps enrages me more than it should are government policies that have the effect of creating what are effectively stateless people.
Los Angeles, CA

Instagram Begins Randomly Showing Users AI-Generated Images of Themselves


Instagram has begun testing a feature in which Meta’s AI will automatically generate images of users in various situations and put them into that user’s feed. One Redditor posted over the weekend that they were scrolling through Instagram and were presented an AI-generated slideshow of themselves standing in front of “an endless maze of mirrors,” for example. 

“Used Meta AI to edit a selfie, now Instagram is using my face on ads targeted at me,” the person posted. The user was shown a slideshow of AI-generated images in which an AI version of himself is standing in front of an endless “mirror maze.” “Imagined for you: Mirror maze,” reads the post's location field.

“Imagine yourself reflecting on life in an endless maze of mirrors where you’re the main focus,” the caption of the AI images says. The Reddit user told 404 Media that at one point he had uploaded selfies of himself into Instagram’s “Imagine” feature, which is Meta’s AI image generation feature.

People on Reddit initially did not even believe that these were real, with people posting things like "it's a fake story," and "I doubt that this is true," "this is a straight up lie lol," and "why would they do this?" The Redditor has repeatedly had to explain that, yes, this did happen. "I don’t really have a reason to fake this, I posted screenshots on another thread," he said. 404 Media sent the link to the Reddit post directly to Meta who confirmed that it is real, but not an "ad."

“Once you access that feature and upload a selfie to edit, you’ll start seeing these ads pop up with auto-generated images with your likeness,” the Redditor told 404 Media. 

A Meta spokesperson told 404 Media that the images are not “ads,” but are a new feature that Meta announced in September and has begun testing live. Meta AI has an “Imagine Yourself” feature in which you upload several selfies and take photos of yourself from different angles. You can then ask the AI to do things like “imagine me as an astronaut.” Once this feature is enabled, Meta’s AI will in some cases begin to automatically generate images of you in random scenarios that it thinks are aligned with your interests.

“We’re testing new Meta AI-generated content in your Facebook and Instagram feeds, so you may see images from Meta AI created just for you (based on your interests or current trends),” an announcement post from September read. “You can tap a suggested prompt to take that content in a new direction or swipe to Imagine new content in real time.” Examples Meta showed at the time were images of users as astronauts and video game characters. The Meta spokesperson said that these images will only appear if you go through the “Imagine Yourself” onboarding process, which I went through to test it here:

 “Meta may show AI images of you in places like Feed,” it says. “Only you can see them.”

I have not yet received any AI-generated images of myself in my timeline.

The Reddit post, which was upvoted to the top of r/ABoringDystopia, is the first example of an automatically generated AI image of a person being put into that person’s Instagram feed that I’ve seen so far. It came on the same weekend that Meta’s AI-generated profiles went viral and were ultimately deleted from the platform. Meta continues to believe that people want to be shown more and more AI-generated content and is finding new ways to fill people’s feeds with AI. Now, it seems, some of that AI-generated content will feature AI versions of users themselves.

We previously reported that using Snapchat’s AI selfie feature gives the company permission to use AI versions of you in advertisements.



freeAgent
1 day ago
WTF?
Los Angeles, CA
mareino
12 hours ago
Meta's only talent is creeping out its user base, and AI has some lovely synergies.

Philippines deploys maritime, air assets to monitor China's 'monster ship'

MANILA - The Philippines has deployed air and sea assets of its military and coast guard in its exclusive economic zone to monitor China's largest coast guard vessel, calling the ship's presence an act of Chinese "intimidation, coercion and aggression".
freeAgent
1 day ago
Los Angeles, CA