Zach Campbell and Chris Jones have an important new story up at the Intercept, which, if the Twitterverse reaction is any guide, hasn’t gotten remotely the attention it warrants. Perhaps it is because the Twitterati, which has a heavy representation of journalists, also skews strongly towards those who favor convenience over privacy.
The newest example of further intrusion into homes, which were once fancied as castles, as in well protected, is home surveillance cameras in all sorts of Internet of Things appliances, particularly kitchen items. Sadly, the latest perp is Bosch, which is not only good at upscale equipment, but is also good at cameras, so the refuseniks (as in ones who are not keen about the risk of being snooped upon if you visit a friend at home for a coffee or dinner) can’t hide behind the hope that Bosch won’t be very good at this new mission.
Here is the unholy alliance: Bosch, the maker of cameras and video analytics, has its surveillance cameras connect to its app store, Azena, which sells various video analytics tools. Bosch undertakes only basic checks of app security and execution.
But a big cause for concern with the Bosch-funded exercise, known as Azena, is that it is managing to make Google look like a paragon of virtue. Bosch aspires to Google-level dominance of spy cameras… while being less attentive to security. From the Intercept:
Apps currently available in the Azena store offer ethnicity detection, gender recognition, face recognition, emotion analysis, and suspicious behavior detection, among other things, despite well-documented concerns about the discriminatory and intrusive nature of such technologies.
Unlike its parent company, Azena doesn’t produce cameras or develop video analytics tools. Instead, it provides a platform for companies and individual developers to distribute their own applications and takes a cut of the sales — much like the Apple and Google app stores, but for surveillance software. According to [Azena CEO Hartmut] Schaper, Google’s app store is the direct inspiration for Azena: Within just a few years of releasing the Android operating system, Schaper noted, Google had revolutionized how smartphones were used and achieved domination over the market. With their new surveillance app store, Azena and Bosch hope to do the same.
Schaper anticipates that the spy camera market will soon have only a very few operating systems and points to signs that Bosch/Azena will be one of the winners, such as having over 100 apps now and launching “the first face mask detection app within two weeks of the COVID-19 pandemic beginning.”
Here’s where it gets messy:
Applications for video analytics can broadly be divided into two categories, explained Gemma Galdon Clavell, a technologist and director of the Eticas Foundation. The more basic applications involve identifying people, objects, barriers like doors or fences, and locations, then sending an alarm when certain conditions apply: someone passing an object to another person, leaving a bag on a train platform, or entering a restricted area.
It’s the second category — applications that allegedly detect emotions, potential aggression, suspicious behavior, or criminality — that Galdon Clavell said can be impossible to do accurately and is often based on junk science. “Identifying a person in a space where they shouldn’t be — that works. But that’s very low-tech.” With the more advanced applications, she said, developers often promise more than they deliver: “From what I’ve seen, it basically doesn’t work.”
“When you move from protecting closed-off areas to actually doing movement detection and wanting to derive behavior or suspicion from how you move or what you do,” Galdon Clavell said, “then you enter a really problematic area. Because what constitutes normal behavior?”
In fact, the Intercept authors then get Azena staffers to fall right into that trap:
Brent Jacot, a senior business development manager at Azena, gave an example of how this might work during a 2020 webinar. Imagine you have a camera app that is good at measuring demographics such as age or gender, Jacot said, and you connect it to another app that controls a gate. “You want to, say, open a gate only if they’re above the age of 18. Then you can take the data from this one app and feed it into the next and create this logical chain to make a whole new use case.”
Help me. In this age of gender fluidity, there’s already too much risk of making bad calls, before getting to active deception using clothes, makeup, wigs, beards, fat suits…And identifying age correctly? Prisons are full of men who had sex with underage teens they thought were adults….and those are only the ones who got caught.
Azena uses a modified version of Android. One might assume that piggybacking on a presumably well-hardened OS would provide a lot of safety. Not necessarily:
Internet of Things devices often run old software that users don’t think to update, explained Christoph Hebeisen, head of security intelligence research at the mobile security firm Lookout. “That’s why routers get hacked, that’s why security cameras get hacked, and often in very large numbers.”
There are also cases where human error is at fault: Last March, after locating a username and password that were publicly accessible on the internet, a hacking group said it gained access to tens of thousands of cameras produced by the California-based security startup Verkada, some of which were hooked up to video analytics software.
The hackers were able to view footage from prisons, hospitals, factories, police departments, and schools, among other places. A member of the group that claimed responsibility told Bloomberg that the breach exposed “just how broadly we’re being surveilled, and how little care is put into at least securing the platforms used to do so.”
On many platforms, including Android, when developers patch a potential vulnerability, they publish a notice in the form of a Common Vulnerability and Exposures list. Azena, Hebeisen said, appears to be years behind on patching CVEs: Its current operating system only addresses Android CVEs as late as 2019, judging from the webpage where it summarizes system updates.
There’s a great deal more of the Intercept poking holes in Azena’s security practices and the company offering not terribly convincing defenses. I urge you to read it if Internet security or the Internet of Things is important to you.
One bit of good news is that Azena and any other operator that was mainly engaged in security posturing is likely to run hard into regulators in Europe, sooner rather than later. Recall that EU privacy laws make ours look like a joke. And this Intercept article was published jointly with Der Spiegel, which pretty much guarantees official notice. However, the story explains that the regulations may be behind the technology, and they also may not hold distributors like app stores sufficiently liable.
The story concludes:
Echoing this concern, Jay Stanley, a senior policy analyst at the American Civil Liberties Union, said that the technology is not yet able to live up to its claims. Emotion detection technology is like selling “snake oil.” But the implications are still concerning. “Things like emotion detection are an easy sell for many people,” Stanley said. “You have all these cameras around your building and [developers] think, for example, who wouldn’t want to get a notification if there was an extremely angry person in the area?”
But Stanley is just as worried about the rapid expansion of simple applications of video analytics. “There’s a real concern here that even on the most effective end of the spectrum, where a video analytics system is trying to detect just the raw physical motion or attributes or objects,” he said, “every time you hand a backpack to a friend or something like that, an alarm gets set off and you get approached.”
“That’s going to have a real chilling effect. We’re going to come to feel like we’re being watched 24/7, and every time we engage in anything that is at all out of the ordinary, we’re going to wonder whether it’ll trip some alarm,” Stanley said.
“That’s no way to live. And yet, it’s right around the corner.”
The horse is probably too far outside the barn for conservatives to be deployed, even charitably assuming they could be directed productively. One huge obsession on the right wing is kiddie porn. Lots of surveillance cameras in homes = lots of video of children, who at least some of the time will be underdressed and undressed. Predictably lousy IoT security = ample opportunity to grab lots of footage and harvest the most salacious bits. Welcome a cottage industry of kiddie porn producers who don’t even have to go to the risk of sex trafficking or other abuses to find child stars. Admittedly, the home camera version will (hopefully) all be soft porn. But that will be satisfying for some, plus Photoshop is getting better and better all the time….
But in the US, no one has an expectation of privacy in public. How many have the energy to occasionally mess up their profile with a good fake nose or even expertly applied natural makeup? I also wonder about mere football mouthguards, since they cover the upper lips, force the mouth further open (mildly distorting face length) and push out the area above the lip, changing some of the below the nose markers.
The problem is the overwhelming majority of people don’t have the energy to fight. But worse, some actively enable this technology by adopting it themselves. Maybe we need to get doctors to remind patients that sitting is bad, and even getting up now and then to change TV stations and fiddle with the lights is much healthier than extreme couch potato-dom.
1 So say at a party, Alexa recognizes ten voices. It knows two are the hosts and tags the rest as Voice 1, Voice 2, etc.
Then the NSA finds Voice 1 at other places…in a doctors’ lounge where the staff uses Alexa to manage the playlist. In a hotel that has Alexa in the room unless you ask for it to be removed. On YouTube as a presenter at a conference.