7 December 2017

The Surveillance Operative Lurking In The Living Room


The holiday shopping season is here once again. And this year, surveillance and espionage products have made it to the top of a surprising number of wish lists in the guise of digital home assistants. The devices already have brought microphones into as many rooms of our houses as we're willing to allow. Now, many of them come equipped with cameras as well. Despite concerns about the threat to privacy that earlier generations of the devices have posed - one product from Amazon's Alexa line carried the unfortunate name of Dox - enhanced video capability appears to be the next big thing in digital home assistants.

In the grand scheme of things, the jump from audio to video is a marginal advancement in the gadgets' ability to collect information. But for those thinking about following the products to their next frontier, this is a good opportunity to explore the relationship between service and surveillance and to take sober stock of the risks inherent with home assistant devices.

A Tried-and-True Tactic

As the next generation of home assistants hits the market, the line between service and surveillance is becoming fuzzier. The issue isn't unique to electronic devices, though. Service has long provided an ideal cover for surveillance. A plausible purpose is essential to conducting surveillance without raising suspicion. Posing as a tourist, student, businessperson or jogger provides a reasonable explanation for why someone might be taking pictures of a sensitive building, requesting sensitive information, attending a conference or running on the treadmill next to you at the gym. Far more often than not, the tourist, student, businessperson or jogger is just what they appear to be. But depending on where you are, the person in question could also be an operative conducting surveillance, perhaps for a law enforcement or government-backed intelligence operation, or perhaps as part of a criminal venture or a terrorist plot.

Arguably the most common example of service as a cover for surveillance is the guard force that host countries typically deploy to protect embassies. In June 2016, a member of the Russian Federal Security Services guarding the U.S. Embassy in Moscow blew his cover when he tackled a U.S. diplomat trying to enter the building. (The diplomat, likewise, was probably using his post at the embassy to conceal his role with an intelligence agency.) Another service often used as cover for surveillance is that of the minder. Acting as a tour guide, escort or part of a protective detail, a minder helps keep tabs on foreign visitors. North Korea, for instance, is notorious for sending English-speaking security agents along with tourist groups to guide and monitor their activity.

Most examples of service as a form of surveillance are subtler, however. One of the classic covers for action is a maintenance worker who enters your home or workplace under the pretense of repairing or checking on a problem. I witnessed this tactic firsthand while I was living in Southeast Asia: Technicians working for the building where I lived would visit my apartment almost every week to look into some real or imagined malfunction. Air conditioning maintenance was the most common excuse, but members of the staff also claimed variously that lightbulbs were out, drains were clogged or the tile grout in the bathroom needed resealing. Half the time the problems they were reportedly investigating didn't even exist. Still, the alleged issues gave them a pretext to enter my apartment and offered them a good cover to conduct comprehensive surveillance, if that was indeed their objective.

Alexa, Gather Intelligence

Similarly, consumer electronics such as digital home assistants give the companies that market them a covert way to surveil their customers. The devices, after all, are capable of collecting vast amounts of data through tried-and-true intelligence tradecraft. Just as state-backed intelligence agencies gather information to serve their strategic, military and industrial interests, companies gather information to hone their marketing and boost sales. The ends may be different, but the means are more or less the same.

Digital home assistants make no secret of the fact that they offer surveillance as a service. In their case, though, the intention behind the surveillance is mostly innocuous. The better these systems are at anticipating our needs, the more consumers will buy them, and the more companies such as Amazon, Google and Apple Inc. will profit. Although their intended purpose is benign, however, home assistant devices could be exploited for other aims. As the events of the past several years have demonstrated time and again, electronic data channels get crossed and corrupted as interests compete for access to information. Consider the legal standoff that unfolded in the wake of the 2015 San Bernardino attack when the FBI insisted that Apple break the encryption on one assailant's iPhone. Outside the United States, some governments have even purchased software tailor-made to let them to access and monitor their citizens' smartphones. Criminals, too, have come up with myriad schemes to get their hands on data from personal electronic devices. Home assistants are no different; in fact, their level of access makes them all the more attractive to intelligence collectors.

A Trove of Mundane, but Valuable, Information

A common retort to this warning is that so long as you watch what you say or do in the presence of a digital home assistant, then you have nothing to worry about. That argument, however, fails to account for the value of surveillance in detecting everyday patterns and routines. More and more assailants are using online intelligence collection to plan and execute physical attacks. By gaining access to a home assistant device, a criminal could determine when a family will be out of town - or even just out of the house - and use that information to commit a burglary. Alternatively, a thief could take advantage of a household's purchasing habits to mask fraudulent credit card charges. Hackers managed to steal $81 million from Bangladesh's central bank last year by following a similar strategy: The attackers mimicked the normal communication patterns between the bank and its affiliates to arrange the illicit transfers. Even the most mundane details of a household's operations could be paydirt for a scheming criminal.

By outlining the risks lurking in digital home assistants, I don't intend to condemn the technology or to incite paranoia. The underlying threats that these gadgets present are nothing new; the 24/7 microphone and video access home assistants offer merely amplify them. Service is a good cover for action when conducting surveillance, whether electronically or in person. Nevertheless, as home assistant devices make their way into more homes, it's important to recognize that their advancing capabilities cut both ways. A powerful tool can easily become a potent weapon in the wrong hands. As essential as good cyber hygiene is for our laptops and smartphones, it's even more crucial for our digital home assistants.

"The Surveillance Operative Lurking in the Living Room" is republished with permission of Stratfor.

No comments: