Written By: Dr. Fateh-ud-din B. Mehmood
Espionage is not a new term or technique at all. The technique has been in use for thousands of years and it is documented that even the monarchs (pharaohs) of early ancient Egypt (around 3000 BC) employed agents of espionage to root out the fickle subjects conspiring against the dynasty or to locate the tribes that could be conquered and enslaved. Joshua and Caleb, sent by Moses to spy on Canaan, are also well-known and well-admired in history for their spy work. Sun Tzu in Chinese and Chandragupta Maurya in Indian history are also known for putting emphasis on spying and intelligence gathering.
But gone are the days of traditional spying because the spy couple Julius and Ethel Rosenberg, Mata Hari, Major John André, Virginia Hall, Shi Pei Pu and all top 100 spies in the history of espionage together cannot collect even a fraction of the intelligence that today’s digital platforms can (and do) gather every minute. No, I am not talking about the notorious spyware such as FinFisher, Galileo RCS or CIA's Vault7 that WikiLeaks has made infamous over the past decade. The subject of our attention is the common household digital platforms like Microsoft Windows, Google, Facebook and Apple that we cannot imagine living without in the modern age.
When I was in school, the only electrical or electronic ‘gadgets’ we used to have and could afford were electric bulbs and ceiling fans. Some of our well-off neighbors also had black and white television sets, though, and all the neighboring children used to visit them every night to watch PTV dramas. The clock kept ticking and times changed. The current period in human history that we are living in is unarguably called the digital age or information age, owing to the prolific use of technology in almost all aspects of human activity. Digital interaction is one of its major characteristics, and it is also characterized by the shift from traditional industry to information technology.
Nowadays, every single person I see has at least one smartphone running Google’s Android or Apple’s iOS, a Facebook ID (or even multiple), an email account, a variety of instant messaging apps such as Skype, WhatsApp, Viber, IMO, WeChat and many other free accounts and free apps to access various internet services. Every single house I visit has a plethora of electronic devices from computers to tablets to smart TVs to smart homes with hundreds of apps to support daily activities. I have not come across a single office that is still based on old-school papers and has not shifted to information technology to some extent, if not fully. All government, private, multinational, financial, education, law enforcement or military offices today have at least Microsoft Windows and the Office suite (genuine or pirated). This paradigm shift has increased the speed and breadth of knowledge turnover within the society and economy.
Most of this software and these apps and services are either available free of cost or we happily opt to use the bought or pirated versions. It is said that "if you are not paying for it, you're not the customer; you're the product being sold". It is an open secret that these service providers or apps collect and sell our browsing history, location data, trends and software usage details to advertising companies or to the players that pretend to be advertising companies. Most of us have no idea what information Microsoft and Google collect about us, or when the Facebook app turns our camera and microphone on, because during installation of the apps we merrily give them permission to access our microphone, camera, contacts, SMS, photos, etc.
A friend of mine who is a government officer proudly told me that in his office he has strictly precluded all pirated and shady software, ensured timely updates of the operating systems and other software, installed and regularly updated antivirus software and enforced a policy of not downloading any attachments, in addition to using complex passwords, because they have confidential documents and matters to work on. My question was: “Does it really ensure you are not spied on? What if those legitimate software and apps are collecting all the confidential information with your consent?”
It is important to talk about how all the big names, including Microsoft, Apple, Google, Facebook, etc., collect data and information from us, and what they collect. ‘Legally’ this does not even fall under spying, because the definition of traditional espionage or spying is “to gather confidential information without the permission of the holder of the information”, while in this case we allow them to take our data and information in the End-User-License-Agreement (EULA) or app permissions. We also do not have a choice, because unless we give them permission to access information we cannot install and use that service, app or software.
Let’s have a look at the numbers of software and their users worldwide: Google has over 2 billion users with Android while Microsoft has claimed over 1.5 billion users for Windows. Apple's iOS and macOS combined claim to have over 1 billion users. Facebook has surpassed the figure of 2 billion monthly active users and their WhatsApp monthly users figure is around 1.5 billion as well. Gmail has claimed to have more than 1 billion monthly active users and there are tens of instant messaging (IM) apps that have crossed 100 million users. As this article has a length limitation, it is not possible to cover all the service providers’ information collection (not legally spying) details in one article; we will start with the most widely used software in office or business environments, which is undoubtedly Microsoft Windows. However, the intention is not to blame a particular company/software operating system but to create general awareness about the loss of privacy and possible data theft through the use of modern gadgets, particularly free downloadable apps. Therefore, the general conclusions in the article are applicable to all such companies/software operating systems.
Finally, we will access, transfer, disclose, and preserve personal data, including your content (such as the content of your emails in Outlook.com, or files in private folders on OneDrive), when we have a good faith belief that doing so is necessary to:
1. comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies;
2. protect our customers, for example to prevent spam or attempts to defraud users of our products, or to help prevent the loss of life or serious injury of anyone;
3. operate and maintain the security of our products, including to prevent or stop an attack on our computer systems or networks; or
4. protect the rights or property of Microsoft, including enforcing the terms governing the use of the services–however, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property of Microsoft, we will not inspect a customer's private content ourselves, but we may refer the matter to law enforcement.
Here, we must keep in mind that “such as” is not a synonym for “limited to”, and that the “applicable laws” are those of any government, especially of the country where the data resides or, in other words, where the data centers are.
It is also worth reading Microsoft’s statement about internet browsers:
“Some browsers have incorporated "Do Not Track" (DNT) features that can send a signal to the websites you visit indicating you do not wish to be tracked.” but... “Microsoft services do not currently respond to browser DNT signals.”
That, in simple words, means we will take your data no matter what you do and how much you want to protect your privacy.
Microsoft started its Customer Experience Improvement Program (CEIP) in 2006, and the core purpose of CEIP was to “collect information about how our customers use Microsoft programs”. I, with my other co-researchers in information security, became curious to know what data Microsoft was taking, and we started to sniff and analyze the data and packets using network sniffers and packet analyzers such as Wireshark (back then it was called Ethereal), and the results were shocking [2]. Although Microsoft mostly uses SSL on port 443 to establish an encrypted link between the device and their server, ensuring that all data passed between the server and device remains encrypted, some connections use port 80 and clear text.
That was the Windows XP age, and the information collection techniques and the size of the data amplified exponentially over the period of a decade by the time Microsoft Windows 10 was launched. According to ZDNet, Windows 10 is now running on 500 million "monthly active devices" [3]. And, undeniably, Windows 10 is the pre-eminent operating system, from a data collection point of view, that our digital age has ever experienced. You must be curious by now about what exactly Microsoft can and does collect (steal) from you. It collects almost each and every thing you can imagine through Cortana, telemetry and other features.
Apart from the PC usage and crash data, Microsoft collects and stores your location not only through the built-in GPS sensor but also through geolocation of the user’s Internet Protocol (IP) address, which is the mapping of an IP address to the geographic location of the internet-connected device.
Speech recognition is a convenient way to prevent typing stress and to aid those with Carpal Tunnel Syndrome (CTS) by giving the user the ability to speak while the program identifies the words and phrases and converts them to text, but for Microsoft this is a way to record and save the spoken words and phrases in your voice.
Microsoft can collect the entire content of a device’s memory (RAM) in the name of diagnostics. One may ask what’s the harm in it. If you don’t know yet, let me tell you that your computer’s RAM stores not only the current state of your computer but also your passwords. What’s more, being a researcher in digital forensics and cyber security, I can tell you that the RAM’s physical dump is also the place where we always look for the decryption keys to decrypt the encrypted data. So, if you have entered the decryption credentials to access the encrypted data, those keys might be lying in the RAM. You thought the 2048-bit encryption had saved your top-secret and confidential data? Voila! Microsoft, or any other software that one has been using, has got it.
Application/software history allows Microsoft to collect data about both Microsoft software, e.g., MS Word, MS Excel and MS PowerPoint, and non-Microsoft software as well. Oh, you want to know what non-Microsoft software data Microsoft can collect? Data on every piece of software a user installs and runs on top of Windows.
Windows 10 also comes with a personal assistant called Cortana that is always there, always listening, always ready to serve ‘you’ (or Microsoft). Your computer’s microphone is always actively listening to you and to your surroundings, and might be sending the data for profiling. Your secret meeting with the red bulb on your office door is no more a secret to Microsoft and its partners, and government agencies with “applicable laws” have the right to get that data, if a Windows device was turned on in that meeting room.
A picture is worth a thousand words. Cameras have changed the world for us dramatically as well as for the espionage industry. Everything you or your device’s camera sees can be seen by Microsoft and government agencies, too.
Microsoft also collects data on “Speech, Inking & Typing”. Do you think the keystroke logging through traditional spyware key-loggers is required anymore when agencies can receive much more than the mere keystroke data easily from Microsoft?
Usually, we consider contacts, call history, messaging, e-mails, calendar, tasks, etc. our personal data but according to Microsoft privacy statements this personal content is also Microsoft’s business and they are free to collect every byte of it in addition to the account information that we have with Microsoft such as Hotmail, Skype, MSN, Windows Live, Outlook, etc. with all the services we use including OneDrive.
If you are using Microsoft’s Edge (internet browser) you’re giving away your bookmarks, complete browsing history and even your passwords (if you saved them in the browser) to the advertisers, Microsoft partners and government agencies.
Now the question arises, how does Microsoft keep half a billion devices’ data from mixing up? Windows 10 assigns a Globally Unique Identifier (GUID) to each computer using the MAC address and other identifiers to save the data it collects from that particular device. Another question comes to mind, where is this collected data saved? The logical answer is that the data is saved to the nearest geographical data center. Microsoft already had a few global data centers spread over the planet, but a year after Microsoft hired an Indian professional, Satya Nadella, as the Chief Executive, the company opened three additional data centers in India, to be exact, in Pune, Mumbai and Chennai, to provide faster services to the clients of this region. Every data center must comply with the local laws, regulations and government requirements, and so must Microsoft’s new data centers in India. The Ministry of Electronics and Information Technology (MeitY) for the Government of India announced that Microsoft is one of the first global cloud service providers to achieve MeitY’s provisional accreditation [4]. What data and access Microsoft has agreed to give to the Indian government to achieve the accreditation is unknown, but keeping Indian mass surveillance projects and the Indian National Cyber Coordination Centre (NCCC) in view, we can safely assume that Microsoft would have to ‘lawfully’ provide data to these agencies in order to comply with local laws [5].
Microsoft can surely deny that they take this much data, but they have also explicitly refused to explain what data they take, despite requests from thousands of security researchers. Microsoft bi-annually publishes a Law Enforcement Requests Transparency Report that shows the number of legal demands for customer data that they receive from law enforcement agencies around the world. From January to July 2017 alone, the total number of requests Microsoft received from law-enforcement agencies worldwide was 25,367, which include 44,831 accounts/users specified in requests. We must keep in mind that they clearly state on their website that “this report only covers law enforcement requests”, NOT the big brother’s requests [6]. And now that the U.S. government passed the Cybersecurity Information Sharing Act (CISA) two years ago, companies have zero liability when handling your personal data that they collect, not even under the Freedom of Information Act (FOIA). The goal of CISA was purely to encourage companies to provide whatever data the government agencies want without declaring it anywhere, and in return the companies got liability protections for sharing users’ data in the name of ‘cyber-threat information sharing’ [7].
If, after reading this dreadful information, you are thinking about how to prevent Microsoft and other operating systems from spying (oh sorry, technically that is not spying because you signed the EULA and read the privacy statements – let’s call it information collection as these operating systems force us to call it), actually, you cannot prevent this. In response to public demands Microsoft gave some controls in the Windows 10 anniversary update to disable the data collection, but even turning off all the buttons won’t prevent them from stealing your data.
An experiment was carried out in which Windows 10 was installed on a computer, all the information collection buttons were set to ‘disable’ and a tool, Disable Win Tracking, was also installed to stop Windows 10 spying features, but still the network sniffer results showed that Windows 10 was trying to communicate with Microsoft servers and send data [8].
To remedy this privacy breach, one approach we can opt for is to blacklist those particular Microsoft IP addresses in the routers, because blocking known domains and IP addresses in the Windows hosts file or in Windows firewall will still allow Windows 10 to reset and unblock them.
The second approach that can be taken is at the government level. A good example is that of France ordering Microsoft to stop tracking Windows 10 users, with the data protection authority giving Microsoft three months to comply with French privacy laws. I don’t know how long our government/judiciary will take to issue such orders, if at all.
The third proposed approach is to replace Windows with Linux, which, unlike Windows, is an open source operating system, so we can analyze every single line of the code including its kernel. We can develop Pakistan’s own version of Linux to cater to our needs and support the local languages.
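One way to check that router-level blocking actually holds, as an added example that is not part of the original article: the script audits flow records exported from the router for one Windows host and reports traffic that still reaches blocklisted ranges, plus traffic leaving in clear text on port 80. The blocklist ranges, addresses and flow-record format are constructed placeholders (RFC 5737 documentation ranges), not real Microsoft endpoints.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed placeholder blocklist (RFC 5737 documentation ranges),
# standing in for the ranges chosen for blocking at the router.
BLOCKLIST = ["198.51.100.0/24", "203.0.113.0/25"]

# Constructed flow records in an assumed router export format.
SAMPLE_FLOWS = """\
time,src,dst,dport,bytes_out,action
2017-11-01T09:00:02,192.168.1.20,198.51.100.7,443,5120,drop
2017-11-01T09:00:09,192.168.1.20,203.0.113.200,443,2048,allow
2017-11-01T09:01:15,192.168.1.20,203.0.113.14,80,900,allow
2017-11-01T09:02:40,192.168.1.20,192.0.2.55,80,300,allow
2017-11-01T09:03:00,192.168.1.31,198.51.100.7,443,700,allow
"""


def audit_flows(flow_csv, host, blocklist):
    """Summarise bytes sent by `host`, per destination, in three buckets:
    blocked_ok - destination is blocklisted and the router dropped the flow
    leaked     - destination is blocklisted but the flow was not dropped
    cleartext  - flow was allowed out on port 80 (unencrypted HTTP)
    """
    nets = [ipaddress.ip_network(n) for n in blocklist]
    report = {name: defaultdict(int)
              for name in ("blocked_ok", "leaked", "cleartext")}
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["src"] != host:
            continue  # only audit the Windows machine under test
        dst = ipaddress.ip_address(row["dst"])
        size = int(row["bytes_out"])
        listed = any(dst in net for net in nets)
        if listed and row["action"] == "drop":
            report["blocked_ok"][row["dst"]] += size
        elif listed:
            report["leaked"][row["dst"]] += size
        if row["action"] == "allow" and row["dport"] == "80":
            report["cleartext"][row["dst"]] += size
    return {name: dict(hits) for name, hits in report.items()}


if __name__ == "__main__":
    result = audit_flows(SAMPLE_FLOWS, "192.168.1.20", BLOCKLIST)
    for bucket, hits in result.items():
        for dst, size in sorted(hits.items()):
            print(f"{bucket:10} {dst:15} {size} bytes")
```

A non-empty `leaked` bucket means a blocklisted range is still reachable from the host, so the router rule is missing or is being bypassed.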
(To be continued....)
The writer is an Information Security and Digital Forensic professional, a researcher and an entrepreneur.
1. Microsoft Privacy Statement
3. Windows 10 is now running on 500 million "monthly active devices."
4. Microsoft Cloud achieves Gov. of India’s provisional accreditation... in rare company
5. Mass surveillance in India
6. Law Enforcement Requests Transparency Report | Microsoft
7. Cybersecurity Information Sharing Act (CISA)