
An Amateur Rap Crew Stole Surveillance Tech that Tracks Almost Every American - kawera
https://www.forbes.com/sites/thomasbrewster/2018/10/12/how-an-amateur-rap-crew-stole-surveillance-tech-that-tracks-almost-every-american/#33f5c0cd50f1
======
giancarlostoro
I remember a comment here on HN about how identity theft is the wrong name.
Your wife and dog don't stop recognizing you. It is financial fraud and it
really should be the entire responsibility of creditors to fix. The second you
report it you should be able to have it sorted or be fully capable of suing
them for defamation of your identity e.g. claiming you went on a credit card
binge when you did not... We need an overhaul on privacy and our credit
system. I am even much more concerned about the latter since it affects
peoples lives much more dangerously.

~~~
zkms
> a surveillance technology that police and debt collectors use to track most
> of the United States’ 325 million inhabitants via their Social Security
> numbers, license plates, address histories, names and dates of birth. The
> mass-monitoring tech, called TLO, is a product of the Chicago-based credit
> reporting giant TransUnion, which last year had revenues of nearly $1.9
> billion. One brochure for the service promises access to a startling amount
> of personal data drawn from myriad sources: more than 350 million Social
> Security numbers of dead and living Americans, 225 million employment
> histories and four billion address records. Add to that billions of vehicle
> registrations and call records and you have one of the largest commercial
> surveillance databases in existence.

> It’s used not just by cops but also by debt collectors and private companies
> carrying out background checks. Private investigators use it to track
> cheating spouses.

Honestly that this database exists at all is a serious problem in itself.

~~~
narag
In my country such a database has existed for a long time. It's the national
id database. It's controlled by national police. Every one of us owns an
eight-digit number. As for me: identity is a _right_, not some secret that I want
to hide. What doesn't make sense is that people are afraid of USA government
having much needed data, while private organizations have them already.

~~~
d6e
How does your country handle authentication? The real problem is that in the
United States, social security numbers and birthdates are used as private
information for authorization with all the various financial and health
institutions. I'm less afraid of them being public and mostly afraid of the
fact that all these institutions treat that information as private.

~~~
rtuulik
Different country, but similar system here. Every person gets assigned an
11-digit personal id number at birth. That id-code then gets used as an
identifier. If you sign up for something, you just give them that number, and
it will work as a unique identifier, they will know exactly that you are THAT
John Smith, not that different John Smith. For something simple, like signing
up for the grocery store customer card, it is enough to just say your name and
number, for bigger things, like opening a bank account, you have to show your
ID-card or passport. For remote authentication, you use the ID-card for secure
Internet banking, signing contracts digitally, voting, etc.

~~~
amaccuish
Estonia?

~~~
rtuulik
Yes, Estonia. :) Was it the voting over the Internet that gave it away? I
think that we and Switzerland are the only countries that do that atm.

------
gcb0
"Though it was designed to hunt child predators"

it is amazing that people still fall for that.

------
alphabettsy
This shouldn’t exist. The fact that some company I’d never do business with
can have basically every single data-point about my life without my permission
is the stuff of dystopian nightmare novels, but here we are.

~~~
r00fus
Legislation signed in the late 90s that allowed companies to copyright and
sell databases about things they did not own (i.e. Our personal data/habits)
was a big death knell for common sense.

~~~
ioddly
What's the name of that legislation? Just curious.

~~~
MrMorden
Directive 96/9/EC, perhaps?

[https://eur-lex.europa.eu/lexUriServ/LexUriServ.do?uri=CELEX...](https://eur-lex.europa.eu/lexUriServ/LexUriServ.do?uri=CELEX:31996L0009:EN:HTML)

------
fipple
Weird framing as a “rap crew.” This was a sophisticated organized criminal
enterprise whose members liked to record some music on the side.

~~~
hnzix
_> Weird framing as a “rap crew.”_

Studio time is expensive. Puffy, 50cent, Jay-Z all used drug profits to
kickstart their music careers.

~~~
eponeponepon
I'm not sure it would've been mentioned quite so often if these guys had also
been a barbershop quartet in their spare time.

~~~
heartbreak
They each talk extensively about it themselves. It’s not others belittling
their careers.

> When I was talking Instagram, last thing you wanted was your picture
> snapped.

------
d--b
We need more of this. People think privacy is not an issue because “they got
nothing to hide”. But the real privacy problem is that data about you that
falls into the wrong hands is very dangerous.

And it’s not only identity theft. It’s making burglary easier if someone knows
when I’m on vacation. It’s making kidnapping easier if someone knows where my
kids go to school. It’s easier to lure me into some scam if someone knows what
I am into...

------
elipsey
How quintessentially American, to persuade us to finally secure our industrial
surveillance systems because "gangs" will steal them.

~~~
dfee
Just wait ‘til you hear about the rest of the world.

------
olivermarks
'There were warning signs that things were going to get
real'...'rappers'...odd framing of an article that is essentially about theft
of personal information from databases with inadequate security and oversight
run by giant corporations who know everything about us

~~~
macawfish
Blame it on the rappers

------
bogomipz
I think the contrast of these two passages is quite telling:

> "Barnett says she and Asher worked together to ensure there was no abuse of
> TLO. Onsite visits would be made to clients, who would undergo a strict
> vetting process. Only those who passed muster were given a login, Walters
> says. “We were very selective.”

and

> "It’s used not just by cops but also by debt collectors and private companies
> carrying out background checks. Private investigators use it to track cheating
> spouses."

So giving access to debt collectors and PIs investigating cheating spouses is
selective? I'm guessing the selection criteria is simply whether the customer
has the $1,500 a month.

The other interesting part I thought was the levels of data weaponization
going on:

> "Just as the crooks turned the turbo-powered TLO software on its head, cops
> used the Nests against their owners. In June last year, Postal Service
> investigator Berkland obtained a warrant ordering Google to hand over all the
> data related to those cameras. The company complied, shipping surveillance
> footage back, along with personal details of its owners."

Both sides in this piece seem to be thugs. TLO just appears to be a
gatekeeper, they get to decide which thugs are the "good guys."

------
krishicks
> “He was, in my humble opinion, a technology genius, a computer math genius,”
> says Martha Walters Barnett, a former TLO chief privacy officer. “He was
> among the first to acknowledge … that insignificant, unrelated pieces of
> data, when put together in the right way, could become a powerful tool.”

Hmm.

David Burnham published The Rise of the Computer State (ISBN-10: 0394514378)
in 1983. In the "Data Bases" chapter, he writes about how transactional data
(when you swipe a credit card, when you pay a bill) that used to exist on
paper only was then starting to be stored in databases by different companies
which, with the rise of cheap and fast networking, could then be quickly and
easily combined in previously unfeasible ways. He specifically calls out
credit reporting agencies TRW and Equifax, and warns that "the astounding
power of these records is not appreciated by the public, the courts or
Congress."

It's a fantastic book, and I highly recommend it.

~~~
gcb0
his other publications
[https://dl.acm.org/author_page.cfm?id=81100305105&coll=DL&dl...](https://dl.acm.org/author_page.cfm?id=81100305105&coll=DL&dl=ACM&trk=0)

------
downandout
I wish the article weren’t so light on details about the purchasing of license
plate reader data. Does anyone know who is supplying this data? I suppose it’s
possible that they went to every 7-11 in the country and asked them if they
can buy a feed of their external cameras, but that seems haphazard at best. Is
there some central clearinghouse where private security camera feeds are being
aggregated? I can’t think of an upside for any business to participate in such
a thing.

~~~
sfont
I remember seeing it mentioned a few times that tow truck/repo operations
collect license plate images in their area.

This was the best article I could find talking about that:
[https://abc7.com/news/repo-industry-collecting-data-on-you/3...](https://abc7.com/news/repo-industry-collecting-data-on-you/379656/)

------
mjmj
I’ve been through the process of signing up and acquiring access to TLO. I
called them up and stated I wanted access, I’m a real estate developer and
simply wanted to cold call landlords. They said they’d sign me up but I
couldn’t specifically use it for unsolicited calls, I said ok and then still
proceeded with my account creation.

Scheduled a required on site visit, where a very unfriendly Russian woman
came into my apartment and checked that the following was in place: 1) My
computer had a password 2) I had a locking file cabinet 3) my office door
locked 4) I had a business license 5) Paper shredder worked 6) dedicated
office with no bed (I set up a mock office in my guest room and slid my guest
bed into my master room moments before she arrived; also she didn’t catch that
neither the lock on my file cabinet nor my office pocket door actually locked).

TLDR: Nearly anyone without a criminal record who owns a computer, a business
license and a bedroom can get an account.

We sat in the living room and signed some papers and that was it. I signed in
and was amazed, TLO data is very accurate and up to date. It’ll even show
people on various government watch lists, registered sex offenders, etc. The
only thing it’s bad at were email addresses, at least for my target audience
they were almost always wrong. Phone numbers have confidence percentages next
to them. I would get very surprised calls when cold calling people like that.
Some people run very profitable enterprises in that manner.

There are also FB groups of PI and ‘skip tracers’ and you can fairly easily
befriend and ask to pull records for you for a price as to not have to sign up
for TLO. Although this is expressly against their TOS.

------
INTPenis
This was inevitable. I don't think they're overly sophisticated, they were
just at the right place at the right time.

Because when you have this "tool" that is used by anything from postal workers
to private investigators to bring up info on millions of citizens then
obviously it's a matter of time before it ends up in the wrong hands.

------
hnaccy
We should seek to reduce the asymmetry, currently only our masters and their
minions get to watch us.

If networked dash cams and home security cameras become common there should be
crowd sourced public tracking of every LEO, politician, etc.

~~~
hyperdunc
Let's go a bit further. We know that power corrupts and therefore the powerful
often cannot be trusted.

So the power a person/institution has should be inversely proportional to
the amount of privacy they enjoy. We can start by only voting in politicians
that wear personal cameras a la 'The Circle'. (Some police already do this
while on duty.)

Of course the irony is it would take a kind of power to make this happen.

~~~
angry_octet
C.f. Aeon Flux S03E01 "Utopia or Deuteranopia?" where our autocratic hero
Trevor Goodchild institutes a program of radical transparency.

[https://youtu.be/f5Au5Z_NbOY](https://youtu.be/f5Au5Z_NbOY) (Forgive the
Content ID jamming.)

------
ObsoleteNerd
Systems like this make it seem so futile to care about online privacy.

Not that I'll ever stop trying, but still. It's hard to compete with this
level of power/surveillance/etc.

~~~
qrbLPHiKpiux
You have to concentrate on anonymity instead of privacy.

------
codezero
They briefly touched on how this company also buys up all the public images of
license plates and sells it as a location log for any license plate you want
to find.

------
Latteland
We should outlaw all tracking for car licenses and cell phones. I am not naive
enough to think this would pass Congress but it should. Otherwise there is
basically ubiquitous surveillance of everyone available to everyone who looks.

~~~
megablast
Not for car plates, cars are killers and should be tracked everywhere. 40,000
people are killed due to cars every single year in the US, a million around
the world. They are worse than guns.

~~~
mdpopescu
Do you have any sort of evidence that tracking them prevented / reduced those
deaths?

------
exabrial
The headline reads exactly like the plotline of the last fast and furious
movie

------
archi42
I expected them to have stolen physical stuff, like a GSM sniffer or stuff
like that. This is more like _Wannabee Gangstas Gained Illicit Access to
Database that Tracks Almost Every American_.

------
gumby
TIL the government can get access to nest cams.

~~~
qrbLPHiKpiux
Technically, and legally, speaking, the GUBment can get access to any data if
it isn't air-gapped and encrypted.

------
pmorici
Is there any way to see what information TLO has collected on you similar to
how some people search websites let you look yourself up and request removal
of your personal information? I couldn't find anything on their site.

~~~
maaaats
Suddenly GDPR is not so bad, eh?

~~~
laurentl
This whole thing is a poster child for GDPR.

Step 1: hi TLO, what information do you have on me? Step 2: right, delete all
of it.

------
w_t_payne
And this is (close to) the crux of the issue. How can we prevent malicious
actors from abusing our numerous and diverse surveillance technologies (law
enforcement; ad-tech; pretty much every 'smart' device) whilst also allowing
authorised, regulated, controlled, legitimate uses. (And is it worth it?).

What processes and assurances are enough? (Formal methods, I'm looking at
you).

------
rch
There were a few quotes in the article from EFF people, but I thought the EFF
was more ambivalent about private companies like TransUnion selling access to
data like this. Am I incorrect or are they only critical due to the potential
for abuse by law enforcement?

~~~
thrmsforbfast
The EFF is run by/employs/takes advice from a lot of people, who probably
don't all agree with one another:

[https://www.eff.org/about/board](https://www.eff.org/about/board)

[https://www.eff.org/about/special-counsel](https://www.eff.org/about/special-counsel)

[https://www.eff.org/about/advisoryboard](https://www.eff.org/about/advisoryboard)

------
nyolfen
this is absolutely begging for regulation

~~~
Reelin
Entertainingly, this is already regulated in an inconsistent manner in some
states. In Virginia, for example, the government has some fairly broad
restrictions on collection and retention of personal data, but to the best of
my knowledge no civil counterpart exists. See this recent case on the matter:

[https://www.aclu.org/blog/privacy-technology/location-tracki...](https://www.aclu.org/blog/privacy-technology/location-tracking/virginia-supreme-court-sees-through-police-claim-license)

In fact, they're so worried about government abuse there that another bill
seeking to severely limit retention of license plate reader data passed both
the house and senate before being vetoed by the governor over "public safety
concerns".

Article about it: [https://arstechnica.com/tech-policy/2015/03/virginia-passes-...](https://arstechnica.com/tech-policy/2015/03/virginia-passes-shortest-limit-in-us-on-keeping-license-plate-reader-data/)

Bill details: [http://lis.virginia.gov/cgi-bin/legp604.exe?151+sum+SB965](http://lis.virginia.gov/cgi-bin/legp604.exe?151+sum+SB965)

Best quote ever:

> Senator: "I wasn't a criminal suspect, so why are they taking pictures of
> me?"

------
Cort3z
1984

