Amazon Sues Pirate Streaming Boxes, but Stocks ‘Piracy’ Tutorials?

Amazon and other members of the Alliance for Creativity and Entertainment have declared ’war’ on pirate streaming devices and add-ons. While legal warnings are issued left and right, the Amazon store ironically still stocks books that explain to newcomers how to install some of the same add-ons Amazon is tackling.

Last summer saw the rise of a new anti-piracy scheme, which has already garnered a few headlines.

A coalition of the big Hollywood studios, Amazon, Netflix and several other media houses teamed up, establishing the Alliance for Creativity and Entertainment (ACE).

Their ultimate goal is defeating piracy, with pirate streaming bundles as the prime target.

In the months that ensued, various third-party Kodi add-on developers got threatening letters in the mail and, on top of that, ACE filed lawsuits against three sellers of alleged pirate streaming boxes.

Their show of force hasn’t gone under the radar. It prompted some developers and vendors to back off or quit entirely. Simultaneously, fully-loaded boxes are now harder to obtain at ACE member Amazon, which has taken down tens of thousands of listings.

These boxes, which come with a built-in media player and also pirate add-ons, were not always that difficult to find though.

In fact, Dragon Box, which Amazon and other members are suing, was previously stocked on Amazon. This might be the reason why the company argued in its justification that it had “Amazon’s implied authorization to promote and sell the device.”

Apparently, these Dragon Boxes have now been removed from Amazon’s stock, but it’s still possible to find various allegedly piracy-inducing items there today.

For starters, hundreds if not thousands of low-cost media players are there for sale. While they may be legal, Amazon member reviews show, sometimes with screenshots, ways they can be quickly set up to operate pirate add-ons.

Arguably, 24/7 moderation is required. After all, people may also purchase a PC on Amazon and suggest that others bookmark The Pirate Bay. Maybe we’re hairsplitting.

The widespread availability of “Kodi tutorials” is perhaps a bigger headache. While Kodi is legal, some of the books elaborately explain how to add “pirate” add-ons. The same devices Amazon is suing Tickbox, Set TV, and Dragon Box over.

One guide, referencing Set TV in particular, asks: “Do you want to install Area 51 IPTV or Set TV on your Kodi and Amazon Fire TV Stick or Fire TV?” It adds: “Do you want to install Supremacy, Dogs Bollock, Covenant, Genesis Reborn and Neptune Rising?”

Another book provides help on “How To Install Kodi And The Latest Downloads On Any Firestick”, mentioning the add-on Exodus, among others. Exodus was famously featured as a “pirate” add-on by the MPA.

Other books discuss how to install an extensive range of add-ons with a “pirate” reputation, including Covenant, which is specifically singled out in the ACE lawsuits as a bad actor.

As far as records go, none of these add-ons have been ruled illegal in court. But it is evident that Amazon itself sees these as pirate devices.

It places Amazon in an awkward spot, as on the one hand, it is suing vendors who sell devices that come with the Covenant add-on, but on the other, it sells books that show people ways to set this up themselves.

Amazon has to sort itself out.

EU Advocate General: Right to Private Life Shouldn’t Obstruct Copyright Enforcement

In the EU, rights to private and family life are respected. However, EU Advocate General Szpunar in his new publication has made it clear that people cannot misuse their powers. They cannot share copyrighted content without permission from the copyright holders.

On May 8, 2010, German citizen Michael Strotzer was operating an Internet connection from which an audiobook was made available on a peer-to-peer network.

Bastei Lübbe AG, a German company, owned the copyrights to that content and had not granted Strotzer permission to share it online. Therefore, on October 28, 2010, Bastei Lübbe wrote to Strotzer with a demand for him to cease infringing their copyrights.

But, when the letter did not work, Bastei Lübbe took Strotzer to court in Germany to be compensated for the alleged damages caused.

Strotzer denied the copyright infringement claims by saying that his home network was secure and he wasn’t the one who did it. Additionally, he stated that his parents had access to his system.

But, neither did they have the audiobook on their computer nor use file-sharing networks. Furthermore, he said that their computer had been shut down at the time when the audiobook was shared online.

The court dismissed the case, saying that the copyright infringement could not be directly attributed to Strotzer since his parents could also have shared the audiobook. In response, Bastei Lübbe filed an appeal with the Regional Court of First Instance in Munich.

The Court felt Michael Strotzer was responsible for the infringement as no third party involvement was evident from his statement.

The law of the case, however, made it complicated. Previously, the Federal Court ruled that the copyright holder should prove the infringement. It also said that the Internet connection owner is the likely infringer if no one else was using the connection at the time of the violation.

On that note, the connection owner should reveal the identity of those people who used it if he is not the one.

But, under Article 7 of the EU Charter of Fundamental Rights which safeguards the right to respect for a citizen’s private and family life, it was argued that the owner of the connection is not required to give more information if a family member has had access to his network.

Keeping this in mind, the Munich court referred the case to the Court of Justice of the European Union (CJEU) for guidance. Advocate General Szpunar published his opinion on June 6 in 21 different languages (except English), but thanks to lawyer Eleonora Rosati, the findings are available.

But, if national law foresees such beliefs to ensure the protection of copyright, this shall be applied logically to guarantee effective copyright protection.

Meaning, if a country (in this case Germany) has national laws that lower the burden of proof to help protect copyright (something which is not mandatory under EU law), it does not necessarily mean that rightsholders cannot enforce their rights even if it conflicts with the right to respect for private family life.

When cases are taken to the CJEU, the judgment and future decisions of the Court often contain language which aims to balance what are usually seen as conflicting rights. In this case, it’s opined that the right to family life should not be used as an excuse to avoid liability in a matter where the rights of another party have been infringed.

The opinion of the Advocate General is not final, but the CJEU typically takes such advice.

“No Logs” IPVanish Releases Logs To Homeland Security

IPVanish is a highly respected US-based company that has always claimed to have a strict no logs policy. It appears to be a lie.
Keep in mind that the logs go back to an incident that took place in June 2016, and IPVanish was then acquired by a company that maintains that no records are stored.

The Zero Logs Claim

Looking at the Internet Archive Wayback Machine, it can be clearly seen that both before and after the incident, IPVanish asserted that no logs were kept at all: “IPVanish does not collect or log any traffic or use of its Virtual Private Network service.”

The Incident

On 4 May 2016, a US Department of Homeland Security investigator was talking undercover to a suspect who posted some links to child pornography. The special agent traced the IP address, which linked the suspect back to Highwinds Network Group, a CDN company which launched in the Usenet industry and which owned IPVanish at the time.

Upon getting a summons that was not legally binding, Highwinds confirmed that the IP address was theirs, but said that it would not be able to help with the investigation because:
“To protect customer data, we do not log any usage information. Therefore, we do not have any information regarding the referenced IP.”

This is inconsistent with the next part of the court affidavit used for the subsequent trial:
“Highwinds Network Group suggested the HSI submit second summons requesting subscriber information more detailed in nature.”

Homeland Security Investigations (HSI) complied and was rewarded with a set of detailed connection logs that evidently identified the suspect.

It’s proof that IPVanish was indeed keeping logs, contrary to its “zero logs” policy claim. It gets murkier, as Highwinds seems to have freely cooperated with HSI in handing them over.

Trust Expectations

Mr. Gevirtz is a genuinely despicable human being and it’s good news he was caught. But users want VPNs to provide privacy for legal reasons and expect them to uphold the privacy claims they make, the most important being no logs.

A Different Company Owns IPVanish Now

The whole issue is made more difficult by the fact that StackPath acquired Highwinds (and therefore IPVanish) in February 2017. Replying to a Reddit discussion on the matter, StackPath CEO Lance Crosby made the following post: “IPVanish has always marketed itself as a “no logging” VPN. At the time of the acquisition 2/6/17, the StackPath team and a third party performed due diligence on the platform. No logs existed, no logging systems existed and no previous/current/future intent to save logs existed. The same is true today. We can only surmise, this was a one time directed order from authorities. We cannot find any history of logging at any level.”


IPVanish’s Vice President of Product & Marketing, Jeremy Palmer, agreed with the statement.

The problem lies in the fact that even though a different company now owns it, many of the senior IPVanish staff have been with the company for years.

The United States of Surveillance 

Back in 2013, NSA whistleblower Edward Snowden revealed the mind-boggling scope and ambition of the United States’ mass surveillance program. It represents a case of “collect it all,” and even though much digital ink has been spilled on the issue, no real progress has come of it.

America has no mandatory data retention laws, but it looks like the US government, flexing its muscles, always gets what it wants.

This was what might have happened with IPVanish.

Is IPVanish Trustable?

Maybe PureVPN and Hide My Ass have similarly been nabbed lying about the logs they keep. Until a method to independently audit providers’ no logs claims is set up, the only way to know for sure if a VPN service is trustworthy about its logging policy is when it proves those claims in court.

But what you can be sure about is that a VPN will protect your privacy much more than your ISP will. In IPVanish’s case, the fact that a different company runs it now provides something of a get-out clause for the actions of its past management.

But, then again, many senior staff members were also senior staff members when it took place. And anyway it’s America.

 

Google Blacklists Millions Of Pirate URLs Rendering Them “Unlisted”

Google keeps a rapidly growing list of copyright-infringing URLs which it hasn’t listed yet. This blacklist makes sure that these links never make it into the search engine. Thanks to a new update in the transparency report, we now know how many non-listed links every takedown notice includes, which is astonishingly high in some cases.

Over the years, Google has had to deal with a continuous rise in takedown requests which target pirate sites in search results.

The total number of ‘discarded’ URLs just touched 3.5 billion, and millions more are added daily.

Although that is not new, the thing that is new is Google sharing some further insight into the nature of these requests.

Fact is, millions, if not hundreds of millions, of the links copyright holders target have never shown up in Google’s search index.

Earlier in the year Caleb Donaldson, Google copyright counsel, disclosed that the company had started to block non-listed links ‘prophylactically.’ Meaning, Google blocks URLs prior to them appearing in the search results, as some sort of piracy vaccine.

Donaldson stated “Google has critically expanded notice and takedown in another important way: We accept notices for URLs that are not even in our index in the first place. That way, we can collect information even about pages and domains we have not yet crawled.”

Additionally, he said “We process these URLs as we do the others. Once one of these not-in-index URLs is approved for takedown, we prophylactically block it from appearing in our Search results.”

Regrettably, Google gave no easy way to see how many links in a request were not listed, but that has now been rectified.

In the past week or so, Google added a new signal to its DMCA transparency report showing how many of the submitted URLs in a notice are not listed yet. In some cases, it is most of them.

For example, the Mexican branch of the anti-piracy group APDIF is one of the most active DMCA reporters and asked Google to remove over a million URLs last week alone.

Given below are links where the majority of them appear to be non-indexed links.

Google now reporting non-listed takedown requests

These URLs are not removed, well, because they weren’t listed. As Google stated earlier, they are kept on a separate blocklist instead, which prevents them from being added later.

Apart from APDIF, Rivendell is also an active sender with a high rate of non-listed links, often well over 50%.

It turns out to be a rather common tactic. Big-time players like Fox, Walt Disney, NBC Universal, BPI, and the RIAA all send non-listed links to varying degrees.

While not all reporting agencies have such high percentages as APDIF, it is clear that millions of non-listed pirate URLs are added to the preventive blocklist every month.

Technically, the DMCA takedown procedure is meant for links and content which really exist on a server, but maybe Google wants to take it a step further themselves.

Sony Hands Out Precautionary World Cup Copyright Warnings

Sony Entertainment Network runs many TV channels, like Sony ESPN, which possess the rights to broadcast the 2018 FIFA World Cup. Sony has started sending out precautionary warnings to illegal streaming sites. The letter forewarns the unauthorized streaming of matches while threatening civil and criminal action.

In the past, an event like the fast-approaching FIFA World Cup wouldn’t have been notoriously affected by piracy.

Most people like to watch on the go, so services like BitTorrent that offer content after the event weren’t all that appealing.

Nowadays, however, there are hundreds of unlicensed platforms totally capable of transmitting live content, meaning that the World Cup is within the grasp of anyone with an average Internet connection.

Knowing this, anti-piracy companies are probably going to be working overtime during the World Cup to make sure that live streams are taken down as soon as matches start. Whether they will be triumphant remains to be seen, but for the Sony Entertainment Network, the fight has already begun.

This week, Sony has been sending out deterrent warnings to pirate sites via Indian anti-piracy firm Markscan. The company warns of grave consequences if sites don’t obey their warnings. Sony has claimed TV, radio, mobile, and broadband broadcasting rights to the World Cup in India, Bangladesh, Bhutan, Maldives, Nepal, Pakistan, and Sri Lanka.

The Markscan letter reads: “[Our] Client will be showing the matches live and content related to FIFA 2018 in various languages across the following channels comprising of Sony Entertainment Network which are designated to the official broadcasters of FIFA 2018.”

Markscan listed 10 channels that will be broadcasting content, with Sony ESPN included, a combined effort between the two companies in India.

It went on to say: “By way of the present caution notice issued to you, we caution you and your website, not to indulge in any broadcasting, rebroadcasting, making available for viewing and/or communicating to the public, the FIFA 2018 matches and any content associated thereof, without obtaining permission/authorization from our client.”

Markscan further said that the site in question will be monitored for any acts of infringement and, should any take place, it shall be compelled to “initiate legal proceedings (civil and/or criminal) should you engage in violation of our Client’s rights despite the present notice.”

Owing to the sheer volume of legal services the World Cup will be made available on, it’s literally impossible to stop all unauthorized streams. In fact, due to the massive number of unlicensed sites around today, it’s probably going to be one of the most-pirated live sports tournaments of all time.

This means that despite the best preventive measures, any takedowns will account for only a trivial share.

 

24 Million Americans With No Broadband As Net Neutrality Rages On

The United States is one of the wealthiest countries in the world but still has some 24 million people with no broadband coverage. This is an issue that is buried beneath all the net neutrality outrage. It may not be a “spicy” topic, but for these 24 million folks, the economic benefits that come from the high-speed internet are just a fantasy.

The Millions Left Stranded

With politics becoming more divisive than ever, underlying issues such as access to the internet are being clouded by the ideological clashes taking place across the country.

Has The Issue Been Drowned?

The announcements are clogged with personality issues regarding politicians or other controversial issues. Susan Boser, the Democratic candidate striving to oust Republican House Member Glenn Thompson in Pennsylvania, recently stated: “If you were to ask people what issues they’re voting on, first and foremost they would say ‘pro-Trump or anti-Trump.’ Next would be guns and abortion, then the needs of the area, which are jobs and the opioid epidemic.”

So, in other words, internet access is buried between the stories pushed by the mainstream media.

Where Have The Elected Officials Gone?

There is a saying that all politics is local. By that argument, internet access should be an important topic on candidates’ agendas as the mid-term elections are being contested this autumn. But the reality is grim. Christopher Mitchell, the director of Community Broadband Networks for the Institute for Local Self-Reliance, said so.

Politicians of both parties lack the desire for better broadband coverage. This could be their downfall as local politics should dominate House races.

Tides May Be Turning

However, Boser believes the tide may be turning.

“When I talk about the needs of the area, I’m focused on (the) local economy, and the first solution is broadband. Everybody’s head is nodding; I’m getting very, very strong support for it. I had a woman come up to me after a town hall and say, ‘You had me at broadband.’”

Perhaps, the bad news surrounding net neutrality presents a small ray of hope. Ultimately, wasn’t it the mantra of the politicians that warred against net neutrality that it prevented investment by the broadband companies?

To fix the problem, there has to be a massive investment in infrastructure. Private companies cannot do it alone. It will need the support of the politicians and local officials as well.

Steps should be taken to mobilize voters reminding them of the relationship between the ballot box and their Wi-Fi connection.

YouTube Can Be Liable For Copyright Infringing Videos, Court Rules

In an initial ruling, a court in Vienna, Austria, has decreed that YouTube can be held responsible for users’ copyright infringements. The video service platform is not seen as an impartial intermediary and ought to do more to prevent infringing uploads. The judgment, which is not yet legally binding, is a victory for local television channel Puls 4 but YouTube hints that, if it stands, the company will naturally appeal.

YouTube is known to be a hotbed for creators. At the same time, however, it’s also repeatedly used to upload copyrighted material without permission.

While copyright holders can send takedown notices to remove infringing material, an initial ruling by the Commercial Court in Vienna has determined that this will not suffice.

The ruling follows a complaint from local television channel Puls 4. Following a thorough review of YouTube’s functionalities, the Court concluded that YouTube has a responsibility to prevent third parties from uploading infringing content.

Defending itself, YouTube reasoned that it’s a neutral hosting provider under the terms of the E-Commerce Act.

But, the Commercial Court disagreed, saying that YouTube takes various motivated actions to organize and optimize how videos are shown. These actions make YouTube more than a neutral hosting server.

“Through the connections, sorting, filtering and linking, in particular by creating tables of contents according to predefined categories, determining the surfing behavior of users and creating a tailor-made surfing proposal, offering help etc, YouTube leaves on the role of a neutral intermediary and therefore cannot claim the host provider privilege,” the Court declared.

Consequently, YouTube will have to take measures to make sure that no copyright-infringing videos are uploaded in the future. It sounds similar to the upload filters which are part of the EU’s planned copyright amendment.

As per Puls 4, the Court’s decision has “the potential to revolutionize the Internet.” Although limited to copyright infringement and YouTube, the company says that it could be widened to different areas and services as well.

Markus Breitenecker, Managing Director of Puls, said “The media, who call themselves social networks, will have to recognize that they must also take responsibility for the content through which they earn many millions. This is a real gamechanger”.

YouTube responded by telling Austrian press that the judgment will be “examined in detail”.

A spokesman said, “We are keeping all options open, including an appeal.”
“YouTube takes copyright protection very seriously and provides rights owners with tools and resources to protect and exploit their content.”

The present ruling is yet to be legally binding, meaning there is more to come from this case.

Mozilla Firefox Account Protection With Two-Step Authentication

Mozilla has announced that it now supports two-step authentication for Firefox accounts (also known as two-factor authentication or 2FA).

“Starting on 5/23/2018, we are beginning a phased rollout to allow Firefox Accounts users to opt into two-step authentication. If you enable this feature, then in addition to your password, an additional security code will be required to log in.”

Mozilla has selected the Time-based One-Time Password (TOTP) authentication standard as its method. TOTP codes are generated in authenticator apps like Authy, Duo, Google Authenticator, or the open source andOTP.

Single-use recovery codes are supported in case something happens to your phone.
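How the six-digit code from an authenticator app is derived and checked, as an added example (not Mozilla's implementation): RFC 6238 TOTP with HMAC-SHA1, a one-step clock-drift window, replay rejection, and single-use recovery codes. The class and function names, the window size and the recovery-code format are assumptions, and the shared secret is the published RFC 6238 test key rather than a real account secret.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length shown by most authenticator apps


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, at: float, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(key, int(at) // STEP, digits)


def new_recovery_codes(count: int = 8) -> list:
    """Random single-use codes (format is an assumption of this example)."""
    return [secrets.token_hex(5) for _ in range(count)]


class SecondFactor:
    """Server-side state for one account (hypothetical class for this example)."""

    def __init__(self, key: bytes, recovery_codes):
        self.key = key
        self.last_step = -1   # highest time step already accepted
        # Store only digests, so a database leak does not expose usable codes.
        self.recovery = {self._digest(c) for c in recovery_codes}

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    def verify_totp(self, code: str, at: float, window: int = 1) -> bool:
        """Accept a code from the current step or `window` steps either side."""
        now = int(at) // STEP
        for step in range(now - window, now + window + 1):
            if step <= self.last_step:
                continue   # never accept a step twice (replay protection)
            expected = hotp(self.key, step).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_step = step
                return True
        return False

    def verify_recovery(self, code: str) -> bool:
        """A recovery code works exactly once, then it is deleted."""
        digest = self._digest(code)
        if digest in self.recovery:
            self.recovery.discard(digest)
            return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"        # RFC 6238 test key, not a real secret
    codes = new_recovery_codes()
    account = SecondFactor(key, codes)
    shown = totp(key, at=59)             # what the phone would display at t=59
    print("code at t=59:", shown)
    print("first use:", account.verify_totp(shown, at=59))
    print("replayed :", account.verify_totp(shown, at=59))
    print("recovery first use:", account.verify_recovery(codes[0]))
    print("recovery reuse    :", account.verify_recovery(codes[0]))
```
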

2FA is highly recommended for Firefox users who rely on the browser’s built-in password manager to improve the overall security of their accounts.

What is 2FA?

One-factor authentication is your username and password. Two-factor authentication adds a second form of identification, your phone in this case.

It is highly unlikely that a hacker gets access to both your phone and username/password. 2FA, therefore, is a significant advantage.

Protecting Your Firefox Account Using 2FA

The process given below is similar whatever app or platform you use. If you use andOTP, an externally linked page offers advice from its developer on setting it up.

*Note: Android’s security policy prevents taking screenshots of the andOTP app in action.

1. Enable 2FA in Firefox

Go to Options -> Firefox Account -> Manage Account -> Two-step authentication -> Enable.

Mozilla is rolling out 2FA gradually, so you may not see this option right away. No problem, just click this link in Firefox to enable it.

2. You will get a QR code to scan into your authenticator app. In andOTP click on the + icon at the bottom right -> Scan QR code. You will get a security code that you must enter into Firefox. Then hit “Confirm.”

3. Yoo-hoo! You are ready. You will get confirmation that 2FA is enabled (and receive a confirmation email from Mozilla).

You will get some one-time recovery codes. You can enter each once to save you from generating new codes in your authenticator app. Keep them secured!

4. Any time you sign into your Firefox Account, be it on the same device or a new device, you will be prompted to give a security code after you have entered your username and password.

Simply open your authenticator app, glance at the Firefox Accounts entry, and enter the code within the allotted time. Easy!

Closing

Two-factor authentication makes your Firefox account more secure, and it doesn’t require much time to set up.

 

 

 

Facebook Wants Access to Your Nude Photos to “Protect You”!

In a somewhat strange proposal, Facebook wants you to send it sexually explicit photos of yourself to prevent revenge porn.

“It’s demeaning and devastating when someone’s intimate images are shared without their permission, and we want to do everything we can to help victims of this abuse. We’re now partnering with safety organizations on a way for people to securely submit photos they fear will be shared without their consent so we can block them from being uploaded to Facebook, Instagram, and Messenger.”

The idea was already trialed in Australia and is being rolled out in the UK this week. Facebook says that the US and Canada also will be included in the trial program, which goes something like this:

• If you find a revenge photo of yourself on the internet, then you can send a copy of it to Facebook.

• The picture will be reviewed by “one of a handful of specifically trained members of our Community Operations Safety Team”. This team member will create a unique fingerprint of the photo known as a hash.

• This hash is stored in a database. If anyone else uploads the same image to Facebook, Instagram and Messenger (i.e., an image that has the same unique hash “fingerprint”) then it will be recognized and automatically removed.

Users can also pro-actively send photos they dread being posted as revenge porn.

The idea sounds reasonable at the beginning but has two significant issues.

It is Unconvincing

The data from Australia’s trials has not been publicized yet, but Facebook stresses similar schemes have had success at checking the spread of terrorist propaganda and child abuse images.

The problem lies in the fact that hashes are very particular to the data being hashed. The Guardian reports that the hashes are good enough not to “get fooled by simple alterations such as color tweaks, watermarks or crops.” But there are doubts.

The fact that even the tiniest change to the input data will create a non-identical hash is the cornerstone of internet security: hashes are used to ensure the integrity and authentication of data.

Even if true, it would still be quite easy to modify an image adequately to “fool” Facebook’s hash detection software. There are numerous combinations of changes that could render hashing ineffective.
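The two kinds of hash this section contrasts, as an added example (not Facebook's algorithm, which the page does not describe): a cryptographic hash (SHA-256) changes completely after a slight brightness change, while a perceptual "average hash" of the same picture does not. The 8x8 grayscale test images, the function names and the match threshold are constructed for this example.

```python
import hashlib


def gradient_image():
    """Constructed 8x8 grayscale 'photo': a diagonal brightness gradient."""
    return [[16 + 20 * r + 8 * c for c in range(8)] for r in range(8)]


def checkerboard_image():
    """Constructed 8x8 image with unrelated content."""
    return [[200 if (r + c) % 2 else 40 for c in range(8)] for r in range(8)]


def brighten(img, delta):
    """A 'color tweak': add the same amount to every pixel, capped at 255."""
    return [[min(255, p + delta) for p in row] for row in img]


def sha256_bits(img) -> int:
    """Cryptographic hash of the raw pixel bytes, as a 256-bit integer."""
    raw = bytes(p for row in img for p in row)
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")


def average_hash(img) -> int:
    """Perceptual hash: one bit per pixel, set when the pixel is brighter than
    the image mean. Real implementations first shrink the picture to 8x8;
    the sample images here are already that size."""
    pixels = [p for row in img for p in row]
    total = sum(pixels)
    bits = 0
    for p in pixels:
        # p > mean, written without division to stay in exact integers
        bits = (bits << 1) | int(p * len(pixels) > total)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which two hashes differ."""
    return bin(a ^ b).count("1")


def is_match(img_a, img_b, max_distance: int = 5) -> bool:
    """Treat two images as the same picture if their perceptual hashes are
    within max_distance bits (threshold is an assumption of this example)."""
    return hamming(average_hash(img_a), average_hash(img_b)) <= max_distance


if __name__ == "__main__":
    original = gradient_image()
    tweaked = brighten(original, 3)
    other = checkerboard_image()
    print("SHA-256 bits changed by the tweak :",
          hamming(sha256_bits(original), sha256_bits(tweaked)), "of 256")
    print("average-hash bits changed by tweak:",
          hamming(average_hash(original), average_hash(tweaked)), "of 64")
    print("average-hash distance to other pic:",
          hamming(average_hash(original), average_hash(other)), "of 64")
    print("tweaked copy matches:", is_match(original, tweaked))
    print("unrelated pic matches:", is_match(original, other))
```
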

Another problem is distribution: by the time you discover revenge porn of yourself on the internet, it will probably have been shared already, ruining your life.

The proactive uploading of images can work if you have possession of the compromising images. But in most revenge porn scenarios, this just isn’t the case.

Facebook Scandal! Remind You of Something?

Facebook’s entire business model is based around finding as much information as it can about you to target even more personalized ads at you.

We are talking about a company that was recently in the news for a privacy disaster and, this week, for a new court summons over reading messages, tracking people’s location, and accessing photos on phones. The gathering of data from users without their consent is something well documented, but it is the collection of data about people who have never signed up to Facebook that makes it outright creepy.

This scheme is contradictory in itself because of what Facebook is!

If you have concerns about or have been a victim of revenge porn, then you should contact an organization such as one of those listed below:

National Network to End Domestic Violence (NNEDV) (US)

Cyber Civil Rights Initiative (US)

Revenge Porn Helpline (UK)

Office of the eSafety Commissioner (Australia)

YWCA Canada (Canada)

 

SS7 Cell Network Extensively Exploited by “Nefarious Actors”

“I don’t think most Americans realize how insecure US telephone networks are. If more consumers knew how easy it is for bad guys to track or hack their mobile phones, they would demand the FCC, and wireless companies do something about it. These aren’t just hypotheticals.”

The above statement was made last week by Senator Ron Wyden (D-Ore.) after getting a letter from the Department of Homeland Security warning that “nefarious actors may have exploited” worldwide cellular networks “to target the communications of American citizens.”

Wyden on Tuesday explained the issue in a separate letter to Ajit Pai, chairman of the Federal Communications Commission (FCC) responsible for regulating interstate communications:

“Hackers can exploit SS7 flaws to track Americans, intercept their calls and texts, and hack their phones to steal financial information, know when they are at home or away, and otherwise prey on unsuspecting consumers. Moreover, according to multiple news reports, SS7 spying products are widely available to both criminal and foreign governments.”

Disturbingly, the letter reveals that:

“This threat is not merely hypothetical – malicious attackers are already exploiting SS7 vulnerabilities. One of the major wireless carriers informed my office that it reported an SS7 data breach, in which customer data was accessed, to law enforcement.”

There is no clarity whether the warning refers to state-sponsored entities acting for political gain or criminal hackers for financial benefit. It is also unclear who the wireless carrier is and the extent of the breach.

What is SS7?

Signaling System No. 7 (SS7) is a set of signaling protocols that provide the backbone for all mobile phone communication everywhere in the world. It enables phone networks to communicate among themselves to connect users and pass messages between systems, ensure correct billing, and allow users to roam on other networks.


 

The SS7 system, first developed in the 1970s, is old in technological terms. Critically, no one at the time thought of building any security measures into it.

It has been known to be insecure since at least 2008, and the situation has worsened in recent years. Previously there were only a few mobile networks, and now there are literally thousands worldwide. The industry made no changes as the risks were assumed to be purely theoretical.

This changed in 2014 when vulnerabilities in SS7 enabled hackers to record a somewhat embarrassing secret unencrypted phone conversation between the US ambassador to Ukraine, Geoffrey Pyatt, and US Assistant Secretary of State, Victoria Nuland, in which Pyatt was highly critical of the EU.

It was believed that using encrypted messaging apps such as WhatsApp, Facebook Messenger, Google Hangouts, and Viber, would secure communications.

However, in 2016, a security researcher showcased how hackers with access to the SS7 network could spoof users’ identities and set up fake accounts which would grant them access to messages belonging to users of many messaging apps that rely on phone numbers to authenticate users.

In 2017 O2 Telefonica in Germany confirmed that criminals used the SS7 network to bypass SMS-based two-factor authentication (2FA) to steal money from bank accounts.

Action Time?

Wyden wrote to the FCC urging the regulator to address the problem properly and to compile a list of SS7 violations known to have happened over the last five years.

This is not the first call to action: in 2016, US congressman Ted Lieu (D-Calif.) made a similar plea, calling for an oversight committee investigation into SS7:

“The applications for this vulnerability are seemingly limitless, from criminals monitoring individual targets to foreign entities conducting economic espionage on American companies to nation states monitoring US government officials. … The vulnerability has serious ramifications not only for individual privacy but also for American innovation, competitiveness, and national security. Many innovations in digital security – such as multi-factor authentication using text messages – may be rendered useless.”

The investigation took place, but the FCC working group responsible for it was composed mainly of telecoms industry lobbyists and included not a single academic expert.

SS7: Spies Love It!

Initial concerns over the SS7 network were about tracking; now there are fears of personal data being accessed from just about every phone user in the world.

As said earlier, it can be used to intercept encrypted communications and bypass 2FA security measures.

According to the Washington Post, “American, Chinese, Israeli and Russian intelligence agencies are the most active users of SS7 surveillance.”

Just this month news came out that US police can find the location of any phone in the country in seconds thanks to SS7. Worse still, barely days after this revelation came to light it was reported that this information was quite easy for hackers to access.

SS7 is a double-edged sword because security companies around the world thrive selling SS7 hacking tools to governments and police forces, with even criminals benefitting from it. Brian Collins, chief executive of AdaptiveMobile Security, told the Washington Post about this.

Even with the knowledge of SS7 being a threat to US national security, it appears that the US government is least bothered about the problem. The driving factor could be that SS7’s mass-surveillance capabilities are too precious to kill off.