Secret tech lets governments collect masses of data from your apps

A large number of apps on smart phones store data in the cloud. Law enforcement can access these vast troves of data from devices and from popular apps with the push of a button using cloud extraction technology. 

Mobile phones remain the most frequently used and most important digital source for law enforcement investigations. Yet it is not just what is physically stored on the phone that law enforcement are after, but what can be accessed from it, primarily data stored in the Cloud. 

Cellebrite, a prominent vendor of surveillance technology used to extract data from mobile phones, notes in its Annual Trend Survey that in approximately half of all investigations, cloud data ‘appears’ and that ‘[t]ypically, this data involves social media or application data that does not reside on the physical device.’

Cloud storage, data which is stored on third-party servers and typically used by device and application manufacturers to back up data, is increasingly used for social media, internet-connected devices and apps. This opens the door to a huge amount of personal information. Extraction companies claim they can obtain data from the most popular cloud services including WhatsApp, iCloud, Google, Facebook, Twitter and even the users actual voice from Amazon Alexa. 

Even if you use end to end encrypted messaging, if you back up your WhatsApp messages to the Cloud, they are accessible to law enforcement if they use extraction technology. 

Despite the huge amounts of data stored in the cloud, there is limited public understanding. Privacy International commissioned a poll from YouGov, which found that in the UK of those polled: 
* 45.6% of people have not thought about where data created by apps on their phone is stored.
* 44.3% of people do not know or think that apps on their phone use cloud stoage. 
* 47% of people when asked whether they understood what the term 'cloud computing' means responded 'not well'. 

Once law enforcement have a users' credentials, not only can they obtain their data, they can easily and secretly track a user's online behaviour such as their posts, likes, events and connections using their cloud-based accounts, even after they have returned the phone. They could even impersonate the individual.

As a result, Privacy International is demanding that 17 tech companies specifically targeted by extraction surveillance companies to outline their position.

Camilla Graham Wood, solicitor at Privacy International states:

"We are only just starting to gain a modicum of transparency around law enforcement use of mobile phone extraction, yet there are new concerning technologies on the horizon such as cloud extraction, about which very little is known.

Cloud extraction technologies give law enforement the ability to access eye-watering amounts of highly sensitive personal data, not only about individuals, but also their friends, colleagues and acquaintances. Concerningly, such technology also allows authorities to deploy facial recognition tech across people's media as well as the ability to conduct continual monitoring of an individual's social media without them ever knowing.

Much of this data is uploaded to the cloud, often without our knowledge, by the big tech companies. This risks making our personal data more vulnerable, not more secure. There is an urgent need for the companies who we entrust with our data to ensure they protect it from the tech which can be operated by unskilled operatives at the push of a button.

It is a matter of urgency that law enforcement act with a greater degree of transparency in relation to the new forms of surveillance they are using, and that laws which are designed to protect against abuses are updated."

……………………………………………………………………………………………………………

Notes to Editors

Privacy International have conducted detailed research into cloud analytics including the companies selling this technology, the types of apps and data that can be extracted and that companies offer facial and emotional recognition tools to analyse extracted data. 

The full report can be read here: https://privacyinternational.org/long-read/3300/cloud-extraction-technology-secret-tech-lets-government-agencies-collect-masses-data

PDF version here: https://privacyinternational.org/sites/default/files/2019-12/3.12.2019%20Cloud%20Analytics%20LONG%20READ%20FINAL.pdf

Letters to the companies can be found here: https://privacyinternational.org/news-analysis/3302/big-tech-companies-must-protect-customer-data-legal-backdoors

YouGov research can be found here: https://privacyinternational.org/news-analysis/3321/awareness-about-cloud-computing-and-where-apps-store-data-uk

For more information contact camilla@privacyinternational.org 

About Privacy International

- Privacy International (PI) is a registered charity that works at the intersection of modern technologies and rights. PI is based in London and works internationally.

- We shine a light on overreaching state and corporate surveillance, with a focus on the sophisticated technologies and weak laws that enable serious incursions into privacy. We investigate, litigate, advocate, and educate, all with one aim - for people everywhere to have greater security and freedom through greater personal privacy.

- We work with experts all over the world to build the global privacy movement.