A new report from Privacy International paints a picture of a largely opaque, unaccountable system of surveillance technology used by government agencies online. So-called “cloud extraction” tools are largely unknown to the public and subject to relatively low levels of oversight, but are used regularly to analyze and extract private data from all of the major cloud services.
This new application of surveillance technology is concerning in its scope, and in terms of issues of consent. A search of a device is no longer a one-time event when these tools are used; the party being searched may now also be having any or all of their cloud accounts accessed, and may be subject to ongoing monitoring and repeated searches.
What is cloud extraction?
Cloud extraction works by lifting authentication tokens off of a mobile device or computer that government agencies have physical access to, for example during a search of a suspect.
Authentication tokens for various cloud services can remain active for weeks at a time, and in some cases are permanent. If the investigating agency can extract these tokens, they do not need to coerce the subject into giving up login information; if they already have login information, they can maintain ongoing access even if the subject later changes their password. This also allows them to circumvent most two-factor authentication (2FA) measures.
Cloud extraction tools such as GTEX, Cellebrite, UFED and KeyScout will automatically comb computers and devices for login credentials saved to cookies, browsers and other applications. These tools can not only snap up existing tokens, but in some cases also create new tokens from what they find.
What kind of data is accessed?
Cloud extraction tools can open the doors to files stored with nearly all of the major cloud services: Google Drive, Dropbox, Facebook, Slack, various web-based email services and more. These tools can also mine data from voice assistants such as Google Home and Alexa, and fitness trackers such as FitBit. But this goes far beyond simple access to files.
As the report points out, getting access to a Google account in this way also allows investigators to potentially track searches, location history, browser history, instant messaging records and more. Anything visible to the account holder when logged in is also available to the investigator – including encrypted messages.
Some of these cloud extraction services have also added facial recognition and matching capabilities. At least one tool, from Oxygen Forensics, claims to offer emotion recognition as part of the services.
This type of surveillance technology allows investigators to not just access a huge amount of existing information, but also to surreptitiously track targets on an ongoing basis. They can repeatedly access the cloud accounts to check on location data, new calls, new messages, and videos and pictures that the subject takes among other possibilities. Most subjects will not be aware that they are being tracked in this manner after the initial physical search occurs.
Troubling surveillance technology
In a U.K. poll commissioned by Privacy International, about half of users of mobile phones in the country are not aware of where their cloud data is stored, and nearly half believe that their mobile apps are not generating data that is stored in the cloud. About the same amount feel that they do not have a good understanding of how cloud based systems work.
Most people are likely not aware that these agencies have this level of surveillance technology or that it is legal for them to use it in this way. If they consent to a search of their device, they may not be aware of the extent of the cloud data they are granting access to or that they are effectively giving permission to continual tracking of their private online activity.
Camilla Graham Wood, solicitor at Privacy International states:
“We are only just starting to gain a modicum of transparency around law enforcement use of mobile phone extraction, yet there are new concerning technologies on the horizon such as cloud extraction, about which very little is known.
“Cloud extraction technologies give law enforcement the ability to access eye-watering amounts of highly sensitive personal data, not only about individuals, but also their friends, colleagues and acquaintances. Concerningly, such technology also allows authorities to deploy facial recognition tech across people’s media as well as the ability to conduct continual monitoring of an individual’s social media without them ever knowing.
“Much of this data is uploaded to the cloud, often without our knowledge, by the big tech companies. This risks making our personal data more vulnerable, not more secure. There is an urgent need for the companies who we entrust with our data to ensure they protect it from the tech which can be operated by unskilled operatives at the push of a button.
It is a matter of urgency that law enforcement act with a greater degree of transparency in relation to the new forms of surveillance they are using, and that laws which are designed to protect against abuses are updated.”
The cloud extraction firms offer this surveillance technology internationally and are located all over the world: for example Oxygen Forensics is based in the United States, Cellebrite is based in Israel, and Elcomsoft is headquartered in Moscow.
Privacy International has requested that 17 of the largest tech companies that this surveillance technology claims to have access to, such as Google and Facebook, to take a public position on its use. The group is advocating for greater transparency and legal safeguards, urging UK citizens to contact their local law enforcement agencies and ask about their cloud extraction technology and policies.