A “friendlier” front for racist extremism has spread rapidly across the US in recent months, as active club channels network on Telegram's encrypted messaging app.

On Monday evening, Gabrielle Hanson, a pro-MAGA mayoral candidate in Tennessee, walked through the parking lot of Franklin City Hall, on her way to debate her opponent, incumbent Ken Moore, in what was meant to be little more than a typical campaign stop in the small city of Franklin just south of Nashville.

What made this scene so different was the fact that Hanson was flanked by members of the Tennessee Active Club, an openly neo-Nazi hate group. One of the men escorting Hanson into the building was Sean Kauffmann, the reported leader of the group whom the Southern Poverty Law Center says has been part of the white supremacist movement for years, and was photographed giving a Nazi salute at a Black Lives Matter rally.

The group stood outside the building as the event took place, and they told a local reporter that they were there to provide security for Hanson, claiming that “credible threats” had been made against her. The Franklin Police Department tells WIRED that they have no information about threats against Hanson. Instead, the police department is investigating death threats made against local journalists by Kauffmann’s group in their Telegram channel just hours after the campaign event ended.

The threats, which included anti-Semitic slurs and references to white supremacist literature, featured the image of one reporter’s home after one follower asked: “Who is this person? Where can I find them so I can beat the shit out of them?”

Active clubs are a decentralized network of groups that have recently become the new, so-called friendlier face of the white supremacist movement, by promoting physical fitness and brotherhood while hiding their true nature. The movement has experienced explosive growth in recent months. For researchers who have been tracking the rise of this movement, the use of Telegram to disseminate threats like those in Franklin highlights the crucial role the encrypted messaging app has played in helping these groups recruit, organize, and spread hate speech to a huge following.

“The way that active clubs go about their organizing is resonating with folks on Telegram, where there is a ready-made audience of people who have already written off politics, and they have come to a point in their lives where they think white genocide is real, and they see the active club, in their minds, out there doing something about it,” Jeff Tischauser, senior researcher with the Southern Poverty Law Center, tells WIRED. “I see Telegram as a leading pipeline into the creation of active clubs, because that's just where a lot of the rhetoric and the content and the propaganda of active clubs exist.”

****Got a Tip?****

**Are you a current or former member of an active club? We’d like to hear from you. Using a nonwork phone or computer, contact David Gilbert at** **david.gilbert@wired.com****.**

“You Better Run”

The first threat made by the Tennessee Active Club’s Telegram channel was aimed at Phil Williams, chief investigative reporter for NewsChannel 5 WTVF, who has written extensively about Hanson’s campaign in recent months—including reports on Hanson’s prior arrest for promoting prostitution. (She says she took a plea deal.) Williams has also exposed the hypocrisy of Hanson and her campaign. As an alderman, Hanson attempted to block a permit for a Pride festival in Franklin; Williams reported that she supported her husband’s participation in the 2008 Chicago Pride parade while wearing a pair of Speedos.

After Williams posted pictures of the Tennessee Active Club at the candidate forum on Monday night, the group’s Telegram channel shared a post calling Williams a “lying sack of shit for the international jew media” before warning that the “Day of the Rope is real and it’s approaching quicker than they can prepare for.”

The post concluded: “You better run … run … run.”

“Day of the Rope” is a reference taken from the 1978 white supremacist book, _The Turner Diaries._ The concept in recent years has become shorthand for attacks on journalists, politicians, and others who oppose the white supremacist revolution.

Williams did not respond to WIRED’s request for comment on the threats but did address them on X (formerly Twitter) on Tuesday evening. “This is a story that is important to this community. I will not be deterred from continuing to do my job,” Williams wrote, adding: “Truth will prevail!”

The group also threatened Holly McCall, the editor of the Tennessee Lookout, a nonprofit outlet covering local government, after she posted a comment on X mocking the appearance of some members of the Tennessee Active Club present on Monday night.

The group responded on Telegram writing, “That’s our cyber division Holly.” In a comment under the group’s post, a follower wrote: “Who is this person? Where can I find them so I can beat the shit out of them? So they know I am in fact active and lurking.”

The group then posted a picture of McCall’s house taken from what appears to be her husband’s Facebook account. WIRED confirmed that the picture was McCall’s home.

McCall declined WIRED’s request to comment on the threats. In a post on X on Tuesday evening, she wrote: “I hadn't planned to publicly comment, but yup, I'm the Holly these guys want to beat the shit out of.”

At least some of these threats were flagged to the Franklin Police Department. Milissa Reierson, communications manager for the city of Franklin, told WIRED she cannot comment on specific investigations, but she said they are “monitoring the events from \[Monday\] night,” adding that the city “takes any threat seriously.”

Hanson, an extreme right-wing candidate who spread conspiracy theories about the Covenant School shooting in Nashville in March, did not respond to WIRED’s request for comment. She claimed in a Facebook post that she did not hire or ask the Tennessee Active Club to provide protection for her, adding: “I am not, nor have I ever been associated with any white supremacy or Nazi-affiliated group.”

However, within minutes of posting this statement on Facebook, her Instagram account shared a screenshot taken directly from the Tennessee Active Club Telegram channel. The post makes baseless claims that her opponent was a member of antifa, the loose-knit network of anti-fascist activists, even though he’s a lifelong Republican politician in his 70s. The Telegram posts also said, “You don’t want us showing up” and “remember there is no political solution.”

Hanson is also the listed realtor of the Lewis Country Store, a gas station on the outskirts of Nashville owned by self-described “literal Nazi” Brad Lewis, where the members of the Tennessee Active Club train together with other white supremacist groups.

“A Prepackaged Brand”

Active clubs emerged in late 2020. They’re the brainchild of Robert Rundo, an American white supremacist who is alleged to have cofounded the Rise Above Movement, a combat-ready group with ties to street fighting gangs. Rundo was extradited to the US earlier this year after being arrested in Romania on anti-riot act charges related to violent clashes with anti-fascist protesters in Los Angeles in 2017. (Rundo was charged with the same crime in 2017, but the charges were dismissed before being reinvestigated.)

Rundo was inspired by similar groups he observed while in Europe, and he views the active club movement as part of a “White Supremacy 3.0” strategy, which attempts to move away from the overtly violent and Nazi-infused movements of the past to present a friendlier public face of white supremacy.

Emphasizing physical fitness among active club members, Rundo has stated that his aim is to create a stand-by militia of trained and capable right-wing extremists who can be activated when the need for coordinated violent action on a larger scale arises.

“I definitely do believe that in the future there needs to be a mass movement, a mass organization, but when it comes for that, do you really want a bunch of guys coming strictly from the online world to come join a mass movement without having any experience or skills?” Rundo said in a video posted online just weeks before he was arrested in March. “Active clubs are a great local way to start guys off as they come from the online world into the real world, to learn actual skills.”

While initial takeup of the active club idea was relatively slow, there has been explosive growth in the movement’s numbers this year, research shows. In April 2023, a report from the Accelerationism Research Consortium, a group of researchers, academics, and journalists who track the spread of accelerationism, found that there were 30 active clubs operating in 17 different states. By August, research conducted by Alexander Ritzmann for the Counter Extremism Project (CEP), a nonprofit that tracks extremist groups, found that there were 46 clubs operating in 34 different states—a 50 percent increase in the number of clubs and a 100 percent increase in the geographical spread in the space of just five months.

Because the network is decentralized, with each local group operating relatively independently, it allows anyone who wants to start an active club to do so very quickly. And Telegram is playing a central role in that explosive growth.

"A couple of guys who are motivated by racial animus or anti-Semitic hatred, they can go on Telegram, message a leader or an administrator of an active club channel, and the administrator will help this new group create the branding,” Tischauser says. “It’s basically a template that anybody can access if they have that political ideology. It's like a prepackaged brand that anybody could access.”

Spreading Hate

The number of members who partake in real-world activities with active clubs—everything from mixed martial arts training to handing out flyers and harassing LGBTQ events— is small, with each cell having on average between five and 25 members. But the number of people following these groups on Telegram is many times larger. Some of the groups have thousands of followers, and almost all typically have hundreds of followers.

A number of those followers will be researchers, law enforcement officers, and journalists. But there are also a huge number of people who are monitoring these groups because they already have an interest in the ideas being discussed.

“Telegram is the place where the active clubs are the most active. It is an essential component for the circulation not just of their ideology, but of their marketing,” Tischauser says. He points out that all the groups expect members to purchase branded gear from the Will2Rise website, an activewear brand established by Rundo that _Rolling Stone_ described as “the Lululemon for fascists.”

Telegram is also a hugely powerful recruiting tool, giving this movement a platform free of censorship or restrictions to spread its message to a much larger audience than it would have on other mainstream platforms.

“Alt-tech platforms—and Telegram is really one of the biggest examples of this—provide these hate groups with a ready-made audience of people that already subscribe to this very hateful ideology,” Tischauser says.

The vast majority of the Telegram channels identified as belonging to the clubs listed in the CEP report are public, available for everyone to see. The transparency is part of Rundo’s White Supremacy 3.0 strategy where he urges groups to only post positive content about training of the sense of brotherhood that the clubs claim to inspire, while avoiding violent threats and Nazi symbolism. But some groups do not appear to be subscribing to Rundo’s ideals—chief among them, the Tennessee Active Club.

“I don't think they got that memo,” Tischauser says. “They've always been posting Nazi stuff and glorifying Hitler, being very rabidly anti-Semitic. They showed up to at least two cities in Tennessee and they were flying the swastika, while Sean Kauffman, the leader, is seen giving the Heil Hitler hand gesture.”

Telegram tells WIRED that it is investigating the threats made in the Tennessee Active Club channel. “Telegram is a platform that supports the right to peaceful free speech, but calls to violence are explicitly forbidden on our platform,” Remi Vaughn, a spokesperson for the messaging app, wrote in a statement. “Our moderators proactively monitor public parts of the platform and accept user reports in order to remove content that breaches our terms of service.”

For everything we know about the growth and spread of active clubs on Telegram, there is an entire world that is off-limits to journalists and researchers, where members of these clubs coordinate and network in secret. A local anti-fascist activist in Tennessee, who is closely monitoring some of these nonpublic channels and requested anonymity due to threats to their safety from the groups they are tracking, confirmed to WIRED the existence of the secret chats, which they say are used to coordinate actions both locally and nationally.

While active clubs effectively operate independently—a deliberate decision, taken so that the movement can continue even if one group is deactivated—there still appears to be a level of national coordination happening, even while Rundo is in custody awaiting trial. This coordination was seen in August 2023 when a white nationalist fight club event took place in Southern California featuring members from multiple active clubs across the United States, including the Tennessee club, as well as members of other hate groups like Blood Tribe and Patriot Front.

“There's some national leadership within the active clubs who are talking with each other, maybe it's at the chapter leader level, where they're talking and they're organizing these events and then mobilizing folks to come out, which takes a lot of resources and logistics,” Tischauser says. “So there has to be some kind of structure there.”

Tischauser says he sees little preventing the active club movement from continuing to grow rapidly. He says he has already seen a number of new clubs emerge since the CEP report was published last month—and that’s a real concern because, as Ritzmann bluntly states in his report: “If Active Clubs are allowed to continue to operate and multiply, the likelihood for targeted political violence and terrorism by their members against supposed enemies of the ‘white race’ (e.g., Jews, people of color, Muslims, and LGTBQI+ people) will increase.”

White Supremacist Active Clubs Are Breeding on Telegram

At least a million data points from 23andMe accounts appear to have been exposed on BreachForums. While the scale of the campaign is unknown, 23andMe says it's working to verify the data.

The genetic testing company 23andMe confirmed on Friday that data from a subset of its users has been compromised. The company said its systems were not breached and that attackers gathered the data by guessing the login credentials of a group of users and then scraping more people’s information from a feature known as DNA Relatives. Users opt into sharing their information through DNA Relatives for others to see. 

Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming that it contained 1 million data points exclusively about Ashkenazi Jews. There also seem to be hundreds of thousands of users of Chinese descent impacted by the leak. On Wednesday, the actor began selling what it claims are 23andMe profiles for between $1 and $10 per account, depending on the scale of the purchase. The data includes things like a display name, sex, birth year, and some details about genetic ancestry results, like that someone is, say, of “broadly European” or “broadly Arabian” descent. It may also include some more specific geographic ancestry information. The information does not appear to include actual, raw genetic data.

The company emphasized in a statement that it does not see evidence that its systems have been breached. It also encouraged users to use strong, unique passwords and enable two-factor authentication to keep attackers from compromising their individual accounts using login credentials exposed in other data breaches.

“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” the company said in a statement. “We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts.” 

The company has not been clear on whether it has validated the data the threat actor leaked, noting that its investigation is ongoing and that it currently has “preliminary results.” A spokesperson for the company told WIRED that the leaked information is consistent with a situation in which some user accounts were exposed and then leveraged to scrape data visible in DNA Relatives. But when pressed on the details of whether the data has been validated, the spokesperson said that verifying the data is pending and that the company cannot currently confirm whether the leaked information is real.

This point is significant both for everyone whose information may have been compromised and because the data posted by the actor claims to include “celebrities.” Entries for technologists Mark Zuckerberg, Elon Musk, and Sergey Brin are all visible in the sample data, including “Profile ID,” “Account ID,” name, sex, birth year, current location, and fields known as “ydna” and “ndna.” It is unclear if the data for these entries is legitimate or was inserted. For example, Musk and Brin appear to have the same profile and account IDs in the leak.

The technique of using credentials exposed in other data breaches to infiltrate accounts where those logins have been reused is known as “credential stuffing” and is a widely used account compromise technique.

“Credential stuffing never really went away and a lot of it just comes down to the fact that humans reuse their passwords—that's what makes it possible,” says Ronnie Tokazowski, a longtime digital scams researcher. “And the fact that it's claiming to target a Jewish population or celebrities—it’s not shocking. It reflects the underbelly of the internet.”

The full picture of why the data was stolen, how much more the attackers have, and whether it is actually focused entirely on Ashkenazim is still unclear.

“When data is shared relating to ethic, national, political or other groups, sometimes it's because those groups have been specifically targeted, but sometimes it's because the person sharing the data thinks it'll make reputation-boosting headlines,” says Brett Callow, a threat analyst at security firm Emsisoft. 

Callow notes that the situation raises broader questions about keeping sensitive genetic information safe and the risks of making it available in services that are designed like social networks to facilitate sharing. With such platforms come all of the data privacy and security issues that have plagued traditional social networks, including issues related to data centralization and scraping.

“This incident really highlights the risks associated with DNA databases,” Callow says. “The fact that accounts had reportedly opted into the ‘DNA Relatives’ feature is particularly concerning as it could potentially result in extremely sensitive information becoming public.”

_Update 7:00 pm ET, October 6 to note that data from hundreds of thousands of 23andMe users of Chinese descent seems to have also been exposed in the incident._

23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews

Location-enabled tech designed to make our lives easier is often exploited by domestic abusers. Refuge, a UK nonprofit, helps women to leave abusive relationships, secure their devices, and stay safe.

Pick up any piece of tech and Emma Pickering knows how it can be used to abuse, harass, and stalk women. Amazon’s Ring home doorbell cameras can monitor when someone leaves the house and who is visiting them. Until recently, Netflix showed the IP addresses where users were logged in, allowing their location to be tracked. Workout apps and websites such as Strava show where and when people are exercising. And abusers often slip small GPS trackers or audio recorders into women’s belongings or attach them to their cars.

“Perpetrators buy them in bulk, and they’ll buy probably 60 very cheaply; they’re very small and discrete,” says Pickering, who works at Refuge, the UK’s largest domestic abuse organization, where she heads a team that helps women secure their devices. Pickering says that in one case “over 200” recording devices were found in a woman’s home.

Refuge launched its Technology-Facilitated Abuse and Economic Empowerment Team in 2017, amid a surge of abusers weaponizing apps, devices, and online services to harm women. The charity helps women and their children leave abusive relationships, providing emergency accommodation, legal help, financial aid, and more. Almost every case now involves technology in some form, Pickering says, and the issue is so serious that every person the organization places into a refuge goes through a tech assessment to secure their accounts. The tech abuse team, which is made up of 11 people, is the only one of its kind in the UK and just one of a handful of similar organizations around the world.

Technology-facilitated abuse can range from harassment via phone call or text message to logging into someone’s social media and email accounts without their permission, which allows abusers to read, delete or send messages. In more extreme cases, they might install “stalkerware” on victims’ phones to monitor every tap and scroll. Nonconsensual image-sharing, commonly known as “revenge porn,” and economic abuse, where money and banking apps may be controlled by an abuser, are also frequent. In August, a report from MPs in the UK concluded that tech abuse is becoming “increasingly common.”

Pickering says her team primarily focuses on helping people in the more severe cases. “Firstly, we need to establish if it’s safe to speak to them on their device,” she says. If it isn’t, Refuge will send women a burner phone and then set them up with a new email address, using the encrypted email service Proton Mail, before sending them extra information. It’s the start of a meticulous process—known as an “attack assessment” by the team—to secure accounts and devices.

“We go through everything,” Pickering says. Refuge will ask the person they are helping to list every device and online account they and any children have. These can easily number into the hundreds. “Within the home, if they’ve fled the relationship, we also need to check anything they’ve left behind to unsync from any devices or accounts that they could still be using back home.” This will include products like Google Home Hubs, and Amazon’s Ring doorbells and Alexa, and it requires checking who set up the devices and is the administrator of the accounts, as well as which names phone contracts are in. From there, a safety plan is created, Pickering says. This can include going through the accounts and checking settings for who has access to them, removing devices connected to accounts, using secure passwords, and setting up measures such as two-factor authentication. On average, Pickering says, it can take three weeks to get through the entire process, although more complex cases take much longer.

“I don’t think people realize how serious it is, the consequences for perpetrators to have access to this information, to see that there’s evidence in someone’s phone that they’re planning to leave a relationship, read emails about financial settlements, child contact orders—it puts someone at really significant risk,” Pickering says. Even for those in nonabusive relationships, the charity has created a digital breakup tool with cybersecurity firm Avast to detail the process of separating everything from delivery apps to gaming accounts from former partners.

While the technology itself isn’t usually the problem—it’s how abusers use it to harass their victims that creates the issues—Pickering says tech companies don’t put enough thought into how their services can be used maliciously. They also don’t put enough effort into preventing such abuses. They’re not “considering having features built in that can mitigate these risks,” she says.

For instance, Apple launched its small AirTag GPS tracker without many safety features, and dozens of people have subsequently reported being tracked by the devices. (The company has made some improvements and is now working with other tracker manufacturers to make it easier to identify trackers someone has placed on your belongings). One of the biggest issues currently, Pickering says, is satellite navigation systems within cars. “My car, for instance, if I drive it somewhere, it’s connected to an app, and I don’t know how many people are on my app, it doesn’t give me notifications,” she says. There are also boundary settings that can alert a vehicle’s owner if it travels beyond a specific set of locations.

Aside from designing products better, tech companies need to make it easier for people to understand the settings on their phone and digital accounts. “Many people come to us and their confidence around tech is very limited,” Pickering says. “We have to do a lot of work with them initially to make them feel comfortable.”

While tech abuse is rising, Pickering aims to increase understanding around the problem and tackle some of the issues at its roots. “We’ve got a really big ambition to train the police,” she says, adding that officers often don’t know what to look for in cases of tech abuse and may not take issues seriously. The Refuge team has already worked with one tech company, which she says she cannot name due to an NDA, to advise on safety. “Amazon and Google could work with us,” Pickering says. “And we could help make sure that their products are developed with safety in mind.”

_This article first appeared in the November/December 2023 issue of WIRED UK._

The Team Helping Women Fight Digital Domestic Abuse

New research has found that some streaming devices and dozens of Android and iOS apps are secretly being used for fraud and other cybercrime.

When you buy a TV streaming box, there are certain things you wouldn’t expect it to do. It shouldn’t secretly be laced with malware or start communicating with servers in China when it’s powered up. It definitely should not be acting as a node in an organized crime scheme making millions of dollars through fraud. However, that’s been the reality for thousands of unknowing people who own cheap Android TV devices.

In January, security researcher Daniel Milisic discovered that a cheap Android TV streaming box called the T95 was infected with malware right out of the box, with multiple other researchers confirming the findings. But it was just the tip of the iceberg. Today, cybersecurity firm Human Security is revealing new details about the scope of the infected devices and the hidden, interconnected web of fraud schemes linked to the streaming boxes.

Human Security researchers found seven Android TV boxes and one tablet with the backdoors installed, and they’ve seen signs of 200 different models of Android devices that may be impacted, according to a report shared exclusively with WIRED. The devices are in homes, businesses, and schools across the US. Meanwhile, Human Security says it has also taken down advertising fraud linked to the scheme, which likely helped pay for the operation.

“They’re like a Swiss Army knife of doing bad things on the internet,” says Gavin Reid, the CISO at Human Security who leads the company’s Satori Threat Intelligence and Research team. “This is a truly distributed way of doing fraud.” Reid says the company has shared details of facilities where the devices may have been manufactured with law enforcement agencies.

Human Security’s research is divided into two areas: Badbox, which involves the compromised Android devices and the ways they are involved in fraud and cybercrime. And the second, dubbed Peachpit, is a related ad fraud operation involving at least 39 Android and iOS apps. Google says it has removed the apps following Human Security’s research, while Apple says it has found issues in several of the apps reported to it.

First, Badbox. Cheap Android streaming boxes, usually costing less than $50, are sold online and in brick-and-mortar shops. These set-top boxes often are unbranded or sold under different names, partly obscuring their source. In the second half of 2022, Human Security says in its report, its researchers spotted an Android app that appeared to be linked to inauthentic traffic and connected to the domain flyermobi.com. When Milisic posted his initial findings about the T95 Android box in January, the research also pointed to the flyermobi domain. The team at Human purchased the box and multiple others, and started diving in.

In total the researchers confirmed eight devices with backdoors installed—seven TV boxes, the T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G, and a tablet J5-W. (Some of these have also been identified by other security researchers looking into the issue in recent months). The company’s report, which has data scientist Marion Habiby as its lead author, says Human Security spotted at least 74,000 Android devices showing signs of a Badbox infection around the world—including some in schools across the US.

The TV devices are built in China. Somewhere before they reach the hands of resellers—researchers don’t exactly know where—a firmware backdoor is added to them. This backdoor, which is based on the Triada malware first spotted by security firm Kaspersky in 2016, modifies one element of the Android operating system, allowing itself to access apps installed on the devices. Then it phones home. “Unbeknownst to the user, when you plug this thing in, it goes to a command and control (C2) in China and downloads an instruction set and starts doing a bunch of bad stuff,” Reid says.

Human Security tracked multiple types of fraud linked to the compromised devices. This includes advertising fraud; residential proxy services, where the group behind the scheme sell access to your home network; the creation of fake Gmail and WhatsApp accounts using the connections; and remote code installation. Those behind the scheme were selling access to residential networks commercially, the company’s report says, claiming to have access to more than 10 million home IP addresses and 7 million mobile IP addresses.

The findings tally with those of other researchers and ongoing investigations. Fyodor Yarochkin, a senior threat researcher at security firm Trend Micro, says the company has seen two Chinese threat groups that have used backdoored Android devices—one it has researched deeply, the other is the one Human Security looked at. “The infection of devices is quite similar,” Yarochkin says.

Trend Micro has found a “front end company” for the group it investigated in China, Yarochkin says. “They were claiming that they have over 20 million devices infected worldwide, with up to 2 million devices being online at any point of time,” he says. Based on Trend Micro’s network data, Yarochkin believes these figures to be credible. “There was a tablet in one of the museums somewhere in Europe,” Yarochkin says, adding he believes it is possible that swaths of Android systems may have been impacted, including in cars. “It’s easy for them to infiltrate the supply chain,” he says. “And for manufacturers, it's really difficult to detect.”

Then there’s what Human Security calls Peachpit. This is an app-based fraud element, which has been present on both the TV boxes as well as Android phones and iPhones, Reid says. The company identified 39 Android, iOS, and TV box apps that were involved. “These are template-based applications—not very high quality,” says Joao Santos, a security researcher at the company. Apps about developing six-pack abs and logging the amount of water a person drinks were included.

The apps performed a range of fraudulent behavior, including hidden advertisements, spoofed web traffic, and malvertising. The research says that while those behind Peachpit appear different from those behind Badbox, it is likely they are working together in some way. “They have this SDK that did the ad fraud part, and we found a version of this SDK that matches the name of the module that was being dropped on the Badbox,” Santos says, referring to a software development kit. “That was another level of connection that we found.”

Human Security’s research says the ads involved were making 4 billion ad requests per day, with 121,000 Android devices impacted and 159,000 iOS devices impacted. There had been 15 million downloads in total for the Android apps, the researchers calculate. (The Badbox backdoor was found only on Android, not on any iOS devices.) Reid says that based on the data the company has, which isn’t a complete picture due to the complexity of the ad industry, those behind the scheme could have easily earned $2 million in one month alone.

Google spokesperson Ed Fernandez confirms the 20 Android apps reported by Human Security have been removed from the Play Store. “The off-brand devices discovered to be Badbox-infected were not Play Protect–certified Android devices,” Fernandez says, referring to Google’s security testing system for Android devices. “If a device isn't Play Protect certified, Google doesn’t have a record of security and compatibility test results.” The company has a list of certified Android TV partners. Apple spokesperson Archelle Thelemaque says that it found five of the apps Human reported breaching its guidelines, and the developers were given 14 days to make them follow the rules. Four of them have done so, as of publication.

Toward the end of 2022 and in the first part of this year, Reid says, Human Security took action against the advertising fraud elements of Badbox and Peachpit. According to data shared by the company, the amount of fraudulent ad requests from the schemes taking place now has completely dropped off. But the attackers adapted to the disruption in real time. Santos says when the countermeasures were first deployed, those behind the schemes started by sending out an update to obfuscate what they were doing. Then, he says, those behind Badbox took down the C2 servers powering the firmware backdoor.

While the attackers have been slowed, the boxes are still in people’s homes and on their networks. And unless someone has technical skills, the malware is very hard to remove. “You can think of these Badboxes as kind of like sleeper cells. They're just sitting there waiting for instruction sets,” Reid says. Ultimately, for people buying TV streaming boxes, the advice is to buy branded devices, where the manufacturer is clear and trusted. As Reid says, “Friends don't let friends plug in weird IoT devices into their home networks.”

Your Cheap Android TV Streaming Box May Have a Dangerous Backdoor

Elon Musk’s brain-chip startup conducted years of tests at UC Davis, a public university. A WIRED investigation reveals how Neuralink and the university keep the grisly images of test subjects hidden.

The tan macaque with the hairless pink face could do little more than sit and shiver as her brain began to swell. The California National Primate Center staff observing her via livestream knew the signs. Whatever had been done had left her with a “severe neurological defect,” and it was time to put the monkey to sleep. But the client protested; the Neuralink scientist whose experiment left the 7-year-old monkey’s brain mutilated wanted to wait another day. And so they did.

As the attending staff sat back and observed, the monkey seized and vomited. Her pupils reacted less and less to the light. Her right leg went limp, and she could no longer support the weight of her 15-pound body without gripping the bars of her cage. One attendant moved a heat lamp beside her to try to stop her shaking. Sometimes she would wake and scratch at her throat, retching and gasping for air, before collapsing again, exhausted.

An autopsy would later reveal that the mounting pressure inside her skull had deformed and ruptured her brain. A toxic adhesive around the Neuralink implant bolted to her skull had leaked internally. The resulting inflammation had caused painful pressure on a part of the brain producing cerebrospinal fluid, the slick, translucent substance in which the brain sits normally buoyant. The hind quarter of her brain visibly poked out of the base of her skull.

Elon Musk says no primates died as a result of Neuralink’s implants. A WIRED investigation now reveals the grisly specifics of their deaths as US authorities have been asked to investigate Musk’s claims.

On September 13, 2018, she was euthanized, records obtained by WIRED show. This episode, regulators later acknowledged, was a violation of the US Animal Welfare Act; a federal law meant to set minimally acceptable standards for the handling, housing, and feeding of research animals. There would be no consequences, however. Between 2016 and 2021, the United States Department of Agriculture (USDA) enforced the humane treatment of animals through what it called “teachable moments.” Because the center—home to a colony of nearly 5,000 primates run by the University of California–Davis—had proactively reported the violation, it could not be legally cited.

And neither could Neuralink. “If you want to split hairs,” a former employee tells WIRED, “the implant itself did not cause death. We sacrificed her to end her suffering.” The employee, who signed a confidentiality agreement, asked not to be identified.

****Got a Tip?****

Missing from the veterinary records released by the university are hundreds of photographs taken by the primate center’s staff between 2018 and 2020 of Neuralink’s test subjects. Though publicly funded, thus bound by California’s open records law, UC Davis has fought disclosure of the photographs for more than a year. Releasing them, it says, would not serve the public’s interest.

Meanwhile, videos of the experiments have seemingly vanished. Documents obtained by WIRED show that the primate center’s staff wrote about reviewing a “tape” of the aforesaid monkey hours before they stopped her heart. The school has not acknowledged that such a tape exists, and Neuralink, whose partnership with the school ended three years ago, was permitted to store its own footage and remove it from the property when it wished.

“They provided their own computing infrastructure, and they had their own network connection, and they have removed their computing infrastructure from the premises,” the school said in a September 2021 email to the Physicians Committee for Responsible Medicine, which is suing UC Davis for the release of images and videos of Neuralink’s experiments there. “The IT staff at the California National Primate Research Center were in no way involved with any aspects of the creation or storage of Neuralink’s video content,” the school added.

Records show that the school ordered Neuralink to request permission before recording any of the animals. And the school reserved the right to view the footage.

Internal emails reviewed by WIRED show that Neuralink, founded and owned by Elon Musk, had tight control over what UC Davis was allowed to divulge about the experiments. Interviews with sources familiar with the tests shed light on the tensions between the school and outside groups over the public’s right to know about research it’s subsidizing.

The sources say secrecy is given top priority, not merely because of the proprietary research being conducted at the center, but also out of fear that the public will respond poorly—perhaps violently—to images of the macaques being experimented on. Though the school’s protocols work effectively to prevent images of the experiments from getting out, it could not legally keep hidden all the written records of Neuralink’s procedures.

Macaques procured for Neuralink from UC Davis’ colony were trained months and even years before going under the knife, a former Neuralink employee recently told WIRED. But the prospect for survival was abysmal for some, they say, due in part to “poor planning and poor procedure.” Early on, the Neuralink researcher says, the company lacked personnel crucial to the operation. “We didn’t have any surgical techs. We didn’t even have a veterinary pathologist on staff at the time.”

After an animal was “sacrificed,” few if any records were created. The former employee claims Neuralink worked purposely to keep records of its work out of UC Davis’ hands—specifically to shield them from public records requests. The products under development at the center are proprietary and created for profit, the researcher says, not to “further the knowledge of mankind.”

Emails obtained by WIRED through a public records request show Davis’s staff scrambling in February 2018—the earliest days of the partnership—to get Neuralink’s equipment up and running. The university had agreed to provide the firm with a dedicated on-site network with a secure uplink to a remote facility. In one email, a faculty member noted that Neuralink had been warned against “live streaming” or producing any “recording of actual monkeys.” Asked if the same rules would apply after Neuralink’s equipment was set up, another Davis official said once installed “they can do whatever they want.”

Neuralink did not respond to WIRED’s request to comment. UC Davis spokesperson Andy Fell maintains that the university has complied with the California Public Records Act, having supplied the “vast majority of records” requested by the Physicians Committee. “Some requested items were not provided because they are exempt from disclosure under the law for various reasons set out in court filings,” he says. “All animal research at UC Davis, including contract research like that performed by Neuralink, is conducted under the same rules and regulations and overseen by the UC Davis Institutional Animal Care and Use Committee (IACUC),” Fell adds.

UC Davis’ Institutional Animal Care and Use Committee did not respond to a request for comment.

Davis has released hundreds of pages of emails, contractual documents, memos, and other veterinary records detailing the public university’s work for Neuralink between 2018 and 2020. The descriptions of botched surgeries and the suffering of the subjects was enough to provoke media investigations and coax comments of concern from a handful of lawmakers.

Hundreds of files remain under lock and key—including photographs of the neurological damage that resulted from Neuralink’s work with the macaques. The experiments involved drilling a hole roughly the size of a US dime into the monkey’s skulls, placing electrodes inside their brains, and screwing titanium plates to their skulls. UC Davis says the value of the photos of these operations now lies exclusively in “informing future research and clinical practices,” or what it calls “the refinement of surgical techniques.”

In October 2022, the Physicians Committee sued UC Davis—a public institution, funded in part by US taxpayers—in an attempt to gain access to records of Neuralink’s work. The Physicians Committee, which aims to promote alternatives to animal testing, has many detractors in the scientific community. The American Medical Association, which supports the use of animals in biomedical research, is one of the largest.

The Physicians Committee has argued in California state court that the public has the right to know about any suffering resulting from taxpayer-funded animal tests. “Disclosure of the footage is particularly important because Neuralink actively misleads the public about, and downplays the gruesome nature of, the experiments,” Corey Page, an attorney with Evans and Page who is representing the Physicians Committee in the lawsuit, tells WIRED.

The Physicians Committee’s suit against UC Davis, filed in California state court in Yolo County, is ongoing.

As it is a public records law that UC Davis is fighting, its arguments against greater transparency are centered around what’s best for the public. According to the school's attorneys, that means the public should not see images of Neuralink’s work.

One researcher familiar with the photos conceded they are particularly gruesome. “A macaque skull with the flesh torn out of it is not a pretty image,” they say. The school routinely deals with protesters, the source says. As a result, any visual evidence of experiments or animal subjects are tightly controlled. Filming the monkeys without the permission of the facility’s director is forbidden. Davis exercises the right to “pre-review” any media it allows to be captured.

A typical request for a recording at the colony, approved in August 2019, aimed to capture how a monkey’s breathing caused “vibration and movement” in a brain implant. Neuralink’s researchers emphasized in paperwork obtained by WIRED that the subject would “NOT be in focus” herself.

Court records show Davis’s attorneys have argued that the most likely outcome of releasing the photos is that its own pathologists will simply stop taking them. While losing a “useful note‐taking and memory‐jogging” tool, they say, refusing to take photos at the necropsy stage of the experiments may also run afoul of federal regulatory guidelines, enforced by the USDA and the campus’s own “animal use” committee. Compliance with this committee, incidentally, is a prerequisite of the center’s federal funding.

A document known as a Vaughn index relays the school’s specific rationale for withholding more than 370 photos, which may be subject to release under the 1968 California Public Records Act. The index lays out the theory that viewing the images would have such a visceral impact on the public that fears of reprisal among Davis’ researchers would be detrimental to their work ethic.

It centers on the belief that the public is too naive at large to distinguish between scientific inquiry and senseless butchery. In its own words, there is a high risk of “non‐contextual misinterpretation of the photos by persons who are not privy to the contextual facts.”

“The interest in protecting the safety of public employees and ensuring research that benefits the public can proceed without risk of violence clearly outweighs the public's interest in viewing said photographs,” the document says.

The risk of public officials being harassed is a factor addressed by most, if not all, open records laws in the United States, which are traditionally built on a presumption that favors disclosure. In most cases, being a mid- to low-level employee is enough to warrant redaction by default–a rule that is generally observed, as well, by professional news organizations. In veterinary records reviewed by WIRED, Davis has consistently censored the names of all of its staff, including those at director level. The university has even redacted identifying information about the animals, including their names and other identifiable information.

In part, Davis argues that the photos represent what’s called a “deliberative” work product. Public officials are often protected from disclosing information that reflects meditations on policies that have yet to become rule or law. The object is to encourage debate and consideration of all ideas—not just the ones assumed to be good from the start. This privilege, however, does not extend to documents related to policies actually enacted. And the school states clearly that the photos it’s choosing to withhold have been kept only to inform future policy.

History shows there are other consequences to the release of photographs specifically with regards to animal treatment. The creation of the US Animal Welfare Act can be tied to the public’s reaction to evidence of animal abuse published more than 60 years ago in _Life_ magazine. Without being able to see what _Life_ audaciously called “concentration camps for dogs,” it’s difficult to predict just how long it would have been before the United States finally adopted a law to protect animals that are bought, sold, and experimented upon.

Neuralink ended its partnership with UC Davis in September 2020, but the Physicians Committee claims that it continues to employ the same neurosurgeon and many of the staff responsible for the experiments that poisoned, maimed, and ultimately killed at least 12 macaque monkeys.

Last month, the company announced that it is preparing to start human trials after receiving a green light from the US Food and Drug Administration. Since ending its partnership with Davis, Neuralink has brought its testing in-house—far from the prying eyes of journalists, animal welfare groups, and the jurisdiction whose records laws first shed light on its practices.

How Neuralink Keeps Dead Monkey Photos Secret

Victims of the MOVEit breach continue to come forward. But the full scale of the attack is still unknown.

In a field of shocking, opportunistic espionage campaigns and high-profile digital attacks on popular businesses, the biggest hack of 2023 isn’t a single incident, but a juggernaut of related attacks that keeps adding victims to its score. In the coming months, more people, as many as tens of millions, could find out that their sensitive information has been compromised. But more still will likely never learn of the situation or its impact on them.

Since May, mass exploitation of a vulnerability in the widely-used file transfer software MOVEit has allowed cybercriminals to steal data from a dizzying array of businesses and governments, including Shell, British Airways, and the United States Department of Energy. Progress Software, which owns MOVEit, patched the flaw at the end of May, and broad adoption of the fix ultimately halted the rampage. But the “Clop” data extortion gang had already orchestrated a far-reaching smash and grab. And months later, the full extent of the damage is still coming into view.

Last week, Ontario’s government birth registry, BORN Ontario, said that it suffered a MOVEit-related attack earlier this year in which hackers stole sensitive personal data from 3.4 million people, including 2 million babies as well as expectant parents and those seeking fertility care. The compromised health data dates from January 2010 to May 2023. While organizations like BORN continue to disclose a slow trickle of MOVEit incidents, researchers say that the number of suspected attacks—and the total number of people whose data has already been stolen in these incidents—far exceeds what has come to light.

“I don’t think we’re done hearing about this by any means. We’re going to keep seeing that rolling disclosure over probably the next few months,” says Emily Austin, security research manager and senior researcher at the threat intelligence firm Censys. “These companies are completing their investigations—they’re starting to notify customers who might have been affected.”

Austin points out that one of the nuances of the MOVEit situation is that it is a true software supply chain security issue. The vulnerabilities existed in two versions of the MOVEit service: the cloud service known as MOVEit Cloud, and the local version that institutions run themselves on their premises, known as MOVEit Transfer. The latter is where most of the exploitation occurred. But many organizations that had data stolen in MOVEit exploitation attacks weren’t directly using it. Instead, they’d collaborated with a third party or contracted with a vendor that does. Attackers were able to steal whatever data they could grab from vulnerable MOVEit systems, whether the information was from one institution or many.

“An advanced and persistent threat actor used a sophisticated, multi-stage attack to exploit this zero-day vulnerability, and we are committed to playing a collaborative role in the industry-wide effort to combat cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products,” Progress Software said in a statement.

Centralized data repositories like MOVEit have been particularly appealing targets to Clop, which is known for strategically exploiting systems embedded in the software supply chain, including multiple file transfer tools. Earlier this year, Clop claimed it breached more than 100 organizations by abusing the GoAnywhere file transfer tool. The gang also mounted a massive data extortion campaign at the end of 2020 by exploiting flaws in Accellion networking equipment.

The MOVEit incident eclipses them, though, both in the number of victim organizations and individuals whose data was compromised. Antivirus company Emsisoft has been tracking the number of MOVEit victim organizations that have publicly declared they were impacted since May. The researchers have combed individual US state breach notifications, filings with the US Securities and Exchange Commission, public disclosures, and Clop's own disclosure website to tabulate and reconcile the true toll of the attacks.

To date, Emsisoft has concluded that 2,167 organizations have been impacted by the sprawling campaign. The number had been hovering around 1,000 in recent months, but it jumped significantly when the National Student Clearinghouse revealed 890 colleges and universities across the US—including Harvard University and Stanford University—had been impacted by MOVEit breaches. Organizations in the US account for 88.8 percent of known victims, according to Emsisoft, while a smattering of other organizations in Germany, Canada, and the UK have also been exposed by Clop and come forward.

According to Emsisoft’s analysis, around 1,841 organizations have disclosed breaches, but only 189 of them have specified how many individuals were impacted by the incident. From these detailed disclosures, Emsisoft has found that more than 62 million individuals had their data breached as part of Clop’s MOVEit spree. But since there are estimated to be nearly 2,000 organizations that have not revealed how many individuals had personal data affected in their breaches—and since researchers have concluded that there are other impacted organizations that haven’t come forward at all—the true total of people whose data was compromised is likely even larger, possibly on the scale of hundreds of millions of individuals, according to Emsisoft.

“It’s inevitable that there are corporate victims that don’t yet know they’re victims and there are individuals out there who don’t yet know they’ve been impacted,” says Brett Callow, a threat analyst at Emsisoft. “MOVEit is especially significant simply because of the number of victims, who those victims are, the sensitivity of the data that was obtained, and the multitude of ways that data can be used.”

Censys’ Austin says file transfer tools are by their nature a “fantastic target” for cybercriminals. The whole purpose of the tools is to manage and share data, so these services are often trusted with large volumes of sensitive information. BORN Ontario said in a statement last week that the data taken in the breach was from those “seeking pregnancy care and newborns.” This included lab test results, pregnancy risk factors, and procedures. Names, dates of birth, government ID numbers like Social Security numbers, addresses, and more have all been compromised in other MOVEit incidents.

While cybercriminal groups often make headlines for attention-grabbing ransomware or extortion attacks, such as those against casinos, persistent and unrelenting theft, publication, extortion, and trade of people’s sensitive data from sprees like the MOVEit rampage can ruin lives—a cumulative reality that is often overshadowed by individual incidents where profits are on the line. Hacks on schools have revealed details of sexual assaults, child abuse allegations, and suicide attempts, with the Associated Press reporting individuals often don’t know the details have been published. Meanwhile, breaches of mental health service providers have exposed patients’ records.

Callows says that he suspects the slow drip of MOVEit-related disclosures “will rumble on for years.” More broadly, he and Austin emphasize that defenders should prepare for cybercriminals to continue targeting widely-used data management software. As Callow puts it, “MOVEIt isn’t the first file transfer application to be exploited and it likely will not be the last.”

Just last week, MOVEit developer Progress Software disclosed a new set of vulnerabilities in one of its file transfer tools for servers, known as WS\_FTP Server, along with patches for the flaws. The company says that it has not “currently” seen evidence that the bugs are being actively exploited.

The Biggest Hack of 2023 Keeps Getting Bigger

A software company sold a New Jersey police department an algorithm that was right less than 1 percent of the time.

_This article was_ _copublished_ _with_ _The Markup__, a nonprofit, investigative newsroom that challenges technology to serve the public good. Sign up for its newsletters_ _here_.

Crime predictions generated for the police department in Plainfield, New Jersey, rarely lined up with reported crimes, an analysis by The Markup has found, adding new context to the debate over the efficacy of crime prediction software.

Geolitica, known as PredPol until a 2021 rebrand, produces software that ingests data from crime incident reports and produces daily predictions on where and when crimes are most likely to occur.

We examined 23,631 predictions generated by Geolitica between February 25 and December 18, 2018, for the Plainfield Police Department (PD). Each prediction we analyzed from the company’s algorithm indicated that one type of crime was likely to occur in a location not patrolled by Plainfield PD. In the end, the success rate was less than half a percent. Fewer than 100 of the predictions lined up with a crime in the predicted category, that was also later reported to police.

Diving deeper, we looked at predictions specifically for robberies or aggravated assaults that were likely to occur in Plainfield and found a similarly low success rate: 0.6 percent. The pattern was even worse when we looked at burglary predictions, which had a success rate of 0.1 percent.

“Why did we get PredPol? I guess we wanted to be more effective when it came to reducing crime. And having a prediction where we should be would help us to do that. I don't know that it did that,” says captain David Guarino of the Plainfield PD. “I don't believe we really used it that often, if at all. That's why we ended up getting rid of it.”

Guarino noted that concerns about accuracy and the department’s general disinterest in using the software suggested that the money paid for Geolitica’s software could have been better spent elsewhere.

The Reading Police Department in Reading, Iowa, introduced Predpol, now rebranded as Geolitica, in 2013.

Photograph: Susan L. Angstadt/Getty Images

“We do have a mentoring program,” Guarino says. “We could probably put \[the money\] toward that, for the summertime. We used to have about 80 kids.” A contract between the department and Geolitica listed a $20,500 subscription fee for its first annual term, and then $15,500 for a yearlong extension.

We sent our findings and methodology to Geolitica prior to publication. Representatives did not respond to multiple requests for comment.

A report from WIRED last week revealed that Geolitica is ceasing operations at the end of this year. SoundThinking, a law enforcement technology company previously known as ShotSpotter, has hired Geolitica’s engineering team, but not its senior leadership, and is in the process of acquiring some of its intellectual property. Geolitica’s current customers are being transitioned into SoundThinking’s patrol platform.

“We believe that offering our law enforcement partners the ability to deploy their limited staffing resources has tremendous merit and that when fully integrated into Resource Router, these highly complementary assets will create a best-in-class deployment system for agencies of all sizes,” SoundThinking senior vice president Sam Klepper wrote in a statement to The Markup.

Information about the shutdown and customer transition to SoundThinking was not posted on Geolitica’s website or social media accounts. SoundThinking also purchased HunchLab, another predictive policing company, from Azavea in 2018.

Klepper explains that SoundThinking plans on incorporating some of Geolitica’s algorithms into its own existing systems, but “the algorithms mentioned do not include any crime prediction modeling source code at all. SoundThinking did not purchase any of Geolitica's crime prediction technology or source code.”

In 2021, The Markup published an investigation in partnership with Gizmodo showing that Geolitica’s software tended to disproportionately target low-income, Black, and Latino neighborhoods in 38 cities across the country. Our investigation was based on data downloaded in January 2021 from an unprotected cloud storage server linked from a page on the Los Angeles Police Department’s website. That server stored predictions Geolitica had provided to police departments in dozens of cities across the country over nearly three years. Access to that server was later restricted.

Our \[The Markup’s\] investigation stopped short of analyzing precisely how effective Geolitica’s software was at predicting crimes because only two out of 38 police departments provided data on when officers patrolled the predicted areas. Geolitica claims that sending officers to a prediction location would dissuade crimes through police presence alone. It would be impossible to accurately determine how effective the program is without knowing which predictions officers responded to and which ones they did not respond to.

After we requested this information from the 38 departments in our original investigation, only Plainfield provided us with more than one day’s worth of data on officer patrol locations.

We tested Geolitica’s accuracy by comparing the system’s predictions to crime reports, which only capture crimes reported to police, not instances when someone was victimized but elected not to inform law enforcement. The Bureau of Justice Statistics reported that less than half of violent and property crimes were reported to police in 2022. Reporting rates are also inconsistent across demographic groups. The agency found in a 2012 report that Black, Latino, and lower-income crime victims were more likely to report the crime than White people and people from higher-income households.

Plainfield police officers reported visiting 129 of the 23,760 prediction locations provided by Geolitica, according to the data. To conduct our analysis, we filtered out those predictions to sidestep the issue of police presence deterring potential crimes, and compared the rest against a list of crime incident reports obtained through public records requests. Each prediction was assigned to one of the department’s four daily patrol shifts, and each shift lasted 11 hours and 15 minutes. If a crime occurred in that location during the shift period, we counted it as a correct prediction.

The lengths of these prediction windows was a major problem, American University law professor Andrew Ferguson, who authored the book _The Rise of Big Data Policing,_ tells The Markup after being informed of our findings. "The timing piece is a flawed system,” he says. “The precision of it was supposed to be having the officers at the right time at the right place, not ‘during an entire day’s shift, there will be crime.’”

Plainfield officials say they never used the system to direct patrols. Instead, officials say all of the instances when the automated monitoring system tagged police vehicles as having visited a prediction location were coincidental overlaps that naturally occurred as officers regularly traveled across the geographically small, largely suburban community. To account for all possibilities, The Markup ran its analysis with the patrolled prediction locations both included and filtered out, and did not see a significant difference in the results.

Records showed that none of the five arrests that occurred in prediction locations during the time period of our analysis could have conceivably been due to officers responding to a Geolitica prediction, which Guarino also confirmed. Similarly, we asked the other 37 departments in our previous investigation if they could point to any arrests that came as a direct result of a Geolitica prediction, but none could. Representatives from neither the National Association of Criminal Defense Lawyers nor the National District Attorneys Association could recall a case going to trial where the arrest came as a direct result of an algorithmic crime prediction.

Despite Plainfield officials’ assertions that the software wasn’t used to inform where officers went, there is a quote on Geolitica’s website from former Plainfield police officer sergeant Larry Brown hailing the program. “Robbery at a restaurant ... PredPol prediction and robbery was 10 ft. away,” wrote Brown. “I train our 100+ officers on how to patrol PredPol boxes and I love our successes.”

In an email to The Markup, Guarino wrote that he wasn’t familiar with the incident Brown, who retired in 2018, mentioned and didn’t “know how Sgt. Brown came to that conclusion.” Multiple attempts to contact Brown were unsuccessful.

A major problem with Geolitica’s system, as it was used in Plainfield, is that there were a massive number of predictions compared to a relatively small number of crimes. In a 2021 email to The Markup regarding our previous investigation into the company’s algorithm, Geolitica CEO Brian MacDonald wrote that the number of predictions generated in each area was set by the law enforcement agency using the software. The data we received for Plainfield, which has a population of around 54,000, had 80 predictions per day for just a handful of crime types, while the maximum number of crimes of any type reported in a single day was 22 during the analysis period. This volume of predictions sits below the median of 107 daily predictions for the 37 other jurisdictions we analyzed in our original investigation. Some larger cities had far more predictions, like Los Angeles, which averaged just over a thousand daily. But there were cities smaller than Plainfield, like Niles, Illinois, which has around half Plainfield’s population, with a large volume of daily predictions—231, on average.

In her 2019 master’s thesis for the Naval Postgraduate School, Ana Lalley, police chief of Elgin, Illinois, wrote critically about her department’s experience with the software, which left officers unimpressed. “Officers routinely question the prediction method,” she wrote. “Many believe that the awareness of crime trends and patterns they have gained through training and experience help them make predictions on their own that are similar to the software’s predictions.”

Lalley added that when the department brought those concerns to Geolitica, the company warned that the software “may not be particularly effective in communities that have little crime.” Elgin, a Chicago suburb, has about double Plainfield’s population.

“I think that what this shows is just how unreliable so many of the tools sold to police departments are,” says Dillon Reisman, founder of the American Civil Liberties Union of New Jersey’s Automated Injustice Project. “We see that all over New Jersey. There are lots of companies that sell unproven, untested tools that promise to solve all of law enforcement’s needs, and, in the end, all they do is worsen the inequalities of policing and for no benefit to public safety.”

David Weisburd, a criminologist who served as a reviewer on a 2011 academic paper coauthored by two of Geolitica’s founders, recalls approving their ideas around crime modeling at the time, but warns that inaccurate predictions can have their own negative externalities outside of wasting officers’ time.

“Predicting crimes in places where they don’t occur is a destructive issue,” Weisburd says. “The police are a service, but they are a service with potential negative consequences. If you send the police somewhere, bad things could happen there.”

One study found that adolescent Black and Latino boys stopped by police subsequently experienced heightened levels of emotional distress, leading to increased delinquent behavior in the future. Another study found higher rates of use of force in New York City neighborhoods led to a decline in the number of calls to the city’s 311 tip line, which can be used for everything from repairing potholes to getting help understanding a property tax bill.

“To me, the entire benefit of this type of analysis is using it as a starting point to engage police commanders and, when possible, community members in larger dialog to help understand exactly what it is about these causal factors that are leading to hot spots forming,” says Northeastern University professor Eric Piza, who has been a critic of predictive policing technology.

For example, the city of Newark, New Jersey, used risk terrain modeling (RTM) to identify locations with the highest likelihood of aggravated assaults. Developed by Rutgers University researchers, RTM matches crime data with information about land use to identify trends that could be triggering crimes. For example, the analysis in Newark showed that many aggravated assaults were occurring in vacant lots.

The RTM then points to potential environmental solutions that come from across local governments, not just police departments. A local housing organization used that New Jersey data to prioritize lots to develop for new affordable housing that could not only increase housing stock but also reduce crime. Other community groups used the crime-risk information to convert city-owned lots to well-lighted, higher-trafficked green spaces less likely to attract crime.

Newark police are seen at the scene after a fatal shooting on August 17, 2023.

Photograph: Kyle Mazza/Getty Images

Even Geolitica seems to be moving away from its original core functionality of crime predictions and toward pitching itself as a broader platform for managing police department data. Both Geolitica’s patrol management platform, and the one operated by SoundThinking, advertise that they can incorporate elements of risk terrain modeling into their systems.

A pitch presentation, prepared for the police department in San Ramon, California, last year and obtained through a public records request, offered three tiers of service the department could purchase, with only the highest-cost option providing “automated daily patrol guidance.” The lower levels offered services designed to help departments better understand their operations, like creating heat maps showing the frequency of officer patrols in each part of a jurisdiction and allowing the department to independently set their own locations for officers to patrol. San Ramon Police Department records manager Jessica Simonds tells The Markup that the department subscribed to the lowest level, without the automated predictions.

A Geolitica patrol heat map showing the frequency of officer patrols in parts of Elgin, Illinois.

Courtesy of San Ramon Police Department

“The problem with predictive policing is the policing part,” says Ferguson. “The data about where crime occurs and where victimization occurs, that's something that should be studied. But that doesn't mean that the solution is policing. It might mean the solution is figuring out why people are victimized and funding the solution to that.”

Predictive Policing Software Terrible at Predicting Crimes

Checking out this AI chatbot's new features? Make sure to keep these privacy tips in mind during your interactions.

With its most recent update, Google Bard can now sort through your trove of Google Docs, rediscover ancient Gmail messages, and search through every video on YouTube. Before experimenting too much with the new extensions available for Google’s chatbot, it's worth going over the steps you can take to protect your privacy (and the ones you can't).

Google Bard launched in March of this year, one month after OpenAI released ChatGPT to the public. You’re likely familiar with how chatbots are designed to mimic human conversation, but Google’s latest features are designed to give Bard more practical applications and uses.

But when every conversation you have with Bard is tracked, logged, and used again to train the AI, how can you trust it with your data? Here are some tips to protect your prompts and assert some control over what information you give Bard. Then we’ll discuss location data, for which Google sadly provides fewer privacy options.

The default Bard setting is to store every interaction you have with the chatbot for 18 months. In addition to your prompts, Bard stores your approximate location, IP address, and any physical addresses connected to your Google account for work or home. While the default settings are activated, any conversation you have with Bard could be selected for human review.

Want to turn this off? When you’re in the Bard Activity tab, you can stop it from autosaving your prompts and also delete any past interactions. “We give you this choice around Bard Activity, which you can turn on or off, if you want to keep your conversations \[from being\] human-reviewable,” says Jack Krawczyk, a product lead at Google for Bard.

After you turn off Bard Activity, your new chats are not submitted for human review, unless you report a specific interaction to Google. But there’s a catch: If you turn off Bard Activity, then you can’t use any of the chatbot's extensions connecting the AI tool to Gmail, YouTube, and Google Docs.

Yes, you can choose to delete interactions with Bard manually, but the data might not be removed from Google servers until some point later, when the company decides to delete it (if ever). “To help Bard improve while protecting your privacy, we select a subset of conversations and use automated tools to help remove personally identifiable information,” a Google support page reads. The conversations selected for human review are no longer tied to your personal account, and these interactions are stored by Google for up to three years, even if you clear it out of your Bard Activity.

It's also worth noting that any Bard conversation you want to share with friends or coworkers could potentially be indexed by Google Search. At the time of publication, multiple Bard interactions were accessible through Search, from a job hunter requesting advice when applying for a position at YouTube Music to someone asking for 50 different ingredients they could blend into protein powder.

To remove any Bard links you’ve shared, go to **Settings** in the top right corner, select **Your public links**, and click the trash icon to stop online sharing. Google posted on social media that it's taking steps to stop shared chats from being indexed by Search.

This may make you wonder: If I’m using Bard to find my ancient emails, do those conversations remain private? Maybe, maybe not. “With the ability to have Bard summarize and extract content from your Gmail and your Google Docs, we took it a step even further,” says Krawczyk. “Nothing from there is ever eligible. No matter what settings you have turned on. Your email will never be read by another human. Your Google Docs will never be read by another human.” Although no human readers may sound like a bit of relief, it remains unclear how Google uses your data and interactions to train their algorithm or future iterations of the chatbot.

OK, now what about your location data? Are there any tools to limit when Bard keeps track of where you are? In a pop-up, Bard users are given the option whether or not to share their precise location with the chatbot. Even if you opt out of precise location sharing, Bard will still know where you’re at.

“Location data is always collected if you use Bard so that Bard can provide you with a response that is relevant to your query,” reads a Google support page. The chatbot uses your IP address, a tag that reveals your general location, and any personal addresses saved to your Google account. The company claims to anonymize the location data you provide by storing it with at least 1,000 other people’s information in a tracking area that’s 2 miles or larger.

While location tracking may make you uncomfortable, companies keep track of IP addresses to know their users’ locations more commonly than you might realize. For example, Google Search uses your IP address (and other sources) to help answer all those “near me” queries: best takeout near me, used camping gear near me, movie theater tickets near me. Of course, just because it’s common doesn’t make it okay for everyone. Keep that in mind when you use products like Bard.

Even though Google does not provide an easy way for you to opt out of Bard’s location tracking, one method to mask your IP address is to use a virtual private network. These tools are available for your PC as well as your mobile device. To find the best VPN for your particular situation, check out WIRED’s roundup of the best options.

How to Stop Google Bard From Storing Your Data and Location

Every smartphone has an expiration date. Here’s when yours will probably come.

If you're shopping for a smartphone, you're probably weighing how powerful it is, how good the cameras are, and of course how much you're going to have to pay for it—but it's also worth considering how long the handset is going to last you.

A big part of that calculation comes down to the length of time that the phone will get updates. Apple just pushed out iOS 17, a software update that is heading to iPhones including the iPhone XR and the iPhone XS—handsets that launched in 2018.

For five-year-old phones to be getting (mostly) the same software features as the brand new iPhone 15 is something Apple can be proud of and that its users can be grateful for, but this kind of future-proofing isn't standard.

At the time of writing, Google promises Android updates for its Pixel phones for at least three years. For flagship Samsung Galaxy phones, the software update guarantee is for four years, and for the latest Fairphone 5, it's five years.

Pixel phones are covered for three years of software updates.

Courtesy of Google

There's another important time span to consider though, which is the one for security updates. These updates continue to be issued for older phones even after major software updates have finished, so important vulnerabilities can be patched and phones can be kept safe even if they're no longer getting new and improved features.

For Google and Samsung, security updates are provided for five years, while Fairphone is promising at least eight for the Fairphone 5, and possibly as many as 10. Apple doesn't have a fixed approach but tends to issue security updates for a year or two after software updates have finished—after seven years, Apple products are declared obsolete.

You may be planning to upgrade your smartphone before that happens, but not everyone will be—and knowing how long your device is going to be supported with updates from its manufacturer then becomes very important.

If you're struggling to find out this information about a particular gadget, the web can help—and specifically the endoflife.date site, which lists a whole host of hardware devices and software packages. You can see continually updated countdowns for manufacturer support for iPhones, Pixels, Galaxy phones, and more.

When Security Updates End

Software updates keep your phone properly patched up and supplied with the latest new features. In contrast, security updates make sure that a device stays secure and protected against evolving threats even after software updates have stopped. Which then prompts the question: What happens when security updates end?

To begin with, your device isn't going to suddenly stop working and become a useless brick of electronics. Assuming the components inside it are still functioning—which is by no means a given after five or six years—then you can continue to use the device in the same way that you always have.

As time goes on, you might start to notice a problem with some of your apps: Apps will often need the very latest versions of iOS or Android in order to run, and if you're not getting those updates, they may stop working or start misbehaving, or you may find yourself unable to update to the latest versions.

Security is a bigger problem. There will be some legacy protection in terms of the patches you've applied over the lifetime of the device, but your phone is no longer going to be prepared for newer exploits and malware attacks, and that puts your data at risk.

iOS 17 works on the iPhone 15 Pro—and on iPhones from 2018.

Courtesy of Apple

When mobile security vulnerabilities emerge, you'll find that many of them are aimed at older versions of operating systems, versions that don't have all of the necessary defense measures in place. The more time that goes by since the last security update, the bigger the risk you're running by still using your phone.

Apple, Google, and Samsung will often scramble to fix security issues as they're discovered, pushing out updates outside of the regular schedule in order to keep devices protected—and again, your phone is ineligible for these patches, except under rare circumstances, if you've reached the end-of-life stage.

You can choose to keep on using your phone: The usual practices of being careful with apps and websites, turning on two-factor authentication for your accounts, and keeping the lock screen securely locked all still apply, and offer some level of protection. However, your device is at significantly more risk of an attack.

As expensive as it may be, it might be time to think about upgrading your phone so you keep receiving updates—it doesn't have to be a brand-new one to get the latest iOS or Android software. When you do decide to say goodbye to your old handset, be sure to dispose of it responsibly.

How to Tell When Your Phone Will Stop Getting Security Updates

Plus: Stolen US State Department emails, $20 million zero-day flaws, and controversy over the EU’s message-scanning law.

WIRED broke the news on Wednesday that SoundThinking, the company behind the gunshot-detection system ShotSpotter, is acquiring some assets—including patents, customers, and employees—from the firm Geolitica, which developed the notorious predictive policing software PredPol. WIRED also exclusively reported this week that the nonprofit Electronic Privacy Information Center is calling on the US Justice Department to investigate potentially biased deployment of ShotSpotter in predominantly Black neighborhoods.

As the US federal government inches closer to a possible shutdown, we took a look at the sprawling conservative media apparatus and deep bench of right-wing hardliners in Congress that are exploiting their leverage to block a compromise in the House of Representatives.

Satellite imaging from the Conflict Observatory at Yale University is providing harrowing insight and crucial information about the devastation wrought in the city of Khartoum by Sudan’s civil war. Meanwhile, researchers from the cybersecurity firm eQualitie have developed a technique for hiding digital content in satellite TV signals—a method that could be used to circumvent censorship and internet shutdowns around the world. And the productivity data that corporations have increasingly been gathering about their employees using monitoring software could be mined in an additional way to train AI models and eventually automate entire jobs.

Plus, there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

A China-linked hacking group, dubbed BlackTech, is compromising routers in the US and Japan, secretly modifying their firmware and moving around company networks, according to a warning issued by cybersecurity officials this week. The United States Cybersecurity and Infrastructure Security Agency (CISA), the NSA, FBI, and Japan's National Police Agency and cybersecurity office issued the joint alert saying the BlackTech group was “hiding in router firmware.”

The officials said they had seen the Chinese-linked actors using their access to the routers to move from “global subsidiary companies” to the networks of companies’ headquarters in the US and Japan. BlackTech, which has been operating since around 2010, has targeted multiple router types, the officials said, but they highlighted that it compromised Cisco routers using a customized backdoor. “TTPs against routers enable the actors to conceal configuration changes, hide commands, and disable logging while BlackTech actors conduct operations,” the alert says.

Microsoft and US government officials said in July that Chinese government hackers had breached the cloud-based Outlook email systems of about 25 organizations, including the US State Department and Department of Commerce. On Wednesday, an anonymous staffer for Senator Eric Schmitt told Reuters that the State Department incident exposed 60,000 emails from 10 accounts. Nine of the accounts were used by State Department employees focused on East Asia and the Pacific, while one was focused on Europe. The Congressional staffer learned the information in a State Department IT briefing for legislators and shared the details with Reuters via email.

The zero-day market, where new vulnerabilities and the code needed to exploit them are traded for cash, is big business. And it is, maybe, getting more lucrative. Russian zero-day seller Operation Zero this week announced it would increase some of its payments from $200,000 to $20 million. “As always, the end user is a non-NATO country,” the group said, indicating it means Russian private and government organizations.

Unlike bug bounties, where security researchers find flaws in companies’ code and then disclose them to the firms to fix for payments, the zero-day market encourages the trade in flaws that can potentially be exploited by the purchasers. “Full chain exploits for mobile phones are the most expensive products right now and they’re used mostly by government actors," Operation Zero CEO Sergey Zelenyuk told TechCrunch. "When an actor needs a product, sometimes they’re ready to pay as much as possible to possess it before it gets into the hands of other parties.”

The European Union's proposed law to clamp down on child sexual abuse content—by scanning people’s messages and potentially compromising encryption—is one of the continent's most controversial laws of the last decade. This week, a series of revelations from a group of reporters has shown how the law’s main architect was heavily lobbied ahead of proposing the law and that police wanted access to the message data. First, an investigation revealed the close connections between the European Union’s home affairs commissioner, Ylva Johansson, and child protection groups. A second report shows the European police agency Europol pushed to get access to data collected under the proposed law. In response to the investigations, Europe's Committee on Civil Liberties, Justice, and Home Affairs has written to Johansson asking questions about the relationships.

Source

Wired