Citizen Continues Its Push To Become Cops-For-Hire By Leaking Sensitive Data... Twice

from the another-confidence-boosting-PR-debacle dept

The bad news keeps coming for Citizen, the app that really wants to be a cop.

Not only is its desire to become some sort of private party/law enforcement hybrid generating it some bad press, but its prior incarnation as "Vigilante" suggests it has always wanted to be in the business of taking down bad guys, with or without the requisite lawfulness.

The former "Vigilante" proved true to its past moniker following a wildfire in California, promising a $30,000 bounty to any user or employee who took down the bad guy identified by Citizen. Well… misidentified. After calls from CEO Andrew Frame to "GET THE FUCKER," Citizen had to offer up a bunch of apologies for turning an innocent person into a prime suspect.

Coming on the heels of all of this bad news is even more bad news. First off, as Joseph Cox reported late last week, Citizen leaked a bunch of users' COVID-related data following its expansion into contact tracing late year under the name "SafePass."

Crime and neighborhood watch app Citizen, which also launched a COVID-19 contact-tracing feature and broader citywide COVID surveillance program, exposed users' COVID-related data to the public internet, allowing anyone to view specific users' recent self-reported symptoms, test results, and whether their device had recorded any close contacts with other people using the feature. The information is directly linked to a person's username, which often is the person's full name.

Hacker collective Anonymous was able to access the data and pointed Motherboard in its direction. The exposure of this data runs contrary to Citizen's security claims.

The feature's privacy policy says that "We have specific systems to control data access, and all access is logged and regularly audited." The SafePass website says "Data is private and encrypted" and that contact tracing data is deleted after 30 days (some of the data in the exposed cache dates from earlier than 30 days ago).

Citizen fixed its leak shortly thereafter, claiming the exposure only affected a limited number of users. But that set the stage for a larger breach and another successful hacking of Citizen's databases.

A hacktivist has scraped a wealth of data from the crime and neighborhood watch app Citizen and posted it on a dark web site, Motherboard has learned. The data includes a huge amount of data related to 1.7 million "incidents"—events that Citizen informs users about concerning crime or perceived crime in their area—such as the GPS coordinates of where the incident took place, its update history, a clip of the police radio that the incident relates to, and associated images.

Posted with the accompanying slogan of "Fuck snitches, fuck Citizen, fuck Andrew Frame and remember, kids: Cops are not your friends.", the data appears to contain plenty of what's already publicly-available through Citizen's online portal. The difference here is it's all in one place, which makes it much easier for researchers and journalists to parse the data for patterns and analyze user behavior.

And there's also some stuff Citizen doesn't make available to users and site visitors in this data dump.

The list appears to include videos that have been marked for removal from public consumption on the app by Citizen's content moderation team, with some including the tag "Moderator Blocked Stream," according to the hacker and Motherboard's viewing of the files. These videos are still accessible if visited with the direct link included in the scrape.

Not exactly a confidence booster, especially when the app's founder wants Citizen to become a crucial part of the law enforcement experience, if not actually law enforcement itself. But a combination of PR blunders and data breaches sounds about par for the (government) course, so maybe this is just Citizen inadvertently laying the groundwork for its move into the public sector.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: data breach, leaks, private law enforcement, snitching, vigilante
Companies: citizen


Reader Comments

Subscribe: RSS

View by: Thread


  • icon
    Bloof (profile), 28 May 2021 @ 1:00pm

    Silly Citizen, if you want to be the cops, you're only meant to 'accidentally' leak information after you've murdered an innocent party and you want the media and the right wing blogosphere to help you to smear their character.

    reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 28 May 2021 @ 1:19pm

    I stand by my earlier assessment...
    TechBros invent the Klan.
    A bunch of idiots running around blaming everything on everyone else & they aren't very bright.
    One has to wonder if anyones asked the PD's in areas served by this shitshow how many false leads have they been fed & have they had to rescue anyone from a posse who got together to get the bad guy they think they heard whistled at a white woman.

    It would be nice if someone with authority actually stepped in, in the name of public safety, and quashed their private police force fantasy's before they manage to lynch someone they misidentified.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 28 May 2021 @ 2:08pm

      Re:

      So blame the "bunch of idiots," not a platform that has many legitimate uses, including public safety.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 28 May 2021 @ 3:39pm

        Re: Re:

        So, when Frame offered a bounty for an innocent man, whose safety was in mind? All those false alarms improve safety how? And how is insecure data improving anybody's safety?

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 28 May 2021 @ 4:26pm

          Re: Re: Re:

          All those are individuals who abuse Citizen. Section 230 protects Citizen. The people who run the platform are not the platform. Citizen, when properly used, ensures public safety.

          Why are you against public safety? We've (me and the 1000 allies I summon to make a point) already EXPLAINED this to you: go after the shooter, not the gun.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 28 May 2021 @ 8:31pm

            Re: Re: Re: Re:

            I love how you add the conditional "when properly used". So tell me, who judges what is "proper use"? What happens when Citizen acts "improperly"? Who is ultimately held responsible for Citizen's actions? Will it be Frame, or "the shareholders"?

            reply to this | link to this | view in chronology ]

            • identicon
              Anonymous Coward, 29 May 2021 @ 3:02am

              Re: Re: Re: Re: Re:

              The law decides what's proper, just as with copyright and defamation law.

              Google's search engine's primary use is not defamation, nor copyright infringement, just like Citizen's primary function is safety, not abuse of power.

              This site has EXPLAINED this many times: blame the craftsman, not the tool.

              reply to this | link to this | view in chronology ]

              • identicon
                Anonymous Coward, 29 May 2021 @ 1:51pm

                Re: Re: Re: Re: Re: Re:

                The "tool", yeah? is run by idiots with an agenda. 230 doesn't protect it from playing fast and loose with customer data, nor does it protect it from actions the platform takes or speech it makes. The First Amendment may or may not cover the expressive bit, depending on circumstances.

                However, 230 and 1A are irrelevant here. This isn't a court case, we are also free to criticize (speech wow) a shitty company. Funny how that works.

                reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 28 May 2021 @ 5:24pm

          Re: Re: Re:

          Wouldn't RipoffReport fall into the same category of easy-to-abuse platforms?

          reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 29 May 2021 @ 1:46pm

        Re: Re:

        The platform is the idiots.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 28 May 2021 @ 2:07pm

    Blame the user, not the platform!

    Citizen is not inherently evil, but individual users might abuse it, so go after THEM, not Citizen!

    Long live Section 230!!

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 28 May 2021 @ 3:35pm

      Re:

      Except it's the company's CEO that's abusing it.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 28 May 2021 @ 4:28pm

        Re: Re:

        Which means Citizen would need a new CEO, but there is nothing wrong with the app itself.

        Just like there's nothing wrong with Google even though it's known people can weaponize it. This is just a weapon that hackers and lawyers can't control so suddenly they're blaming platforms based on how their users will "obviously" abuse it.

        Let's make Kim Dotcomm the new CEO!

        reply to this | link to this | view in chronology ]

    • identicon
      AnonyOps, 28 May 2021 @ 7:24pm

      Re:

      Is that how IBM got away with tracking the Jewish people during the holocaust, blame the individual victims. How downright fascist of Citizen = Neo-nazis.

      reply to this | link to this | view in chronology ]

      • This comment has been flagged by the community. Click here to show it
        identicon
        Anonymous Coward, 29 May 2021 @ 3:03am

        Re: Re:

        It's how Google gets away with defaming people (blame the publisher, not the search engine that amplifies the defamation 10,000x).

        Techdirt's position against Citizen is inconsistent with its "don't blame the platform" pro-230 stance.

        Not saying either position is correct, just that they are logically inconsistent.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 29 May 2021 @ 11:51am

          Re: Re: Re:

          Where's your citations? You can't just make a claim like that without some very extraordinary proof.

          reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 29 May 2021 @ 1:54pm

          Re: Re: Re:

          No, there is no logical consistency, you are conflating two different things.

          reply to this | link to this | view in chronology ]

        • identicon
          Rocky, 29 May 2021 @ 2:06pm

          Re: Re: Re:

          1. It's not Google who is defaming people, it's the one who wrote the defaming content.
          2. Citizen isn't a platform in the same sense as a social media platform, it's as much as a platform as an app for ordering pizza is.
          3. The CEO used the Citizen platform to speak, ie. anything he said as a representative of the company means the company is liable for it.
          4. Techdirt's position is entirely logically consistent. If someone equates speech from an officer of a platform with what its users say, it may seem inconsistent but that's only because that person is either presenting a dishonest argument or is too stupid to realize that liability is attributed to the one speaking.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 29 May 2021 @ 8:30pm

            Re: Re: Re: Re:

            1. It's not Citizen who is harming people, it's the ones who abuse the app.

            2. Google isn't a platform in the same sense as a message board, since they aggregate information they purport to be revealing about a person (MyLife just got sued for this btw as a "consumer reporting agency").

            3. The CEO is the bad actor, not the company (which can fire him) or the app (which works the same for any CEO).

            4. That has to do with the security forces summoned by the App, not the App. Again that's misuse by bad actors, not a problem with the app.

            BTW distributor liability recognizes a second, separate harm inflicted by the search engine, which is what 230 immunizes in America but not anywhere else.

            https://www.nytimes.com/2021/01/30/technology/change-my-google-results.html

            This man was harmed by search engines, not the corners of the internet where the original publisher posted. Many people are judgment proof or use burner phones so the original poster can't be sued. Then there are those who are paid to defame others who couldn't operate without Section 230, and reputation blackmail.

            Let someone do this to Masnick and his tune would change overnight.

            reply to this | link to this | view in chronology ]

            • identicon
              Anonymous Coward, 31 May 2021 @ 5:38pm

              Re: Re: Re: Re: Re:

              “Let someone do this to Masnick and his tune would change overnight.”

              Bitch please you been banging on that empty threat for years. Come on John boi you think we don’t remember you?

              reply to this | link to this | view in chronology ]

            • icon
              Scary Devil Monastery (profile), 1 Jun 2021 @ 1:46am

              Re: Re: Re: Re: Re:

              "This man was harmed by search engines, not the corners of the internet where the original publisher posted."

              Rubbish. As usual, Baghdad Bob, your argument is all about "oh, if only there was a reality where what people said wasn't possible to find years after the fact"

              Search engines, much like library indexes, displaye in a neutral manner only what is there. If your local library holds a copy of mein kampf or the communist manifesto then the index isn't liable for the contents of those books.

              Nor is the search engine liable for displaying factual information as response to queries.

              Your problem - and everyone elses - isn't with search engines. It's with either individual humans putting up badly curated or defamatory information (grounds for a lawsuit), or with the fact that individuals put up truthful assertions about some crook who finds it harder to run a con in the Information Age.

              We all know which side of the fence you keep falling on.

              reply to this | link to this | view in chronology ]

  • icon
    crazy_diamond (profile), 28 May 2021 @ 8:10pm

    Thanks. Now I have even more evidence to show all my friends who called me a "bad person" because I didn't sign up for all these "totally secure, totally anonymous" Covid tracing apps. My position has always been that they're probably not anonymous, definitely not "secure", and that much of their data will wind up in the sadistic hands of law-infliction. The last point hasn't been proven yet, but if my distrust were a stock, I'd suggest buying (don't get greedy and forget to place a trailing stop).

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 28 May 2021 @ 11:32pm

    It seems they have backed off for now.

    But on Tuesday, Citizen ended the program, stating it has no plans to launch a similar service elsewhere.

    "This was a small 30-day test that is now complete," a Citizen spokesperson told CBS MoneyWatch. "We have no plans to launch our own private security force and no ongoing relationship with LAPS."

    https://www.cbsnews.com/news/citizen-app-peter-thiel-palantir-security-force/#app

    If people want to waste money on unarmed private security feel free, but private security having guns and k9s is severely problematic.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Recent Stories
.

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.