Fleming is a system originally developed by the NSO Group in Israel to provide contact-tracing for governments. The idea was to allow them to locate and track people who had subsequently become infected by the Covid-19 virus. By being able to back-trace where they had been and whom they had come into contact with, the system could identify other people who may have also been infected.
It’s a good idea in theory, but a form of unfettered active monitoring that holds the potential for misuse and/or expansion beyond the initial healthcare remit has more questionable uses.
How Does NSO Group’s Fleming Software Work?
Fleming is capable of performing tracking of a target’s mobile device from a distance. The idea is that it can track the movement of the smartphone without collecting personal information in doing so. So far, so good.
While it might not directly identify someone by name when you track a person’s regular movements, nevertheless, it’s possible to learn a lot about them. For instance, they may have a routine of going to their local Starbucks to pick up a coffee latte every workday morning. Hitting the gym might be next on their list. When you track their other social activities too, it’s possible to build up a fairly good picture about who they are, their interests, the people they know, and more.
How the NSO Group Uses IP Addresses to Track Citizens
The internet and how we use it works relies upon IP addresses. When accessing a website, the IP address is provided by the web browser automatically.
What can someone do with your IP? This article from Smartproxy goes into detail, but bad actors can find your current location with a reasonable amount of accuracy. While it won’t always provide specific location data to pinpoint the house or apartment number, it’s often good enough to indicate the block, street, or apartment building. Therefore, when using the web, where you are presently is almost as clear as with the GPS on your phone. Rather troubling!
To get around this kind of intrusion into your privacy, it’s best to use a private proxy; rotating proxies are best. These offer a series of different IP addresses that make it appear that you’re using the web from a different location altogether. Instead of using a fixed IP address, their changing nature means matching web usages to a single IP address or person becomes close to impossible.
An NSO Group Database Was Found Non-encrypted on the Internet
Early in May 2024, a researcher in cybersecurity, Bob Diachenko, found a database of phone data on the internet. It wasn’t encrypted or otherwise protected. And it contained an enormous amount of phone data points.
Spanning a period of time between March and April in 2024, as the pandemic was unfurling, the NSO Group had been busy collecting data points. A data point is a reference, like a ping to a cell tower, that confirms a phone’s location at a certain time.
The code found in the database referred to “targets” plus the longitude and latitude of their phone. 32,000 targets were being tracked, from countries like Bahrain, Israel, Rwanda, the United Arab Emirates, and Saudi Arabia.
Forensic Architecture Looked at the Data
There are tell-tale signs to look for when analyzing data points. While they appear random, they’re not. Clear patterns can be discerned, making it possible to observe when the data is random, dummy information, or something else.
When Forensic Architecture looked at a portion of the database found by Bob Diachenko, it was determined that the data was real. This was because it followed known patterns that made it clear that it was real location information. It also hadn’t been obfuscated, as previously suggested, because this was detectable in the analysis of the dataset.
The takeaway from the Fleming contact tracing system and the subsequent discovery of the database is that our phones – a gadget virtually everyone uses on a daily basis, represent a huge privacy risk. We don’t think twice about the fact our phone is tracking our location, but if this information finds its way into the wrong hands, we could be in danger.
Avoiding the Dangers of Tracing on the Internet
There are several ways to avoid being tracked on the internet.
Web Browser Plugins and Extensions
Using the internet without logging into many sites avoids some degree of tracking during everyday web usage. Browser plugins or extensions like uBlock Origin are also useful to stop many of the tracking scripts on web pages for the sites that you do visit.
Another approach is to use a privacy-focused web browser like Brave that has built-in functionality to prevent trackers and deletes cookies once the session has ended too. Using the Brave browser is easier than trying to find appropriate browser extensions to do what it already does very well.
Both the above suggestions attempt to work around the problem of a fixed IP address at your home or work. By using a rotating anonymous proxy, new IP addresses completely unrelated to your computing or mobile device obfuscate the origin of the web usage. This is a far more efficient and effective approach to improve privacy and will prevent attempts at contact-tracing.
While contact-tracing is a good idea, in theory, it has the potential to be richly abused. Governments can all too easily use it to track their citizens, either through approved apps or with the use of malware on smartphones (something the NSO group also provides through their Pegasus program). Hiding your IP address using an anonymous proxy server is necessary to avoid being traceable in your everyday activities.
For privacy’s sake, it’s best to limit snooping into our private lives. We must do more to avoid being caught in a surveillance net where our private information is collected, our movements monitored, and our lives placed under scrutiny without a valid reason for doing so.