Citizen Continues Its Push To Become Cops-For-Hire By Leaking Sensitive Data… Twice

from the another-confidence-boosting-PR-debacle dept

The bad news keeps coming for Citizen, the app that really wants to be a cop.

Not only is its desire to become some sort of private party/law enforcement hybrid generating it some bad press, but its prior incarnation as “Vigilante” suggests it has always wanted to be in the business of taking down bad guys, with or without the requisite lawfulness.

The former “Vigilante” proved true to its past moniker following a wildfire in California, promising a $30,000 bounty to any user or employee who took down the bad guy identified by Citizen. Well… misidentified. After calls from CEO Andrew Frame to “GET THE FUCKER,” Citizen had to offer up a bunch of apologies for turning an innocent person into a prime suspect.

Coming on the heels of all of this bad news is even more bad news. First off, as Joseph Cox reported late last week, Citizen leaked a bunch of users’ COVID-related data following its expansion into contact tracing late last year under the name “SafePass.”

Crime and neighborhood watch app Citizen, which also launched a COVID-19 contact-tracing feature and broader citywide COVID surveillance program, exposed users’ COVID-related data to the public internet, allowing anyone to view specific users’ recent self-reported symptoms, test results, and whether their device had recorded any close contacts with other people using the feature. The information is directly linked to a person’s username, which often is the person’s full name.

Hacker collective Anonymous was able to access the data and pointed Motherboard in its direction. The exposure of this data runs contrary to Citizen’s security claims.

The feature’s privacy policy says that “We have specific systems to control data access, and all access is logged and regularly audited.” The SafePass website says “Data is private and encrypted” and that contact tracing data is deleted after 30 days (some of the data in the exposed cache dates from earlier than 30 days ago).

Citizen fixed its leak shortly thereafter, claiming the exposure only affected a limited number of users. But that set the stage for a larger breach and another successful hacking of Citizen’s databases.

A hacktivist has scraped a wealth of data from the crime and neighborhood watch app Citizen and posted it on a dark web site, Motherboard has learned. The data includes a huge amount of data related to 1.7 million “incidents”—events that Citizen informs users about concerning crime or perceived crime in their area—such as the GPS coordinates of where the incident took place, its update history, a clip of the police radio that the incident relates to, and associated images.

Posted with the accompanying slogan of “Fuck snitches, fuck Citizen, fuck Andrew Frame and remember, kids: Cops are not your friends.”, the data appears to contain plenty of what’s already publicly-available through Citizen’s online portal. The difference here is it’s all in one place, which makes it much easier for researchers and journalists to parse the data for patterns and analyze user behavior.

And there’s also some stuff Citizen doesn’t make available to users and site visitors in this data dump.

The list appears to include videos that have been marked for removal from public consumption on the app by Citizen’s content moderation team, with some including the tag “Moderator Blocked Stream,” according to the hacker and Motherboard’s viewing of the files. These videos are still accessible if visited with the direct link included in the scrape.

Not exactly a confidence booster, especially when the app’s founder wants Citizen to become a crucial part of the law enforcement experience, if not actually law enforcement itself. But a combination of PR blunders and data breaches sounds about par for the (government) course, so maybe this is just Citizen inadvertently laying the groundwork for its move into the public sector.

Companies: citizen


Comments on “Citizen Continues Its Push To Become Cops-For-Hire By Leaking Sensitive Data… Twice”

That Anonymous Coward (profile) says:

I stand by my earlier assessment…
TechBros invent the Klan.
A bunch of idiots running around blaming everything on everyone else & they aren’t very bright.
One has to wonder if anyone’s asked the PDs in areas served by this shitshow how many false leads have they been fed & have they had to rescue anyone from a posse who got together to get the bad guy they think they heard whistled at a white woman.

It would be nice if someone with authority actually stepped in, in the name of public safety, and quashed their private police force fantasies before they manage to lynch someone they misidentified.

This comment has been flagged by the community.

Anonymous Coward says:

Re: Re: Re: Re:

All those are individuals who abuse Citizen. Section 230 protects Citizen. The people who run the platform are not the platform. Citizen, when properly used, ensures public safety.

Why are you against public safety? We’ve (me and the 1000 allies I summon to make a point) already EXPLAINED this to you: go after the shooter, not the gun.

This comment has been flagged by the community.

Anonymous Coward says:

Re: Re: Re:3 Re:

The law decides what’s proper, just as with copyright and defamation law.

Google’s search engine’s primary use is not defamation, nor copyright infringement, just like Citizen’s primary function is safety, not abuse of power.

This site has EXPLAINED this many times: blame the craftsman, not the tool.

This comment has been deemed insightful by the community.
Anonymous Coward says:

Re: Re: Re:4 Re:

The "tool", yeah? is run by idiots with an agenda. 230 doesn’t protect it from playing fast and loose with customer data, nor does it protect it from actions the platform takes or speech it makes. The First Amendment may or may not cover the expressive bit, depending on circumstances.

However, 230 and 1A are irrelevant here. This isn’t a court case, we are also free to criticize (speech wow) a shitty company. Funny how that works.

Anonymous Coward says:

Re: Re: Re:

Which means Citizen would need a new CEO, but there is nothing wrong with the app itself.

Just like there’s nothing wrong with Google even though it’s known people can weaponize it. This is just a weapon that hackers and lawyers can’t control so suddenly they’re blaming platforms based on how their users will "obviously" abuse it.

Let’s make Kim Dotcom the new CEO!

This comment has been flagged by the community.

Anonymous Coward says:

Re: Re: Re:

It’s how Google gets away with defaming people (blame the publisher, not the search engine that amplifies the defamation 10,000x).

Techdirt’s position against Citizen is inconsistent with its "don’t blame the platform" pro-230 stance.

Not saying either position is correct, just that they are logically inconsistent.

This comment has been deemed insightful by the community.
Rocky says:

Re: Re: Re: Re:

  1. It’s not Google who is defaming people, it’s the one who wrote the defaming content.
  2. Citizen isn’t a platform in the same sense as a social media platform, it’s as much a platform as an app for ordering pizza is.
  3. The CEO used the Citizen platform to speak, i.e. anything he said as a representative of the company means the company is liable for it.
  4. Techdirt’s position is entirely logically consistent. If someone equates speech from an officer of a platform with what its users say, it may seem inconsistent but that’s only because that person is either presenting a dishonest argument or is too stupid to realize that liability is attributed to the one speaking.

This comment has been flagged by the community.

Anonymous Coward says:

Re: Re: Re:2 Re:

  1. It’s not Citizen who is harming people, it’s the ones who abuse the app.
  2. Google isn’t a platform in the same sense as a message board, since they aggregate information they purport to be revealing about a person (MyLife just got sued for this btw as a "consumer reporting agency").
  3. The CEO is the bad actor, not the company (which can fire him) or the app (which works the same for any CEO).
  4. That has to do with the security forces summoned by the App, not the App. Again that’s misuse by bad actors, not a problem with the app.

BTW distributor liability recognizes a second, separate harm inflicted by the search engine, which is what 230 immunizes in America but not anywhere else.

This man was harmed by search engines, not the corners of the internet where the original publisher posted. Many people are judgment proof or use burner phones so the original poster can’t be sued. Then there are those who are paid to defame others who couldn’t operate without Section 230, and reputation blackmail.

Let someone do this to Masnick and his tune would change overnight.

Scary Devil Monastery (profile) says:

Re: Re: Re:3 Re:

"This man was harmed by search engines, not the corners of the internet where the original publisher posted."

Rubbish. As usual, Baghdad Bob, your argument is all about "oh, if only there was a reality where what people said wasn’t possible to find years after the fact"

Search engines, much like library indexes, display in a neutral manner only what is there. If your local library holds a copy of Mein Kampf or the Communist Manifesto then the index isn’t liable for the contents of those books.

Nor is the search engine liable for displaying factual information as response to queries.

Your problem – and everyone else’s – isn’t with search engines. It’s with either individual humans putting up badly curated or defamatory information (grounds for a lawsuit), or with the fact that individuals put up truthful assertions about some crook who finds it harder to run a con in the Information Age.

We all know which side of the fence you keep falling on.

crazy_diamond (profile) says:

Thanks. Now I have even more evidence to show all my friends who called me a "bad person" because I didn’t sign up for all these "totally secure, totally anonymous" Covid tracing apps. My position has always been that they’re probably not anonymous, definitely not "secure", and that much of their data will wind up in the sadistic hands of law-infliction. The last point hasn’t been proven yet, but if my distrust were a stock, I’d suggest buying (don’t get greedy and forget to place a trailing stop).

This comment has been deemed insightful by the community.
Anonymous Coward says:

It seems they have backed off for now.

But on Tuesday, Citizen ended the program, stating it has no plans to launch a similar service elsewhere.

"This was a small 30-day test that is now complete," a Citizen spokesperson told CBS MoneyWatch. "We have no plans to launch our own private security force and no ongoing relationship with LAPS."

If people want to waste money on unarmed private security feel free, but private security having guns and k9s is severely problematic.
