• Zaktor@sopuli.xyz
    English · 27 upvotes, 1 downvote · 4 days ago

    It sounds like he’s just a dev who’s in over his head but either doesn’t want anyone to take his baby or doesn’t want people to see his sloppy and possibly insecure code. It’s probably a hack job behind the scenes and he’s not really as sure of its security, so he might be opting for security through obscurity.

    But this isn’t really taking up space. Someone else can make a better app. If this guy isn’t the one to really make a useful crowd-sourced anti-ICE app, that’s not a problem. Let’s get that OS crowd together and work with local groups and make something better. In the meantime, this is a statement.

    • Ulrich@feddit.org
      English · 10 upvotes, 1 downvote · 4 days ago

      The problem is that people are falling over themselves to help him and he keeps declining while looking at them like they’re the idiots.

      • Zaktor@sopuli.xyz
        English · 4 upvotes, 2 downvotes · 4 days ago

        So what’s the complaint here, that he’s being rude? The only thing lost if people build an alternate app rather than being allowed to work on his app is him.

        • jarfil@beehaw.org
          8 upvotes · edited · 4 days ago

          The complaint is: Narcissistic incompetent dev spreads FUD while putting vulnerable people at risk.

          • Zaktor@sopuli.xyz
            English · 3 upvotes, 1 downvote · 4 days ago

            The risk appears to be anxiety, not an active threat to their safety. The black box security analysis did not indicate any direct data leakage. We don’t know the app is safe, but we also don’t have any indication it’s doing anything particularly risky.

            • Ulrich@feddit.org
              English · 5 upvotes · 4 days ago

              For the most part, we don’t know what the risks are, because the app is closed-source.

              What we do know is that Apple logs the downloads of every account on their platform. That alone is enough to paint a target on the backs of vulnerable people.

              We also know that the gov is intercepting notification data, in the form of "which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered. In certain instances, they also might receive unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in an app notification."

              You can bypass this data collection by using UnifiedPush on Android. Apple has no such alternative.

              These are all things that I, a random internet dumbass with no development experience, know, but somehow this fool does not, despite being educated over and over.

              • Zaktor@sopuli.xyz
                English · 4 upvotes, 1 downvote · edited · 4 days ago

                I appreciate the link about the potential for push harvesting. That was not something I was aware of.

                It doesn’t sound like they’re intercepting though, it sounds like they’re asking the platform to provide it. That should require a warrant unless Apple has gone full collaboration, but that does make it insecure to a targeted search. And paired with fake reports could potentially be used to geolocate someone to a rough area with some work.

                Though I think if they have enough to compel cooperation from the platform they could also just get cell tower or direct GPS info. I’m not sure this really opens up a new vulnerability separate from the general risk of using a smartphone when the government can produce a warrant (which with the coopting of the judiciary may not be as high a bar as it once was).

                • Ulrich@feddit.org
                  English · 4 upvotes · 4 days ago

                  > That should require a warrant

                  Pretty meaningless in the context of our current dictatorship.

                  > they could also just get cell tower or direct GPS info. I’m not sure this really opens up a new attack vector.

                  Cell towers and GPS info don’t provide any information about what the user is doing on the device.

                  • Zaktor@sopuli.xyz
                    English · 3 upvotes, 1 downvote · 4 days ago

                    “They received an ICE block push” isn’t a meaningful piece of information compared to location. It’s already a targeted search. What do you think the government will do with that information?

        • Ulrich@feddit.org
          English · 4 upvotes, 1 downvote · edited · 4 days ago

          No, the thing that’s lost is all the vulnerable people using an app filled with vulnerabilities waiting to be exploited by a vindictive government.

          If you actually read the post they go into detail about this.

    • jevans ⁂@lemmy.ml
      English · 5 upvotes · 4 days ago

      I agree that there should be an alternative, open-source project, though I know I’m not all that qualified to support outside of financially (which I would).

      I disagree that this isn’t taking up space. Notoriety is a huge asset, especially for tools like this that rely on crowd-sourced information. It would be far better, all other things being equal, to start with the user base and name of ICEBlock than to make a competitor and need to promote it enough to get people to use it over ICEBlock. I highly doubt that a competitor will get anywhere close to the same media attention that this got.

    • burntbacon@discuss.tchncs.de
      5 upvotes · 4 days ago

      > It sounds like he’s just a dev who’s in over his head but either doesn’t want anyone to take his baby or doesn’t want people to see his sloppy and possibly insecure code

      I’d bet it’s a LOT more along the lines of the second guess, because it’s now cost his wife her job and has gotten him quite publicly tagged along with it. He’s got a large portion of himself invested in it, and of course it will sting and suck for a bunch of folks to come along and point out, both gently and horribly, knowing OSS folks, all the shortcomings and then make changes.