In the second year of the Reiwa Era, Japan is facing unprecendented change. Along with the arrival of a new Prime Minister, the nation is also being promised a new “Digital Agency” that will cut through the red tape of the old bureaucracy and modernize government for the betterment of its citizens.

But will it truly better the lives of citizens? Or will it only enhance the power of an already powerful government?

One of the policy goals of this “Digital Agency” is to expand the use of the already unpopular MyNumber system, which consolidates the personal and financial information of citizens into a single database under constant government surveillance.

In recent years, we have also seen the creation of Chinese-style Social Credit score systems such as “JScore”, which offer an inescapable Panopticon in exchange for a few paltry virtual points or discount coupons. Though JScore is a private venture, it is already known that Japan’s “Digital Agency” will lean heavily on the private sector. The possibility for the integration of JScore into the MyNumber system is not only possible, but likely.

Finally, the cooperation of certain Japanese agencies… most notably the Cabinet Intelligence Research Office and the Directorate for Signals Intelligence… with foreign intelligence agencies shows that not only is total surveillance of the Japanese internet happening, it is largely done at the behest of foreign powers.

The likelihood that all of these things to be integrated and expanded upon under the “Digital Agency” creates the potential for a total surveillance state under which the citizens’ right to privacy will be violated as never before.

That potential is already in the process of being realized. It was only one year ago that the Japanese Ministry of Internal Affairs and Communications wanted to request Japanese ISPs to actively block websites under the pretense of stopping manga piracy. Now the Ministry has yet another “interesting proposal” to offer.

On May 23rd this year, Japanese wrestler Hana Kimura tragically ended her own life. The media was quick the seize upon the story, making hateful internet comments the sole reason for Hana Kimura’s passing. Popular anger was mobilized, and then exploited to lobby for amendments to laws governing the Disclosure of Sender Identification Information. These laws provide liability protection to service providers and online platforms when requested to disclose personal information of their users in response to lawsuits.
今年の5月23日に、女子プロレスラー木村 花さんは悲しいことに自ら命を絶ってしまいました。マスコミは早急にこの事件に付け込み、木村さんの自殺を全部オンライン中傷コメントのせいにしました。これを口実に世論を利用し、政府が発信者情報開示に関する法律への改正を働き掛けました。この法律は、情報の流通によって権利の侵害があった場合について、プロバイダーの損害賠償責任の制限そして発信者情報を開示する権利を定めます。

Under new proposals, internet service providers and platform operators would be requested to not only maintain logs of user IP addresses and timestamps of user activity, but also to disclose phone numbers used for Two-Factor Authentication. Lawyers in favor of these amendments even speak of automated infrastructure to more quickly and easily harvest phone numbers and other identifying information on request from providers.

Online slander can certainly cause problems and even harm to individuals, but increased surveillance is not an acceptable solution. Indeed, any such surveillance power is likely to be abused under the umbrella of a future “Digital Agency”, with the definition of “slander” expanded to include government critics and independent journalists.

As we have often said in the past, relying on third parties to defend your rights is almost the same as having no rights at all. They only exist as far as your ability to defend them yourself, and the right to privacy is no different. If the Japanese government wishes to collect identifying information from online platforms, then our only choice is to use platforms that cannot provide any identifying information at all.

In the past, we have introduced a variety of software solutions to allow you to protect your own privacy online. This time、in response to the Caller Information Disclosure proposals, we wish to introduce “Session”.

Session is an open-source messaging application which uses decentralised storage servers and an onion routing protocol to send end-to-end encrypted messages with minimal exposure of user metadata. Session works to reduce metadata collection in several ways:
セッション はオープン・ソース、安全なメッセンジャーアプリです。分散型記憶サーバ、そしてオニオンルーティング・プロトコルにより、メタデータの暴露をできる限り防止しながら、終端間暗号化されたメッセージを通信します。

Firstly, Session does not rely on central servers, instead using a decentralised network of thousands of nodes.

Secondly, Session ensures that IP addresses cannot be linked to messages sent or received by users.

Thirdly, Session does not ask or require users to provide a phone number or email address when registering a new account. Instead, it uses cryptographic keys as the basis of an account’s identity.

Session has recently been translated into Japanese, and is available for download on a variety of platforms. Session is also part of a larger project, “Lokinet”, which provides more tools and infrastructure to help you protect your own privacy online. We are currently translating Lokinet documentation into Japanese, in hopes for a Japanese version on final release.

We encourage all Japanese internet users to follow the development of both Session and Lokinet, and begin embracing privacy protecting infrastructure now, before the “Digital Agency” fully rises to power.

アノニマスの見解 Ep.15:”EUNOMIA”又は”私は如何にして心配するのを止めて社会信用システムを愛するようになったか”


Hello everyone. And welcome to another episode of “ANONYMOUS NO KENKAI”. And a very exciting episode it is, because we’ve got an insider leak of some interesting info about a project called “EUNOMIA”, in coordination with the Fediverse’s own “Free Speech Axis”.

Long time viewers of this series might remember Episode 5, where we talked about Mastodon, GNU Social, and Plemora. In particular, you might remember a man by the name of Gargron, also known as Eugen Rochko. He’s going to be important to this story, so you might want to go watch that episode if you don’t know why he’s important.
このシリーズの長年のファンは「マストドン、GNUソーシャル、Plemora」についての第5話を覚えてるかもしれませんね。特に、「Gargron」(別名Eugen Rochko)という男も思い出すかもしれないですね。彼がこの話にとって重要なので、新登録者はぜひ第5話をご覧下さい。

But first, let’s talk about “Fake News”. Fake News is a really big problem these days, if you listen to media and politicians. Spies, extremists, and scammers are all supposedly using the internet to spread fake stories and trick the public into believing the wrong information.

And of course, the same media companies and politicians are ready…eager, even…to offer solutions to the problem. Journalists name and shame online personalities. Silicon Valley companies like Facebook and Twitter routinely engage in purges of “fake news” from their platforms, silencing or even banning accounts that spread it. How exactly they discern fake news from truth remains a mystery, unfortunately…

Some governments, notably China, have taken stronger measures. China’s infamous “social credit” system does a lot of things, but apparently one thing that can reduce your national loyalty score is “spreading fake news”…of course, the Chinese government gets to decide whether news is fake or not. The military government in Thailand, meanwhile, has been very active in using its own “Computer Crime Act” to arrest its critics, claiming they spread “false information”.

But the civilized nations of the Western world insist that they’re different from their totalitarian counterparts. Their campaign against fake news is sincere, and in the best interests of democracy. Interestingly, though, they have little to say about the fake news they participate in creating. Fake news like the Covington High story, where multiple supposedly reputable American news outlets spent days reporting flat-out lies about a group of high school boys, while Twitter looked the other way as outrage mobs led by celebrities harassed and threatened children. Thankfully the truth was livestreamed, but where was their concern for fake news then?

Then there’s the RussiaGate scandal…two years of politicians and media companies insisting that US President Donald Trump was a secret Russian asset, until an investigation disproved it as conspiratorial nonsense. No matter one’s opinion on the man, these are reckless and irresponsible lies.

These are only two examples, but there are more…far too many to go into here. And in none of these cases do the media or politicians admit responsibility. Yet they want to tell us what news is fake or real?

The reality is, no matter where you go, its not uncommon for the authorities to say one thing and do another. And the unilateral solutions they impose always seem to create more problems than they fix.

And that brings us to our main topic, “EUNOMIA”…an EU initiative to create a software solution to solve the fake news problem. …yeah, I think you can see where this is going.

From the European Commission’s own website, they describe EUNOMIA as “a fully decentralised, intermediary-free and open-source solution for addressing three key challenges: which social media user is the original source of a piece of information; how this information has spread and been modified in an information cascade; and how likely it is to be trustworthy…EUNOMIA actively encourages democratic citizen participation in content verification by allowing voting on content trustworthiness and influencing the reputation of content generators and sharers”.

In other words, EUNOMIA is going to keep track of who said what, when, and where. It’ll track who shared that information, and with whom. Finally, it’ll host an online popularity contest to decide who’s telling the truth or not, and brand people with a number score based on the results. I think it should be clear how much of a bad idea that is. It sounds worryingly close to Chinese social credit.

But who cares, right? It’s just the EU, and Facebook and Twitter are already heavily censorsed hellscapes. Well, yeah…about that. Remember when we mentioned Mastodon and Gargron? Guess who’s on the list of contributors to the project…getting paid 63,290 euros to participate? Eugen Rochko, Gargron himself.
でも大した問題ではないでしょう?EUの問題ですし、FacebookやTwitterはすでに監視されてる。いえいえ、実際はその点には面白い話があるのです…動画の冒頭でマストドンとGargronさんについて述べましたよね?6万3千ユーロの引き換えに、誰がEUNOMIAの開発に参加しているのでしょうか?Eugen Rochkoさん、Gargron本人です。

Why would the creator of Mastodon be working on EUNOMIA? Maybe because Mastodon, and the wider Fediverse, is intended to be its testbed. In fact, the EUNOMIA project description itself clearly states that it is “ideal for evaluation on similarly open, decentralised and federated new social media networks”.

To be clear, the Fediverse…a decentralized federation of alternative social media services…is the place where people go to escape the censorship, authoritarianism, and surveillance of mainstream social media. It’s a place where they can speak freely and tell jokes without fear of being banned, or even arrested. What EUNOMIA proposes is to bring in the worst aspects of both mainstream social media and Chinese style social credit. No surprise it’s so unpopular.

Of course, the creators of EUNOMIA are quick to deny this. The project’s own Mastodon-dot-social account says it will “not in any way involve Mastodon social, and…will not involve anyone without their explicit consent”. All well and good, but it’s worth noting that we have no guarantee that this will always be true, or even if it’s true now.

Comparisons to social credit are also denied, since the project claims its purpose is “to assist social media users in determining trustworthiness of information”. In other words, it isn’t a central authority deciding what’s true, it’s just a tool to help other people vote on what they think is true. Personally, I don’t enjoy the idea of crowd-sourced social credit any more than the centralized variety. If anything, the outrage mobs and groupthink we’ve seen on Twitter makes me fear social credit by mob-rule even more.

But aside from that, there’s no escaping the reality that such a system would necessarily entail tracking and analyzing conversations, necessitating a panopticon-like surveillance of discourse across the Fediverse. Even if they claim that participation is voluntary, once the infrastructure is built, how easy would it be to just expand it after the fact? Or for other people to inherit the project and expand it later? This could especially be worrying to Japanese Fediverse instances, as these software tools will likely be localized and imported by certain characters if they prove successful in the EU.

Moreover, the idea of voting or scores to rate trustworthiness implies a system that discourages individuals making their own assessments about the truth, and instead blindly trusting the opinions of the majority. The creation of cliques and groupthink in such a system would be inevitable, and any search for truth would quickly be drowned out.

Apparently I wasn’t the only one who had these concerns, because somebody inside the EUNOMIA project decided to leak chat logs from their internal discussions. And some of the things they have to say only deepen my concerns.

For one, EUNOMIA will likely involve datamining instances via public APIs. No surprise, given datamining firms like SYNYO GmbH are key members of the project. They claim it will be opt-in and anonymized, but given the volume of data they’d likely need to build their models, its hard to believe that promise will last long. As for anonymisation, studies have shown how easy it is to re-identify users from aggregate datasets.
まず第一に、EUNOMIAはインスタンスの公開APIを使ってデータマイニングを行うそうです。「SYNYO GmbH」というデータマイニング企業がプロジェクトに参加するので、驚くほどではない事実です。収集はオプトインのみ、個人情報は匿名化されると言われますが、統計模型を築くために大量のデータが必要だと思います。自主的参加が足りない場合、その約束を守れるのでしょうか?そして匿名化について、データ匿名性を奪うのは意外と簡単だということを調査は示しています。

Secondly, EUNOMIA appears to be using some very questionable sources as reference for their models…namely the New York Times and Facebook. Remember, the NYT was central to spreading both the Covington High lie and the RussiaGate hoax. And Facebook has repeatedly been exposed as a biased actor in the way it controls how information trends on its platform. Hardly credible experts on identifying fake news when they couldn’t even identify their own.
第二に、EUNOMIAは統計模型を築くには信頼性に疑問のある情報源を利用している。特にNew York TimesとFacebook。忘れないてはなりません、New York Timesはコビントン高校とRussiaGateのデマを広めることに最大の影響を与えました。そしてFacebookがトレンディング・トピックを歪曲していることがすでに発覚しました。自分で作ったフェイクニュースを発見できなければ、情報の信用性を究明する資格があるのでしょうか?

Lastly, they internally refer to criticism of the project as “paranoia”, downplaying the validity of concerns and showing a lack of self-reflection, or even an understanding of why the Fediverse reacts negatively to them.

Bottom line, given the people involved, the histories of behaviour, and the attitudes on display, there are a lot of red flags surrounding the EUNOMIA project. What we can do to avoid it or mitigate the damage it may cause isn’t clear, yet. But identifying the threat is a good first step. The leaked info is linked in the description. I’d also like to make a Japanese translation eventually.

Fake News does exist, and it can be a problem, but it’s not going to be solved by an app or an algorithm. Technological solutions cannot fix human problems, and trust scores do nothing to encourage critical thought. If the goal of EUNOMIA is to help people determine trustworthiness without defining it, then objective metrics shouldn’t be involved at all, no matter how democratic the process leading up to them. The only thing that can help social media users to seperate fact from fiction is critical thinking, common sense, and personal responsibility when both producing and consuming information. And if they lack those qualities, then no piece of software is going to save them.

To every member of the Fediverse, the answer is clear; Say No to Eunomia. And Eugen…if you really want to make the Fediverse a better place, consider donating your 63,000 euro bribe to a media literacy program instead.

This was ANONYMOUS NO KENKAI, and until next time…MACHIUKENASAI

アノニマスの見解 Ep.12: 公開ブロックチェーンの落とし穴

Hello everyone, and welcome back to アノニマスの見解. It’s been a while since the last episode. My apologies for the long delay.

Unfortunately, the forces of censorship and surveillance didn’t take a break during this period, and there’s a lot to catch up on.

As you might already know, Site Blocking has taken a turn for the worse, with DoS attacks against alleged pirate sites being proposed in government run study groups. CIRO and the Directorate for Signals Intelligence haven’t gone anywhere, and there’s no shortage of new hardware AND software vulnerabilities that threaten your privacy.

But today, we’re going to talk about something different; cryptocurrencies, and how they related to the idea of financial privacy. But first, some background.

In June of this year, Coincheck, one of Japan’s largest cryptocurrency exchanges, announced that it was suspending all trading in Monero, Zcash, Dash, and Auger… all currencies that are designed around the idea of user privacy. This was after the Financial Services Agency threatened stricter regulation of cryptocurrencies in Japan, strongly implying this was a response to government pressure.

Later that same month, the National Police Agency arrested multiple website operators for putting “Coinhive” into their websites. Coinhive is a distributed program that uses the computing power of website visitors to mine for Monero. But the NPA arrested them for violating a law banning computer viruses, implying they believed Coinhive to be a virus, even though there is no official judgement that this is accurate.

Finally, just last month, the National Police Agency announced their budget for 2019, including 2.7 billion yen to fight cyber threats. In that budget was a plan to purchase a blockchain surveillance system from overseas which would allow the NPA to gain a “bird’s eye view” of all transactions on the blockchains of major cryptocurrencies, including Bitcoin and Ethereum, and possibly others. While no information on this system has been announced, there is a high possibility that this surveillance system will be “Elliptic”, one of the most well-known and popular blockchain surveillance tools.

Based on all of this news, it’s easy to understand that the Japanese government is struggling to assert control over the world of cryptocurrency in Japan. Privacy-focused cryptocurrencies like Monero are attacked, while surveillance tools to watch open blockchains are installed. The media talks about these measures as necessary to fight criminal money laundering. But as we’ve said in previous videos, empowering an authority to protect you doesn’t protect you from the authority itself. And government surveillance over individual finance can create many negative and unintended side effects.

Firstly, it’s important to remember that historically, total surveillance and central control over individual finance was not the norm. Whether through cash or barter, individuals have been able to privately exchange value for centuries. Regulations evolved over time as a means to counter abuse, but total surveillance and control over finance is a relatively recent development. However, many developed nations now favour credit or electronic payment systems over cash. Some countries, like India, have even tried to eliminate cash entirely, though often with disastrous results.

While a cashless society seems convenient, it comes with one very big problem; it takes power away from individuals and gives it to large, centralized institutions. With cash, two individuals can exchange value freely. I can invite my friend over for dinner, give him cash in exchange for something, and nobody can really interfere in our transaction. But with cashless electronic payment, the company running the system can monitor every transaction, and even deny transactions it doesn’t approve of. In a worst case scenario, it could even cut a user off from the system entirely. We saw a vivid example of this in 2010, when multiple banks and credit card companies arbitrarily and simultaneously cut Wikileaks off from donations. The power of centralized financial institutions to crush dissent is very real.

The threat of this power is two-fold; on the one hand, government pressure can have critics arbitrarily cut off from all finance. But on the other hand, the threat of being cut off also discourages dissent, and encourages self-censorship.

This is where cryptocurrencies like Bitcoin enter the picture. Being a peer-to-peer system, cryptocurrencies have no central control. Much like cash, they allow individuals to trade freely with each other. But unlike cash, cryptocurrencies allow these trades to happen at any distance. Two users in different countries can freely exchange value, as long as both are connected to the internet. Certainly there is the possibility of criminal abuse, just as with cash. But it also creates a check against the abuse of centralized power.

However, there is one massive Achille’s Heel to many cryptocurrencies; the public blockchain. The blockchain is a completely public ledger of every transaction on the network. Every detail of every transaction is recorded and shared publicly. This means your wallet address, your IP address, account balance, and every transaction are public knowledge. Not even bank accounts or credit card companies share this much information about their users.

So, while cryptocurrencies allow free exchange of value between individuals, the total panopticon of the public blockchain means the association between individuals can still be policed. Cryptocurrencies still need to be exchanged for cash via exchanges, and if the government can monitor every transaction on the blockchain, they can still order exchanges to cut off users they don’t like. If you donate Bitcoin or Ethereum to an opposition party, or a government critic, your account can be flagged by the authorities. If you use Bitcoin or Ethereum to pay for anything personal or embarassing, this can be used to blackmail you. Knowledge of perfectly legal but private activities can easily become a tool of control.

It’s worth noting, this isn’t only a problem from the government. A total public blockchain means anybody can find all of this information easily. But, with specialized surveillance tools like Elliptic, the speed and scope of government surveillance is a much bigger threat.

So what can we do about it? First, we need to understand that totally public blockchains are bad for individual users. Unfortunately, this means that using Bitcoin or Ethereum will always be a risk. We need to start using, promoting, and fighting to normalize cryptocurrencies that embed privacy into their infrastructure, like Monero, ZCash, Dash, or Augur. If you have cryptocurrency in public blockchains, consider moving some of it to more private cryptocurrencies. And finally, reject centralized corporate control and build markets and businesses that respect the privacy of their users. No one person can change the world alone, but each individual can change the way they do business. And if we all change together, then maybe the world can change with us.

This was アノニマスの見解, and until next time… 待ち受けなさい。


Hello People of Japan.

We are Anonymous.

In March 2018, Chief Cabinet Secretary Yoshihide Suga announced that, to combat the rise in manga piracy, the government was “considering all measures including site blocking”.

In early April, the Japanese government announced, in spite of the clear violation of Article 21 of the Japanese Constitution, that it would seek the cooperation of Japanese ISPs to block suspected pirate sites,

The government’s justification for this is to regard content piracy as a “present danger” under Article 37 of the Penal Code, which states “An act unavoidably performed to avert a present danger to the life, body, liberty or property of oneself or any other person is not punishable”.

Indeed, we can recognize a “present danger” here, but not in the form of manga piracy.

Government censorship, violation of Constitutional law, breach of communications privacy…these “present dangers” are right before us.

We do not speak in favor of piracy sites, nor do we defend them. That is not the reason we are speaking out on this issue.

But justifying government-ordered site blocking under Article 37 of the Penal Code is not only ludicrous, it’s also dangerous.

No matter what impact pirate sites may or may not have on the manga industry, the loss of profits can never be a considered a “present danger” in any way. Widening the definition of Penal Code Article 37 to such a ridiculous degree only invites further abuse, as other information and activities can easily be judged as more harmful than mere copyright infringement, and worth blocking.

The use of Penal Code Article 37 that allowed the blocking of child pornography sites raised concerns about a slippery slope of widening censorship. We were told that this was only a limited exception to Article 21, and there was no need for such fears. And yet now we are witnessing the slippery slope in action.

Even without a binding law, requests for voluntary cooperation to ISPs by the police or government are a form of pressure. The position of power government holds effectively coerces cooperation, making any such requests de-facto demands.

Further, asking ISPs to block access to certain sites encourages them to track the browsing habits of Japanese internet users more generally, which violates privacy of communications and expands the surveillance state.

We strongly condemn any site blocking requests from the government, and urge Japanese ISPs to refuse these requests and defend users’ Article 21 rights to privacy, and against censorship. These are actions we would expect from authoritarian countries like China and North Korea, not a Constitutional Democracy like Japan.

However, merely asking the government and ISPs to stop is not enough. It is necessary for Japanese users to secure their own privacy and freedom from censorship. To make this possible, we strongly recommend the use of Tor or a VPN. We will escalate our work to provide Tor and other VPN software in Japanese, as well as information on how to use this software to bypass site blocking.

We urge all Japanese internet users to begin using Tor and VPNs now. The more people can easily bypass site blocking, the more ineffective government censorship becomes. And as for the politicians who desire to violate their own Constitution in the name of censorship powers….

Please learn how to feel shame.

We are Anonymous.
We are Legion.
We do not forgive.
We do not forget.
Expect Us.

アノニマスの見解 Ep.10: フィッシング・バカ日記

Hello again, Internet. And welcome back to ANONYMOUS NO KENKAI.

Almost exactly one year ago, in March of 2017, we talked about surveillance and the cost of enforcement in Episode 3. At the time, the Japanese government was steamrolling through the Conspiracy Law and giving the Police worrying new powers to spy on the population.

Since then, we’ve heard very little about the Conspiracy Law, or government surveillance in Japan. But no news is not necessarily good news. Covert surveillance being what it is, we often only hear about it when it’s already too late, and rarely through mainstream channels. In fact, there’s reason to believe that the Japanese government is actively involved in monitoring its citizens right now. But as usual, to understand how, we need to look at some other news.

In October of 2017, Kaspersky Labs discovered a new breed of Android malware, which it named “SkyGoFree”. When news about SkyGoFree started appearing in early 2018, it was obvious this was a cut above your common Android trojan. Rather than serving up spam or installing crypto miners, SkyGoFree gave the attacker full control of the device. It could track location, record audio and keystrokes, and exfiltrate all data, including from the clipboard. It even had the ability to use “geofencing”; If GPS data showed the device was inside a target location, the microphone could automatically start recording and send the data to a remote server.

SkyGoFree also had custom payloads that targeted specific Social Media applications, including Facebook, WhatsApp, Viber, and (of particular interest to Japanese users) LINE. It could also secretly connect to malicious wifi hotspots, even if the user had wifi deactivated, making it easier to monitor targets.

Fortunately, SkyGoFree can’t very easily install itself on a target device. The usual method for infection is to direct a target to a fake website that imitates their mobile carrier, then trick them into downloading and installing an infected APK. SkyGoFree victims were almost exclusively found in Italy, so this isn’t a worldwide phenomenon. But the capabilities of this malware suggested it wasn’t some low level criminal operation. SkyGoFree was very likely developed as a Lawful Intercept tool for government and corporate use.

Who made SkyGoFree? That remains unknown, but Kasperky’s analysis of the source code found two things. First, comments were written in Italian. Second, certificates and control servers repeatedly used the word “negg”. Most media outlets talking about SkyGoFree have been careful to avoid making any accusations…it’s good way to get in legal trouble, so that’s understandable. But the fact is, there is an Italian IT company called “Negg International”, which offers cyber-security and mobile app services.
誰がSkyGoFreeを作ったかまだ不明です。でもカスペルスキーによるソースコードの分析に基づいた2つの手掛かりがあります。まず第一に、ソースコードのコメントはイタリア語で書かれました。第二に、「negg」という名前は認証と指令管制サーバーで用いられます。法的責任を恐れ、ほとんどのニュースサイトは非常に用心してSkyGoFreeについて報告していましたが、実は「Negg International」というイタリアのITセキュリティーとモバイルアプリ企業が存在します。

Attribution in cyber-security is notoriously difficult, and while the evidence pointing at Negg is compelling, it could just as easily be a red herring to throw off investigation. However, Italy is no stranger to spyware manufacturers. The now-infamous “Hacking Team” was an Italian company, after all. And after their fall from grace, it’s hardly impossible to imagine others would try to fill the gap.
サイバーセキュリティの世界にあって、責任帰属は非常に難しい問題です。Negg Internationalを示す証拠は有力ですが、真犯人は発覚を避けるための煙幕を作ったという可能性もあります。しかしそうは言っても、イタリアはマルウェア開発企業になじみがあります。評判の悪い「Hacking Team」はイタリアの企業でした。Hacking Teamが信用を失墜した後で、他の企業が市場の隙間を埋めると思ってもおかしくはないでしょう。

Now on to our second story. In March of 2018, The Citizen Lab reported that Egyptian and Turkish ISPs were redirecting non-HTTPS traffic to phishing sites that infected them with FinFisher brand government spyware, as well as cryptomining malware. This redirection was made possible by a piece of equipment called a “middlebox”, which transforms, inspects, filters, or otherwise manipulates traffic that passes through it.
次の話に進みましょう。2018年3月に、Citizen Labという人権団体の報告によると、エジプトとトルコのプロバイダーはユーザの暗号化されていないウェブトラフィックを偽サイトまでリダイレクトし、FinFisherという政府向けスパイウェアまたは仮想通貨マイニングマルウェアを感染させたという新事実が明らかにされました。これは「ミドルボックス」というネットワーク装置によって可能となりました。プロバイダーはミドルボックスを使って通信を傍受し、リクエストに応じて変更を加えることができます。

The middleboxes in question were PacketLogic brand devices, manufactured by a Canadian company, Sandvine (which was merged with an American company, Procera Networks, in 2017). Among other things, PacketLogic middleboxes are capable of something called “deep packet inspection” or “DPI”. This lets them study the contents of user web traffic, and change, redirect, or block it as desired.
問題になっているミドルボックスは「PacketLogic」というブランド名の装置でした。メーカーは「Sandvine」というカナダの企業です(そして2017年にProcera Networksというアメリカの企業と合併されました)。他にも多数の機能がありますが、Packet Logicのミドルボックスにはディープ・パケット・インスペクション(DPI)の機能があります。DPIを利用すれば、プロバイダーが通信の内容を傍受、変更、リダイレクトが可能で、思うがままにブロックすることができます。

Using Sandvine equipment, ISPs in Turkey and Egypt would detect unencrypted web traffic and redirect it to phishing sites, most likely at the request of the government, who could use spyware infected phones to spy on their citizens, and use cryptominers to fund their own black budgets.

So why is this important? What do Italian Android spyware and Turkish ISP middleboxes have to do with surveillance in Japan?

First of all, it’s already known that the Bureau of Public Security was in the market for Italian spyware in 2014. At the time they were buying Hacking Team’s “GALILEO” software, but it’s unknown whether they actually purchased it, or whether they used any other suppliers.
先ずは、2014年に日本の警視庁公安部がイタリアのスパイウェアの購入を希望していたことは既に知られています。あの時に彼らはHacking TeamのGALILEOスパイウェアを買おうとしましたが、結局Hacking Teamまたは他の供給者のスパイウェアを買ったかどうかは知られていません。

Regardless, the fact that they want spyware makes it safe to assume they intend to use it, and that they’ll seek to keep their spyware arsenal up to date. It is well within the mandate of Public Security to monitor anti-war, anti-globalism, and other social movements. The Conspiracy Law only makes it easier for them to do so.

Secondly, the same PacketLogic devices used in Turkey and Egypt also exist in Japan. In July 2015, Procera announced that Softbank would use PacketLogic middleboxes for their LTE network. It’s unknown whether these devices are deployed on other telecom carrier networks, but it’s likely they have similar equipment.
次は、エジプトやトルコに利用されたPacket Logicミドルボックスは日本にも利用されています。2015年7月に、Procera Networksは、ソフトバンクがPacket LogicをLTEネットワークに使用すると発表しました。他のテレコム会社が使うかどうかは知られていませんが、類似の装置は利用されている可能性は少なくないでしょう。

So, to recap: Public Security is responsible for monitoring social movements. Public Security almost certainly uses spyware. At least one Japanese telecom giant uses equipment that can infect smartphone users with spyware. And the Conspiracy Law makes it legal to use spyware on civic groups. Is the Japanese government actually doing this? Maybe. But doo they have the ability to do it? Absolutely.

We said this one year ago, but it bears repeating: if you are part of any social movement in Japan, you cannot afford to assume you are not a target. Even one lapse of judgement with your smartphone can turn you into a walking wiretap. Cyber-security is everyone’s problem, and it only takes one person to compromise the security of an entire group. So if you don’t want to be the weakest link, here’s some advice for you to follow:

Always check the URL of a site you visit, especially if you need to enter passwords or other sensitive data. Phishing sites often use similar-looking URLs, so if you feel something is suspicious, check carefully. Also, make sure the site is using HTTPS. You can usually see a green lock icon next to the URL. If a site that looks like your mobile provider or internet company is pressuring you into downloading an “update” or “virus cleaner”, consider that it might be a trick and do some research first.

If possible, use different devices for your activism and your daily life. If you have a smartphone you use for casual web surfing and social media, do not use it to communicate with your activist group. You’re more likely to visit infected sites or click on links during personal web surfing, so using the same device for both increases your risk considerably. It’s easy to go to a used electronics shop and buy a seperate laptop, phone, or tablet cash and carry. For bonus points, install a non-commercial OS like Qubes, Copperhead, or at least Lineage.

Don’t use the same accounts either. Even if you have to use the same device, using personal e-mail or social media accounts for activism is dangerous for the same reasons. Ideally, you should be using non-commercial open-source services hosted outside the country for things like e-mail and cloud storage.

Using a pocket wifi device is better than using an internal SIM card, or public wifi. Personal pocket wifi gives you more control over when your device is connected or not, as well as how many people are using the connection.

Use Tor or a out-of-country VPN for all online activism. When connecting your devices to the internet, you need to remember that your ISP is probably helping to spy on you. An encrypted tunnel to an out-of-state VPN makes it harder to monitor or tamper with your traffic.

Don’t use Apple products for activism. iCloud may be safe against most criminal hacking attempts (usually), but Apple has been happy to cooperate with government spying requests in China and elsewhere. iPads and iPhones are also harder to modify and change OS on. Android is far from perfect, but at least it gives you more options.

Similarly, don’t use big name social media for activism. Find and use an open source platform that does not rely on the central control of a commercial entity. Like Apple, Facebook, Twitter, and LINE will share your information with the police if ordered to.

Encrypt. Everything. Always. Never ask yourself if it’s necessary. It’s always necessary. It costs you nothing but time, and a little effort in the short term can save you a lot of trouble later on.

And finally, encourage all your members to share the same security practices. You can have the best security in your group, but if everybody else is infected with spyware, it doesn’t matter.

As the world spins deeper and deeper into dystopia, cyber self-defense becomes more and more a crucial life skill. If you get lazy about your security now, you might find it’s far too late when you come to regret it.

This was ANONYMOUS NO KENKAI, and until next time… MACHIUKENASAI.




1. ブラウザーでhttps://riot.imに行って下さい。
2. アップル、アンドロイドのスマホやタブレットのアプリもあり、Windows、Mac、そしてLinux板もあるが、ブラウザーでアクセスするのは一番簡単。「Launch now in your browser」をクリックして下さい。
3. 次のウィンドウに、左の上にある「Register」をクリック。
4. 登録用紙に記入。
・「Default server」は選択されることを確認
5. Riotからの確認メールが届きます。
6. メールの中のリンクをクリック。
7. リンクは新しいウィンドウを開く。チェックボックスをクリックしてCAPTCHAパズルを解く。
8. パズルが解かれたら、Riotアカウントのプロフィールは開く。一番下までスクロールして、「Logged in as」の部分を見つける。「@〇〇〇:matrix.org」はユーザーIDです。
9. そのユーザーIDを我々のメールに送って下さい
10. 招待を待つ。届いたら、クリックして、そして「accept」をクリック。
11. 好みの名前を入力して、「Set」をクリック。
12. 無事にチャットに参加できました。