New Bill Demands ID For All Burner Phone Purchases

CA Democrat Jackie Speier has introduced a bill that would require ID for all pre-paid phone purchases. Titled “Closing the Pre-Paid Mobile Device Security Gap Act of 2016,” the law has some very nasty provisions in it. Let’s take a look.

In order to buy a burner phone, you’d need to provide the following:

(1) Your full name.

(2) Your complete home address.

(3) Your date of birth.

Of course, it’s not enough to simply tell them this information. You need to provide documentation.

(1) A photographic identification card issued by the Federal Government or a State government, or a document considered acceptable for purposes of subparagraph (B), (C), or (D) of section 274A(b)(1) of the Immigration and Nationality Act (8 U.S.C. 1324a(b)(1)).

(2) Any 2 of the following:

(A) A Form W–2 Wage and Tax Statement received from the Internal Revenue Service, provided that such form has been received from the Internal Revenue Service within the prior 18 months.

(B) A Form 1099 Social Security Benefit Statement received from the Social Security Administration, provided that such form has been received from the Social Security Administration within the prior 18 months.

(C) A Form 1099 received from any other agency of the Federal Government other than the Social Security Administration, including the Internal Revenue Service, provided that such form has been received within the prior 18 months.

(D) Any document containing personal identifying information that the Attorney General finds, by regulation, to be acceptable for purposes of this section.

If you’re buying it online, you’ll need to offer a host of information as well:

(1) Valid credit or debit card account information.

(2) Social Security number.

(3) Driver’s license number.

(4) Any other personal identifying information that the Attorney General finds, by regulation, to be necessary for purposes of this section.

What happens if you use fake documents or lie about who you are for the purposes of personal liberty? Well, penalties, of course!

(a) False or misleading statements.—A purchaser who knowingly provides false or misleading information when providing the identifying information and documents required under sections 2 and 3 shall be fined under title 18, United States Code, imprisoned not more than 5 years or, if the offense involves international or domestic terrorism (as defined in section 2331 of such title), imprisoned not more than 8 years, or both. If the matter relates to an offense under chapter 109A, 109B, 110, or 117, or section 1591 of such title, then the term of imprisonment imposed under this section shall be not more than 8 years.

So what happens to your information, once you’ve purchased this phone? Naturally the data is kept by the wireless carrier, the merchant, everyone.

After an authorized reseller has transmitted a sale record to a wireless carrier in accordance with section 5, the wireless carrier shall—

(1) provide a transmission confirmation receipt to the authorized reseller, after the receipt of which the authorized reseller shall dispose promptly of any retained copy of the record; and

(2) retain the transmitted sale record in accordance with the privacy protections of section 222 of the Communications Act of 1934 (47 U.S.C. 222) for a period of 18 months or until the wireless carrier stops or otherwise discontinues providing service to the pre-paid mobile device or SIM card to which the sale record relates. [emphasis added]

Let’s recap. If you want a burner phone—which is your right—this bill would force you to provide all kinds of personal information, keep a record of your purchase, and literally jail you for noncompliance or false statements. The best part? Look at the stated purpose of the bill:

To require purchasers of pre-paid mobile devices or SIM cards to provide identification, and for other purposes. [emphasis added]

What other purposes? Use your imagination.

The noose is tightening every day. It’s long past time to look at alternate ways to communicate. Meatspace, however preferable, is not always an option. You need to learn how to protect yourself and the people you work with. Look into Bitmessage, Antox, VPNs, and other ways to communicate securely.

Encryption works.

Air-gapped Computer Breached

While we’re waiting for me to finish up the next Paranoid PC article, check out this piece I ran into from SANS. $3,000 worth of equipment is all it takes for a researcher to breach a computer that’s not connected to a network and that they do not have direct physical access to.

Depending on what you’re doing, even a heavily locked down computer may still be vulnerable to this kind of attack, even a computer like the one we’re building.

The folks we foresee ourselves in conflict with are smart, extremely well funded, and can pretty much act with impunity. Act wisely.


Researchers Say They Breached Air Gapped Computer (February 16, 2016)

Researchers at Tel Aviv University and Technion Research and Development say they managed to break into an air-gapped computer. The researchers measured radio waves emitted by the computer and with that information, were able to discern a cryptographic key. For the attack to be successful, would-be cyberintruders would need to be within several meters of the targeted device and to have US $3,000 worth of equipment. However, the researchers required only a few seconds of monitoring to gather the information they needed.

[Editor’s Note (Williams): While this isn’t the sort of attack we should expect to see frequently, it is something we need to add to our threat models (DoD has for years with the TEMPEST program). Many organizations have leased office space and share internal office walls with untrusted parties. If the researchers can penetrate a 15cm wall and get data several meters away with a $3000 rig, imagine what a well-funded adversary can achieve.]

Spying: It Can Happen to Me; It Can Happen to You

It’s easy for learning about privacy and data security to become an intellectual exercise, rather than a practical one. But sometimes we stumble across something that jolts us with just how real it is. This article was one of those things for me. If you’re reading this article, you can rest assured you’re being watched. That means your privacy depends on actions you take today, right now. Not sometime in the future.

Michael Maharrey writes:

“When I talk about NSA spying and mass warrantless surveillance, I’m pretty sure most people react something like this: yeah, it’s bad, but it doesn’t have any direct impact on me. I mean, why would the government ever bother to spy on me? Really, that’s for the bad guys, or the Muslims. It can’t happen to me.”

Spying: It Can Happen to Me; It Can Happen to You

If you’re still wondering why all of this matters, or how it affects you, be advised that if you’ve voted in any general or primary election since 2000, it already happened to you.

Educate. Empower. Resist.

Run Your Own Mail Server

If you read our article on secure email yesterday and still wonder if that’s enough to protect your communications, then perhaps you’ve thought about setting up and hosting your own mail server. While this might sound fairly daunting, the truth is that you don’t have to be a technical guru to pull it off. Mail in a Box is a production-quality project allowing you to set up your own email server. This gives you total control over all facets of its security and any other options. The site has very clear setup instructions and even a video you can follow along.

Keep in mind that you won’t be able to run this at home because computers on most residential networks are blocked from sending mail both on the sending end (e.g. your ISP blocking port 25) and on the receiving end (by blacklists) because residential computers are all too often hijacked to send spam. Your home IP address is also probably dynamic and lacks configurable “reverse DNS.” If any of these apply to you, you’ll need to use a virtual machine in the cloud. You can, however, set it up on that virtual machine.
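The conditions above (outbound port 25, reverse DNS, blacklist listing) can be checked before you commit to a host. The following is an added example, not part of Mail-in-a-Box or the original post; the function names are hypothetical, and the IP address and the `dnsbl.example` zone are placeholders you replace with your server's public IP and the blacklist zones you care about.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def resolve_a(name):
    """Return the IPv4 addresses for name, or [] if it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def resolve_ptr(ip):
    """Return the reverse-DNS (PTR) name for ip, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def can_reach_port_25(host, timeout=5.0):
    """True if an outbound TCP connection to host:25 succeeds (not blocked)."""
    try:
        with socket.create_connection((host, 25), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(ip, dnsbl_zones, ptr=resolve_ptr, a=resolve_a):
    """Check the reverse-DNS and blacklist conditions for sending mail from ip."""
    problems = []
    name = ptr(ip)
    if name is None:
        problems.append("no reverse DNS (PTR) record")
    elif ip not in a(name):
        # Receivers commonly require the PTR name to resolve back to the same IP.
        problems.append(f"PTR {name} does not resolve back to {ip}")
    for zone in dnsbl_zones:
        # Any A record under the zone means the address is listed.
        if a(dnsbl_query_name(ip, zone)):
            problems.append(f"listed on {zone}")
    return problems

if __name__ == "__main__":
    # Placeholder values (constructed): substitute your own IP and DNSBL zones.
    for p in preflight("203.0.113.7", ["dnsbl.example"]) or ["rDNS and blacklists OK"]:
        print(p)
```

Run `can_reach_port_25()` from the candidate machine against a mail exchanger you are entitled to test; a `False` result from a home connection is the ISP block described above.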

While we don’t recommend this for the beginner, it’s also not as difficult as you might think. Take a look and see what you think. From the website:

Mail-in-a-Box is based on Ubuntu 14.04 LTS 64-bit and uses very-well-documented shell scripts and a Python management daemon to configure the system. Take a look at the system architecture diagram and security practices.

Development takes place on github at

Note that the goals of this project are to . . .

  • Make deploying a good mail server easy.
  • Promote decentralization, innovation, and privacy on the web.
  • Have automated, auditable, and idempotent system configuration.
  • Not make a totally unhackable, NSA-proof server (but see our security practices).
  • Not make something customizable by power users.

Mail-in-a-Box is dedicated to the public domain using CC0.

There’s another option too, if you’ve got a Raspberry Pi lying around. This guide will literally walk you through booting your Raspberry Pi for the first time, all the way up to getting a secure webserver running. In fact, the guide itself is hosted on a Raspberry Pi. Take a look.

What a Data Breach Means to You

We keep hearing about “data breaches” and “hacks” from various companies. Even government entities are not immune, as far too many have found out in recent months. But what does that actually mean? As long as your credit card, SSN, or mother’s maiden name isn’t taken, is it really that big a deal? The short answer is yes. It matters more than you know—and not just for you or your group, but for your kids. Over at Patrick Henry Society, I break down the latest data breach, which took place at a popular toymaker.

VTech, a company in Hong Kong, might sound familiar because they sell all manner of electronic toys for kids, some of which allow them to chat with parents via an app on the parents’ phone. Many of these toys require an online account to get updates or more software for the toys, and the company encouraged parents to put a headshot of their child on the child’s profile as an avatar. The problem is that VTech got hacked, and almost 5 million accounts were breached. That includes everything from parents’ home addresses, to their kids’ personal information…and the headshot they put on the site.

Put it all together, and he knows who your child is, where he or she lives (and possibly where else she spends her time), how old she is, what she looks like, and when her birthday is. Since he also has your name and location, it’s a quick OSINT job to find anything he wants.

  • Zillow or Redfin will show him photos of the inside layout of your home.

  • LinkedIn will show your employer, and from there it’s a fairly easy jump, combined with other social media, to figure out the general hours you work—which means the general hours you are not with your child.

  • Facebook will net him just about anything he wants. I tell people all the time: Show me 30 days of an average person’s Facebook page, and I can tell you with a fairly high degree of accuracy where they will be at any given time. More importantly I can tell you where your kids will be, which is what the predator is interested in too.

  • Instagram and Facebook will give him all kinds of photos of your kids. Next time you are about to post a photo of your precious little angel, think about a predator having it, sending it to his sick friends, or posting it on a website for any other predator to download too. (By the way, if you think that making your timeline set to “Friends” keeps those photos safe, think again. I need to write an article showing you how easy it is to look at anyone’s photos, whether you’re friends with them or not.)

That’s by no means an all-inclusive list. That’s literally 5 minutes of internet surfing. This is yet another reason to protect your information. Whether you’re in a group or not, whether you’re engaged in freedom fighting or not, none of that matters. Protect yourself, protect your kids. This weekend we can show you how.