There's a massive difference between having a country spying on it's own citizen versus having an adversarial country doing it. The three-letter agencies would likely not be trying to sabotage or destroy their own country's economy and global standing for one.
It's concerning that someone from the EU is still asking this question. How is there any doubt left in you? Yes, of course both are adversarial countries, and shouldn't be treated all too differently. In the short-term, the US is the bigger threat, as they've shown they're much more willing to use the power they have to cut off access than China.
As someone from the US I would suggest viewing both as adversarial. I don't really trust my own government, but if I was born abroad I would trust them even less.
You absolutely can. We see a huge uproar in European enterprises against US software/vendors/etc. Many companies are halting their cloud migration because they are now worried that the current US government could decide to just pull the plug or something otherwise inane.
Wouldn't having an adversarial country to be spying on you be the better option for you personally? At least privacy wise, not using your machine as some infiltration point, as the country you reside in has many more opportunities to abuse the data
I hear this theory being claimed so much, but I don't see any real evidence for it; we have routers that you can monitor traffic on, we have microphone use indicators on mobile, and I would imagine it would be pretty clear if an app was uploading audio with even very basic monitoring tools. Correct me if I'm wrong, however.
I'm not denying that a lot of data is likely surreptitiously collected, but I'm talking microphone/camera in particular.
Most traffic is encrypted with HTTPS unless you can root every single device you own
we have microphone use indicators on mobile, and I would imagine it would be pretty clear if an app was uploading audio with even very basic monitoring tools.
Complicated smartphone OS, firmware, drivers might have bugs allow overrides of visual indicators.
That is fair. I do not think anyone could feasibly could detect/extract the exact data sent, because of HTTPS.
However I was more thinking of simple things, such as disabling anything that SHOULD be communicating with the Internet and seeing if any constant traffic persists.
Now of course, some very small (e.g plaintext) traffic might be almost undetectable, however that would suggest that most of the data would not be able to be transmitted due to size.
How confident or certain are you of what CSME or PSP or some code in TrustZone is doing? How certain are you that not a single piece of software on your machine, be it in the kernel, userland, drivers, is performing some type of surreptitious communication with CSME or PSP or program running in TrustZone?
Do you know for sure whether PSP or CSME has ever done DMA, or fingerprinted stack/heap allocation patterns and timing, or inspected the contents of your disk (after FDE was done being decrypted, of course), to evaluate whether common packet capture software is installed, or even whether it's currently running?
Detecting spyware is one thing. Detecting surreptitious nation-state spyware that behaves differently when it's being observed is a different challenge entirely.
In my case, I don't currently have any capture software on my main computer at all.
Our routers are Asus, and so I'm able to install tcpdump and log traffic directly without the source device itself knowing anything. This makes it really easy to monitor the traffic of any device, albeit not knowing exactly what it is being sent.
But it is true that I really can't know much more than what tcpdump shows.
I recall there were quite a few experiments where people use certain keywords heavily just to get closely related ads later on. I can totally relate my experience with it as well. Of course it is inconclusive - but if there is an incentive, management of big companies will venture into it. And chinese management is no different from western ones to that matter.
They don't pick the keywords uniformly randomly from a list of all keywords though. They think they randomly picked something that popped up in their mind, but those keywords are either
- stuff they saw online recently — ads or otherwise, which put the keywords in their mind
- or stuff they were already interested in recently
Not hard to imagine targeting algorithms picking up on either of these
You dont see those "coincidental" ads because your phone is listening to you, you see them because your freind showed interest in the product and theirs enough information to infer they talked to you about it. The good news is, your phone isn't listening to you without your consent. The bad news is, because it doesnt need to.
The difference is that the Chinese intelligence agencies abide by Chinese law and don't really pose any kind of threat to American citizens, while the American intelligence agencies engage in unconstitutional schemes (as ruled by a federal judge) to illegally spy on Americans and lie about it to both congress and the American people, murder American citizens, and can, at any moment they want, fabricate evidence to procure no-knock search warrants where a team of armed gunmen will throw flashbang grenades into the homes of journalists and political dissidents in the middle of the night before barging in with assault rifles.
And yet, for reasons that remain beyond me, many Americans remain more fearful of the former than that latter.
Perhaps because foreign governments with a known antagonistic stance would happily sell or hand over your data in order to cause large-scale economic instability via account attacks, political instability via fostering the prosecution of minority groups (as identified by said data)... get creative. Large-scale data on your enemy's citizenry is a new weapon in the modern arsenal, and we haven't seen anyone really try to use it yet, but I suspect the results when they do will be ugly.
Care to elaborate on "known antagonistic stance"? Is there any evidence that China has ever actually performed any of these types of attacks you're discussing?
"Get creative" might work well for fictional writing exercises, but is it such a sound strategy for assigning guilt? Surely you wouldn't like being prosecuted for crimes that someone "got creative" with in accusing you of, no?
The consensus is usually "well the government only targets you when you probably deserve it" whereas china is spying on everyone regardless of your opinion of the actions of the current administration.
To address your last paragraph - it’s not unlikely the latter use all powers to divert attention to the former as it conceals shenanigans of the latter
China and Chinese companies flaunt every single law that at all hinders them, IP law being the typical example. The EU has the Privacy Shield agreement with the USA. Such an agreement with China would be effectively impossible, since even if it existed, they'd simply ignore it. People criticise Five Eyes, and for good reason, but it's existence at least means that intelligence agencies are willing to follow domestic law.
Not to mention the use of the word "Western", which is the kind of bullshit I could write a smaller book about.
How is it any different from western apps listening to you and siphoning all data on your local network to 3 letter agencies?