Hacktivist Targets Citizen, Leaking Crime App’s Scraped Data to the Dark Web

Hacktivist Targets Citizen, Leaking Crime App’s Scraped Data to the Dark Web
Photo: KIRILL KUDRYAVTSEV/AFP, Getty Images

“Fuck snitches, fuck Citizen, fuck Andrew Frame and remember, kids: Cops are not your friends,” someone on the dark web recently wrote. That same person claims to have scraped and leaked data from the aforementioned crime reporting app — including information about some 1.7 million public safety “incidents” recorded and cataloged by the company, Motherboard first reported.

Citizen, whose CEO is the colorfully referenced Mr. Frame, functions as a real-time public safety notification system, alerting users to suspected criminal activity in their geographical area via police scanner information and user-submitted reports. Recently, the company raised some eyebrows when it announced that it will launch its own app-based privatised law enforcement service, thereby basically becoming Omni Consumer Products from Robocop. See our recent coverage for details.

Its ambitions to become a real-life dystopian villain sourced directly from great 1980s science fiction films has clearly not come without some detractors, however. The self-described “hacktivist” who snatched Citizen’s data subsequently leaked it to a website dubbed “The Concerned Citizen’s Citizen Hack” — where viewers can now look up all of the filched information: incident GPS location data, associated police radio audio files, images, event history, and more. Altogether, it gives an unfiltered, aggregated look at the large amounts of info collected by the public safety firm, as well as a window into how the company processes and stores all of that data.

This is really just the latest in a string of various data problems the company has weathered recently. Not only did its CEO recently use bad intel to blame an L.A. homeless man for starting wildfires, but just a few days ago, Motherboard revealed that the company had publicly exposed user data collected via its covid-19 contact tracing feature. The company subsequently patched whatever hole had allowed the data to be visible.

Despite how the “hacktivist” has qualified it, this latest incident isn’t a “hack” per se — as a lot of the data was already publicly accessible to the app’s users. Instead, it resembles many of the other recent large-scale scraping incidents (see: the Facebook, LinkedIn and Parler episodes, for instance), wherein an actor swoops in to grab large amounts of public-facing data, then yanks it out of the application and dumps it into one centralised location — typically some sort of underworld forum.

However, Motherboard has suggested that the data could be useful for “journalists and researchers to gain greater insight into the use and spread of the app around the country” — a potentially good idea, given the fact that Citizen claims to have over 7 million subscribers and is used in some of the nation’s biggest cities.

“It’s like a full log of police activity in multiple U.S. cities,” the hacker told the news outlet, suggesting that it could be used to understand how widely the app is being used and how responsive law enforcement is to it. Motherboard reports:

New York had over 520,000; Los Angeles over 250,000, Philadelphia nearly 120,000. The data also shows Citizen’s use in other cities across the country, including Austin, Atlanta, Dallas, Portland, and Flint. The hacker said the New York scrape dates from January 2018 to May 2021.

When reached for comment, a spokesperson for Citizen called the incident a “non-story” and provided the following statement:

All of this information is publicly available on our website at citizen.com/explore. Our users broadcast these videos to the Citizen community to keep their neighbours safe and informed. Newsrooms across the country use these videos in their broadcasts daily. We are proud of the fact that we moderate every piece of user-generated content on our platform, and our team of moderators work around the clock to hide videos which do not meet our guidelines.

Translation: I’m not owned, I’m not owned, I’m not owned.