The largest web browsers are scrutinizing their dependence on root certificate authority TrustCor Systems after researchers discovered it has links to shady spyware producers and distributors.
TrustCor is an agency that vouches for the legitimacy of websites reached by hundreds of millions of users every day. Web browsers employ hundreds of such root certificate authorities to fulfill a vital role in online data security. But with TrustCor Systems, malicious spyware could have had a backdoor into a critical component of U.S. internet infrastructure.
According to a Washington Post report on research from Joel Reardon at the University of Calgary and Serge Egelman of the University of California, Berkeley, TrustCor’s “Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade.”
TrustCor’s products include an email service that has been found to host spyware developed by a Panamanian company. According to The Post, Google has since banned all software containing that spyware code from its app store.
TrustCor also has the same president, agents, and holding-company partners listed in Panamanian records as another company known as Measurement Systems, which has been caught “paying developers to include code in a variety of innocuous apps to record and transmit users’ phone numbers, email addresses and exact locations.” Apps with that code were downloaded over “60 million times, including 10 million downloads of Muslim prayer apps.”
PPSA has reported how the federal government maintains an advanced surveillance network to stalk American Muslims. Who knows what they can do with these data?