A hacktivist has scraped a wealth of data from the crime and neighborhood watch app Citizen and posted it on a dark web site, Motherboard has learned. The data includes a huge amount of data related to 1.7 million "incidents"—events that Citizen informs users about concerning crime or perceived crime in their area—such as the GPS coordinates of where the incident took place, its update history, a clip of the police radio that the incident relates to, and associated images.
On their dark web site, called "The Concerned Citizen's Citizen Hack," the hacker writes "Fuck snitches, fuck Citizen, fuck Andrew Frame and remember, kids: Cops are not your friends." Andrew Frame is the CEO of Citizen; Frame was responsible for putting a $30,000 bounty for information that would lead to the arrest of a person the company mistakenly suspected of starting a recent wildfire, The Verge reported.
Do you work at Citizen? Do you have access to internal Citizen documents? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
Much of this information would ordinarily be available to users as part of the normal functioning of the Citizen app. But with the hacker scraping it en masse and releasing it as a series of files to download, the data is qualitatively different from what the Citizen app offers, and allows journalists and researchers to gain greater insight into the use and spread of the app around the country. The scrape is somewhat similar to other recent mass collections and redistributions of public information, such as the Parler scrape that occurred after the January 6 insurrection at the U.S. Capitol.
"It's like a full log of police activity in multiple U.S. cities," the hacker, who said they affiliate themselves with the hacking collective Anonymous, told Motherboard. Citizen incidents are often (but not always) linked to police activity; Citizen produces its own summaries of events by listening to police scanners and pushing alerts about them to Citizen users. Users can also contribute their own videos.
A screenshot of the dark web site. Image: Motherboard
The hacker also provided Motherboard with a count of how many incidents were in each U.S. city. New York had over 520,000; Los Angeles over 250,000, Philadelphia nearly 120,000. The data also shows Citizen's use in other cities across the country, including Austin, Atlanta, Dallas, Portland, and Flint. The hacker said the New York scrape dates from January 2018 to May 2021.
As well as the incident data, the released cache also includes metadata for videos uploaded to Citizen, as well as a large list of URLs to 1.5 million videos stored on Citizen's servers (totaling 70 TB worth of clips), the hacker said. The list appears to include videos that have been marked for removal from public consumption on the app by Citizen's content moderation team, with some including the tag "Moderator Blocked Stream," according to the hacker and Motherboard's viewing of the files. These videos are still accessible if visited with the direct link included in the scrape.
The dark web site is also hosting COVID-related information that Citizen exposed to the open internet. On Tuesday, Motherboard reported that Citizen had mistakenly posted users' self-reported symptoms, tests, and Bluetooth-enabled contact tracing information online. The hacker said that included 490,000 status updates.
In a statement, a Citizen spokesperson told Motherboard "All of this information is publicly available on our website at citizen.com/explore. Our users broadcast these videos to the Citizen community to keep their neighbors safe and informed. Newsrooms across the country use these videos in their broadcasts daily. We are proud of the fact that we moderate every piece of user-generated content on our platform, and our team of moderators work around the clock to hide videos which do not meet our guidelines." Very shortly after Motherboard contacted the company for comment, Citizen made a change to its infrastructure potentially making future scraping efforts harder.
"First ever hacktivism in support of the #BlueLivesMatter movement (and by that we mean the Blue Man Group)," the hacker's site adds.
The hacker said they started by analyzing the Citizen website, and found how the company serves videos. From there, they identified an Amazon S3 bucket where the videos were stored. They said they then used the Citizen app to find an API that let them provide a video filename and receive the related incident identifier in return. They also obtained the incident metadata in bulk with another API, they added. Finally, they found another bucket that let them obtain the identifier of every incident, including those without videos, they said.
Last week Motherboard reported that Citizen is testing an on-demand private security force in Los Angeles, collaborating with private contractors that include Securitas.
Subscribe to our cybersecurity podcast CYBER, here.