At this summer's HOPE conference, Joshua Aaron spoke about ICEBlock, his iPhone app that allows users to anonymously report ICE sightings within a 5-mile radius, and to get notifications when others report ICE sightings near them. You can see the full talk, and the lively/infuriating Q&A, here, starting at 6:12:10.
Thanks to repression from the highest levels of the Trump administration, his app has gone viral and garnered over a million downloads from the App Store. Karoline Leavitt called it "an incitement of further violence against our ICE officers." Tom Homan said, "DOJ needs to look at this and see if they're crossing that line." Kristi Noem called the app "obstruction of justice." Pam Bondi announced "we are looking at it, we are looking at him, and he better watch out, because that's not a protected speech." (Notifying people about ICE sightings is protected speech, no matter what the fascist Attorney General says.) Joshua and his family have been receiving threats.
But unfortunately, despite the app’s goal of protecting people from ICE, its viral success, and the state repression against it, ICEBlock has serious issues:
Most importantly, it wasn’t developed with input from people who actually defend immigrants from deportation. As a result, it doesn’t provide people with what they need to stay safe.
Because ICE sightings in the app aren’t verified in any way, it's likely that most reports in the app aren't actually ICE, even if they’re posted by people who mean well – as I describe below, the vast majority of ICE reports are false positives.
And judging by the App Store reviews, it’s clear that not everyone means well. One review says: “This is a great app for safety information. Unfortunately MAGA is now posting false information on there and making racist comments in the comment section.”
Joshua makes strong claims about the security and privacy of his app without backing any of them up with technical details. Many of his claims are false. He also chose to target only iOS, and not Android, because of a misunderstanding about how Android push notifications work. And even worse, during the Q&A, he made it clear that he didn't understand terms like “warrant canary,” "reverse engineering," or “security through obscurity,” which doesn't inspire confidence.
Privacy promises without the evidence
When I first heard about ICEBlock, I liked the idea, but I – and others in various group chats I'm part of – were skeptical.
Joshua promises that ICE reports are "completely anonymous," that the app doesn't store any personal data, and that it's "impossible to trace reports back to individual users." These are bold claims that he hasn't backed up with evidence. Unlike reputable privacy tools, ICEBlock isn't open source (in the talk, he explicitly rejected the idea of open sourcing it or allowing the security community to help him improve it), and Joshua hasn't published a threat model or technical documentation explaining how his app keeps these promises.