Data protection (Europe, especially Germany) and also privacy and security

[oliverk71]

Hi! Since I talk to officials of universities etc. the question was raised, if there might be potential problems with data protection, privacy and security.

Imagine, a birdnet-pi is put up somewhere in a botanical garden, where people (gardeners) work and customers visit this place. There might be a little chance that they talk and this talk is recorded by birdnet-pi. If a bird is chirping at the same time, the talk may be saved onto a sd card and made public. I know that the chance to record and possibly save human voices is quiet low if you put up the birdnet-pi in an appropriate place, but I need to take these concerns serious. Further, the audios are only 15 seconds long and only saved, if there is a bird recognized. If in purge mode, the data will be overwritten, if not copied, after a while. I do not think, that this is problematic in any way. However, I need to answer questions and I said, if necessary, signs could be used to indicate possible recordings of human voices. ;) And of course, I am interested, if you had similar discussions.

Beside the GPS coordinates, birdweather ID and the recognition data, which is sent to birdweather, is there any other data, which is transferred? These are public, anyway. I don't think so and that's what I told the guys who were asking me.

Security is a concern, too. I don't think that a birdnet-pi is a security risk, if properly embedded (maybe isolated) in the network. But is there possibly a chance that an intruder gets into the network and access other computers in the same network (which usually are vLANs)? Chance should be quiet low. But would it possibly make sense to protect birdnet-pi from brute force attacks by limiting the login attempts for example? I know, this should not be necessary, if only the passwords were long enough and contain letters as well as numbers and symbols.

Last, on German websites, an impressum is necessary. I think, this can be easily solved by editing the html. But maybe there should be a possibility to add "legal stuff" to the website? ;)

[Svardsten53]

This is very interesting. I can confirm that human voices are heard very well on bird sound recordings, even if the persons are some distance away. In Sweden, you have the full right to record video from your property, but you are not allowed to share it publicly if people can be identified. I suppose the same thing applies to audio recordings, so of course this may be a relevant issue.

Network security is also interesting and of course the risks should be minimized as much as possible to avoid intrusion and I guess Patrick can inform more about this.

In the European Union, all websites must be cookie and GDPR compliant, so this is also a relevant issue that should be fairly easy to resolve. More info can be found here: https://gdpr.eu/

[oliverk71]

Oh really? I did not expect that human voices can be heard so well over a distance. I do not think that I need to think about legal stuff in my garden unless someone feels spied on.

But on public places or where people work is something different. Every university has a data security officer. But not every institute cares about GDPR. For instance, zoom is problematic and we do have a better alternative, self hosted jitsi server, but however, many institutes use zoom and not always the EU variant. However, I think it is better, if I can answer questions, if they come up. And today, I was asked twice! I hope, in case of birdnet-pi, it would be sufficient to use signs for customers and maybe ask employees for permission, if the birdnet-pi is near a building with open windows in summer or something.

For impressum and data security guidelines, it would be sufficient to just provide an extra html site and a form to input text. And whoever runs an instance, should take action for data security by himself.

[mcguirepr89]

Hi, Oliver -- great questions! It has been a small dream of mine that someone would see a need to ask these questions (that means that the BirdNET-Pis are getting to be in more public spaces!!! So exciting!!)

Imagine, a birdnet-pi is put up somewhere in a botanical garden, where people (gardeners) work and customers visit this place. There might be a little chance that they talk and this talk is recorded by birdnet-pi. . . .

This concern will definitely need to be addressed locally, as I don't think there is any software approach to protecting privacy for this type of indiscriminate data collection. I think your idea of a disclaimer of some type is best:

• clearly advising passers by that:
  • audio is being recorded for birdsong detection
  • human voices are not intentionally stored
    and
  • someone regularly makes genuine attempts at culling any recordings which may have captured human voices by accident

That is likely that most anyone could do short of post-processing the audio for human voices (HumanNET-Pi . . . 😆 ).

Beside the GPS coordinates, birdweather ID and the recognition data, which is sent to birdweather, is there any other data, which is transferred? These are public, anyway. I don't think so and that's what I told the guys who were asking me.

If a BirdWeather ID is present, then you are correct that the only data sent is the recognition data. Without a BirdWeather ID, no data is transferred over the network with the obvious exception of HTTP requests. More on the security for that below.

But would it possibly make sense to protect birdnet-pi from brute force attacks by limiting the login attempts for example? I know, this should not be necessary, if only the passwords were long enough and contain letters as well as numbers and symbols.

This is something that can be added to Caddy as a module, and may be a very good idea. More on this below.

Last, on German websites, an impressum is necessary. I think, this can be easily solved by editing the html. But maybe there should be a possibility to add "legal stuff" to the website? ;)

I'm not familiar with Impressums nor GDPR, but looking at this the onus will likely be on the BirdNET-Pi system administrator to ensure that going public will comply with those needs. I am happy to help with making that easier for the user (like obtaining SSL certificates has been automated), but would need to know more -- maybe some examples and/or guidelines?

With all of that said, I would like to address a few points that I would consider if I were deploying BirdNET-Pis in public spaces with concerns like those you've mentioned:

Most secure

• Keeping things on a Local Area Network (or vLAN)
• Use custom hostnames for each installation
• Disable/Remove the FTP server sudo apt -y remove --purge ftpd
• Totally disable the web_terminal.service and rely on port 22 SSH access
• Disable SSH password authentication and rely only on SSH keys (<--- KEEP THOSE SAFE)
• Install fail2ban to protect against brute force SSH login attempts
• Encrypt web traffic by forcing HTTPS and redirecting port 80 requests to 443 (by simply adding https:// as the protocol for the BIRDNETPI_URL, even for IP addresses)
• Edit the homepage/views.php and homepage/index.php to use a hard to guess username for Basic Auth
• Edit the /etc/caddy/Caddyfile to use a hard to guess username for Basic Auth

With those settings above, the system is pretty dang secure. Caddy only responds to properly formatted requests to the defined site-block, which prevents it from participating in (responding to) most network-sniffing. When Caddy is configured properly to specify https:// as the protocol, it will redirect ALL requests that are for the un-encrypted port 80 to the encrypted port 443. You can further "lock down" the system by altering the "birdnet_log.service" to only respond to requests from localhost, and then use caddy to reverse_proxy the log through the encrypted port 443, lowering the open port count.

At that point, you have only a few ports open to the network:

• 22 -- SSH
  • With passwords disabled, there will only ever be an encrypted SSH key validation allowed for remote access. This means that even if you know the pi user password, only devices that have their SSH public key in the BirdNET-Pi's .ssh/authorized_keys file will be granted access. With fail2ban enabled, anyone who even tries brute forcing will find their IP address blocked.
• 80 -- HTTP
  • With this always redirected to port 443, it just serves as a means to helping get folks to the correct URL if they don't specify the secure port initially
• 443 -- HTTPS
  • This is always encrypted, and can either use certificates issued from Let'sEncrypt (if you use a Fully Qualified Domain Name for the BIRDNETPI_URL and BIRDNETLOG_URL, or Caddy's self-signed certificates work equally well with the same level of encryption for LANs.
• 8000 IceCast2 mp3 stream
  • This stream is password protected and only authenticates for localhost (though it listens on all interfaces). The password never travels over outside of the BirdNET-Pi's loopback network
• 8080 HTTP/alt
  • This is just another HTTP port handling HTTP requests for the Log -- it really just handles piping the output from a command into a web browser. The server handling that does not respond to any malformed requests, and only accepts a request with no additional paths or queries and the terminal itself cannot accept any input.

That's it! No other ports are available to the network.

Now, if any of that is not configured properly, then there could be some serious security concerns regarding the PHP input forms, as they provide NO validation whatsoever. This means that a malicious user can EASILY do whatever they want to if they had access to your Basic Auth credentials. For instance, inputting malicious PHP in any of the input forms on the Basic Settings or Advanced Settings pages could allow the hacker to submit "<?php shell_exec('sudo rm -drf /');?>" and potentially wipe out the whole system . . . and that's if they're truly not malicious.

I'm happy to go into more depth about any of the above and am interested to learn more about the requirements you might need help meeting in order to host an installation in a public space responsibly.

My best regards as always,
Patrick

[DD4WH]

@CaiusX AP,
I was just about to propose exactly that.

• It is hardcoded in the python script server.py that humans, noise and non_birds confidence scores are set to zero
• would be good, if humans could be excluded in line 170 of that script AND then every extraction, where human confidence score exceeds a defined threshold (maybe try 0.25 for this purpose ?) should be deleted (possibly in the extract_new_birdsounds.sh)

[mcguirepr89]

Hi, @CaiusX and @DD4WH

I'm hoping that this idea is going to work, though I have a different understanding of how the python script is working.

It is my understanding that the human and non-bird sounds get the confidence score of 0 so that no entries are made for that recognition. Though, that simply means the label for the sound won't receive "Human" because there is almost definitely another species that received a higher confidence score than 0 and would therefore get the label. This allows human voices to slip into the bird-recognitions as background noise.

My thinking is that we will need to set the human recognition to always receive a 100% confidence score, so that no other species recognition that could take place at the same time as the human voice could trigger a bird-labeled entry. So any excerpt that contains any human voice (even when there is a VERY confident bird sound happening simultaneously) will always receive the "Human" label and will not trigger a BirdNET-Lite entry but will also prevent another detection from picking up that same excerpt to label as a bird.

Then, at the point where the entry checks for the included and excluded species lists, it can be told never to make an entry for the Human label.

Let me know your thoughts and please accept my best regards as always,
Patrick

[CaiusX]

Hi Patrick

Frank is correct, if you remove Human_Human from line 170 then humans will get recognized.

I'm working on putting in a human cutoff separate to the bird cutoff, so if human is recognized at anything above that, reporting will stop dead for that 3 sec clip.

On the system side we'd need to delete that recording.

The dreaded load shedding has hit again, so no electrical power at the moment. I'll contact you when I'm back online, hopefully today,and maybe we can work together on NoMachine?

Best
AP

[oliverk71]

@mcguirepr89 Thanks for your security advices!

Custom hostnames ... local hostnames, right?
The web terminal has not been very useful for me, so I don't mind. I think SSH using hard to guess usernames and pretty secure passwords and fail2ban should be fully sufficient.

Regarding the PHP injection of malicious code: Wouldn't it be possible to secure it by checking the input string? So whenever (what should not happen, of course) an attacker gets the Auth credentials, he cannot inject malicious code by just entering code into the form.

Https should be used anyway and to enforce it makes sense.

[mcguirepr89]

Hi, @CaiusX --
I hope your offer to work together via NoMachine is still available as I'd like to look at server.py more closely and discuss its operation and what to do with the results. Let me know if tonight still works for you, or if you'd like to arrange something for tomorrow/another day.

My best!

[mcguirepr89]

Hello, all --

I just wanted to provide a brief update on this topic.

@CaiusX has done a wonderful job homing in on creating a Privacy setting. We're still rigorously testing these custom scripts, but the results so far have been promising.

What to expect:
I will be adding an "Advanced Setting" to enable a "Privacy Mode" which will be much more sensitive to Human sounds. It will also force the EXTRACTION_LENGTH to always use 3 seconds to ensure that the audio extraction service does not pad legitimate bird detections with audio collected from a human.

I will continue to keep this discussion thread apprised of progress on this topic.

My best regards as always,
Patrick

[mcguirepr89]

Here is a small change, but a very powerful one in terms of security:
I've altered the installation to only now use 1 custom URL which has allowed the installation to close the GoTTY back doors that would have been available to other users on the network.

Under the hood, GoTTY now only binds to localhost, which Caddy now handles with a reverse_proxy, adding TLS and Basic-Authentication protection :) ;)

[mcguirepr89]

Hello, all!

Note: you need to run the Update tool twice -- see below

Privacy Mode is now available to add to your installations with 2 updates.

The first update will get your new files, and the second update will ensure they're installed correctly. (Most updates don't require doubling down like this, but this does since we're introducing a new birdnet.conf variable)

You'll now notice a "Privacy Mode" toggle in "Tools" > "Settings" > "Advanced Settings":

Note that changing that settings swaps out the running server, which takes about 90 seconds to complete (closing all open files, pausing services, replacing the server with that which you choose, then starting things back up) and I don't have anything to let you know that stuff is working other than this disclaimer and the one that is visible on the "Advanced Settings" page.

When the privacy server is enabled, you'll see it pretty clearly indicated in the log:

[mcguirepr89]

You are right, though, that the second update doesn't change anything in the git history

[oliverk71]

Wait .... something happens ...

[oliverk71]

Cannot connect to website, but the pi is not rebooting, because I am still SSH'd in. Shall I reboot?

[mcguirepr89]

You shouldn't need to reboot? The second update really only does those two things? It would have had to become unresponsive as a coincidence with something else?

I suppose reboot and let me know what you see, but if after the reboot you cannot reach the site, let me know and I'll start doing some digging.

[Svardsten53]

Interesting with the new Privacy Mode feature. I have installed and activated it on my test system. It will be interesting to see if the neighbor's children will still be detected as whooper swans. 😁
That system is closer to the road where cars and people pass and I have definitely had more false positives there than in my other system. The assumption may be far-fetched, but we'll see if the result will be better with Privacy Mode activated.

[oliverk71]

Okay, I rebooted and it seems to be up, because it shows up in the router. But I cannot connect to the website and I cannot connect via SSH anymore.

What else I did? Half an hour before I tried to update birdnetpi, I ran sudo apt update && sudo apt upgrade -y and waited until it's ready.

[mcguirepr89]

That indicates that the system has booted into recovery mode, as it is filtering the SSH port. You MIGHT be able to SSH as root in this instance, since recovery mode uses root, but that seems unlikely.

I'm afraid you may find some complaint from the SD card when you bring the Pi inside to see what is going on. Hopefully a hard power cycle may help (unplugging plugging back in after 10 seconds or so).

I still don't think this is necessarily related to the update -- hopefully, it is, because if it is, I will be able to get you back up and running. If this is a hardware issue that the SD card has corrupted or something, then there won't be much with which I can help aside from a speedy reinstallation :/

[mcguirepr89]

Sure? Because:
Starting Nmap 7.80 ( https://nmap.org/ ) at 2022-04-09 23:01 CEST
Nmap scan report for p5dcb890b.dip0.t-ipconnect.de (93.203.137.11)
Host is up (0.0013s latency).
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp filtered http
443/tcp filtered https

filtered means those ports are behind the router's firewall -- hopefully a reboot will clear that up

[mcguirepr89]

They'll need to report as open:

Nmap scan report for virginia.birdnetpi.com (108.28.101.140)
Host is up (0.0021s latency).
rDNS record for 108.28.101.140: pool-108-28-101-140.washdc.fios.verizon.net
Not shown: 995 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
443/tcp  open  https

[oliverk71]

I am connected via SSH now. This port is open, 80 and 443 closed. You may SSH into it using the IP address 46.89.159.162.
Do you still have the pw?

[mcguirepr89]

I'm sure I can track it down! I'll let you know if I need it

[mcguirepr89]

Another update here:

On April 7th, the Raspberry Pi foundation discontinued the default pi user. This means that I have some adjustments to make to BirdNET-Pi, but that when those adjustments have been made, everyone's system will be that much more secure. With the default pi user, nefarious characters would have been able to assume that at least the pi user account exists and therefore target it -- without that default user account, nefarious characters would need to first discover the existing user account before deciding where to target.

I have some documentation to update as well, but I hope to have this all fixed by the end of the day or tomorrow at the latest.

My best regards as always,
Patrick

[oliverk71]

I am currently doing a clean install. You suggested fail2ban @mcguirepr89. Let me ask: Why is this better than just editing the ssh config file and limiting the login attempts? You also suggested ssh certificates instead of password protection, but I think this is complicated if I want to login from somewhere else from another PC. What about 2FA protection? I've read something about 2FA on the pi and it seems to be a nice way to protect the pi, don't you think?

[unosonic]

If you want to make things secure, don't allow direct access to the Pi, only through trusted infrastructure, eg. a SSH jumphost, a HTTPS-Proxy, VPN/tunnel etc. Of course you would have to make compromises, eg. not login from everywhere, no web terminal etc.