Your data, privacy, surveillance and Social Media

[Hua Guofang]

Electrician fired for refusing to use facial scanning system wins $23,000

25 Dec, 2019 8:24am

Dubby.Henry@nzherald.co.nz

https://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=12296541

 

An electrician who was fired after refusing to use a facial scanning sign-in system has won more than $23,000 from his former employer.

Tim Fensom worked for eight months in 2018 as a leading hand electrician for KME Services NZ, a contractor on a building project at Christchurch Hospital Hagley.

But that October KME dismissed him for "serious misconduct" after he twice refused to clock in using a facial scan, citing concerns about how his data would be stored and used.

He has now been awarded $23,286 by the Employment Relations Authority for unjustified dismissal, hurt and humiliation.

In September 2018 KME employees at the construction site were sent a memo that the paper sign-in system was being replaced by biometric data and facial scanning technology.

The system, called Timecloud, would "show KME's commitment to workers' health and safety", the memo said. The scanner "will help us track employees and subcontractors in case of emergencies or site evacuation" in the 62,000sq m building.

Timecloud was to be rolled out within a fortnight, but it was delayed for several weeks while the company answered questions from employees about why it was needed and how their biometric data would be protected.

On October 11 Fensom emailed managing director Tim Lane, saying he fully agreed with the need for accurate timekeeping but was disappointed at how the change was communicated, and was uncomfortable with the use of biometric scans. A swipe card system would be "less invasive", he suggested.

He had been told he would get a "first and final warning" the first day he did not comply, and be removed from site on the second day.

Lane replied that was incorrect, but said refusing to follow health and safety policies would breach Fensom's contract and that could lead to a warning letter.

Employees had already had a chance to raise concerns, Lane said.

Fensom was on holiday when the Timecloud system launched. When he returned on October 29 he told his supervisor he would not use the face scanning system, and signed in on paper instead.

Midafternoon, his supervisor gave him a warning letter, with Lane's name attached. The following morning, Fensom again refused to use the facial recognition system. His supervisor immediately gave him a pre-written termination letter, signed by Lane.

It said his employment had been ended for "serious misconduct", and he was escorted out of the building.

KME failed 'fair and reasonable' employer test

Fensom applied to the Employment Relations Authority for personal grievances for unjustified disadvantage and unjustified dismissal.

KME's actions were not those of a fair and reasonable employer, the ERA said in its finding on December 20.

Fensom had not had a chance to explain himself, and his reasons for refusing to use the system were not genuinely considered.

KME also did not give Fensom a disciplinary meeting or a chance to get advice or support - which was in breach of his contract - and thus both the warning letter and firing were unjustified, the ERA said.

Fensom also found his firing humiliating, the ERA said.

"He was embarrassed having to tell friends and family about his circumstances and, as a result of a lack of income while he looked for work, having to borrow money from them."

KME has been ordered to pay Fensom $11,286, minus tax, for lost wages and $12,000 as compensation for "humiliation and injury to his feelings" by January 31.

 

Worker consultation "failed at the first hurdle"

The ERA said there were "significant problems" with the way KME had brought in the new system.

The company claimed to have consulted workers, as required by law, but the ERA found that consultation was a sham. Lane had purchased the Timecloud system in August, before asking employees for their input.

Employees should be consulted about change affecting them in a way that was "a reality, not a charade", the ERA said. KME's consultation had failed "at the first hurdle".

While Fensom and his colleagues were legally required to follow their employer's health and safety policies, "those obligations did not trump ... KME's [obligations] to first consult them before introducing such policies".

There was also doubt whether KME's health and safety rationale for bringing in face scanning was valid.

The company claimed safety in an emergency was its main concern. While this was a legitimate purpose, workers were not required to clock out when they went to Hagley Park for lunch - suggesting the system would not accurately pinpoint who was on site, the ERA said.

Lane admitted to the ERA the real benefits of the system were to reduce time fraud, because workers could not sign in their colleagues, and for ease of administration.

Privacy concerns not properly addressed

The ERA found KME's answers to privacy concerns were "inadequate and to some extent misleading" because Timecloud could change the privacy policy at any time.

Workers were told biometric data would be encrypted and would be deleted when the worker's employment with KME ended. Users could use only their first name to protect their privacy.

Users consented to their information being collected and disclosed in accordance with the privacy policy, but that Timecloud could change that policy without notice.

Timecloud would not disclose personal information to any third party "except where disclosure relates to the purposes for which the information was collected … and as agreed in the Terms of Use" - but those terms of use were not provided.

[Fist 666]

/\/\/\ People should read that one, im willing to bet that becomes very commonplace in the next few years. 

[Dirty_habiT]

The problem I see with all of this is that even if you're super tin foil hat man, you had better stay inside your house and never go into public where any cameras are used.  It's actually not that hard to "fingerprint" and identify people that are "off the grid" so to speak.  An easy scenario is when you're at a bar and someone takes a picture of their friends, and you're in the background.  Then, let's say another person also takes this picture and you're in the background.  Then, let's say that the bar has converted from traditional registers to those chincy tablets that have card scanners, and a 3rd party "tech company" is processing all the sales.  The third party tech company could then have a list of photos that they've paid for from instagram/facebook/whoever be made available to them, with geotagging data.  They could easily tie the photos to the purchases, and the photos of people that "don't have accounts" to other purchases.

 

The tech is already there to identify nearly anyone in public.  The ONLY thing that would make you safe is using cash for all purchases, never having a cell phone on you, and covering your face when in public..... but that's more than most anyone in today's age is going to do.

[Dirty_habiT]

biometric databases can build multiple image records of "unkowns".  Meaning, you could have your picture taken in public several times, and end up in a database with a unique id attached to your group of pictures.  At some point the rest of the data necessary to attach that group of pictures to a name/address/phone number/email address will be presented to the database with the unique ID and down the rabbit hole you can go.  Now someone that was "very careful" about their identity, is "part of the system."

 

The DNA scanning programs people willingly participate in these days are crazy.  All we need is some shit form of government to be in place and to determine certain families with certain genes are "unneeded" and we'll see another event similar to the holocaust.

[Hua Guofang]

I haven't look at this yet but people I trust are sitting back in their chars about it.

 

[Hua Guofang]

On 12/30/2019 at 3:27 AM, Dirty_habiT said:

The problem I see with all of this is that even if you're super tin foil hat man, you had better stay inside your house and never go into public where any cameras are used.  It's actually not that hard to "fingerprint" and identify people that are "off the grid" so to speak.  An easy scenario is when you're at a bar and someone takes a picture of their friends, and you're in the background.  Then, let's say another person also takes this picture and you're in the background.  Then, let's say that the bar has converted from traditional registers to those chincy tablets that have card scanners, and a 3rd party "tech company" is processing all the sales.  The third party tech company could then have a list of photos that they've paid for from instagram/facebook/whoever be made available to them, with geotagging data.  They could easily tie the photos to the purchases, and the photos of people that "don't have accounts" to other purchases.

 

The tech is already there to identify nearly anyone in public.  The ONLY thing that would make you safe is using cash for all purchases, never having a cell phone on you, and covering your face when in public..... but that's more than most anyone in today's age is going to do.

What you're saying is right on, you can't hide and going off the grid to hide is not a good idea unless you want to go live in a cave. None of us are going to do that so the next best thing is to understand how data is collected, why it is collected, by whom and how it is used.

 

Having that knowledge will allow people to make informed decisions on which personal information is best protected and how to do that. This coes back to previous discussions on search history, loyalty programs, geo-tagging etc. and how to keep your own info to yourself.

 

For me, the above article hits three points: orgs that collect your data have to be able to protect it and be trusted not to pass it on, 2, understanding the law - not just those directly related to data - is important to defending your privacy, 3, you need to understand how your data can be used for secondary purposes, even if it was collected for legitimate means in the first place.

 

 

[Hua Guofang]

Good chance your car is sending you location, contacts and other details about you back to the manufacturer. 
 

https://futurism.com/cars-secretly-spying/amp?__twitter_impression=true

[Dirty_habiT]

The fun part about it is they don't even really need to use GPS to track your cell phone, so unless you're removing the battery from it or powering it down (and trusting that a powered down phone actually is completely 100% powered off and not just telling you/showing you that it is) then you're still trackable.

 

In fact if you don't want to be tracked, leave your smart phone at home when you go do shit.

[Hua Guofang]

 

Jams microphones with ultrasonics. there are also glasses you can wear that flood your face with (IR, I think) light that stops cameras from being able to determine features. There are also Tshirts and scarves that are a mash of facial features that divert and confuse algorithms used in bio-recognition software.

[Dirty_habiT]

^^ I have a feeling that we're going to be seeing a whole lot more of this tech in the near future as more and more people warm up to the idea that they've been used as pawns this whole time in some very large business's money making schemes without knowing it.

[Hua Guofang]

spoofing and jamming cams is the new wig and fake beard.

 

Speaking of which, bushy beards, wide sunglasses, hats/beanies pulled low, covered ears, etc. are good for beating the cams.

 

Or fuck it, just go full ninja and throw smoke bombs 100% of the time.

[Hua Guofang]

Gee, what a great big fuckin surprise. These guys will be one of the biggest tarets on the web and I only wait for the day when we hear that their entire database has been breached and lost.

 

 

Clearview AI has billions of our photos. Its entire client list was just stolen

By Jordan Valinsky, CNN Business

https://amp.cnn.com/cnn/2020/02/26/tech/clearview-ai-hack/index.html?__twitter_impression=true

Updated 1:24 PM EST, Wed February 26, 2020

 

 

New York(CNN Business) Clearview AI, a startup that compiles billions of photos for facial recognition technology, said it lost its entire client list to hackers.

The company said it has patched the unspecified flaw that allowed the breach to happen.

In a statement, Clearview AI's attorney Tor Ekeland said that while security is the company's top priority, "unfortunately, data breaches are a part of life. Our servers were never accessed." He added that the company continues to strengthen its security procedures and that the flaw has been patched.

 

In a notification sent to customers obtained by Daily Beast, Clearview AI said that an intruder "gained unauthorized access" to its customer list, which includes police forces, law enforcement agencies and banks. The company said that the person didn't obtain any search histories conducted by customers, which include some police forces.

The company claims to have scraped more than 3 billion photos from the internet, including photos from popular social media platforms like Facebook, Instagram, Twitter and YouTube.

The firm garnered controversy in January after a New York Times investigation revealed that Clearview AI's technology allowed law enforcement agencies to use its technology to match photos of unknown faces to people's online images. The company also retains those photos in its database even after internet users delete them from the platforms or make their accounts private.

That prompted cease-and-desist letters from tech giants Twitter (TWTR), Google (GOOGL) and Facebook (FB). Some states, such as New Jersey, even enacted a statewide ban on law enforcement agencies using Clearview while it investigates the software.

In an interview with CNN Business earlier this month, Clearview AI founder and CEO Hoan Ton-That downplayed concerns about his technology. He said he wants to build a "great American company" with "the best of intentions." He said he wouldn't sell his product to Iran, Russia or China and claimed the technology is saving kids and solving crimes.

[Schnitzel]

Damn Hua,  was reading your long article from pre christmas regarding the mobile advertising/surveillance and one of the companies I work with is mentioned there.

And as I was reading a marketing email from them came through.

 

Raven 12oz pocket faraday wallets for phones to cloud data?

 

Wondering if you had. away to block your phone from pinging but then you get in your car.

 

Mine has GPS inbuilt that came with the car and I assume gets reset each time i get my free 30,000 km service or whatever.

 

Can they overlay tracking data from the car and match it with my phone to possibly fill in blanks if I'm going out for a night paint sans phone?

 

 

[Dirty_habiT]

You don't want to just stick your phone in some sort of faraday cage/wallet/pouch.  Maybe if you turn on (and trust) airplane mode and stick it in the pouch that would be ok.  Most phones have logic that will up their transmit power when they cannot reach a network signal in an effort to get a signal where signals are weak.  This will eat your battery life way quicker than normal.

 

I wish they'd make iphones with removable batteries, or a hardware switch that disconnects the batter leads from the phone so you don't have to actually remove it.  I'm certain that we will see a privacy conscious phone like this in the future if there is not already something like that.  I'm excited about some of the diy linux phones to mature because they will certainly fit this type of use case.

[Dirty_habiT]

Also worth mentioning is the fact that you likely are leaking your DNS queries to your ISP.  So you can go through all these hoops to use a VPN etc but if you haven't specifically addressed the DNS side of things then you're very likely still giving them a whole lot of information.

 

The two DNS servers I have configured to be passed out over DHCP on my LAN are 1.1.1.1 and 9.9.9.9.  Additionally, Firefox's recent update just added DNS over HTTPS.  Preferences -> General -> Networking Settings -> Settings -> Enable DNS over HTTPS.  With that enabled I'm not even sure 1.1.1.1 or 9.9.9.9 know what websites I'm looking up (provided it works the way it's supposed to work/as advertised).

[misteraven]

12 hours ago, Dirty_habiT said:

You don't want to just stick your phone in some sort of faraday cage/wallet/pouch.  Maybe if you turn on (and trust) airplane mode and stick it in the pouch that would be ok.  Most phones have logic that will up their transmit power when they cannot reach a network signal in an effort to get a signal where signals are weak.  This will eat your battery life way quicker than normal.

 

I wish they'd make iphones with removable batteries, or a hardware switch that disconnects the batter leads from the phone so you don't have to actually remove it.  I'm certain that we will see a privacy conscious phone like this in the future if there is not already something like that.  I'm excited about some of the diy linux phones to mature because they will certainly fit this type of use case.

Know someone that works with Apple and though I wasn't told specifics, they mentioned that security is going to be a huge topic in the near future. Essentially, they're just letting the current conversation run its course and letting the competition solidify their responses before dropping a game changer on everyone.

 

We'll see but should be 12 - 18 months out.

[misteraven]

1 hour ago, Dirty_habiT said:

Also worth mentioning is the fact that you likely are leaking your DNS queries to your ISP.  So you can go through all these hoops to use a VPN etc but if you haven't specifically addressed the DNS side of things then you're very likely still giving them a whole lot of information.

 

The two DNS servers I have configured to be passed out over DHCP on my LAN are 1.1.1.1 and 9.9.9.9.  Additionally, Firefox's recent update just added DNS over HTTPS.  Preferences -> General -> Networking Settings -> Settings -> Enable DNS over HTTPS.  With that enabled I'm not even sure 1.1.1.1 or 9.9.9.9 know what websites I'm looking up (provided it works the way it's supposed to work/as advertised).

Great, no we have to be rocket scientists to use the interweb without big brother and its minnions knowing every stupid thing we look at.

[Dirty_habiT]

I wouldn't be the least bit surprised if Apple makes something fantastic ..... like they've always done.  Currently, it's a constant challenge in court cases to get Apple to "unencrypt or unlock" a phone.  They refuse to do it and for that reason I will continue to use their products.  That's not the only reason, obviously.  They cost more because they're actually better.  Yes, the price may be a bit inflated for the Apple log, but that's almost anything you want in life that is actually good.... you have to pay the premium.

 

Again, I'll point out that my main computer is a mid-2013 Macbook Air.  It works great for everything except gaming or anything incredibly CPU/GPU intensive.  I wouldn't try to mine cryptocurrency with it.  I would expect to participate in Folding At Home in any respectable capacity, but in terms of "just working well" all the time.... zero complaints.  I'd recommend their products to anyone that is willing to listen.

[Dirty_habiT]

1 minute ago, misteraven said:

Great, no we have to be rocket scientists to use the interweb without big brother and its minnions knowing every stupid thing we look at.

It's always been like that since they decided that snooping DNS was a thing worth doing at the ISP level.  It's super easy to get around though, just log into your home router and change the DHCP settings for DNS to use the two resolvers I named above by IP.

 

1.1.1.1

and

9.9.9.9

 

That should cover almost anyone that wants to remain a bit more private.  Basically, if you don't do this they can see that you're going to pornhub.com but they can't tell you're watching the "fucked your midget step brother" videos... that parts encrypted, but they have imaginations too.

[misteraven]

1 hour ago, Dirty_habiT said:

It's always been like that since they decided that snooping DNS was a thing worth doing at the ISP level.  It's super easy to get around though, just log into your home router and change the DHCP settings for DNS to use the two resolvers I named above by IP.

 

1.1.1.1

and

9.9.9.9

 

That should cover almost anyone that wants to remain a bit more private.  Basically, if you don't do this they can see that you're going to pornhub.com but they can't tell you're watching the "fucked your midget step brother" videos... that parts encrypted, but they have imaginations too.

Can you please explain this a bit more for the laymen? I understand how DHCP is a method to assign IP's to nodes dynamically, but not entirely clear on how this process is used to spy on people or how you're circumnavigating their process by directing your lookups elsewhere. What are those IP's and how do they differ from the usual?

[Dirty_habiT]

Sure thing.  I'll go ahead and go over some terms so that everyone can follow along.

 

DHCP - Dynamic Host Control Protocol.  This is what assigns an IP address to your computer when you connect to a wifi network or plug in an ethernet cable.  This is how the router (that assigns the IP to you via DHCP) knows where to send reply traffic to your outbound requests.  One of the jobs of the DHCP server/router is to assign you a set of DNS Resolvers along with an IP address.

 

DNS & DNS Resolver - Domain Name Service.  DNS is what takes yahoo.com and looks up what it's public IP address is so it knows where to send your request for it's front page when you type in yahoo.com.

 

ISP - Internet Service Provider.  This is who you pay for your internet connection.  They usually provide you a router in your home and set up your wifi network for you.

 

HTTP/HTTPS - Hyper Text Transport Protocol (and Secure) - HTTP is how a website displays a webpage in a way that your browser makes readable to you.  This is, traditionally, not encrypted.  Meaning, anyone else snooping on the traffic going over the network could see exactly what you're looking at by just passively collecting the HTTP packets that are traveling back and forth.  Think of this like a camera that can identify the driver of every car in your neighborhood.  HTTPS encrypts this traffic and makes it to where the client and the server can only encrypt/decrypt traffic as it is sent and received between those two points.  This is like everyone in the neighborhood having limo tint and a license plate written in an alien language on their car.

 

Here's where the problem comes in.  If you use the basic/default settings the ISP sets up for you then you will VERY likely be using their DNS resolvers.  These cascade down so their network assigns IP addresses to the routers that are installed in your home (your cable modem, your fiber internet connection, your DSL modem).  This is your public IP address.  Behind that you have your wifi network.  These are private addresses that are not "routable by the internet".  This means your computer's IP is likely 192.168.0.xxx.  Or something very close to that.  Your ISP gives your cable modem/dsl modem a set of DNS resolvers to use so that it can look up things for you when it receives requests from within your internal network at home.

 

If you leave your router at default settings it will use their DNS resolver.  This means when you type in hotchickswithbigdicks.com.... they can see that you went there, they resolved the IP address for you, and told you where hotchickswithbigdicks.com resides on the internet.  From there, the traffic turns into "HTTPS" (most of the time).  HTTPS encrypts the communications and nobody can really snoop on it from there.  The issue is, that even though they cannot see what you're looking at, they can see every single domain you resolve into an IP address in the process of viewing any website.  This means that when you go to CNN.com and it loads 45 javascripts from ad networks that are all on their own separate domains.... your ISP resolves 45 different domains for you and knows that your computer, or some computer behind the router installed in your house went to those places or requested assets from those places.

 

All you have to do to stop them from snooping is change what DNS resolvers your DHCP server/router assigns to your private network over wifi or ethernet connection.  This is done by logging into your router and adjusting the settings.  I can't go into exact detail on how to do that here because there are many different models with different user interfaces and ways of making those changes.  It's super easy to look up for the most part if you know the brand/model of your router/cable modem/dsl modem.

 

1.1.1.1 - their website here explains it, it's CloudFlare's DNS resolver so it's for the privacy conscious netizen - https://1.1.1.1/

9.9.9.9 - same except not CloudFlare - https://www.quad9.net/

 

Essentially those two resolvers don't keep logs of what you've looked up.

 

@misteraven

[KILZ FILLZ]

 

 

Twitter spying through front facing cameras. 
 

 

 

 

 

I wonder what’s going on with the suit against Facebook for doing the same with Instagram? Cant find anything newer than September. 
 

 

[Dirty_habiT]

@KILZ FILLZ- can you explain a bit about what's going on there in your last post?  What do you mean "spying"?  Lay out the exact end to end scenario that resulted in those photos of those people being posted if you don't mind.  I just don't follow.

[KILZ FILLZ]

It runs parallel with something Facebook/Instagram is accused of:

 

www.businessinsider.com/facebook-spied-on-instagram-users-through-iphone-cameras-lawsuit-says-2020-9%3famp

 

In July, users noticed that a green FaceTime symbol was showing up when they scrolled through their Instagram feed, per the Independent. The symbol appears on iPhones when the camera is on.

 

In November, users accused Facebook of accessing iPhone cameras through the Facebook app. A Facebook spokesperson told CNN that the bug was "inadvertently introduced" and promised to fix the issue.

 

———

that article is from 9/18/20. I’m not having any luck finding something more recent. 
 

those pics are screen grabs Twitter users shared showing that Twitter seems to be doing the same thing. Those photos are supposed to be thumbnails for the ads/posts they are scrolling by, but instead it’s showing their “selfie cam” on and reflecting them. 
 

I am completely ignorant to the backside of things with apps like this. I do think that the three largest social media companies having the same bug is a bit too convenient of a coincidence. With your experience in computer science do you see this being a bug? Or something intentional for data mining? @Dirty_habiT

[Dirty_habiT]

Will respond in the AM. Just read this. 

[Dirty_habiT]

16 hours ago, KILZ FILLZ said:

I do think that the three largest social media companies having the same bug is a bit too convenient of a coincidence. With your experience in computer science do you see this being a bug? Or something intentional for data mining? @Dirty_habiT

 

I can answer your question maybe with my own personal experience and with some theories I have.  I will start with a few questions with answers that will get our thinking about this going.....

 

How do you know if your camera is on?  (it has an indicator/green light/icon on screen)

What turns on the indicator? (software)

Who writes the software?  (Apple/Samsung/Google/etc)

Who writes "any" software you would have on your phone? (someone else that isn't "you")

Can you trust this 3rd party to only behave in a way that benefits you, the "consumer"? (maybe, maybe not)

 

I find it awfully convenient to have a bug like this in a large, widely consumed product, like instagram or snapchat or w/e it was that had the bug.  The reason I think this is because I work for a very small software company and we find WAY LESS serious bugs than this on a daily basis.  It is VERY VERY VERY rare that something makes it into our production clusters that we didn't expect/fix prior to release to production.  For FB a release to production means updating the FB app on everyone's phones w/ the new code.  This is how they give you features and make bug fixes.

 

I think it is very likely that software has the ability (and we've actually seen in the past) to turn on and use ANY of your phone's sensors at any time without doing any other thing.  There is a big if here.  That "if" is that if they have the camera's "on button" power running through that green led on your phone, AND they have failure of that led indicated on the phone if it ever fails then I would think that you could trust the green light on the phone/computer.

 

I'm hesitant to believe this is the case, and am fairly certain that the way the green led works or the on screen icon indicator that your camera is on/microphone is recording, etc.... is that the software has to use some library that "requires" the led to turn on when the camera turns on.  However, as I'm trying to make obvious, I don't think these two things HAVE to happen together. 

 

I haven't dug into the docs on modern phone cameras and the software that controls them.  This is very fishy though and I don't think it's a simple bug.  These companies have been suspected of collecting all sorts of other data on you that would make you cringe if it was laid bare what they're doing.

 

[sp]

I have to agree with @Mercer but also props to the OP for this terrifying intel on AI and people acting like sheep. The world is being transformed into an Orwellian nightmare by unscrupulous governments who are vying for complete surveillance and control. I know this is cliche and has been said many times to the point of jaded reaction. However I, and many others Im noticing, are tired of people gaslighting this issue as a conspiracy theory, when it's happening before our eyes. And the scumbags in charge have been extremely careful to have us believe they are not the problem. It makes me sick seeing "graffiti writers" paint murals of dead judges, people who incarcerate us, because they have been so blinded by either pro or anti trump sentiment that they cannot see the government for what it really is.

[sp]

Does anyone have any experience with "indy" phone OSes (other than iphone and android)

[sp]

DHCP, DNS, and HTTPS -- all things controlled by the overlords. If they decide you shouldn't be allowed on the internet, they can and will revoke your domains, servers, DNS, and you will be forced to host your site on the dark web along with drug dealers and pedos. Again, back to government control/slavery.

Edited December 16, 2020 by sp

[KILZ FILLZ]

1 hour ago, sp said:

Does anyone have any experience with "indy" phone OSes (other than iphone and android)

Ive used BB10 OS (blackberry) and Cyanogen OS (One+)

 

BB10 was really a joy. The only downside was extremely limited app support. Instead of the Google play store or the Apple App Store, you were limited to an Amazon App Store - it didn’t have much available. BUT- if you are ducking around with blackberry you are likely for production focused than entertainment focused. I had the BB Passport model and really wish I had held on to it, but the resale value was just too good to pass up. I think I made a profit off it after about 1yr use. Blackberry fans are loyal as fuck and if they want a model they will pay. 
 

Cyanogen was basically a jail broken Android OS to me. Extreme customization (even the boot-up screen). Absolutely zero bloatware. But when I was using it, it was pretty unstable. My phone would crash a couple times each week doing routine tasks. I had the One+1, first model offered by One+, the hardware was amazing. 
 

I was very close to buying the Amazon Fire phone (3D display) a few years back but never pulled the trigger. If I remember right if you purchased the phone you got one free year of Amazon prime so the math worked out pretty well. I just wasn’t very interested after my experience with BB10 and the Amazon App Store. The fire phone had an Amazon OS that looked like it was separate from Android instead of a modded Android OS. You can probably find one of these phones on eBay for the cheap. 
 

out of the three I’d suggest rolling with the bb passport. The security features on that thing are something I’ve never seen before. Even something as basic as the password keeper.