Mobile Location Scandals Keep Making Facebook's Privacy Flubs Look Like Child's Play

from the ill-communication dept

We've noted a few times now that while Facebook gets a lot of justified heat for its privacy scandals, the stuff going on in the cellular data and app market in regards to location data makes many of Facebook's privacy issues seem like a grade-school picnic. That's something that was pretty well highlighted by the recent Securus and LocationSmart scandals, which showcased perfectly how cellular carriers and location data brokers routinely buy and sell your daily travel habits with only a fleeting effort to ensure all of the subsequent buyers and sellers of that data adhere to basic privacy and security standards.

Over the weekend, the New York Times had an interesting read that offers some fresh insight into just how commonly your daily location data is traded and shared without much in the way of meaningful protection or oversight. There's a certain naive shock by both the Times authors and its subjects as they suddenly realize that apps on mobile devices routinely hoover up users' daily movement patterns, often without anything in the way of real consent or transparency, then sell that valuable data to every Tom, Dick, and Harry in a bid to monetize it:

"The app tracked her as she went to a Weight Watchers meeting and to her dermatologist’s office for a minor procedure. It followed her hiking with her dog and staying at her ex-boyfriend’s home, information she found disturbing.

“It’s the thought of people finding out those intimate details that you don’t want people to know,” said Ms. Magrin, who allowed The Times to review her location data.

The Times investigation found that at least 75 companies routinely receive anonymous, precise location data from apps that collect location data but fail to clarify how that data is used. Several of the firms tracked by the Times note they routinely collect data on more than 200 million mobile devices; data that in many instances is so granular it's updated as many as 14,000 times a day. Of course if you've been paying attention, location data has been a gold mine for cellular carriers (and everybody in the chain) for the better part of the last decade as it's sold to everyone from city planners to shopping malls.

And while carriers and those handling this data routinely insist there's no harm because this data is "anonymized," reports have repeatedly shown that this kind of data isn't really anonymous, especially if it can be linked with other private data (obtained by hackers, leaked, or already in the wild). That's something you can feel the Times reporters realizing as the story proceeds:

"Businesses say their interest is in the patterns, not the identities, that the data reveals about consumers. They note that the information apps collect is tied not to someone’s name or phone number but to a unique ID. But those with access to the raw data — including employees or clients — could still identify a person without consent. They could follow someone they knew, by pinpointing a phone that regularly spent time at that person’s home address. Or, working in reverse, they could attach a name to an anonymous dot, by seeing where the device spent nights and using public records to figure out who lived there."

Curiously, the Times doesn't even mention the cellular carriers' role in this problem, insisting that location data sales "began as a way to customize apps and target ads for nearby businesses." In reality, cellular carriers have been tracking and selling your location data before the concept was even a twinkle in many app makers' eye, and as the recent LocationSmart scandal (which exposed the personal data of nearly every mobile customer in North America) made very clear, this data is sold to dozens of third-party location data brokers and their sales partners -- without much, if any, effort to ensure it's being protected down the chain.

In other words, app location data sharing is just a smaller part of a massive problem. A problem that started with telecom operators and our total unwillingness to hold them accountable for similar behavior. Politically powerful cellular carriers who repeatedly insisted we didn't need any meaningful privacy rules of the road because "public shame" would keep the industry honest. That promise has never really worked out that well.

Multiple ISPs were accused years ago of collecting and selling consumer clickstream data. When they were pressed for details, many simply either denied doing it or refused to respond. Collectively, we decided that was fine. As more sophisticated network gear like deep-packet inspection emerged, ISPs began tracking and selling online browsing habits down to the millisecond, some even charging users extra if they wanted to protect their own privacy. Wireless only made things worse, some carriers even going so far as to modify your very data packets to glean additional insight without your knowledge or consent.

That initial attitude has subsequently infected every other ecosystem on the network as countless industries ran toward the location data cash cow, utterly apathetic to the slow but steady erosion of consumer trust and privacy. There's an endless list of points of failure here by self-interested companies eager to prioritize growth over all things, from the carriers themselves to the app store approval process. As such, the focus specifically on apps--or Facebook--tends to miss the bigger picture: that this sort of behavior is now the norm across all of tech, not some errant anomaly.

That said, the Times piece is still full of some entertaining revelations on app privacy specifically, like the fact that even some of the companies involved don't understand why the hell they even have access to all of this customer location data:

"To evaluate location-sharing practices, The Times tested 20 apps, most of which had been flagged by researchers and industry insiders as potentially sharing the data. Together, 17 of the apps sent exact latitude and longitude to about 70 businesses. Precise location data from one app, WeatherBug on iOS, was received by 40 companies. When contacted by The Times, some of the companies that received that data described it as “unsolicited” or “inappropriate.'

Currently, outside of a week of bad press that's quickly forgotten (see: Equifax), there's really no penalty for even the most mammoth of privacy abuses (aside from the occasional wrist slap for violating kid specific privacy laws like COPPA). This apathy and incompetence was rooted in the cellular and telecom industry, and has since spiraled outward, infecting every app and internet ecosystem as numerous industries ran to feed at the unsupervised trough. The fact that we're still so collectively naive to the scope of the problem a decade or two later is utterly mind boggling in and of itself.

Filed Under: location data, mobile apps, privacy

United Airlines Made Its App Stop Working On My Phone, And What This Says About How Broken The Mobile Tech Space Is

from the garbage-in-garbage-out? dept

This post isn't really about United Airlines, but let's start there because it's still due plenty of criticism.

One day my phone updated the United App. I forget if I had trusted it to auto-update, or if I'd manually accepted the update (which I usually do only after reviewing what's been changed in the new version), but in any case, suddenly I found that it wasn't working. I waited a few days to see if it was a transient problem, but it still wouldn't work. So I decided to uninstall and reinstall, and that's where I ran into a wall: it wouldn't download, because Google Play said the new version wasn't compatible with my phone.

Wait, what? It used to run just fine. So I tweeted at United, which first responded in a surprisingly condescending and unhelpful way.

Sometime later I tweeted again, and this time the rep at least took the inquiry seriously. Apparently United had made the affirmative choice to stop supporting my Android version. And apparently it made this decision without actually telling anyone (like, any of their customers still running that version, who might not have updated if they knew they would have to BUY A NEW PHONE if they wanted to keep running it).

Ranting about this on Twitter then led to an interesting argument about what is actually wrong with this situation.

But let's not let United off the hook too soon. First, even if United were justified in ceasing to support an Android 4.x capable app, it should have clearly communicated this to the customers with 4.x phones. Perhaps we could have refused the update, but even if not, at least we would have known what happened and not wasted time troubleshooting. Plus we would have had some idea of how much United valued our business...

Second, one of the points raised in United's defense is that it is expensive to have to support older versions of software. True, but if United wants to pursue the business strategy of driving its customers to its app as a way of managing that relationship, then it will need to figure out how to budget for maintaining that relationship with all of its customers, or at least those whose business it wants to keep. If providing support for older phones is too expensive, then it should reconsider the business decision of driving everyone to the app in the first place. It shouldn't make customers subsidize this business decision by forcing them to invest in new equipment.

And then there was the third and most troubling point raised in United's defense, which is that Android 4.x is a ticking time bomb of hackable horror, and that any device still running it should be cast out of our lives as soon as possible. According to this argument, for United to continue to allow people to use their app on a 4.x Android device would be akin to malpractice, and possibly not even be allowed per their payment provider agreements.

At this point we'll stop talking to United, because the problem is no longer about them. Let's assume that the security researchers making this argument are right about the vulnerability of 4.x and its lack of support.

The reality is, THE PHONES STILL WORK. They dial calls. They surf the web. They show movies. Display ebooks. Give directions. Hold information. Sure, at some point the hardware will fail. But for those wrapped in good cases that have managed to avoid plunging into the bath, there's no reason they couldn't continue to chug on for years. Maybe even decades. In fact, the first thing to go may be the battery – although, thanks to them often not being removable, this failure would doom the rest of the device to becoming e-waste. But why should it be doomed to becoming e-waste a moment before it actually becomes an unusable thing? Today these phones are still usable, and people use them, because it is simply not viable for most people to spend several hundred dollars every few years to get a new one.

And yet, in this mobile ecosystem, they'll need to. Not only to keep running the software they depend on, but to be able to use the devices safely. The mere ability to function no longer is enough to delineate a working device from a non-working one. The difference between a working device and a piece of trash is what the OS manufacturer deems it. Because when it says it's done maintaining the OS, then the only proper place for a phone that runs it is a landfill.

It is neither economically nor environmentally sustainable for mobile phones to have such artificially short lifespans. "Your phone was released in 2013!" someone told me, as if I'd somehow excavated it from some ancient ruin and turned it on. It's a perfectly modern device (in fact, this particular phone in my possession came into use far more recently than 2013), still holds a reasonable charge, and is perfectly usable for all the things I use it for (well, except the United app...). So what do you mean that I can't use it? Or that any of the other millions if not billions of people in the world running Android 4.x phones can't use them?

There are lots of fingers to point in this unacceptable state of affairs. At app makers who refuse to support older OSes. At app makers who make us use apps at all, instead of mobile web applications, since one of the whole points of the Web in the first place was to make sure that information sharing would not be device- or OS-dependent. At carriers who bake the OS into their phones in such a way that we become dependent on them to allow us OS updates. At the OS manufacturers who release these systems into the wild with no intention of supporting them beyond just a few years. And to various legal regimes (I'm looking at you, copyright law…) that prevent third parties from stepping in to provide the support the OEM providers refuse to anymore. Obviously there are some tricky issues with having a maintenance aftermarket given concerns with authentication, etc., but we aren't even trying to solve them. We aren't doing anything at all, except damning the public to either throw good money after bad for new devices that will suffer the same premature fate, or to continue to walk around with insecure garbage in their pockets. And neither is ok.

Filed Under: backward compatibility, mobile apps, transparency
Companies: united

NSA, GCHQ Spying On Angry Birds And Lots Of Phone Apps: Time For Mobile Security To Up Its Game

from the game-over dept

Having already "infiltrated" online games like Second Life and World of Warcraft, it appears that the NSA and GCHQ are also busy playing Angry Birds, Candy Crush and pretty much any other popular mobile app as well, as they've learned that such mobile apps are incredibly "leaky" when it comes to revealing information about who you are, what you do and where you are. In a new report based on Snowden documents, ProPublica, the NY Times and the Guardian all have stories about how deeply the US and UK intelligence agencies can dig into your mobile phone to collect just about anything they want on you. And, as usual, they appear somewhat gleeful about the whole thing, as one slide in a presentation talks about "the golden nugget!" in discussing how they can pull so much information: Another set of slides, talking about how much information can be obtained from various mobile platforms, suggests that GCHQ and NSA can basically get just about anything from anyone. Take, for example, this slide about what they can get from an Android phone: Yeah: "If its on the phone, we think we can get it." (Grammar nazis will note the misused "its" there, but everyone else will be concerned about the implications here). Similarly things like "NOSEY SMURF" suggest the ability to turn on the phone's microphone to automatically tap anyone with a phone from anywhere.

Of course, a big part of the issue here is the lack of concern or focus on encrypting and securing mobile apps and data. While there's been increasing talk about encrypting everything on the web, the main focus has been on the desktop. And while there are things like VPNs and security for mobile phones, it's been much less of a priority for many. That needs to change.

In talking about the NSA issue with a variety of startups lately, it's been somewhat depressing to hear more than a few suggest that they were unwilling to speak up, because they were afraid it would shine more of a light on how weak their own privacy and data protection efforts have been. I've told multiple companies that the proper response to this is not to stay quiet but to fix your own data management in order to protect your users. Because sooner or later, people were going to find out about leaky data like this one way or the other.

At this point, it's clear that the NSA, GCHQ and others will seek out and collect any data they can. That makes it imperative for pretty much everyone creating any app that collects any data -- even for something as simple as a game like Angry Birds -- to learn how to properly protect that data and to protect their users. This goes for both small companies and large ones. For example, the reports show the NSA and GCHQ salivating over all of the information that Google Maps provides. Google has been taking a stand that says they're serious about protecting their users' data. If the company is serious about that it should take the lead in making phones much more secure from simple and easy tracking, as is detailed in these documents.

Filed Under: angry birds, encryption, gchq, mobile apps, mobile phones, nsa, security, surveillance

DailyDirt: Smarter Cars On The Way (Not Smarter Drivers)

from the urls-we-dig-up dept

Cars used to be fairly simple mechanical devices that gave drivers the freedom to zip around a city, but now cars are much more technologically advanced gadgets -- getting smarter and connecting with all kinds of other things (eg. sensors, phones, other cars, the internet). Pretty soon, cars could become our artificially-intelligent personal servants, helping us out with our daily tasks like KITT but without the turbo boost. Here are just a few steps towards every driver getting their own car sidekick.

• Unlocking your car with your phone via a 'passive Bluetooth keyless entry system' sounds pretty cool -- just wait for your phone and your car to pair up wirelessly, and voila, you can hop into your car. (And if your phone is out of range, all the doors lock automatically, too.) Right now, this prototype only works with an Android phone and some custom Arduino hardware in the car (and there are probably a few security concerns for this hack, but who cares when your car opens for you automagically). [url]
• The US Public Interest Research Group (PIRG) says that mobile apps are making it easier for young adults (16-34yo) to drive less -- by making carsharing and public transportation more convenient than ever before. Kids these days just want to get from point A to point B without disconnecting from Facebook... Just make sure to look up from your phone every so often as a safety check, folks. [url]
• A survey of car owners suggests that consumers might be more willing to use a self-driving car from a technology company like Google, Apple or Intel -- rather than one from a traditional automaker. The survey question presumes self-driving cars are safe -- so consumers probably aren't quite ready yet to place their lives in the hands of a version 1.0 beta autonomous car. [url]

If you'd like to read more awesome and interesting stuff, check out this unrelated (but not entirely random!) Techdirt post via StumbleUpon.

Filed Under: automaker, autonomous vehicle, cars, carsharing, keyless entry, mobile apps, prototype, self-driving car
Companies: apple, google, intel

California Looking To Protect You From The Scourge Of Airlines Not Mentioning Privacy Policies You Don't Read

from the i-feel-so-much-safer dept

Back in October, we wrote about how California Attorney General Kamala Harris was threatening United Airlines over Twitter, because their mobile app apparently didn't prominently display the app's privacy policy. California has a silly law that requires privacy policies. Now, Harris has actually sued Delta airlines over the same thing. Of all the illegal things that Harris could be going after, is focusing on mobile apps that don't prominently display their privacy policy really the best use of her time and my taxpayer dollars?

The whole infatuation with privacy policies is, frankly, stupid. They do nothing to actually increase your privacy. Since the only thing they do is hold you to your own rules, they actually encourage companies to take your privacy less seriously, since to avoid possible liability, they're likely to craft privacy policies that aren't as strict. Furthermore, no one reads those things. Forcing companies to display a broadly written policy designed to limit their liability, which no one cares about and no one will read... just seems like a complete waste.

Of course, as we've discussed before, this is exactly what state Attorneys General do all the time. They pick some random issue they can grandstand about, and then pick on companies over those issues, putting all sorts of public pressure on them, solely for the purpose of generating headlines about how they're "protecting consumers" or some other bogus claim... and then they use those headlines for when they run for higher office. The Attorney General slot is quite frequently seen as a stepping stone to becoming governor, and so many AGs abuse the position with these kinds of legal threats and lawsuits almost entirely to be used as campaign fodder. It's sad and pathetic and does little to actually protect the public.

In Harris' press release about the lawsuit, she makes this silly claim: "Losing your personal privacy should not be the cost of using mobile apps, but all too often it is." But that's ridiculous. Just because Delta doesn't link to its privacy policy from the app doesn't mean that users lose their personal privacy.

The only encouraging thing here is that looking through the comments on the Ars Technica article linked above, they seem almost universally to be against Harris for filing such a silly and pointless lawsuit. Maybe, one day, we can hope that such pointless grandstanding is seen for what it really is: a cynical ploy to make an Attorney General look good in the press, rather than any legitimate legal issue.

Filed Under: california, kamala harris, mobile apps, privacy, privacy policies
Companies: delta

HTC Sends Cease & Desist To Developer Who Made Similar Android Widgets

from the can't-compete? dept

Tim K alerts us to the news that phone maker HTC has sent a cease & desist nastygram to the developers of an Android widget that certainly had a similar look and feel to HTC's own Sense UI. Except, many people claim that this newer widget, from LevelUp Studios, was actually better. LevelUp apparently has no interest in fighting this, and are ditching the widget, but it seems that they could have a decent argument here. The bigger question, though, is why HTC is bothering? I'm actually a big HTC fan. My last two mobile phones have both been from HTC, and I had been expecting my next one to be from HTC as well. But this sort of bullying for no good reason makes me wonder why I'd want to support a company like that. Honestly, what was HTC "losing" by letting this widget be created? This seems like bullying just for the sake of bullying.

Filed Under: android, cease & desist, mobile apps, widgets
Companies: htc