Ad Software Dev Doesn't Like Being Called Out For Privacy Violations ; Sends Threatening Letter To Researchers Who Exposed It

from the fixing-it-in-post dept

The Children's Online Privacy Protection Act (COPPA), passed in 1998, governs the sort of data that can be collected from children under the age of 13. That's why kids have to age themselves prematurely to create accounts on some social media networks. It's a law kids under the age of 13 subvert every day, but it's in place to protect kids from online services and restricts information collected by apps and online services that cater to children.

Unfortunately, there are a lot of app developers ignoring this law. A recently-published research paper shows a host of violations and questionable practices that smartphone/tablet app developers are engaged in. Serge Egelman, one of the paper's co-authors, notes that thousands of apps are violating this law every day. In just one example, an advertising SDK (software development kit) made by ironSource is harvesting personal data from 466 child-directed apps.

It's not as though this is a simple oversight. In an earlier blog post detailing COPPA violations, Egelman points out Android developers must take a series of affirmative steps to market apps directed at children. There's a long list of stipulations that must be met before Google will allow apps to become part of its Designed For Families program.

Apps using ironSource's SDK are being marketed to kids, making the presence of a targeted advertising tool not merely questionable, but possibly illegal. As Egelman's blog post notes, it certainly violates ironSource's own terms of service. This is taken from its privacy policy, as archived late last year.

The Services are not directed to children under the age of 13 and children under the age of 13 should not use any portion of the Services. ironSource also does not knowingly collect or maintain personal information collected online from children under the age of 13, to the extent prohibited by the Children’s Online Privacy Protection Act.

"Services" is explained further in the Privacy Policy.

This Privacy Policy (the “Privacy Policy”) describes how ironSource Ltd. and its subsidiaries (collectively “ironSource” or “we”, “us”, “our”) uses end users [sic] (“you” or “your”) information when you view ads served by platforms and services operated by ironSource Mobile Ltd. on third party websites or mobile apps (the “Services”).

This would appear to indicate children under the age of 13 should not see ads served by ironSource. The easiest way to do that would be not to use the targeted ad SDK, as Egelman points out. But the research shows the opposite occurs repeatedly, with developers adding ironSource's ad software to their apps before shoving into the "Family" section of the Play Store.

This research paper -- and the attendant blog posts -- weren't published until this year. Shortly after publication, ironSource apparently chose to express its irritation with being named and shamed as an accomplice in COPPA violations. But the story is stranger than it first appears. IronSource apparently obtained a leaked copy of the report prior to its official publication. The angry letter it sent Egelman's research partner, Irwin Reyes, claims their report is "inaccurate and misleading." But if it is, it's only because ironSource performed a legalese switcheroo after receiving the leaked paper.

To our surprise, between first receiving a leaked draft of our paper in February and sending this letter in April—presumably while they waited for the paper to appear online, for plausible deniability, so that they would not have to explain how they came into possession of a stolen draft—ironSource updated their privacy policy to remove the clause about children not using their services. The current policy, dated March 4, 2018 (i.e., after they were aware of the paper), now simply says that they have no knowledge of receiving data from children.

The letter involves ironSource blundering far across the line between clever and stupid.

Ms. Litay, who claims to be a lawyer, claims that our paper is incorrect because it cites a clause that was removed after the paper was written! This requires significant mental gymnastics (or a significant amount of chutzpah and the misguided belief that the recipients of her letter do not know that the web is archival).

Even with the hastily-applied patch job, ironSource's COPPA "compliance" deserves scare quotes. ironSource is claiming it has "no knowledge" of personal data being collected from children under the age of 13. But this can't possibly be true, even with its reworded privacy policy.

Looking at just our dataset for all the apps transmitting personal information to ironSource, several developers’ names include words like “child,” “baby,” or “kids.”

Behind all of this is a company displeased its questionable and possibly illegal business practices have become the subject of an unflattering research paper. The letter [PDF] ends with a veiled lawsuit threat, claiming the researchers fully-substantiated claims "may result in substantial financial damage" to ironSource.

Egelman's response [PDF] pulls no punches. It calls out ironSource for its lie about its privacy policy's wording.

IronSource’s privacy policy (or rather, the privacy policy of Supersonic, ironSource’s subsidiary), at the time that we accessed it (September of 2017, as documented in the article and since deleted from ironSource’s website), stated the following:

"The Services are not directed to children under the age of 13 and children under the age of 13 should not use any portion of the Services."

Your allegations appear to be based upon your interpretation of the term “Services,” which you claim is defined as being those services that ironSource offers to app developers, and presumably not what is collected from end-users. That is, your letter is claiming that these statements mean that you do not allow developers under 13 to sign up on your website to use your SDK, and not that the SDK should only be used in non-child-directed apps. This may be a reasonable interpretation of the privacy policy and terms of service as they are currently written.

But that's not how they were written before the paper was published -- and before ironSource obtained a copy. Before then, the terms of service stated children under 13 should not use "this portion" of the services, referring to ironSource's targeted ad SDK. If the SDK was bundled with apps targeting kids, information was harvested by the SDK in violation of federal law.

As to the thinly-veiled legal threat closing out ironSource's ridiculous C&D, Egelman says, "Bring it on."

As you know, the verbatim quotation in our paper of Supersonic’s privacy policy as it existed at the time the paper was written, and our reasonable interpretation of that privacy policy are protected speech. You can appreciate, I hope, our concern about your implied threat of a commercial defamation lawsuit, and our perspective that any such action would be a Strategic Lawsuit Against Public Participation (SLAPP), prohibited by California’s anti-SLAPP statute (Ca. Code of Civ. Proc., §§425.16 et seq.). Your concern about ironSource’s financial interests and reputation is not likely to be well served by unfounded threats to academic researchers acting in the public interest.

Rather than let the research paper filter its way into the collection consciousness with possibly minimal reputational damage, ironSource has chosen to draw more attention to it by attempting to silence its authors. Now, it looks like a company that threatens critics when not violating federal privacy laws. Retconning its privacy policies before calling researchers liars is just prime stupidity. The internet is forever. So is ironSource's self-inflicted damage.

Filed Under: advertising, apps, coppa, irwin reyes, privacy, researchers, serge egelman, threats
Companies: ironsource

US Senators Unveil Their Attempt To Secure The Internet Of Very Broken Things

from the good-luck-with-that dept

Over the last few years we've documented in painstaking detail how the lack of any real security and privacy standards in "internet of things" devices is leading us down a path to some serious trouble. That shouldn't be particularly surprising if you've paid attention to how your refrigerator can now leak your Gmail credentials, your "smart" thermostat is now vulnerable to ransomeware attacks, your smart car could be hacked in order to kill you, your power outlets can be hacked and used to launch DDOS attacks, or how your vibrator is now busy collecting data on your daily behavior.

There's one root cause: companies that prioritized making a quick buck over implementing anything resembling sane security or privacy standards.

And despite this dysfunction now being the butt of endless jokes, things really haven't changed all that much, since actually giving a damn about the problem would erode profit margins for WiFi-enabled widget makers. The end result is the daily introduction of millions of new attack vectors for both homes and businesses on a global scale. As such, there's more than a few security experts that, no hyperbole intended, believe it's inevitable that this problem will impact core infrastructure leading to significant human casualties.

Given this is a global problem, and many of these companies are Chinese, legislating the problem away via U.S. law is likely going to be a steep uphill climb. That apparently doesn't seem to concern Congress, which this week introduced a new bill they hope will help secure the internet of very broken things:

"The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities. Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are sponsoring the legislation, which was drafted with input from technology experts at the Atlantic Council and Harvard University. A Senate aide who helped write the bill said that companion legislation in the House was expected soon."

While IOT legislation may be well-intentioned, many of these devices (like the security cameras and DVRs that contributed to the historically massive DDOS attack on Dyn last year) are made in China, where manufacturers will laugh off foreign legislative band aids. And while there's very legitimate concerns that legislation crafted by a Luddite Congress could stifle innovation and experimentation in the space, this particular proposal does at least apply some standards to the IOT devices purchased and used by the federal government, injecting at least a layer of sanity and reflection to the rapid expansion of poorly-secured IOT devices.

Security researcher Brian Krebs highlights another good part of the bill, namely the portion that expands legal protections for cyber researchers working in "good faith" to hack equipment to find vulnerabilities so manufacturers can patch previously unknown flaws:

"Those advocates were no doubt involved in shaping other aspects of this legislation, including one that exempts cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act (CFAA), a dated anti-cybercrime law that many critics say has been abused by government prosecutors and companies to intimidate and silence security researchers. Perhaps the most infamous example of prosecutorial overreach under the CFAA comes in Aaron Swartz, a Harvard research fellow who committed suicide after being hounded by multiple CFAA fraud charges by state and federal prosecutors for downloading a large number of academic journals.

All of that said, the legislation isn't going to do enough to prevent major, looming problems. Between 20 billion and 30 billion "IOT" devices are expected to be connected to the internet by 2020 worldwide. And as Bruce Schneier has noted on occasion, the origins of this market failure begin with an apathetic cycle of dysfunction between both hardware vendors and consumers, something that the market alone has shown it's not capable of -- or seriously interested in -- fixing:

"The market can't fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks. The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."

So while this law may be a start, it's going to take a lot more than U.S.-specific legislation to fix this particular market failure, assuming such laws don't actually manage to make the problem worse. Smart networks, smarter engineers, better routers, better code, and better communications between companies, governments, activists, and other stakeholders are all essential to get ahead of this particular threat. Fixing the internet of broken things requires a massive, over-arching, holistic effort, one that doesn't exist yet, and unfortunately isn't likely to gain serious momentum until after the internet of broken things check comes due.

Filed Under: cfaa, congress, iot, mandates, researchers, security

A Bunch Of Security Researchers Cancel Appearance At RSA's Conference To Protest Selling Out To NSA

from the good-for-them dept

A few weeks ago, there was quite a big story concerning how the NSA paid $10 million to RSA to make its compromised random number generator the "default" in a key RSA product. The RSA issued a ridiculously stupid "categorical denial" of the report, which actually denied something entirely different, more or less confirming the original report. Following this, one of the most well-known security researchers around, Mikko Hypponen, announced that he was cancelling his planned talk at RSA's big conference in February. Since then, additional security experts, including Chris Soghoian, Jeffrey Carr and Josh Thomas have each announced that they're cancelling their own talks as well.

Carr also has a good post debunking some of the key claims in RSA's non-denial denial. For example, RSA tried to suggest that Dual EC DRBG was fairly standard when it decided to make it the default, but that wasn't the case. In fact, as a few others have pointed out as well, the NSA actually used the fact that RSA had made it the default in its BSAFE toolkit to push Dual EC DRBG forward as a key standard via NIST, leaving out the tidbit where they had paid RSA $10 million to sell its soul. Carr further notes that, not too long before that, RSA's former President and CEO, Jim Bidzos, had clearly stated that RSA needed to recognize that the NSA believed that RSA was the enemy:

"For almost 10 years, I've been going toe to toe with these people at Fort Meade. The success of this company (RSA) is the worst thing that can happen to them. To them, we're the real enemy, we're the real target."

While Bidzos was long gone from RSA when this deal was concluded, anyone working at RSA had to know that the NSA's interests and RSA's interests were not aligned. The fact that RSA appears to have, at least, looked the other way concerning the security of Dual EC DRBG, while quietly pocketing the money, is really damning. It's good to see security experts speaking up and taking a stand against the company, not just for the deal, but for its totally bogus fake denial.

Filed Under: chris soghoian, jeffrey carr, josh thomas, mikko hypponen, nsa, researchers, rsa conference, security
Companies: rsa