Summer Byte: What data are YOUR apps collecting from you?

Introduction

In our world today, personal technology is almost a given, with over 95 percent of U.S. citizens owning a cellphone, a tablet and/or a personal computer. However, as modern society and scientific innovation continues to progress, these forms of personal technology have only gotten more and more complex, leading to, among other things, the smartphone. As consumers of these apps, it is critical that we understand how our data is being used by corporations and third-parties, what rights we have, and how we can control the amount of permissions we are giving these data-mining applications. 

What is a “Smartphone”?

A smartphone is defined as “a mobile phone that performs many of the functions of a computer, typically having a touchscreen interface, Internet access, and an operating system capable of running downloaded applications,” and includes many popular types of cell phones, such as those produced by Apple, Samsung and Google. In fact, according to a study conducted in February 2018 by the Pew Research Center, a staggering 77 percent of Americans now own some type of smartphone—a number that is up 35 percent from the first study of this sort conducted in 2011. 

Source: https://www.allaboutapps.biz/mobile-app-security-implementation/

How Does This Relate To Security?

All smartphones come preinstalled with certain applications, or apps, which are designed to assist users in a variety of ways. Consumers are also able to personally download specific third-party apps to their phone through the use of a app store, which serves as a digital distribution platform. However, many people may not realize that a lot of popular apps common to several users serve more than just one function: although they do provide a service in an efficient, convenient manner, they also track and store data for use in marketing, health, politics, and many other fields. Let’s examine some widely-used apps and how government and industry utilize them to gather data, as well as what that data is used for.

Facebook/Twitter/Instagram

By and large, the most popular apps installed on smartphones are social media apps, defined as “interactive computer-mediated technologies that facilitate the creation and sharing of information, ideas, career interests and other forms of expression via virtual communities and networks.” In short, social media is a way to communicate with other users by sharing photos, thoughts, or other pieces of personal information through an organized system. There are hundreds of social media sites, the most common being Facebook, Twitter, and Instagram. On these sites, users have several options for how they want to express themselves. They can share thoughts in the form of text posts, upload photos and videos with captions, “friend” or “follow” other users, and reblog and comment on others’ posts. Every post created on a social media site instantly becomes part of a larger set of metadata. It’s the reason behind the common warning: what you put out onto the Internet will exist forever. Even if a user deletes a post from their social media account, the post will always exist in the cloud, or a remote server.

Source: https://blogs.reading.ac.uk/itsnews/2017/06/20/5-security-experts-you-need-to-be-following-on-twitter/

There are several ways this data is then utilized. The most common way is to create targeted advertisements, especially (as seen in the recent Facebook scandal) political advertisements. However, most of this data feeds into metadata, which is data that actually gives information about other data. To most, this just becomes a sea of infinite numbers and information. To information data specialists however, each piece of data can be quantified and used to say something valuable about a consumer. This data is traced and collected to form pictures of user habits and conversations, which is then used in a bit of an atypical way: furthering the progress of artificial intelligence (AI). AI, however, is very much a double-edged blade. 

One type of AI is called a bot, a network generated autonomous creation that can interact with others on a social media platform as if it was another user. Bots are often used by malicious entities, such as hackers, to gather personal information from users by engaging them in conversations while acting like real human beings. Bots are made from algorithms and data crafting—they rely on mass amounts of data to sift through and determine how to act more human. The more data they observe, the more algorithms become specialized to make bots seem more and more realistic, thus making it harder for users to discern real human beings from bots. 

It’s worthwhile asking what the point of a bot is. Bots are primarily used to manipulate the public into believing something or acting a certain way. More than 50% of American users get their news and current information from social media, and bots sway them one way or another. Bots have previously been employed by political organizations (to talk to people and influence their political leanings), by government regimes (to input propaganda and turn the tide of public opinion), and by product developers (to test drive product ideas in large focus groups of consumers). Identifying bots is not easy. The best current way to identify one is to start up a conversation with one and use slang words or emojis, phrases and characters that the bot is most likely not programmed to identify. However, with time, bots will likely even be able to recognize these as they continue to use user data to become seemingly more human.

Source: https://www.psafe.com/en/blog/guide-tightening-facebooks-security-settings/

Safari/Google Chrome/Firefox

There are a large variety of Internet web browsers available to users across the country, and all of them are compatible with almost every search engine, be it Google, Bing, or something else. These web browsers share another common feature, however: the ability for users to store web passwords. In Safari, Apple’s web browser, this feature is called Keychain. It is a password management system that keep track of every username and password that the smartphone’s user has ever entered into a website. Whenever users enter a new password, they are prompted to save that password in Keychain; if they enter a password that does not match that in Keychain, they are prompted to update their Keychain password.

For some, this feature is life-saving, as it remembers passwords for the user, saving them from having to keep track of all their passwords themselves. For others though, it is troubling, as all their passwords are kept in one place on their phone. In order to use a password stored in Keychain, the consumer must provide their fingerprint or face as an identifier, so anyone using the phone besides its owner would not be able to get into a private account. This feature was only added in the iPhone 7, meaning that before this model, no authentication was required, meaning that anyone using an iPhone would be able to access any account if the password was saved in Keychain. For those who are using an older model of a smartphone, it is important to be aware of this feature. Ensure that, if you are using a password management system, that is requires individual authorization every time a password is used.

As for why this poses a danger, that is fairly self-explanatory. Keychain can store a wide range of passwords, from a video game password to a social media password to a bank account password. Not all passwords are made equal, and if Keychain were ever to be hacked or otherwise infiltrated, the attacker would have access to every password you have ever entered into your phone. As for how to protect that information, it is better not to access highly confidential accounts from a smartphone at all. Use a computer with a secure server and remember those important passwords (write them down on paper so they can’t be hacked, if you need a way to remember them) so there is little to no danger of them being appropriated for malicious intent.

Source: https://en.m.wikipedia.org/wiki/Safari_(web_browser)

Spotify

Spotify is an audio streaming platform that contains millions of songs which users can listen to for free. They can make playlists, follow artists, like songs to save them to a library, and listen to audio podcasts. The free version of Spotify includes ads between songs, as well as a limit on how many songs a user can skip within an hour, in order to maximize the amount of users who listen to each song. For $10 a month, Spotify users can also subscribe to Spotify Premium, which provides them with ad-free music streaming and unlimited skips. This allows Spotify to maintain their stream of revenue—they either profit from subscriptions or ads. In order to target ads to customers, Spotify participates in buying and selling personal data from and to other companies which collect that data. For example, they may purchase Google search history in order to show user-specific ads on their app.

Here is an excerpt from Spotify’s own privacy policy. “We may share information with advertising partners in order to send you promotional communications about Spotify or to show you more tailored content, including relevant advertising for products and services that may be of interest to you, and to understand how users interact with advertisements. The information we share is in a de-identified format (for example, through the use of hashing) that does not personally identify you.”

This shows the benefit users can derive from reading the fine print surrounding cybersecurity. In no way is Spotify attempting to deceive its customers, but they do package personal data and share it with advertisers, as well as utilize personal data from other websites to target content as well. As far as identifying data, it is true that Spotify does not sell or purchase strictly identifying data, such as birth dates or addresses, search histories and other forms of metadata can often be just as identifying as quantifiable data, so it is worthwhile to be careful of how much personal data, directly identifying or not, one puts onto the Internet. Spotify does use techniques such as hashing, which is generating a value from a string of text using a mathematical function, to encrypt data but studies have shown that the techniques employed are not the most secure, and as the saying goes: better safe than sorry.

A smartphone is seen in front of a screen projection of Spotify logo, in this picture illustration taken April 1, 2018. REUTERS/Dado Ruvic/Illustration

Google Maps

Google Maps is arguably the most widely used navigation system nationwide. It is based off Google’s satellite imaging, and except for a few issues and bugs that have popped up over the years, is fairly reliable in terms of accurately pinpointing destinations. Google Maps has a variety of features that are designed to make it more convenient of users. In addition to being able to navigate almost anywhere on the planet, Google allows you to store specific destinations you frequently go to, save directions and send to them another person, check the traffic and how much time it will take you to reach your destination, and have Google send you alerts regarding your regular routes.

This data however, while convenient, also comes at a price. Google Maps stores all location data entered into it, including every destination users search up directions for. It analyzes which stores, businesses, and other locations users visit frequently to target ads to them, both on Google and other sites (as Google often packages and sells that information). It tracks the time taken to get from one location to another, in order to better traffic predictions for all other consumers. In this way, Google Maps can alert consumers as to when they should leave to get somewhere on time (for example, work and school) and pull up a route for them with the least amount of traffic. All of this is still more helpful than not, however. The cybersecurity problem with this is that this information, which contains so much and is so readily stored in one place, is then vulnerable to hackers.

Google has already suffered one major privacy breach (which could be a cause of the Google+ eventual shut down), and if recent statistics regarding tech company security breaches are anything to go by, it may not be the last. If the security surrounding Google Maps was breached, hackers would easily be able to track users—they would know which locations users frequently went to, which routes they took to work, how often they left their house, when they weren’t at home, and where users shopped, among other information. This could lead to a rise in robberies (knowing when a user is not at home would leave their house vulnerable to theft), increased violent crime (knowing a user’s location makes it easier to find them for malicious purposes), and a greater rate of identity theft (personal information about a user’s whereabouts could include things such as which banks they use, where they work, and other pieces of identifying information). 

While this scenario is not likely to occur, it is always important to be aware of the fact that cyberterrorists do exist, and many will not hesitate to use personal data in a way that may have bad results. In order to protect yourselves as consumers, before you save routes to Google, have the app set alerts for when you should leave your home, and assign addresses to your home, work, and bank, think about how much information you’re putting into Google Maps, and how that information could possibly be used against you in the future.

Source: https://youtu.be/eOyp0yGwJZ0

Apple Health

The Apple Health app was created by Tim Cook, Apple’s CEO, in order to break into the healthcare industry, an industry which, in his words, “makes the smartphone industry look small”. The app collects data and organizes it into one of four categories: Activity, Sleep, Mindfulness, and Nutrition. In Activity, Health automatically tracks a user’s steps, including distances from walking, running, and climbing stairs. It does so by sensing a range of motion when a user is holding their smartphone, including how fast the phone is being moved and in what direction. In Sleep, Health connects with the Clock app on the iPhone in which users can enter a bedtime and a wake time. Clock will set alarms for both those times, and will feed that data into the Health app. In Nutrition, Health can measure how many calories users burn a day, which is calculated based on activity, weight, and height. Body metrics such as weight and height must be inputted into the app manually beforehand, and are then stored by the app for future use.

Apple Health is doubly useful because of its ability to connect to other health apps, which serve as sources of data. For example, there are apps on the App Store that can measure how long a user slept on any given night, as well as how long they spent in each stage of sleep and in REM sleep, based on their breathing. Other apps can measure heartbeat and heart rate when the phone is on the user’s body, and there are still more that involve diet. Nutrition apps are used by consumers to record what they eat on a daily basis, by having them input specific foods at specific times of day. Health then consolidates this information and breaks it up into types of nutrients and macromolecules, such as carbohydrates, iron, fat, fiber, sugar, and calcium to provide users with knowledge on what they are eating. The Mindfulness section can also connect to apps, such as ones involving yoga or meditation, to count how much time users spend on mindfulness activities each day.

While all of this is highly personal information, the Apple Health app has been touted as more useful than it is dangerous. While it is true that Apple is not invulnerable to cyber attacks, health information is not immediately dangerous for others to have. Furthermore, having this knowledge tracked in one place makes it easier for users to examine their lifestyle habits and determine whether or not they need to change them. Furthermore, the information that Health stores can help save lives. The app also requests data for a “Medical ID,” which includes information about allergies and severity of allergic reactions, current medications and medical conditions (as well as any doctor’s notes on those conditions), organ donor status, blood type, and emergency phone number.

This data, along with biometric data, is readily accessible even when the phone is locked, and provides a thorough, highly comprehensive report with every piece of information a paramedic would need to know. Filling out a date of birth is also optional, which users can decide to do or not do according to their preferences, but the storing of this information can help make instant decisions about administering medication, blood transfusions, or treatments, especially if the user is unable to recall or provide that information at the time—decisions which could take an indeterminate amount of time to make otherwise.

Source: https://blog.elcomsoft.com/2018/11/apple-health-is-the-next-big-thing-health-cloud-and-security/

Goodreads

Goodreads is arguably the most popular app for readers and writers worldwide—it is considered a “social cataloguing app,” meaning that users can use it in order to track lifestyle habits and connect with other users. Upon signing up for a Goodreads account, users gain access to the app’s near limitless database of books, authors, book review, and notes. Users can also register books they have read, want to read, and are currently reading to create reading lists, which can be shared with other users in discussion groups, book blogs, and polls. Most Goodreads users know that the app stores some of their data; after they log a book into the app, they are often asked to rate it on a scale of one to five. Goodreads then takes that data and uses it to make more specific book recommendations in the future.

However, there is another important piece of lesser-known information to be noted about Goodreads: it is owned by Amazon. This means that Goodreads is not just storing data in order to make book recommendations, but that the app is sending it to the media giant for use in advertising. Amazon owns an extraordinarily large amount of other holdings and business ventures—among these include the following: Kindle (a reading tablet manufactured by Amazon, which directly connects to Goodreads and utilizes Goodreads data in order to advertise specific books from Amazon), Audible (an audiobook company which uses Goodreads data in the same way as Kindle), IMDb (an Internet movie database which offers users movies and DVDs, which it does so by using Goodreads data on a user’s preferred book genres to determine what types of movies that user may like), and Twitch (a video gaming service which utilizes Goodreads data to correlate preferred books to video games). 

This is just media; Amazon owns several other companies in the realms of healthcare, hardware, energy and transportation, web services and retail. While it would be impossible to enumerate all the ways in which Amazon uses data in this article at least, some of it starts with an app on your smartphone. Goodreads is just one of the many ways Amazon collects user data in order to form a picture of a consumer: their tastes, their preferences, what they are likely to buy. Every time you rate a book or join a reading group, Amazon files that information away. While this is not necessarily a bad or malicious thing, it is important to know where your data is going.

Source: https://www.nosegraze.com/goodreads-gets-bought-by-amazon-why-this-is-awesome-news/

Apple Wallet

Apple Wallet is a function on iPhones that allows users to store credit cards, gift cards, and any other form of digital money on their phone, essentially serving as a digital wallet service. Anything in this wallet can be used to purchase items and make transactions through Apple Pay (Samsung Pay and Android Pay are similar alternatives), a contactless transfer of money accepted at most major retail stores in America. Apple Pay can even be used in place of cash, or for subscriptions and in-app purchases. In order to do this, it utilizes several cybersecurity functions, the most important being payment tokenization.

Payment tokenization means that, while users do have to input their credit card data (including the number and name on the card, the expiration date, and the security code), this data is then scrambled and converted into a “token”—a cryptogram that is worthless to hackers. Therefore, Apple Pay transaction don’t use your credit card number, just the associated cryptogram, so even if someone were to hack into a database of your purchases, they wouldn’t have any of your information. This is why a lot of retail stores are updating their systems to accept electronic payments—after large hacks seen at stores such as Target, this tokenization system is the best way to prevent the theft of information.

Apple Wallet also takes extra steps to ensure that a user’s info is secure. When a user uploads credit card information, it is encrypted and sent to the corresponding bank for further verification. Depending on the bank, users must them complete multi-factor authentication in order for the bank to determine that the user is who they are claiming to be. Some examples of multi-factor authentication may include providing a fingerprint or face ID, or answering security questions that the bank has on file for the account. It is because of this process that many say Apple Pay is actually safer than using physical credit cards: not only do vendors not receive customers’ real credit card information, but each payment requires authorization by the bank sponsoring the card. This is why many tech companies are now urging consumers to utilize digital wallet services, as many are proving to be even more secure than credit cards. As knowledge about these services gains more public attention, more retail stores are likely to begin taking steps to accept digital payment, creating a world in which hackers can not commit identity theft, since stores would not have any identifying purchase information at all.

Source: https://www.google.com/amp/s/www.macrumors.com/2014/10/02/comprehensive-look-at-apple-pay-security/amp/

Conclusion

Now that we have a better idea of how specific apps you have on your smartphone are using our data, we can move towards taking better control over this information that we willingly give. Though it might feel impossible to do so, to take rein of your data, view what data you are allowing each app in the settings of your phone to change permissions as you see fit. It might also be a good idea to generally limit the information you input into websites as you register, unless you see an asterisk AND reason that the information is needed for the service. Also, keep in touch with the policies that give you control over your data like GDPR, The California Consumer Privacy Act, the Children’s Internet Protection Act (CIPA), and more. By taking proactive steps to become more knowledgeable about your rights and controls, we can become more educated and secure citizens, protecting ourselves and each other from potential breaches of trust!

As always, have a safe and secure week!

Sincerely,

Policy Panther