Security Week 03: 2019 - year of privacy

    Well, maybe not the whole of 2019, and making predictions is in general a difficult and thankless business. After that loud headline, let us be more precise: the important news of early January is almost all, in one way or another, about privacy. In 2018, the value of the data that network services collect from their clients, and the problem of its uncontrolled use, became a subject of wide discussion for the first time. The trigger was the Facebook scandal: the mass collection of data on the social network's users, not even by Facebook itself but by some obscure third-party firms, followed by widespread use of that data, including in elections.

    Specialists and people familiar with the subject have long understood that the Internet giants know almost everything about us. Where we are, what we dream of, how much we earn, how much we cheer, how long we sit in traffic jams, whom we vote for in elections, what went into our holiday salad. A wider discussion of the topic and, perhaps, more serious pressure on the companies collecting information is generally a good thing. It may bring the peculiar Wild West era of the data market to an end. The main thing is that the pursuit of privacy does not hurt the quality of services, which also depends on users' personal data.

    In the meantime, companies are beginning to use privacy as a competitive advantage. At least, those that can afford to do so without being accused of misleading advertising. At the CES exhibition in Las Vegas in early January, Apple advertised its objectively strong position on protecting iPhone users' data: what happens on your phone stays on your phone. The problem is that operating system settings alone cannot protect you. This is best shown by a journalistic investigation published on the Motherboard website (a brief summary in Russian is here).

    The author of the article, journalist Joseph Cox, found a private detective... Although no, that is probably too respectable a term. In the article he is called a bounty hunter: a person who, for money, tracks down debtors, people hiding from the police, or anyone else at all, as long as someone pays. He was given 300 dollars and a mobile phone number. In exchange for the money, the bounty hunter sent back a Google Maps screenshot showing the location of the phone's owner, accurate to within a block.

    Under American law, such activity is not exactly prohibited: mobile operators are allowed to pass customer location data to specialized organizations. Those organizations, in turn, are approached by credit agencies, car dealers, and in general anyone who needs to make sure that the person taking out a loan or buying a car is telling the truth. The key point is the explicit consent of the contract holder to being tracked, which was not given in the case described in the Motherboard article. Representatives of the cellular operators and the large personal data providers eventually blamed a relatively small agency that resold the data to anyone interested and willing to pay.

    The article had serious resonance and was even discussed in the US Congress (see the tweet above). The refrain went: how can this be, anyone at all can be tracked down! Well, yeah. Another case of unwanted surveillance of users has reached the courts: in Los Angeles, a lawsuit (news) was filed against The Weather Channel. It really was a weather TV channel originally; now it is more of a supplier of temperature and precipitation reports to smartphones and a developer of an advertising platform, and since 2016 the company has also been part of IBM.

    The lawsuit claims that the company collected location data from users of its mobile application (an audience of 45 million people) for the purpose of making a profit. At this point Captain Obvious walks into the digest and sadly nods his head: what other purpose could there have been? The logic of the claim is as follows: users were told that geolocation makes it possible to forecast the weather more accurately. In fact, weather forecasting does not require that level of accuracy, and there is certainly no need to collect data when nobody is using the application, even at night. Yet the data is collected anyway, and this is not cell-network positioning either: the accuracy here is higher. The data is then passed to IBM and third parties for use in advertising. Representatives of the company, of course, deny everything and insist that the information is collected and processed legitimately. Most likely, that is true.

    At the very end of December, at the 35C3 conference, researchers from the organization Privacy International described how Facebook collects data even about people who do not use the social network (news, organization report). The Facebook SDK was embedded in the Android applications studied (including very popular ones, such as Yelp or Shazam), and data is transferred to the social network through it. Amazing, right? If last year's revelations about how the social network uses your data upset you and you decide to remove Facebook from your phone, I have bad news: the social network still knows a lot about you.

    The study provides interesting examples. An electronic edition of the Bible, for instance, transmitted to the social network the number of the chapter and verse the user was viewing. The standard data set transmitted by all applications is app usage statistics, device type, and approximate geolocation based on language and time zone. But that is not the point: information useful for advertising can be extracted simply from the nature of the application. Some of them helped track menstrual cycles, others helped look for work. Of the 34 applications studied, 61% constantly sent data to Facebook, every time the program was opened on a smartphone.

    Thus, Facebook receives data even about people who either have no account on the social network or do not have its applications installed on their smartphone. The Captain enters the room again with a blank stare: what did you expect, all ad networks work the same way. Developers include Facebook code in their programs not for fun, but for profit. The digital economy at the end of the second decade of the twenty-first century is powered by personal data. Nothing personal, just business.

    What to do about it depends on your personal attitude to the problem. You can do nothing: except in extreme cases (such as the one described in the Motherboard article), data collection does not mean that somewhere at, say, Google or Facebook there is a folder holding your personal file, labeled with your first and last name. The effectiveness with which this data is used is still quite low, as you can tell from the quality of the advertising you are shown. The quality of services also depends on the data collected, and in many cases we do not object to network services getting better. I would just like to have a choice of which data to transmit, and the ability to allow or forbid companies to collect and store information. But that choice is not always available.

    If you are paranoid, it will not be easy. Interesting examples of maintaining privacy in an era of total digital transparency can be found in the /r/privacy community on Reddit. One of them is using an iPhone with strict data transfer settings, a mandatory VPN, and a limited set of applications (carefully reading the terms of use and privacy statement of each one). That is the easy route; there is a harder one: an Android smartphone with the alternative LineageOS firmware, without Google services, with applications installed manually. Until recently, privacy was associated mainly with anonymity, as in, you need it to do shady things on the Internet. Now the attitude is changing, and privacy is becoming “the demand of a normal person.” And this is good: if there is demand, there will be supply.

    Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The dear editors generally recommend treating any opinions with healthy skepticism.

